Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University.

Published byMaximilian Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University."— Presentation transcript:

1 Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University

2 Syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Control Flow Graphs Equation Systems Collecting Semantics Abstract Interpretation fundamentals Lattices Galois Connections Fixed-Points Widening/ Narrowing Domain constructors Interprocedural Analysis Analysis Techniques Numerical Domains CEGARAlias analysis Shape Analysis Crafting your own Soot From proofs to abstractions Systematically developing transformers 2

3 Previously Axiomatic verification Weakest precondition calculus Strongest postcondition calculus Total correctness 3

4 Axiomatic semantics for While 4 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q

5 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is  ’  sp(P, C) if and only if there exists  such that   P and  C,    ’ Propositions: 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 5

6 Calculating sp 1.sp( skip, P) = P 2.sp( x := a, P) =  v. x=a[v/x]  P[v/x] 3.sp(S 1 ; S 2, P) = sp(S 2, sp(S 1, P)) 4.sp( if b then S 1 else S 2, P) = sp(S 1, b  P)  sp(S 2,  b  P) 5.sp( while b do {  } S, P) =    b where {b   } S {  } and P   b   6

7 Today Static analysis for compiler optimization – Common Subexpression Elimination – Available Expression domain Develop a static analysis for Simple Available Expressions 7

8 Array-max example: Post 3 8 nums : array { N  0  0  m res then { nums(x)>oRes  res=oRes  x=k  0  m oRes  x=k  0  m<k  nums(m)  oRes } { x=k  0  m  k  nums(m)  res } { (x=k  0  m  k  nums(m)  res)  (ores  nums(x)  res=oRes  x=k  res=oRes  0  m<k  nums(m)  oRes)} { x=k  0  m  k  nums(m)  res } x := x + 1 { x=k+1  0  m  k  nums(m)  res } { 0  m<x  nums(m)  res } { x=N  0  m<x  nums(m)  res} [univ p ] {  m. 0  m<N  nums(m)  res }

9 Can we find this proof automatically? 9 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k<N } { x  N  x  N } { x=N } Observation: predicates in proof have the general form  constraint where constraint has the form X - Y  c or  X  c

10 10 Look under the street lamp By Infopablo00 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons …We may move lamp a bit

11 Zone Abstract Domain Developed by Antoine Mine in his Ph.D. thesis Uses constraints of the form X - Y  c and  X  c 11

12 Analysis with Zone abstract domain 12 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { N  0  x=0 } Inv = { N  0  0  x  N } while x res then { N  0  0  x<N } res := nums[x] { N  0  0  x<N } { N  0  0  x<N } x := x + 1 { N  0  0<x<N } {N  0  0  x  x=N } nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k<N } { x  N  x  N } { x=N } Static Analysis with Zone AbstractionManual Proof

13 Static analysis for compiler optimizations 13

14 Motivating problem: optimization A compiler optimization is defined by a program transformation: T : Stmt  Stmt The transformation is semantics-preserving:  s  . S sos  C  s = S sos  T(C)  s The transformation is applied to the program only if an enabling condition is met We use static analysis for inferring enabling conditions 14

15 Common Subexpression Elimination If we have two variable assignments x := a op b … y := a op b and the values of x, a, and b have not changed between the assignments, rewrite the code as x = a op b … y := x Eliminates useless recalculation Paves the way for more optimizations (e.g., dead code elimination) 15 op  {+, -, *, ==, <=}

16 What do we need to prove? 16 { true } C 1 x := a op b C 2 { x = a op b } y := a op b C 3 { true } C 1 x := a op b C 2 { x = a op b } y := x C 3 CSE Assertion localizes decision

17 A simplified problem 17 { true } C 1 x := a + b C 2 { x = a + b } y := a + b C 3 { true } C 1 x := a + b C 2 { x = a + b } y := x C 3 CSE

18 Available Expressions analysis A static analysis that infers for every program point a set of facts of the form AV = { x = y | x, y  Var }  { x = op y | x, y  Var, op  {-, !} }  { x = y op z | y, z  Var, op  {+, -, *, <=} } For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n 3 ) Yields a trivial algorithm … – Is it efficient? 18

19 Simple Available Expressions Define atomic facts (for SAV) as  = { x = y | x, y  Var }  { x = y + z | x, y, z  Var } – For n=|Var| number of atomic facts is O(n 3 ) Define sav-predicates as  = 2  19

