Program Analysis and Verification Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik Poll, Mooly Sagiv, Jean Souyris, Eran Tromer, Avishai Wool, Eran Yahav

universe Verification by over-approximation Under Approximation Exact set of configurations/ behaviors 2 Over Approximation

universe Program semantics Exact set of configurations/ behaviors 3

Program analysis & verification y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ? 4

What does P do? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ? 5

What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … syntax semantics 6

Program semantics State-transformer – Set-of-states transformer – Trace transformer Predicate-transformer Functions Cat-transformer 7

Program semantics & Verification 8

Agenda Operational semantics – Natural operational semantics – Structural operational semantics 9

What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … syntax semantics 10

“Standard” semantics y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … yx 11

“Standard” semantics (“state transformer”) y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … yx 12

“Standard” semantics (“state transformer”) y = ?; y=3, x=9 x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … yx 13

“Standard” semantics (“state transformer”) y = ?; y=3, x=9 x = y * 2y=3, x=6 if (x % 2 == 0) {y=3, x=6 y = 42;y=42, x=6 } else { y = 73;… foo();… } assert (y == 42); y=42, x=6 …-1,0,1, … yx 14

“State transformer” semantics initial states bad states reachable states y=3,x=9 y=3,x=6 15

“State transformer” semantics initial states bad states reachable states y=4,x=1 y=4,x=8 16

“State transformer” semantics initial states bad states reachable states y=4…,x=… 17

initial states bad states reachable states y=3,x=9 y=3,x=6 y=4,x=1 y=4,x=8 y=3,x=6 y=4,x=8 “State transformer” semantics Main idea: find (properties of) all reachable states* y=4…,x=… 18

“Standard” (collecting) semantics (“sets-of states-transformer”) y = ?; x = ?;{(y,x) | y,x ∈ Nat} x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); 19

“Standard” (collecting) semantics (“sets-of states-transformer”) y = ?; {(y=3, x=9),(y=4,x=1),(y=…, x=…)} x = y * 2 {(y=3, x=6),(y=4,x=8),(y=…, x=…)} if (x % 2 == 0) { {(y=3, x=6),(y=4,x=8),(y=…, x=…)} y = 42; {(y=42, x=6),(y=42,x=8),(y=42, x=…)} } else { y = 73; { } foo(); { } } assert (y == 42); {(y=42, x=6),(y=42,x=8),(y=42, x=…)} Yes 20

“Set-of-states transformer” semantics initial states bad states reachable states y=3,x=9 y=3,x=6 y=4,x=1 y=3,x=6 y=4,x=1 21

Program semantics State-transformer – Set-of-states transformer – Trace transformer Predicate-transformer Functions 22

Program semantics State-transformer – Set-of-states transformer – Trace transformer Predicate-transformer Functions Cat-transformer 23

“Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); T OE T yx T OE T (y=E,x=E)={(0,0), (0,2), (-4,10),…} 24

“Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2y=T, x=E if (x % 2 == 0) {y=T, x=E y = 42;y=T, x=E } else { y = 73;… foo();… } assert (y == 42); y=E, x=E Yes/?/No T OE T yx T OE T (y=E,x=E)={(0,0), (0,2), (-4,10),…} 25

“Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2y=T, x=E if (x % 2 == 0) {y=T, x=E y = 42;y=T, x=E } else { y = 73;… foo();… } assert (y == 42); y=E, x=E Yes/?/No T OE T yx T OE T (y=E,x=E)={(0,0), (0,2), (-4,10),…} 26

“Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2y=T, x=E if (x % 2 == 0) {y=T, x=E y = 42;y=E, x=E } else { y = 73;… foo();… } assert (y%2 == 0) y=E, x=E ? T OE T yx T OE T (y=E,x=E)={(0,0), (0,2), (-4,10),…} 27

reachable states “Abstract-state transformer” semantics initial states bad states 28

reachable states “Abstract-state transformer” semantics initial states bad states 29

reachable states “Abstract-state transformer” semantics initial states bad states 30

