Kleene Algebra with Tests (Part 2: Applications) Dexter Kozen Cornell University Workshop on Logic & Computation Nelson, NZ, January 2004

These Lectures 1.Tutorial on KA and KAT model theory complexity, deductive completeness relation to Hoare logic 2.Practical applications compiler optimization scheme equivalence static analysis 3.Theoretical applications automata on guarded strings & BDDs algebraic version of Parikh’s theorem representation dynamic model theory

Kleene Algebra (KA) idempotent semiring under +, ·, 0, 1 (p + q) + r = p + (q + r) (pq)r = p(qr) p + q = q + pp1 = 1p = p p + p = pp0 = 0p = 0 p + 0 = p p(q + r) = pq + pr (p + q)r = pr + qr linear inequalities have unique least solutions p*q = least x such that q + px  x qp* = least x such that q + xp  x def x  y  x + y = y

(K, B, +, ·, *, ¯, 0, 1) (K, +, ·, *, 0, 1) is a Kleene algebra (B, +, ·, ¯, 0, 1) is a Boolean algebra B  K p,q,r,  range over K a,b,c,  range over B Kleene Algebra with Tests (KAT)

Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s y  FV(s) x := s ; y := t = x := s ; y := t[x/s] x  FV(s) x := s ; x := t = x := t[x/s] b[x/t] ; x := t = x := t ; b x := x = 1

Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st order interpreted i  j  j  k  i  k

universal Horn logic p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q premises p i = q i −self-evident assumptions about local behavior −typically involve atomic instructions and tests conclusion p = q −equivalence of original program and optimized or annotated program use schematic and interpreted reasoning only to establish validity of premises – most reasoning done at the propositional level Reasoning with KAT

Compiler Optimizations [Kozen & Patron 00] dead code elimination common subexpression elimination copy propagation loop hoisting loop unrolling reducing nesting depth induction variable elimination instruction scheduling algebraic simplification elimination of redundant instructions array bounds check elimination introduction of sentinels

Typical Premises “two instructions that do not affect each other can be done in either order” load r 1,x ; load r 2,y = load r 2,y ; load r 1,x “after loading a value in a register, that register contains that value” load r 1,x = load r 1,x ; r 1 =xp = pb “no need to load a value if the register already contains that value” r 1 =x ; load r 1,x = r 1 =xbp = b

Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

This is of the form w(cupv)*c p = load r,x b = r=x load r,x = load r,x ; r=x p = pb b p p r=x ; load r,x = r=xbp = b b p b ub = bu vb = bv

p = pb  bp = b  ub = bu  vb = bv  w(cupv)*c = w(cupv(cubv)*c + c) Suffices to show p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= (cupv)*

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cupv)* + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupv)* + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupbv)* + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcupb)*v + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcup)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcup)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbup)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcubp)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcub)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbu)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcu)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcu)*bv + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcub)*v + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cubv)* + 1

p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cubv)* + 1

Loop Unrolling while b do {while b do { p; p; } if b then p; } (bp)*b = (bp(bp + b))*b Key lemma q* = (q n )*(1 + q) n-1

Loop Denesting while b do {if b then { p;p; while c do q;while b  c do }if c then q else p; } (bp(cq)*c)*b = bp((b+c)(cq+cp))*(b+c) + b Key lemma (p*q)*p* = (p + q)*

Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

Array Bounds Check Elimination a =0  i b =i < x.length c =ab i is in bounds We have to prove u(bp(cq + cs)v)*b = u(bpqv)*b Introduce a using u = ua, show a and b (and therefore c) hold where needed to eliminate the array bounds check

LU Decomposition with Pivoting [Mateev, Menon, Pingali 01] Restructuring of matrix operations to take advantage of locality Def/use analysis fails: transformations break def/use dependencies MMP develop a new technique, fractal symbolic analysis

y = x;x = 2*x;y = 2*y; x = 2*x;y = x;

Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s y  FV(s) x := s ; y := t = x := s ; y := t[x/s] x  FV(s) x := s ; x := t = x := t[x/s] b[x/t] ; x := t = x := t ; b x := x = 1

y = x;x = 2*x;y = 2*y; x = 2*x;y = x;

y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x; x = 2*x; x := s ; x := t = x := t[x/s]

y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; x := t = x := t[x/s]

y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; y := t = y := t[x/s] ; x := s y  FV(s)

for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update } for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update }

for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); }

k < i < j  update(i,k);swap(i,j); update(j,k);=update(i,k); swap(i,j);update(j,k);

k > j  swap(k,k+1); for (i = j+1; i < n; i++) { update(i,j); } = for (i = j+1; i < n; i++) { update(i,j); } swap(k,k+1); Key Lemma pq = qp  pq* = q*p

for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); } Key Lemma pq = qp  p*q* = (pq)*(p* + q*)

The Dead Variable Paradox Two ways to show x := 1 ; x := 1 = x := 1

The Dead Variable Paradox Method 1 d = “x is a dead variable” p = “x := 1” p = dp x is dead immediately before it is assigned pd = d an assignment to a dead variable is redundant To show pp = p: pp = pdp = dp = p

The Dead Variable Paradox Method 2 c = “x = 1” p = “x := 1” p = pc x has value 1 immediately after the assignment cp = c it’s pointless to assign to x a value it already has To show pp = p: pp = pcp = pc = p

The Dead Variable Paradox c = “x = 1” d = “x is a dead variable” p = “x := 1” p = dp x is dead immediately before it is assigned pd = d an assignment to a dead variable is redundant p = pc x has value 1 immediately after the assignment cp = c it’s pointless to assign a value to x it already has pp = pcdp = pdcp = dc x := 1 ; x := 1 = x is dead ; x = 1 ???

