Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kleene Algebra with Tests (Part 2: Applications) Dexter Kozen Cornell University Workshop on Logic & Computation Nelson, NZ, January 2004.

Published byScott Lamb Modified over 9 years ago

Similar presentations

Presentation on theme: "Kleene Algebra with Tests (Part 2: Applications) Dexter Kozen Cornell University Workshop on Logic & Computation Nelson, NZ, January 2004."— Presentation transcript:

1 Kleene Algebra with Tests (Part 2: Applications) Dexter Kozen Cornell University Workshop on Logic & Computation Nelson, NZ, January 2004

2 These Lectures 1.Tutorial on KA and KAT model theory complexity, deductive completeness relation to Hoare logic 2.Practical applications compiler optimization scheme equivalence static analysis 3.Theoretical applications automata on guarded strings & BDDs algebraic version of Parikh’s theorem representation dynamic model theory

3 Kleene Algebra (KA) idempotent semiring under +, ·, 0, 1 (p + q) + r = p + (q + r) (pq)r = p(qr) p + q = q + pp1 = 1p = p p + p = pp0 = 0p = 0 p + 0 = p p(q + r) = pq + pr (p + q)r = pr + qr linear inequalities have unique least solutions p*q = least x such that q + px  x qp* = least x such that q + xp  x def x  y  x + y = y

4 (K, B, +, ·, *, ¯, 0, 1) (K, +, ·, *, 0, 1) is a Kleene algebra (B, +, ·, ¯, 0, 1) is a Boolean algebra B  K p,q,r,  range over K a,b,c,  range over B Kleene Algebra with Tests (KAT)

5 Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s y  FV(s) x := s ; y := t = x := s ; y := t[x/s] x  FV(s) x := s ; x := t = x := t[x/s] b[x/t] ; x := t = x := t ; b x := x = 1

6 Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st order interpreted i  j  j  k  i  k

7 universal Horn logic p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q premises p i = q i −self-evident assumptions about local behavior −typically involve atomic instructions and tests conclusion p = q −equivalence of original program and optimized or annotated program use schematic and interpreted reasoning only to establish validity of premises – most reasoning done at the propositional level Reasoning with KAT

8 Compiler Optimizations [Kozen & Patron 00] dead code elimination common subexpression elimination copy propagation loop hoisting loop unrolling reducing nesting depth induction variable elimination instruction scheduling algebraic simplification elimination of redundant instructions array bounds check elimination introduction of sentinels

9 Typical Premises “two instructions that do not affect each other can be done in either order” load r 1,x ; load r 2,y = load r 2,y ; load r 1,x “after loading a value in a register, that register contains that value” load r 1,x = load r 1,x ; r 1 =xp = pb “no need to load a value if the register already contains that value” r 1 =x ; load r 1,x = r 1 =xbp = b

10 Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

11 Loop Hoisting for (i = 0; i < n; i++) { b[i] = x; } i := 0  : test i < n jump  if false load r,x store r,b[i] i := i + 1 jump   : 

12 This is of the form w(cupv)*c p = load r,x b = r=x load r,x = load r,x ; r=x p = pb b p p r=x ; load r,x = r=xbp = b b p b ub = bu vb = bv

13 p = pb  bp = b  ub = bu  vb = bv  w(cupv)*c = w(cupv(cubv)*c + c) Suffices to show p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1

14 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= (cupv)*

15 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cupv)* + 1

16 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupv)* + 1

17 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cupbv)* + 1

18 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcupb)*v + 1

19 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcup)*bv + 1

20 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcup)*bv + 1

21 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbup)*bv + 1

22 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcubp)*bv + 1

23 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcub)*bv + 1

24 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vcbu)*bv + 1

25 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(vbcu)*bv + 1

26 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cup(bvcu)*bv + 1

27 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupb(vcub)*v + 1

28 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupbv(cubv)* + 1

29 p = pb  bp = b  ub = bu  vb = bv  (cupv)* = cupv(cubv)* + 1 (cupv)*= cupv(cubv)* + 1

30 Loop Unrolling while b do {while b do { p; p; } if b then p; } (bp)*b = (bp(bp + b))*b Key lemma q* = (q n )*(1 + q) n-1

31 Loop Denesting while b do {if b then { p;p; while c do q;while b  c do }if c then q else p; } (bp(cq)*c)*b = bp((b+c)(cq+cp))*(b+c) + b Key lemma (p*q)*p* = (p + q)*