How do we say what P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … syntax semantics 31

Agenda Operational semantics – Natural operational semantics – Structural operational semantics 32

Programming Languages Syntax “how do I write a program?” – BNF – “Parsing” Semantics “What does my program mean?” – … 33

Program semantics State-transformer – Set-of-states transformer – Trace transformer Predicate-transformer Functions 34

Program semantics State-transformer – Set-of-states transformer – Trace transformer Predicate-transformer Functions 35

What semantics do we want? Captures the aspects of computations we care about – “adequate” Hides irrelevant details – “fully abstract” Compositional 36

What semantics do we want? Captures the aspects of computations we care about – “adequate” Hides irrelevant details – “fully abstract” Compositional

Formal semantics 38 “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc.” Semantics with Applications – a Formal IntroductionSemantics with Applications – a Formal Introduction (Page 1) Nielsen & Nielsen

Formal semantics 39 “This theory allows a program to be manipulated like a formula – that is to say, its properties can be calculated.” Gérard Huet & Philippe Flajolet homage to Gilles Kahn

Why formal semantics? Implementation-independent definition of a programming language Automatically generating interpreters – and some day maybe full fledged compilers Verification and debugging – if you don’t know what it does, how do you know its incorrect? 40

Why formal semantics? Implementation-independent definition of a programming language Automatically generating interpreters – and some day maybe full fledged compilers Verification and debugging – if you don’t know what it does, how do you know its incorrect? 41

Levels of abstractions and applications 42 Program Semantics Assembly-level Semantics (Small-step) Static Analysis (abstract semantics)  

Semantic description methods Operational semantics – Natural semantics (big step) [G. Kahn] – Structural semantics (small step) [G. Plotkin] Trace semantics Collecting semantics [Instrumented semantics] Denotational semantics [D. Scott, C. Strachy] Axiomatic semantics [C. A. R. Hoare, R. Floyd] 43

Operational Semantics

45

A simple imperative language: While Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 46

Concrete Syntax vs. Abstract Syntax 47 a y := x S a z y Sa x z S ; S ; S a x z S a y x S ; S ; S a z y S z:=x; x:=y; y:=z z:=x; (x:=y; y:=z)(z:=x; x:=y); y:=z

Exercise: draw an AST 48 SS ; S y:=1; while  (x=1) do (y:=y*x; x:=x-1)

Syntactic categories n  Numnumerals x  Varprogram variables a  Aexparithmetic expressions b  Bexpboolean expressions S  Stmstatements 49

Semantic categories Z Integers {0, 1, -1, 2, -2, …} T Truth values { ff, tt } State Var  Z Example state:s=[ x  5, y  7, z  0] Lookup: s x = 5 Update: s[ x  6] = [ x  6, y  7, z  0] 50

Example state manipulations [ x  1, y  7, z  16] y = [ x  1, y  7, z  16] t = [ x  1, y  7, z  16][ x  5] = [ x  1, y  7, z  16][ x  5] x = [ x  1, y  7, z  16][ x  5] y = 51

Semantics of arithmetic expressions Arithmetic expressions are side-effect free Semantic function A  Aexp  : State  Z Defined by induction on the syntax tree A  n  s = n A  x  s = s x A  a 1 + a 2  s = A  a 1  s + A  a 2  s A  a 1 - a 2  s = A  a 1  s - A  a 2  s A  a 1 * a 2  s = A  a 1  s  A  a 2  s A  (a 1 )  s = A  a 1  s --- not needed A  - a  s = 0 - A  a 1  s Compositional Properties can be proved by structural induction 52

Arithmetic expression exercise Suppose s x = 3 Evaluate A  x+1  s 53

Semantics of boolean expressions Boolean expressions are side-effect free Semantic function B  Bexp  : State  T Defined by induction on the syntax tree B  true  s = tt B  false  s = ff B  a 1 = a 2  s = B  a 1  a 2  s = B  b 1  b 2  s = B   b  s = 54