20 Notation for conjunctive sets of facts For a set of atomic facts D  , we define Conj(D) =  D – E.g., if D={a=b, c=b+d, b=c} then Conj(D) = (a=b)  (c=b+d)  (b=c) Notice that for two sets of facts D 1 and D 2 Conj(D 1  D 2 ) = Conj(D 1 )  Conj(D 1 ) What does Conj({}) stand for…? 20

21 Towards an automatic proof Goal: automatically compute an annotated program proving as many facts as possible of the form x = y and x = y + z Decision 1: develop a forward-going proof Decision 2: draw predicates from a finite set D – “looking under the light of the lamp” – A compromise that simplifies problem by focusing attention – possibly miss some facts that hold Challenge 1: handle straight-line code Challenge 2: handle conditions Challenge 3: handle loops 21

22 Challenge 1: handling straight-line code 22 By Zachary Dylan Tax (Zachary Dylan Tax) [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons

23 Straight line code example Find a proof that satisfies both conditions 23 { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c }

24 Straight line code example Can we make this into an algorithm? What do we need to ensure for each triple? 24 { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c } Frame sp cons

25 Goal Given a program of the form x 1 := a 1 ; … x n := a n Find predicates P 0, …, P n such that 1.{P 0 } x 1 := a 1 {P 1 } … {P n-1 } x n := a n {P n } is a proof That is: sp(x i := a i, P i-1 )  P i 2.Each P i has the form Conj(D i ) where D i is a set of atomic 25

26 Algorithm for straight-line code Goal: find predicates P 0, …, P n such that 1.{P 0 } x 1 := a 1 {P 1 } … {P n-1 } x n := a n {P n } is a proof That is: sp(x i := a i, P i-1 )  P i 2.Each P i has the form Conj(D i ) where D i is a set of atomic facts Idea: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) – We call F the abstract transformer of x:=a Unless D 0 is given, initialize D 0 ={} For each i: compute D i+1 = Conj(F SAV [x i := a i ] D i ) Finally P i = Conj(D i ) 26

27 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 27

28 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 28

29 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 29  Is either a variable v or an addition expression v+w { x=  } x:=a { } [kill-lhs] { y=x+w } x:=a { } [kill-rhs-1] { y=w+x } x:=a { } [kill-rhs-2] { } x:=  { x=  } [gen] { y=z+w } x:=a { y=z+w } [preserve]

30 SAV abstract transformer example 30  Is either a variable v or an addition expression v+w { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c } { x=  } x:= aexpr { } [kill-lhs] { y=x+w } x:= aexpr { } [kill-rhs-1] { y=w+x } x:= aexpr { } [kill-rhs-2] { } x:=  { x=  } [gen] { y=z+w } x:= aexpr { y=z+w } [preserve]

31 Problem 1: large expressions Large expressions on the right hand sides of assignments are problematic – Can miss optimization opportunities – Require complex transformers Solution: transform code to normal form where right-hand sides have bounded size 31 Missed CSE opportunity { } x := a + b + c { } y := a + b + c { }

32 Three-address code Main idea: simplify expressions by storing intermediate results in new temporary variables Number of variables in simplified statements  3 32 { } x := a + b + c { } y := a + b + c { } { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c }

33 Three-address code Main idea: simplify expressions by storing intermediate results in new temporary variables Number of variables in simplified statements  3 33 { } x := a + b + c { } y := a + b + c { } { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c } Need to infer i1=i2

34 Problem 2: transformer precision Our transformer only infers syntactically available expressions – ones that appear in the code explicitly We want a transformer that looks deeper into the semantics of the predicates – Takes equalities into account 34 { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c } Need to infer i1=i2

35 Defining a semantic reduction Idea: make as many implicit facts explicit by – Using symmetry and transitivity of equality – Commutativity of addition – Meaning of equality – can substitute equal variables For an SAV-predicate P=Conj(D) define Explicate(D) = minimal set D * such that: 1.D  D * 2.x=y  D * implies y=x  D * 3.x=y  D * y=z  D * implies x=z  D * 4.x=y+z  D * implies x=z+y  D * 5.x=y  D * and x=z+w  D * implies y=z+w  D * 6.x=y  D * and z=x+w  D * implies z=y+w  D * 7.x=z+w  D * and y=z+w  D * implies x=y  D * Notice that Explicate(D)  D Explicate is a special case of a semantic reduction 35

36 Sharpening the transformer Define: F * [x:=aexpr] = Explicate  F SAV [x:= aexpr] 36 { } i1 := a + b { i1=a+b, i1=b+a } x := i1 + c { i1=a+b, i1=b+a, x=i1+c, x=c+i1 } i2 := a + b { i1=a+b, i1=b+a, x=i1+c, x=c+i1, i2=a+b, i2=b+a, i1=i2, i2=i1, x=i2+c, x=c+i2, } y := i2 + c {... } Since sets of facts and their conjunction are isomorphic we will use them interchangeably