The Dead Variable Paradox Solution “x is a dead variable” is not a property of the local state use u = “make x undefined” = “x :=  ” instead x := 0 ; x :=  = x :=  x :=  ; x := 0 = x := 0

start y1 := x y4 := f(y1) y1 := f(y1) y2 := g(y1,y4) y3 := g(y1,y1) P(y1) y1 := f(y3) P(y4) P(y2) y2 := f(y2)P(y3) z := y2 halt T T T T F F F F start y := f(x) loop P(y) y := g(y,y) P(y) y2 := f(f(y)) z := y halt T T F F  Scheme Equivalence Example of Paterson from [Manna 74]

x 1 p 41 p 11 q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 ((a 4 +a 4 (a 2 p 22 )*a 2 a 3 p 41 p 11 ) q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 )* a 4 (a 2 p 22 )*a 2 a 3 z 2 z  saq(araq)*az x1x1 p 41 p 11 q 214 q 311 a1a1 p 13 a4a4 a2a2 a3a3 z2z2 p 22 a1a1 a4a4 a2a2 a3a3 s q a r z a a  Kleene’s Theorem

Static Analysis Derivation of information about the execution state at various points in a program at compile time or load time, prior to execution Approaches –type inference –dataflow analysis –abstract interpretation –set constraints Applications –code optimization –verification

Software Model Checking with SLAM Thomas Ball Testing, Verification and Measurement Sriram K. Rajamani Software Productivity Tools Microsoft Research

State Machine for Locking UnlockedLocked Error Rel Acq Rel state { enum {Locked,Unlocked} s = Unlocked; } KeAcquireSpinLock.entry { if (s==Locked) abort; else s = Locked; } KeReleaseSpinLock.entry { if (s==Unlocked) abort; else s = Unlocked; } Locking Rule in SLIC

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Does this code obey the locking rule?

do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if (request) { request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

do { kA; n; if (R) { u; kR; m; } } while (~B); kR;

do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR;

do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR; kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR

Preconditions for safe execution operationprecondition kA (acquire) ~A (unlocked) kR (release) A (locked) Global precondition: initially unlocked Original program ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR Annotated program ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

kA = kA;A- acquiring the lock acquires it kR = kR;~A- releasing the lock releases it B;m = B;m;~B- if two integer variables are equal and we increment one, then they are no longer equal n = n;B- setting one variable equal to another makes them equal A;n = n;A- commutativity conditions A;u = u;A A;m = m;A B;u = u;B B;kR = kR;B

kA = kA;A  kR = kR;~A  B;m = B;m;~B  n = n;B  A;n = n;A  A;u = u;A  A;m = m;A  B;u = u;B  B;kR = kR;B  ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR = ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

Security Automata [Schneider 98] general mechanism for specification and runtime enforcement of safety policies policy is specified by a finite automaton M code is instrumented to call M before all critical operations (ones that could change state of M ) M aborts the computation if the operation causes a transition to an error state can handle all safety properties read send read error start

Example no send after read read send read error code is instrumented to call M before each read and send instruction purely a runtime mechanism start

Security Automata and KAT Use KAT to do static analysis to eliminate unnecessary calls to M assertion U for each state of M premises A M : UV = 0 for U ≠ V Up  pV for each atomic transition U  V Up  pU if p is noncritical start state S, error states E p

Prefixes Pre(r) = an expression representing prefixes of computations of r. Defined inductively: Pre(p) = 1 + pp an atomic action Pre(b) = 1b a test Pre(pq) = Pre(p) + p;Pre(q) Pre(p + q) = Pre(p) + Pre(q) Pre(p*) = p*;Pre(p) This is a closure operator in the sense that Pre(Pre(p)) = Pre(p) is a theorem of KAT

Eliminating Runtime Checks Soundness Theorem Let D be any set of premises over P, B, and let r be any program over P, B. If D  A M  S·Pre(r)  ~E(ΣP)*~E is a theorem of KAT, then r is safe with respect to M in any Kripke frame whose trace algebra satisfies D. Completeness Theorem The converse holds as well, provided D is finite and all elements of D are of the form p = 0.

More Generally... Let L be an upper semilattice such that all ascending chains are finite (ACC). Elements are called types or abstract values. Associated with each atomic action p is a strict, partial, finitely additive map f p : L  L called its transfer function. Take premises Xp  p f p (X) and propagate information as before (ACC needed for *). Safe p = dom f p.

Types or Abstract Values Represent sets of values –statically derivable –conservative approximation Form a partial semilattice –higher = less specific –join does not exist = type error

Example: Java Bytecode Object Array [ ] IntegerContinuations Array [ ][ ] … Interface implements Useless Null Java class hierarchy int, short, byte, boolean, char

Example: Java Bytecode local variable array operand stack thisp0p0 p1p1 p2p2 parameters other locals maxLocals maxStack = reference type = integer = continuation String Hash- table Object String- Buffer User- Class int[ ] = useless

Example of a Transfer Function locals stack locals stack iload 3 Preconditions for safe execution: local 3 is an integer stack is not full Effect: push integer in local 3 on stack

Demo of KAT-ML KAT-ML is an interactive theorem prover for Kleene algebra with tests written in standard ML. Versions for a variety of platforms are available from