Operational semantics Concerned with how to execute programs – How statements modify state – Define transition relation between configurations Two flavors – Natural semantics: describes how the overall results of executions are obtained So-called “big-step” semantics – Structural operational semantics: describes how the individual steps of a computations take place So-called “small-step” semantics 55

Natural operating semantics (NS) 56

Natural operating semantics (NS) aka “Large-step semantics” 57  S, s   s’ all steps

Natural operating semantics Developed by Gilles Kahn [STACS 1987]STACS 1987 Configurations  S, s  Statement S is about to execute on state s sTerminal (final) state Transitions  S, s   s’Execution of S from s will terminate with the result state s’ – Ignores non-terminating computations 58

Natural operating semantics  defined by rules of the form The meaning of compound statements is defined using the meaning immediate constituent statements 59  S 1, s 1   s 1 ’, …,  S n, s n   s n ’  S, s   s’ if… premise conclusion side condition

Natural semantics for While 60  x := a, s   s[x  A  a  s] [ass ns ]  skip, s   s [skip ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ] axioms

Natural semantics for While 61  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]  while b do S, s   s if B  b  s = ff [while ff ns ] Non-compositional

Example Let s 0 be the state which assigns zero to all program variables 62  x:=x+1, s 0    skip, s 0   s 0 s 0 [x  1]  skip, s 0   s 0,  x:=x+1, s 0   s 0 [x  1]  skip ; x:=x+1, s 0   s 0 [x  1]  x:=x+1, s 0   s 0 [x  1]  if x=0 then x:=x+1 else skip, s 0   s 0 [x  1]

Derivation trees Using axioms and rules to derive a transition  S, s   s’ gives a derivation tree – Root:  S, s   s’ – Leaves: axioms – Internal nodes: conclusions of rules Immediate children: matching rule premises 63

Derivation tree example 1 Assumes 0 =[x  5, y  7, z  0] s 1 =[x  5, y  7, z  5] s 2 =[x  7, y  7, z  5] s 3 =[x  7, y  5, z  5] 64  ( z:=x; x:=y); y:=z, s 0   s 3  ( z:=x; x:=y), s 0   s 2  y:=z, s 2   s 3  z:=x, s 0   s 1  x:=y, s 1   s 2 [ass ns ] [comp ns ]

Derivation tree example 1 Assumes 0 =[x  5, y  7, z  0] s 1 =[x  5, y  7, z  5] s 2 =[x  7, y  7, z  5] s 3 =[x  7, y  5, z  5] 65  ( z:=x; x:=y); y:=z, s 0   s 3  ( z:=x; x:=y), s 0   s 2  y:=z, s 2   s 3  z:=x, s 0   s 1  x:=y, s 1   s 2 [ass ns ] [comp ns ]

Top-down evaluation via derivation trees Given a statement S and an input state s find an output state s’ such that  S, s   s’ Start with the root and repeatedly apply rules until the axioms are reached – Inspect different alternatives in order In While s’ and the derivation tree is unique 66

Top-down evaluation example Factorial program with s x = 2 Shorthand: W= while  (x=1) do (y:=y*x; x:=x-1) 67  y:=1; while  (x=1) do (y:=y*x; x:=x-1), s   s[y  2][x  1]  y:=1, s   s[y  1]  W, s[y  1]   s[y  2, x  1]  y:=y*x; x:=x-1, s[y  1]   s[y  2][x  1]  W, s[y  2][x  1]   s[y  2, x  1]  y:=y*x, s[y  1]   s[y  2]  x:=x-1, s[y  2]   s[y  2][x  1] [ass ns ] [comp ns ] [ass ns ] [comp ns ] [while ff ns ] [while tt ns ] [ass ns ]

