Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

Published byTrever Crosland Modified over 10 years ago

Similar presentations

Presentation on theme: "1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint."— Presentation transcript:

1 1 How to transform an analyzer into a verifier

2 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint induction how to realize a verifier, once you have a "suitable" static analyzer (abstract interpreter) expe riments using existing analyzers for type domains functional programming à la ML our implementation of a type abstract interpreter in Cousot, POPL 1997 logic programming Codish & Lagoon, TCS 2000

3 3 THE VERIFICATION METHOD: abstract interpretation a semantic evaluation function F P on a concrete domain (C,  ) the least fixpoint lfp F P is the concrete semantics of program P the class of properties we want to verify is formalized as an abstract domain (A,  ) (C,  ) and (A,  ) are related by a Galois connection ( ,  ) the abstract semantic evaluation function F  P is systematically derived from F P,  and 

4 4 THE VERIFICATION METHOD: abstract semantics and static analysis the abstract semantics lfp F  P is a safe approximation by construction if the property is verified in lfp F  P it is also verified in lfp F P static analysis (abstract interpreter) = computation of the abstract semantics lfp F  P effective only if the least fixpoint is reached in finitely many iterations either the abstract domain is Noetherian or we use widening operators

5 5 THE VERIFICATION METHOD: partial correctness condition 1 an element S of the domain (A,  ) is the specification abstraction of the intended concrete semantics partial correctness of P wrt S  (lfp F P )  S not effective since the concrete fixpoint semantics has to computed sufficient condition 1 for any correct abstract semantic evaluation function F  P lfp F  P  S (1) an abstract fixpoint computation is still needed

6 6 THE VERIFICATION METHOD: partial correctness condition 2 an element S of the domain (A,  ) is the specification abstraction of the intended concrete semantics partial correctness of P wrt S  (lfp F P )  S not effective since the concrete fixpoint semantics has to computed sufficient condition 2 (by fixpoint theorems, abstract version of Park’s induction, for any correct abstract semantic evaluation function F  P ) F  P (S)  S (2) no fixpoint computation

7 7 PARTIAL CORRECTNESS CONDITIONS specification S element of (A,  ) sufficient condition 1 lfp F  P  S (1) effective only if (A,  ) is Noetherian or by using widenings stronger than 2 only when widenings are not needed sufficient condition 2 F  P (S)  S (2) more efficient (no abstract fixpoint computation) effective even if (A,  ) is non-Noetherian  must be decidable the specification S must have a finite representation

8 8 CAN WE USE AN EXISTING STATIC ANALYZER FOR VERIFICATION? condition 1 lfp F  P  S (1) straightforward! use the analyzer to compute the abstract semantics condition 2 F  P (S)  S (2) the analyzer must be defined in a denotational style and give access to the function F  P

9 9 2 EXAMPLES our type inference abstract interpreter for functional programs à la ML the let-polymorphic version a type analyzer for logic programs (by Codish & Lagoon) available from a web site

10 10 The functional language: syntax type ide = Id of string type exp = | Eint of int | Var of ide | Sum of exp * exp | Diff of exp * exp | Ifthenelse of exp * exp * exp | Fun of ide * exp | Rec of ide * exp | Appl of exp * exp | Let of ide * exp * exp | Letrec of ide * exp * exp

11 11 The abstract domain of parametric polytypes type evalt = Notype | Vvar of string | Intero | Mkarrow of evalt * evalt type tscheme = Forall of (string list) * evalt type eval = tscheme * (evalt * evalt) list

12 12 The meaning of F  ( S  )  S   in a language with constructs which create a global environment (typically containing functions), S  is an abstract environment associating to each global name its specification the new expression is evaluated in such an environment assuming that all the global values satisfy their specification using the specification rather than the semantics for the global objects small, modular proofs, which allow us to locate possible bugs  in our language we have closed expressions only F  ( S  ) is exactly the same as F  for all the syntactic constructs, apart from recursive function definition, where S  (when available, top level) has to be used as first approximation of their abstract value

13 13 HOW TO USE THE STATIC ANALYZER FOR TYPE VERIFICATION typeinferd: decl  env  int  env was called sem1 in the lecture on type inference compositional verification of a single declaration specification S an abstract environment specifying the intended types of global names names defined in the declaration it is finite  is the extension to environments of the partial order relation on types

14 14 HOW TO USE THE STATIC ANALYZER FOR SUFFICIENT CONDITION 1 typeinferd: decl  env  int  env S type environment sufficient condition 1 lfp F  P  S (1) infercheck (d:decl) (S:env) (n:int) = (typeinferd d S n)  S verification = inference + comparison

