Presentation is loading. Please wait.

Presentation is loading. Please wait.

Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st."— Presentation transcript:

1 Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st order interpreted i  j  j  k  i  k

2 Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s y  FV(s) x := s ; y := t = x := s ; y := t[x/s] x  FV(s) x := s ; x := t = x := t[x/s] b[x/t] ; x := t = x := t ; b x := x = 1

3 Schematic KAT x := s ; y := t = y := t ; x := s x  FV(t), y  FV(s) b ; x := t = x := t ; b x  FV(b)

4 Relation to Hoare Assignment Rule b[x/t] ; x := t  x := t ; b is equivalent to {b[x/t]} x := t {b} b[x/t] ; x := t = x := t ; b is equivalent to the conjunction of {b[x/t]} x := t {b} {~b[x/t]} x := t {~b}

5 universal Horn logic p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q premises p i = q i −self-evident assumptions about local behavior −typically involve atomic instructions and tests conclusion p = q −equivalence of original program and optimized or annotated program use schematic and interpreted reasoning only to establish validity of premises – most reasoning done at the propositional level Reasoning with KAT

6 Compiler Optimizations [Kozen & Patron 00] dead code elimination common subexpression elimination copy propagation loop hoisting loop unrolling reducing nesting depth induction variable elimination instruction scheduling algebraic simplification elimination of redundant instructions array bounds check elimination introduction of sentinels

7 Typical Premises “two instructions that do not affect each other can be done in either order” load r 1,x ; load r 2,y = load r 2,y ; load r 1,x “after loading a value in a register, that register contains that value” load r 1,x = load r 1,x ; r 1 =xp = pb “no need to load a value if the register already contains that value” r 1 =x ; load r 1,x = r 1 =xbp = b

8 Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

9 Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

10 This is of the form w(cupv)*c p = load r,x b = r=x load r,x = load r,x ; r=x p = pb b p p r=x ; load r,x = r=xbp = b b p b ub = bu vb = bv

11 p = pb  bp = b  ub = bu  vb = bv  w(cupv)*c = w(cupv(cubv)*c + c) Suffices to show p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1

12 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= (cupv)*

13 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cupv)* + 1

14 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupv)* + 1

15 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupbv)* + 1

16 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcupb)*v + 1

17 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcup)*bv + 1

18 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcup)*bv + 1

19 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbup)*bv + 1

20 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcubp)*bv + 1

21 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcub)*bv + 1

22 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbu)*bv + 1

23 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcu)*bv + 1

24 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcu)*bv + 1

25 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcub)*v + 1

26 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cubv)* + 1

27 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cubv)* + 1

28 Loop Unrolling while b do {while b do { p; p; } if b then p; } (bp)*b = (bp(bp + b))*b Key lemma q* = (q n )*(1 + q) n-1

29 Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

30 Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

31 Array Bounds Check Elimination a =0  i b =i < x.length c =ab i is in bounds We have to prove u(bp(cq + cs)v)*b = u(bpqv)*b Introduce a using u = ua, show a and b (and therefore c) hold where needed to eliminate the array bounds check

32 LU Decomposition with Pivoting [Mateev, Menon, Pingali 01] Restructuring of matrix operations to take advantage of locality Def/use analysis fails: transformations break def/use dependencies MMP develop a new technique, fractal symbolic analysis

33 y = x;x = 2*x;y = 2*y; x = 2*x;y = x;

34 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x; x = 2*x; x := s ; x := t = x := t[x/s]

35 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; x := t = x := t[x/s]

36 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; y := t = y := t[x/s] ; x := s y  FV(s)

37 for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update } for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update }

38 for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); }

39 k < i < j  update(i,k);swap(i,j); update(j,k);=update(i,k); swap(i,j);update(j,k);

40 k > j  swap(k,k+1); for (i = j+1; i < n; i++) { update(i,j); } = for (i = j+1; i < n; i++) { update(i,j); } swap(k,k+1); Key Lemma pq = qp  pq* = q*p

41 for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); } Key Lemma pq = qp  p*q* = (pq)*(p* + q*)

42 start y1 := x y4 := f(y1) y1 := f(y1) y2 := g(y1,y4) y3 := g(y1,y1) P(y1) y1 := f(y3) P(y4) P(y2) y2 := f(y2)P(y3) z := y2 halt T T T T F F F F start y := f(x) loop P(y) y := g(y,y) P(y) y2 := f(f(y)) z := y halt T T F F  Scheme Equivalence Example of Paterson from [Manna 74]

43 x 1 p 41 p 11 q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 ((a 4 +a 4 (a 2 p 22 )*a 2 a 3 p 41 p 11 ) q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 )* a 4 (a 2 p 22 )*a 2 a 3 z 2 z  saq(araq)*az x1x1 p 41 p 11 q 214 q 311 a1a1 p 13 a4a4 a2a2 a3a3 z2z2 p 22 a1a1 a4a4 a2a2 a3a3 s q a r z a a  Kleene’s Theorem