Program termination Given a statement S and input s – S terminates on s if there exists a state s’ such that  S, s   s’ – S loops on s if there is no state s’ such that  S, s   s’ Given a statement S – S always terminates if for every input state s, S terminates on s – S always loops if for every input state s, S loops on s 68

Semantic equivalence S 1 and S 2 are semantically equivalent if for all s and s’  S 1, s   s’ if and only if  S 2, s   s’ Simple example while b do S is semantically equivalent to: if b then (S; while b do S) else skip – Read proof in pages

Properties of natural semantics Equivalence of program constructs – skip; skip is semantically equivalent to skip – ((S 1 ; S 2 ); S 3 ) is semantically equivalent to (S 1 ; (S 2 ; S 3 )) – (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40) 70

Equivalence of (S 1 ; S 2 ); S 3 and S 1 ; (S 2 ; S 3 ) 71

Equivalence of (S 1 ; S 2 ); S 3 and S 1 ; (S 2 ; S 3 ) 72  (S 1 ; S 2 ), s   s 12,  S 3, s 12   s’  (S 1 ; S 2 ); S 3, s   s’  S 1, s   s 1,  S 2, s 1   s 12  S 1, s   s 1,  (S 2 ; S 3 ), s 12   s’  (S 1 ; S 2 ); S 3, s   s’  S 2, s 1   s 12,  S 3, s 12   s’ Assume  (S 1 ; S 2 ); S 3, s   s’ then the following unique derivation tree exists: Using the rule applications above, we can construct the following derivation tree: And vice versa.

Deterministic semantics for While Theorem: for all statements S and states s 1, s 2 if  S, s   s 1 and  S, s   s 2 then s 1 =s 2 The proof uses induction on the shape of derivation trees (pages 29-30) – Prove that the property holds for all simple derivation trees by showing it holds for axioms – Prove that the property holds for all composite trees: For each rule assume that the property holds for its premises (induction hypothesis) and prove it holds for the conclusion of the rule 73 single node #nodes>1

The semantic function S ns The meaning of a statement S is defined as a partial function from State to State S ns : Stm  (State  State) Examples: S ns  skip  s = s S ns  x:=1  s = s [x  1] S ns  while true do skip  s = undefined 74 S ns  S  s = s’ if  S, s   s’ undefined otherwise

Structural operating semantics (SOS) 75

Structural operating semantics (SOS) aka “Small-step semantics” 76  S, s    S’, s’  first step

Structural operational semantics Developed by Gordon Plotkin Configurations:  has one of two forms:  S, s  Statement S is about to execute on state s sTerminal (final) state Transitions  S, s     =  S’, s’  Execution of S from s is not completed and remaining computation proceeds from intermediate configuration   = s’Execution of S from s has terminated and the final state is s’  S, s  is stuck if there is no  such that  S, s    77 first step

Structural semantics for While 78  x:=a, s   s[x  A  a  s] [ass sos ]  skip, s   s [skip sos ]  S 1, s    S 1 ’, s’   S 1 ; S 2, s    S 1 ’; S 2, s’  [comp 1 sos ]  if b then S 1 else S 2, s    S 1, s  if B  b  s = tt [if tt sos ]  if b then S 1 else S 2, s    S 2, s  if B  b  s = ff [if ff sos ]  S 1, s   s’  S 1 ; S 2, s    S 2, s’  [comp 2 sos ] When does this happen?

