Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Slides:



Advertisements
Similar presentations
A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Advertisements

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars
Satisfiability Modulo Theories (An introduction)
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
Axiomatic Semantics Dr. M Al-Mulhem ICS
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 4.
Describing Syntax and Semantics
Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Synthesis, Analysis, and Verification Lecture 05a Lectures: Viktor Kuncak Programs with Data Structures: Assertions for Accesses. Dynamic Allocation.
Synthesis, Analysis, and Verification Lecture 12 Verifying Programs that have Data Structures.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
D Goforth COSC Translating High Level Languages Note error in assignment 1: #4 - refer to Example grammar 3.4, p. 126.
Lecture by: Prof. Pooja Vaishnav.  Language Processor implementations are highly influenced by the kind of storage structure used for program variables.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Ukrprog Formal requirement language and its applications A.Letichevsky Glushkov Institute of Cybernetics.
CSE Winter 2008 Introduction to Program Verification for-loops; review.
This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
1/20 Arrays Changki PSWLAB Arrays Daniel Kroening and Ofer Strichman Decision Procedure.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Semantics(1). 2 Symantec(1)  To provide an authoritative definition of the meaning of all language constructs for: 1.Programmers 2.Compiler writers 3.Standards.
Formal Verification – Robust and Efficient Code Lecture 1
Weakest Precondition of Unstructured Programs
Reasoning About Code.
Automating Induction for Solving Horn Clauses
Formal Methods in software development
Formal Methods in software development
Program Verification with Hoare Logic
COP4020 Programming Languages
Presentation transcript:

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Verification-Condition Generation (VCG) Steps in Verification generate formulas implying program correctness attempt to prove formulas if formula is valid, program is correct if formula has a counterexample, it indicates one of these: error in the program error in the property error in auxiliary statements Terminology generated formulas: verification conditions generation process: verification-condition generation program that generates formulas: verification-condition generator (VCG)

VCG Explained Until Now Programs that Manipulate Integers Compute Formulas from Programs Formulas with Integer Variables and Operations Prover (Integer Constraint Solver)

VCG for Real Languages Programs that Manipulate Integers, Maps, Arrays, and Linked Data Structures Compute Formulas from Programs have more operations in expressions of x=E Formulas with Integer Variables and Operations, as well as variables and operations on functions Prover (Integer Constraint Solver) + provers for function symbols, mathematical arrays, term algebras,...

Weakest Precondition Formula For set P, relation r P = wp(r,Q) means Let P F and Q F have x as free variable(s) For formula Q F, command c, P F = wp(c,Q F ) should imply {x | P F } = wp([[c]], {x|Q F }) If formula for command c is F(x,x’) then P F is

assume(E) x=E havoc(x) Preconditions for Basic Commands

Key Next Step: Handling Arrays If we know how to handle one static array, we will easily generalize to heap, many arrays, and other memory data structures. Now our language has – integer variables: x:Int; j:Int(as before) – but also arrays: a : Array[Int], b : Array[Int]

Subtlety of Array Assignment Rule for wp of assignment of expression E to variable x, for postcondition P: wp(x=E, P) = Example: wp(x=y+1,x > 5) = wp of assignment to an array cell: wp(a[i]=y+1, a[i]>5) = wp(a[i]=y+1, a[i]>5 && a[j]>3) =

wp of a[i]=E Let P be any formula containing also a[j] expressions wp(a[i]=E, P) =

Arrays as Mathematical Functions Suppose we have expressions that manipulate functions. Array update operator on functions: f(x:=v) = g means: 1) g(x)=v, and 2) g(y)=f(y) for y != x. How to represent assignments? x = a[i]  x = a(i) a[i]=v 

Construct formulas recursively Guarded program given by tree Leaves: x=E, assume(P) assume(P)  x=E 

Tree nodes (recursion) Non-deterministic choice [] Sequential composition ;

Generated Formula: Size and Structure How do generated formulas look like for loop-free code? ((c1 ; c2) [] (c3 ; c4)) ; c5 ( F1 & F2 | F3 & F4 ) & F5 can move existential quantifiers to top What is the size of the formula as function of code size?

Logic with Array Updates Variables denote: integers or arrays Operations on integers: +,-,*,/ Operations on arrays: a(i), a(i:=v) Comparison operators: ==, !=, Operators on atomic formulas: &&, ||, ! (Combination of theory of integers and extensional theory of arrays.)

Example with Static Arrays if (a[i] > 0) { b[k]= b[k] + a[i]; i= i + 1; k = k + 1; } else { b[k] = b[k] + a[j]; j= j + 1; k = k – 1; }

Example with Static Arrays (assume(a(i) > 0); b= b(k:= b(k)+ a(i)); i= i + 1; k = k + 1;) [] (assume(a(i)<=0); b= b(k:= b(k)+ a(j)); j= j + 1; k = k – 1; ) guarded commands: formula

Conditional Expressions y = (x > 0 ? x : (-x)) y = abs(x) a3 = a2(i:=v) && x = a3(j) Can we eliminate a3? We obtain

Eliminating Conditionals Formula u = (x > 0 ? x+1 : 2-x) becomes: Satisfiability of y > z + 2*(x > 0 ? x : (-x)) Becomes satisfiability of Satisfiability of disjunctions?

Logic with Conditional Expressions Variables denote: integers or arrays Operations on integers: +,-,*,/ Arrays access: a(i) Comparison operators: ==, !=, Operators on atomic formulas: &&, ||, ! (Combination of theory of integers and theory of functions.)

Suppose we find values for integers When can we find functions? f(i) = x && f(j) = y i  0, j  1, x  5, y  7 example f: f(i) = x && f(j) = y && i == j i  1, j  1, x  5, y  7 example f: Note if we have f(f(i))=x 

Satisfiability of Constraints with Uninterpreted Functions If we have a model for integer values such that then we can extend it to a model of functions. How to ensure we only find models that satisfy constraints? (Ackermann encoding)

Now we can handle static arrays wp(x=E, P) =

Reference Fields class Node { Node next; } How to model ‘next’ field? y = x.next;  x.next = y; 

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.