37 An algorithm for annotating SLP Annotate(P, x:=aexpr) = {P} x:=aexpr F * [x:= aexpr](P) Annotate(P, S 1 ; S 2 ) = let Annotate(P, S 1 ) be {P} A 1 {Q 1 } let Annotate(Q 1, S 2 ) be {Q 1 } A 2 {Q 2 } return {P} A 1 ; {Q 1 } A 2 {Q 2 } 37

38 Challenge 2: handling conditions 38

39 Goal Annotate a program if bexpr then S 1 else S 2 with predicates from  Assumption 1: P is given (otherwise use true) Assumption 2: bexpr is a simple binary expression e.g., x=y, x  y, x<y (why?) 39 { P } if bexpr then { bexpr  P } S 1 { Q 1 } else {  bexpr  P } S 2 { Q 2 } { Q }

40 Joining predicates 1.Start with P or {bexpr  P} and annotate S 1 (yielding Q 1 ) 2.Start with P or {  bexpr  P} and annotate S 2 (yielding Q 2 ) 3.How do we infer a Q such that Q 1  Q and Q 2  Q? Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) 40 { P } if bexpr then { bexpr  P } S 1 { Q 1 } else {  bexpr  P } S 2 { Q 2 } { Q } Possibly an SAV-fact

41 Joining predicates 1.Start with P or {bexpr  P} and annotate S 1 (yielding Q 1 ) 2.Start with P or {  bexpr  P} and annotate S 2 (yielding Q 2 ) 3.How do we infer a Q such that Q 1  Q and Q 2  Q? Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) 41 The join operator for SAV { P } if bexpr then { bexpr  P } S 1 { Q 1 } else {  bexpr  P } S 2 { Q 2 } { Q }

42 Joining predicates Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) We want to soundly approximate Q 1  Q 2 in  Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) Notice that Q 1  Q and Q 2  Q meaning Q 1  Q 2  Q 42

43 Simplifying conditions Extend While with – Non-determinism (or) and – An assume statement  assume b, s   sos s if B  b  s = tt Now, the following two statements are equivalent – if b then S 1 else S 2 – ( assume b; S 1 ) or ( assume  b; S 2 ) 43

44 Handling conditional expressions We want to soundly approximate D  bexpr and D   bexpr in  Define  (bexpr) = if bexpr is factoid {bexpr} else {} Define F[ assume bexpr](D) = D   (bexpr) Can sharpen F * [ assume bexpr] = Explicate  F SAV [ assume bexpr] 44

45 Handling conditional expressions Notice bexpr   (bexpr) Examples –  (y=z) = {y=z} –  (y<z) = {} 45

46 An algorithm for annotating conditions let P t = F * [ assume bexpr] P let P f = F * [ assume  bexpr] P let Annotate(P t, S 1 ) be {P t } A 1 {Q 1 } let Annotate(P f, S 2 ) be {P f } A 2 {Q 2 } return {P} if bexpr then {P t } A 1 {Q 1 } else {P f } A 2 {Q 2 } {Q 1  Q 2 } 46

47 Example 47 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

48 Example 48 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

49 Recap We now have an algorithm for soundly annotating loop-free code Generates forward-going proofs Algorithm operates on abstract syntax tree of code – Handles straight-line code by applying F * – Handles conditions by recursively annotating true and false branches and then intersecting their postconditions 49

50 Example 50 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

51 Challenge 2: handling loops 51 By Stefan Scheer (Own work (Own Photo)) [GFDL (http://www.gnu.org/copyleft/fdl.html), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/) or CC-BY-SA-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/2.5-2.0-1.0)], via Wikimedia Commons

52 Goal Annotate a program while bexpr do S with predicates from  – s.t. P  N Main challenge: find N Assumption 1: P is given (otherwise use true) Assumption 2: bexpr is a simple binary expression 52 { P } Inv = { N } while bexpr do { bexpr  N } S { Q } {  bexpr  N }

53 Example: annotate this program 53 { y=x+a, y=a+x, w=d, d=w } Inv = { y=x+a, y=a+x } while (x  z) do { z=x+a, z=a+x, w=d, d=w } x := x + 1 { w=d, d=w } y := x + a { y=x+a, y=a+x, w=d, d=w } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

54 Example: annotate this program 54 { y=x+a, y=a+x, w=d, d=w } Inv = { y=x+a, y=a+x } while (x  z) do { y=x+a, y=a+x } x := x + 1 { } y := x + a { y=x+a, y=a+x } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