Structural semantics for While 79  while b do S, s    if b then S; while b do S ) else skip, s  [while sos ]

Derivation sequences A derivation sequence of a statement S starting in state s is either A finite sequence  0,  1,  2 …,  k such that 1.  0 =  S, s  2.  i   i+1 3.  k is either stuck configuration or a final state An infinite sequence  0,  1,  2, … such that 1.  0 =  S, s  2.  i   i+1 Notations: –  0  k  k  0 derives  k in k steps –  0  *   0 derives  in a finite number of steps For each step there is a corresponding derivation tree 80

Derivation sequence example Assume s 0 =[x  5, y  7, z  0] 81  (z:=x; x:=y); y:=z, s 0    x:=y; y:=z, s 0 [z  5]    y:=z, (s 0 [z  5])[x  7]   ((s 0 [z  5])[x  7])[y  5]  (z:=x; x:=y); y:=z, s 0    x:=y; y:=z, s 0 [z  5]   z:=x; x:=y, s 0    x:=y, s 0 [z  5]   z:=x, s 0   s 0 [z  5] Derivation tree for first step:

Evaluation via derivation sequences For any While statement S and state s it is always possible to find at least one derivation sequence from  S, s  – Apply axioms and rules forever or until a terminal or stuck configuration is reached Proposition: there are no stuck configurations in While 82

Factorial (n!) example Input state s such that s x = 3 y := 1; while  (x=1) do (y := y * x; x := x – 1) 83  y :=1 ; W, s    W, s[y  1]    if  (x =1) then ((y := y * x; x := x – 1); W else skip), s[y  1]    ((y := y * x; x := x – 1); W), s[y  1]    (x := x – 1; W), s[y  3]    W, s[y  3][x  2]    if  (x =1) then ((y := y * x; x := x – 1); W else skip), s[y  3][x  2]    ((y := y * x; x := x – 1); W), s[y  3] [x  2]    (x := x – 1; W), s[y  6] [x  2]    W, s[y  6][x  1]    if  (x =1) then ((y := y * x; x := x – 1); W else skip, s[y  6][x  1]    skip, s[y  6][x  1]   s[y  6][x  1]

Program termination Given a statement S and input s – S terminates on s if there exists a finite derivation sequence starting at  S, s  – S terminates successfully on s if there exists a finite derivation sequence starting at  S, s  leading to a final state – S loops on s if there exists an infinite derivation sequence starting at  S, s  84

Properties of structural operational semantics S 1 and S 2 are semantically equivalent if: – for all s and  which is either final or stuck,  S 1, s   *  if and only if  S 2, s   *  – for all s, there is an infinite derivation sequence starting at  S 1, s  if and only if there is an infinite derivation sequence starting at  S 2, s  Theorem: While is deterministic: – If  S, s   * s 1 and  S, s   * s 2 then s 1 =s 2 85

Sequential composition Lemma: If  S 1 ; S 2, s   k s’’ then there exists s’ and k=m+n such that  S 1, s   m s’ and  S 2, s’   n s’’ The proof (pages 37-38) uses induction on the length of derivation sequences – Prove that the property holds for all derivation sequences of length 0 – Prove that the property holds for all other derivation sequences: Show that the property holds for sequences of length k+1 using the fact it holds on all sequences of length k (induction hypothesis) 86

The semantic function S sos The meaning of a statement S is defined as a partial function from State to State S sos : Stm  (State  State) Examples: S sos  skip  s = s S sos  x:=1  s = s [x  1] S sos  while true do skip  s = undefined 87 S sos  S  s = s’ if  S, s   * s’ undefined else

An equivalence result For every statement in While S ns  S  = S sos  S  Proof in pages

Language Extensions abort statement (like C’s exit w/o return value) Non-determinism Parallelism Local Variables Procedures – Static Scope – Dynamic scope

While + abort Abstract syntax S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | abort Abort terminates the execution – In “skip; S” the statement S executes – In “abort; S” the statement S should never execute Natural semantics rules: …? Structural semantics rules: …? 90

Comparing semantics Structural semantics Natural semantics Statement abort abort; S skip; S while true do skip if x = 0 then abort else y := y / x 91 The natural semantics cannot distinguish between looping and abnormal termination ‒Unless we add a special error state In the structural operational semantics looping is reflected by infinite derivations and abnormal termination is reflected by stuck configuration Conclusions