15 15 HOW TO USE THE STATIC ANALYZER FOR SUFFICIENT CONDITION 2 typeinferd: decl  env  int  env S type environment sufficient condition 2 F  P (S)  S (2) different for recursive functions only rather than computing (an approximation of) the fixpoint, we evaluate the function expression (once) in the specification we handle recursive functions as standard functions check (d:decl) (S:env) (n:int) = match d with |let id = e -> (typeinferd d S n)  S |let rec id = e -> (typeinferd (let id = e) S n)  S

16 16 HOW TO USE THE STATIC ANALYZER FOR SUFFICIENT CONDITION 2 typeinferd: decl  env  int  env S type environment sufficient condition 2 F  P (S)  S (2) check (d:decl) (S:env) (n:int) = match d with |let id = e -> (typeinferd d S n)  S |let rec id = e -> (typeinferd (let id = e) S n)  S l mutual recursion is not shown l the widening control parameter is used for approximating fixpoints corresponding to recursive functions occurring within e

17 17 Why checking F  ( S  )  S  rather than lfp F   S  ? why computing F  ( S  ) rather than lfp F  ? no fixpoint computation more efficient possible even with non-noetherian domains modular proofs in which the proof of a component uses the specification rather than the semantics of the other components

18 18 TYPE VERIFICATION EXAMPLES 1 § compositionality # check ``let fact = pi id 1'' [pi int) -> int -> int -> int; id 'a; fact int] 1;; - : bool = true § condition 2 can be better than 1 (widening) # check ``let rec f f1 g n x = if n=0 then g(x) else f(f1)(function x -> (function h -> g(h(x)))) (n-1) x f1'' [f 'a) -> ('a -> 'b) -> int -> 'a -> 'b] 1;; - : bool = true # infercheck ``let rec f f1 g n x = if n=0 then g(x) else f(f1)(function x -> (function h -> g(h(x)))) (n-1) x f1'' [f 'a) -> ('a -> 'b) -> int -> 'a -> 'b] 1;; - : bool = false

19 19 TYPE VERIFICATION EXAMPLES 2 let polymorphism  # check  ``let g = id id''  [ id 'a; g 'b ]  1;;  - : bool = true mutual recursion § # check § ``let rec ap f x y n = if n=0 then y else ap f x (f x y) (n-1) and times x n = ap (function z -> function w -> z + w) x 0 n’’ § [ap 'b -> 'b) -> 'a -> 'b -> int -> 'b; § times int -> int] § 1;; § - : bool = true

20 20 TYPE VERIFICATION EXAMPLES 3 incompleteness # check ``let rec f f1 g n x = if n=0 then g(x) else f(f1)(function x -> (function h -> g(h(x)))) (n-1) x f1'' [f int) -> (int -> int) -> int -> int -> int] 1;; - : bool = false # infercheck ``let rec f f1 g n x = if n=0 then g(x) else f(f1)(function x -> (function h -> g(h(x)))) (n-1) x f1'' [f int) -> (int -> int) -> int -> int -> int] 2;; -: bool = true the specification is not satisfied # check ``let rec f f1 g n x = if n=0 then g(x) else f(f1)(function x -> (function h -> g(h(x)))) (n-1) x f1'' [f 'c) -> ('a -> 'b) -> int -> 'a -> 'b] 1;; -: bool = false

Download ppt "1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
1 A simple abstract interpreter to compute Sign s.

1 A simple abstract interpreter to compute Sign s.
1 Some abstract interpreters for type inference. 2 Types as abstract interpretations §inspired by a paper of Cousot (POPL ‘97), which l derives several.

1 Some abstract interpreters for type inference. 2 Types as abstract interpretations §inspired by a paper of Cousot (POPL ‘97), which l derives several.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
CMSC 330: Organization of Programming Languages Tuples, Types, Conditionals and Recursion or “How many different OCaml topics can we cover in a single.

CMSC 330: Organization of Programming Languages Tuples, Types, Conditionals and Recursion or “How many different OCaml topics can we cover in a single.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.

1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
© M. Winter COSC 4P41 – Functional Programming 10. 1 Testing vs Proving Testing –uses a set of “typical” examples, –symbolic testing, –may find errors,

© M. Winter COSC 4P41 – Functional Programming Testing vs Proving Testing –uses a set of “typical” examples, –symbolic testing, –may find errors,
8. Introduction to Denotational Semantics. © O. Nierstrasz PS — Denotational Semantics 8.2 Roadmap Overview:  Syntax and Semantics  Semantics of Expressions.

8. Introduction to Denotational Semantics. © O. Nierstrasz PS — Denotational Semantics 8.2 Roadmap Overview:  Syntax and Semantics  Semantics of Expressions.
1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.

1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.
Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.

Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.
ML: a quasi-functional language with strong typing Conventional syntax: - val x = 5; (*user input *) val x = 5: int (*system response*) - fun len lis =

ML: a quasi-functional language with strong typing Conventional syntax: - val x = 5; (*user input *) val x = 5: int (*system response*) - fun len lis =

Similar presentations

Ads by Google