55 Goal Idea: try to guess a loop invariant from a small number of loop unrollings – We know how to annotate S (by induction) 55 { P } Inv = { N } while bexpr do { bexpr  N } S { Q } {  bexpr  N }

56 k-loop unrolling 56 { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a }

57 k-loop unrolling 57 { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x }

58 k-loop unrolling 58 The following must hold: P  N Q 1  N Q 2  N … Q k  N { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x }

59 k-loop unrolling 59 The following must hold: P  N Q 1  N Q 2  N … Q k  N … { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } We can compute the following sequence: N 0 = P N 1 = N 1  Q 1 N 2 = N 1  Q 2 … N k = N k-1  Q k Observation 1: No need to explicitly unroll loop – we can reuse postcondition from unrolling k-1 for k

60 k-loop unrolling 60 The following must hold: P  N Q 1  N Q 2  N … Q k  N … { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } We can compute the following sequence: N 0 = P N 1 = N 1  Q 1 N 2 = N 1  Q 2 … N k = N k-1  Q k Observation 2: N k monotonically decreases set of facts. Question: does it stabilizes for some k?

61 Algorithm for annotating a loop Annotate(P, while bexpr do S ) = Initialize N := N c := P repeat let Annotate(P, if b then S else skip ) be {N c } if bexpr then S else skip {N} N c := N c  N until N = N c return {P} INV= N while bexpr do F[ assume bexpr](N) Annotate(F[ assume bexpr](N), S) F[ assume  bexpr](N) 61

62 Putting it together 62

63 Algorithm for annotating a program Annotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F * [x:=aexpr] P} case S is S 1 ; S 2 let Annotate(P, S 1 ) be {P} A 1 {Q 1 } let Annotate(Q 1, S 2 ) be {Q 1 } A 2 {Q 2 } return {P} A 1 ; {Q 1 } A 2 {Q 2 } case S is if bexpr then S 1 else S 2 let P t = F[ assume bexpr] P let P f = F[ assume  bexpr] P let Annotate(P t, S 1 ) be {P t } A 1 {Q 1 } let Annotate(P f, S 2 ) be {P f } A 2 {Q 2 } return {P} if bexpr then {P t } A 1 {Q 1 } else {P f } A 2 {Q 2 } {Q 1  Q 2 } case S is while bexpr do S N := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N} N c := N c  N until N= Nc return {P} INV= {N} while bexpr do {P t } A body {F[ assume  bexpr](N)} 63

64 Exercise: apply algorithm 64 { } y := a+b { } x := y {} while (x  z) do {} w := a+b {} x := a+b {} a := z {}

65 Step 1/18 65 {} y := a+b { y=a+b }* x := y while (x  z) do w := a+b x := a+b a := z Not all factoids are shown – apply Explicate to get all factoids

66 Step 2/18 66 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* while (x  z) do w := a+b x := a+b a := z

67 Step 3/18 67 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do w := a+b x := a+b a := z

68 Step 4/18 68 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b x := a+b a := z

69 Step 5/18 69 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b a := z

70 Step 6/18 70 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z

71 Step 7/18 71 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

72 Step 8/18 72 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

73 Step 9/18 73 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

74 Step 10/18 74 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

75 Step 11/18 75 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=y, w=x, x=y, a=z }*

76 Step 12/18 76 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

77 Step 13/18 77 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

78 Step 14/18 78 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

79 Step 15/18 79 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

80 Step 16/18 80 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

81 Step 17/18 81 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

82 Step 18/18 82 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }* { x=z }

83 Next lecture: abstract interpretation fundamentals

84 Canonical form for SAV For an available expressions element A define Explicate(A) = minimal set B such that: 1. A  B 2.x=y  B implies y=x  B 3.x=y  B and y=z  B implies x=z  B 4.x=y+z  B implies x=z+y  B 5.x=y  B and x=z+w  B implies y=z+w  B 6.x=y  B and z=x+w  B implies z=y+w  B 7.x=z+w  B and y=z+w  B implies x=y  B Makes all implicit facts explicit Define A * = Explicate(A) Define (for two subsets A 1, A 2  D) A 1  exp A 2 if and only if A 1 *  A 2 * Lemma: A 1  exp A 2 if and only A 1  imp A 2 84

Download ppt "Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
CS 355 – Programming Languages

CS 355 – Programming Languages
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.

Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Describing Syntax and Semantics

Describing Syntax and Semantics
Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.

Program Analysis and Verification Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.

Similar presentations

Ads by Google