While + non-determinism Abstract syntax S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | S 1 or S 2 Either S 1 is executed or S 2 is executed Example: x:=1 or (x:=2; x:=x+2) – Possible outcomes for x : 1 and 4 92

While + non-determinism: natural semantics  S 1, s   s’  S 1 or S 2, s   s’ [or 1 ns ]  S 2, s   s’  S 1 or S 2, s   s’ [or 2 ns ] 93

While + non-determinism: structural semantics ? [or 1 sos ] ? [or 2 sos ] 94

While + non-determinism What about the definitions of the semantic functions? – S ns  S 1 or S 2  s – S sos  S 1 or S 2  s 95

Comparing semantics Structural semantics Natural semantics Statement x:=1 or (x:=2; x:=x+2) (while true do skip) or (x:=2; x:=x+2) 96 In the natural semantics non-determinism will suppress non-termination (looping) if possible In the structural operational semantics non-determinism does not suppress non-terminating statements Conclusions

While + parallelism Abstract syntax S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | S 1  S 2 All the interleaving of S 1 and S 2 are executed Example: x:=1  (x:=2; x:=x+2) – Possible outcomes for x : 1, 3, 4 97

While + parallelism: structural semantics 98  S 1, s    S 1 ’, s’   S 1  S 2, s    S 1 ’  S 2, s’  [par 1 sos ]  S 1, s   s’  S 1  S 2, s    S 2, s’  [par 2 sos ]  S 2, s    S 2 ’, s’   S 1  S 2, s    S 1  S 2 ’, s’  [par 3 sos ]  S 2, s   s’  S 1  S 2, s    S 1, s’  [par 4 sos ]

While + parallelism: natural semantics 99 Challenge problem: Give a formal proof that this is in fact impossible. Idea: try to prove on a restricted version of While without loops/conditions

Example: derivation sequences of a parallel statement 100  x:=1  (x:=2; x:=x+2), s  

Conclusion In the structural operational semantics we concentrate on small steps so interleaving of computations can be easily expressed In the natural semantics immediate constituent is an atomic entity so we cannot express interleaving of computations 101

While + memory Abstract syntax S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | x := malloc( a ) | x := [ y ] | [ x ] := y 102 State : Var  Z State : Stack  Heap Stack : Var  Z Heap : Z  Z Integers as memory addresses

From states to traces

Trace semantics Low-level (conceptual) semantics Add program counter (pc) with states –  = State + pc The meaning of a program is a relation     Stm   Execution is a finite/infinite sequence of states A useful concept in defining static analysis as we will see later 104

Example 1: y := 1; while 2:  (x=1) do ( 3: y := y * x; 4: x := x - 1 ) 5: 105

Traces 106 1: y := 1; while 2:  (x=1) do ( 3: y := y * x; 4: x := x - 1 ) 5:  {x  2,y  3},1  [ y:=1 ]  {x  2,y  1},2  [  (x=1)]  {x  2,y  1},3  [y:=y*x]  {x  2,y  2},4  [x:=x-1]  {x  1,y  2},2  [  (x=1)]  {x  1,y  2},5   {x  3,y  3},1  [ y:=1 ]  {x  3,y  1},2  [  (x=1)]  {x  3,y  1},3  [y:=y*x]  {x  3,y  3},4  [x:=x-1]  {x  2,y  3},2  [  (x=1)]  {x  2,y  3},3  [y:=y*x]  {x  2,y  6},4  [x:=x-1]  {x  1,y  6},2  [  (x=1)]  {x  1,y  6},5  … Set of traces is infinite therefore trace semantics is incomputable in general

Operational semantics summary SOS is powerful enough to describe imperative programs – Can define the set of traces – Can represent program counter implicitly – Handle goto statements and other non-trivial control constructs (e.g., exceptions) Natural operational semantics is an abstraction Different semantics may be used to justify different behaviors Thinking in concrete semantics is essential for a analysis writer 107

The End