44 Static Analysis Derivation of information about the execution state at various points in a program at compile time or load time, prior to execution Approaches –type inference –dataflow analysis –abstract interpretation –set constraints Applications –code optimization –verification

45 Software Model Checking with SLAM Thomas Ball Testing, Verification and Measurement Sriram K. Rajamani Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/

46 State Machine for Locking UnlockedLocked Error Rel Acq Rel state { enum {Locked,Unlocked} s = Unlocked; } KeAcquireSpinLock.entry { if (s==Locked) abort; else s = Locked; } KeReleaseSpinLock.entry { if (s==Unlocked) abort; else s = Unlocked; } Locking Rule in SLIC

47 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Does this code obey the locking rule?

48 do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

49 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

50 do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

51 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

52 Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

53 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if (request) { request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

54 do { kA; n; if (R) { u; kR; m; } } while (~B); kR;

55 do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR;

56 do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR; kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR

57 Preconditions for safe execution operationprecondition kA (acquire) ~A (unlocked) kR (release) A (locked) Global precondition: initially unlocked Original program ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR Annotated program ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

58 kA = kA;A- acquiring the lock acquires it kR = kR;~A- releasing the lock releases it B;m = B;m;~B- if two integer variables are equal and we increment one, then they are no longer equal n = n;B- setting one variable equal to another makes them equal A;n = n;A- commutativity conditions A;u = u;A A;m = m;A B;u = u;B B;kR = kR;B

59 kA = kA;A  kR = kR;~A  B;m = B;m;~B  n = n;B  A;n = n;A  A;u = u;A  A;m = m;A  B;u = u;B  B;kR = kR;B  ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR = ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

60 Security Automata [Schneider 98] general mechanism for specification and runtime enforcement of safety policies policy is specified by a finite automaton M code is instrumented to call M before all critical operations (ones that could change state of M ) M aborts the computation if the operation causes a transition to an error state can handle all safety properties read send read error start

61 Example no send after read read send read error code is instrumented to call M before each read and send instruction purely a runtime mechanism start

62 Security Automata and KAT Use KAT to do static analysis to eliminate unnecessary calls to M assertion U for each state of M premises A M : UV = 0 for U ≠ V Up  pV for each atomic transition U  V Up  pU if p is noncritical start state S, error states E p

63 Prefixes Pre(r) = an expression representing prefixes of computations of r. Defined inductively: Pre(p) = 1 + pp an atomic action Pre(b) = 1b a test Pre(pq) = Pre(p) + p;Pre(q) Pre(p + q) = Pre(p) + Pre(q) Pre(p*) = p*;Pre(p) This is a closure operator in the sense that Pre(Pre(p)) = Pre(p) is a theorem of KAT

64 Eliminating Runtime Checks Soundness Theorem Let D be any set of premises over P, B, and let r be any program over P, B. If D  A M  S·Pre(r)  (~E·ΣP)*·~E is a theorem of KAT, then r is safe with respect to M in any Kripke frame whose trace algebra satisfies D. Completeness Theorem The converse holds as well, provided D is finite and all elements of D are of the form p = 0.

65 2nd-Order Abstract Interpretation Let L be an upper semilattice such that all ascending chains are finite (ACC). Elements are called types or abstract values. Associated with each atomic action p is a strict, partial, finitely additive map f p : L  L called its transfer function. Take premises Xp  p f p (X) and propagate information as before (ACC needed for *).

66 Types or Abstract Values Represent sets of values –statically derivable –conservative approximation Form a partial semilattice –higher = less specific –join does not exist = type error

67 Example: Java Bytecode Object Array [ ] IntegerContinuations Array [ ][ ] … Interface implements Useless Null Java class hierarchy int, short, byte, boolean, char

68 Example: Java Bytecode local variable array operand stack thisp0p0 p1p1 p2p2 parameters other locals maxLocals maxStack = reference type = integer = continuation String Hash- table Object String- Buffer User- Class int[ ] = useless

69 Example of a Transfer Function 01234567 locals stack 01234567 locals stack iload 3 Preconditions for safe execution: local 3 is an integer stack is not full Effect: push integer in local 3 on stack

70 Work in Progress Second-order abstract interpretation [Kot] Equational theory of arrays [Aboul-Hosn] KAT-ML [Aboul-Hosn]

Download ppt "Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Representation of Kleene Algebra with Tests Dexter Kozen Cornell University.

Representation of Kleene Algebra with Tests Dexter Kozen Cornell University.
Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research

Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research

Similar presentations

Ads by Google