game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of.

Slides:



Advertisements
Similar presentations
A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advertisements

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars
IPAW'08 – Salt Lake City, Utah, June 2008 Data lineage model for Taverna workflows with lightweight annotation requirements Paolo Missier, Khalid Belhajjame,
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
0 PROGRAMMING IN HASKELL Chapter 10 - Declaring Types and Classes.
1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Compiler Principle and Technology Prof. Dongming LU Mar. 28th, 2014.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
Chess Review May 8, 2003 Berkeley, CA Classes and Inheritance in Actor- Oriented Models Stephen Neuendorffer Edward Lee UC Berkeley.
O M N O + D TECHNIQUES H L C E H + GAME-BASED FOR C L K Y I N G Adam Bakewell & Dan Ghica University of Birmingham.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Honors Compilers Semantic Analysis and Attribute Grammars Mar 5th 2002.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
Towards Game-Based Predicate Abstraction experiments in compositional model checking Adam Bakewell, University of Birmingham.
Semantic analysis Enforce context-dependent language rules that are not reflected in the BNF, e.g.a function must have a return statement. Decorate AST.
Adam bakewell university of birmingham. model checking for unsafety.
Misc. Announcements Assignment available end of the day today –Due back in 11/03 (after break) Will also update slides on website –Today Midterm next week.
Witness and Counterexample Li Tan Oct. 15, 2002.
Semantic analysis Enforce context-dependent language rules that are not reflected in the BNF, e.g.a function must have a return statement. Decorate AST.
Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England.
1 Combining verification and analysis. 2 CONCLUSIONS ON VERIFICATION  denotational abstract interpreters have the extra-value of being easily transformed.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Witness and Counterexample Li Tan Oct. 15, 2002.
Full abstraction * abstract-machine Compositional * black-box Game semantics.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
2.2 A Simple Syntax-Directed Translator Syntax-Directed Translation 2.4 Parsing 2.5 A Translator for Simple Expressions 2.6 Lexical Analysis.
ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.
Control Flow Deobfuscation via Abstract Interpretation © Rolf Rolles, 2010.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
KeyNote Presentation KeyNote. Vishwas Patil, TIFR.2/10 KeyNote: “?”  Aim:- A notation for specifying local security policies and security credentials.
Imperative Languages Section 5 Continued.... A Dynamically Typed Language Variable may take on values from different data types. Run­time type checking.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
1 A Simple Syntax-Directed Translator CS308 Compiler Theory.
The Alloy Analyzer June 14 th Alloy small modelling notation that can express a useful range of structural properties is easy to read and write.
Properties as Processes : FORTE slide Properties as Processes: their Specification and Verification Joel Kelso and George Milne School of Computer.
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
CS412/413 Introduction to Compilers Radu Rugina Lecture 11: Symbol Tables 13 Feb 02.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Formal Methods. What Are Formal Methods Formal methods refers to a variety of mathematical modeling techniques that are applicable to computer system.
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2)
© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 8: Static Analysis II Roman Manevich Ben-Gurion University.
Counterexample-Guided Abstraction Refinement By Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith Presented by Yunho Kim Provable Software.
LECTURE 10 Semantic Analysis. REVIEW So far, we’ve covered the following: Compilation methods: compilation vs. interpretation. The overall compilation.
String is a synonym for the type [Char].
Over-Approximating Boolean Programs with Unbounded Thread Creation
FP Foundations, Scheme In Text: Chapter 14.
Verified Subtyping with Traits and Mixins
PROGRAMMING IN HASKELL
An explicit state model checker
Verifying a compiler for a simple language with exceptions (MPC 04).
Introduction to verification
Spring 2016 Program Analysis and Verification Operational Semantics
BLAST: A Software Verification Tool for C programs
Presentation transcript:

game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of component built from sub-models  any component can be verified in isolation  huge programs could be verified by isolating difficult parts

game-based p.a. game models cannot avoid state explosion - would benefit from predicate abstraction! predicate abstraction most naturally treated as a model mutation - would benefit from syntax-direct and compositional explanation

contributions a game semantics of p.a. a verification tool for a large subset of C a predicate annotation approach that exploits the syntax-direct property a CEGAR verification algorithm that exploits the syntax-direct property

programming language: IA L C-like control structure if | ; | break | continue | goto | assert block structure state {nat x := M; N} | x := M expressions x | k | M(N 1,..,N n ) | let f(x 1,..,x n ) = M in N

battle of numbers bool goer := 0; nat pile := 10 * you()%10 + me()%10; f (if pile > 0 then {goer := 1; pile -= you()%9%pile}; if pile > 0 then {goer := 0; pile -= me()%9%pile}); if pile = 0 then winner := goer

wrestle of numbers bool goer := 0; nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if pile > 0 then {nat n := you()%9; goer := 1; pile -= n; assert(pile%9 = 9 - n); if pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

stateful game model – no p.a. model: M v = set of traces returning val v distinguish ab/normally terminating traces trace: start state, moves, end state state: map ids in environment to vals move: val position (in typing) | ) ( |

you()%9 d =  m%9=d q you,m you stateful game models you() m = q you,m you (for all m) ( | ( | | ) | ) n := you()%9 () =  d  m%9=d q you,m you ( | | ) ndnd

p.a. game model model: M e = set of traces returning expr e distinguish ab/normally terminating traces trace: start P-state, moves, end P-state P-state: set of (negated) P members move: expr position (in typing) {||}

if sat ( & ) p.a. game models you()%9 y%9 = q you,y you you() y = q you,y you n := you()%9 () = q you,y you y%9/n {| {| {| |} |} |}

wrestle game model goer=0 goer=1 q you,0 you,q f q f1,q you,n you () f1 () f q f1,() f1 q you,1 you,q f … () f1

wrestle p.a. model pile%9=0 pile%9!=9-ngoer=0 pile>0 pile%9!=0 pile%9=9-n pile>0 goer=1 q you,y you,q f q f1,q you,n you pile%9=0 pile%9!=9-n pile=0 goer=0 () f1 () f pile%9=0 pile%9!=9-n pile=0 goer=0 q f1,() f1 () f1

about this formulation + simple + stateful and p.a. variants similar + control semantics orthogonal to state semantics (control ignored in this talk!) – less compositional in spirit than some game semantics - environments are important - p.a. semantics difficult to handle otherwise

p.a. properties the p.a. model is decidable (finite-state) if p.a. model of M has no aborting traces then M is safe

syntactic predicate annotation we can trivially move predicate annotations from the model to the program this can be used to minimize the predicate state size

annotated wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

annotated p.a. model pile%9=0goer=0 pile%9!=0 pile%9=9-ngoer=1 q you,y you,q f q f1,q you,n you () f q f1,() f1 () f1 goer=0

game p.a. c.e.g.a.r. make each conditional a predicate –as tightly scoped as possible model check –safe => safe –unsafe => check trace feasibility widen scope of some letp if infeasible

c.e.g.a.r. wrestle bool goer := 0; nat pile := {nat n = you()%10; n* – n}; letp pile%9 = 0 in assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); letp goer = 0 in assert(goer = 0)

c.e.g.a.r. wrestle bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); letp goer = 0 in assert(goer = 0)

c.e.g.a.r. wrestle bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); letp goer = 0 in f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

c.e.g.a.r. wrestle bool goer := 0; letp goer = 0 in letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n* – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.