32 Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

33 Array Bounds Check Elimination for (i = 0; i < x.length; i++) { x[i] := e(i); } i := 0  : test i < n jump  if false compute e(i) if i out of bounds then error x[i] := e(i) i := i + 1 jump   : 

34 Array Bounds Check Elimination a =0  i b =i < x.length c =ab i is in bounds We have to prove u(bp(cq + cs)v)*b = u(bpqv)*b Introduce a using u = ua, show a and b (and therefore c) hold where needed to eliminate the array bounds check

35 LU Decomposition with Pivoting [Mateev, Menon, Pingali 01] Restructuring of matrix operations to take advantage of locality Def/use analysis fails: transformations break def/use dependencies MMP develop a new technique, fractal symbolic analysis

36 y = x;x = 2*x;y = 2*y; x = 2*x;y = x;

37 Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s y  FV(s) x := s ; y := t = x := s ; y := t[x/s] x  FV(s) x := s ; x := t = x := t[x/s] b[x/t] ; x := t = x := t ; b x := x = 1

38 y = x;x = 2*x;y = 2*y; x = 2*x;y = x;

39 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x; x = 2*x; x := s ; x := t = x := t[x/s]

40 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; x := t = x := t[x/s]

41 y = x;x = 2*x;y = 2*y; x = 2*x;y = x; y = 2*x;x = 2*x; x = 2*x;y = x; x := s ; y := t = y := t[x/s] ; x := s y  FV(s)

42 for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update } for (j = 0; j < n-1; j++) { tmp = a[j]; //swap a[j] = a[j+1]; a[j+1] = tmp; } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { a[i] = a[i]/a[j]; //update }

43 for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); }

44 k < i < j  update(i,k);swap(i,j); update(j,k);=update(i,k); swap(i,j);update(j,k);

45 k > j  swap(k,k+1); for (i = j+1; i < n; i++) { update(i,j); } = for (i = j+1; i < n; i++) { update(i,j); } swap(k,k+1); Key Lemma pq = qp  pq* = q*p

46 for (j = 0; j < n-1; j++) { swap(j,j+1); for (i = j+1; i < n; i++) { update(i,j); } for (j = 0; j < n-1; j++) { swap(j,j+1); } for (j = 0; j < n-1; j++) { for (i = j+1; i < n; i++) { update(i,j); } Key Lemma pq = qp  p*q* = (pq)*(p* + q*)

47 The Dead Variable Paradox Two ways to show x := 1 ; x := 1 = x := 1

48 The Dead Variable Paradox Method 1 d = “x is a dead variable” p = “x := 1” p = dp x is dead immediately before it is assigned pd = d an assignment to a dead variable is redundant To show pp = p: pp = pdp = dp = p

49 The Dead Variable Paradox Method 2 c = “x = 1” p = “x := 1” p = pc x has value 1 immediately after the assignment cp = c it’s pointless to assign to x a value it already has To show pp = p: pp = pcp = pc = p

50 The Dead Variable Paradox c = “x = 1” d = “x is a dead variable” p = “x := 1” p = dp x is dead immediately before it is assigned pd = d an assignment to a dead variable is redundant p = pc x has value 1 immediately after the assignment cp = c it’s pointless to assign a value to x it already has pp = pcdp = pdcp = dc x := 1 ; x := 1 = x is dead ; x = 1 ???

51 The Dead Variable Paradox Solution “x is a dead variable” is not a property of the local state use u = “make x undefined” = “x :=  ” instead x := 0 ; x :=  = x :=  x :=  ; x := 0 = x := 0

52 start y1 := x y4 := f(y1) y1 := f(y1) y2 := g(y1,y4) y3 := g(y1,y1) P(y1) y1 := f(y3) P(y4) P(y2) y2 := f(y2)P(y3) z := y2 halt T T T T F F F F start y := f(x) loop P(y) y := g(y,y) P(y) y2 := f(f(y)) z := y halt T T F F  Scheme Equivalence Example of Paterson from [Manna 74]

53 x 1 p 41 p 11 q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 ((a 4 +a 4 (a 2 p 22 )*a 2 a 3 p 41 p 11 ) q 214 q 311 (a 1 p 11 q 214 q 311 )*a 1 p 13 )* a 4 (a 2 p 22 )*a 2 a 3 z 2 z  saq(araq)*az x1x1 p 41 p 11 q 214 q 311 a1a1 p 13 a4a4 a2a2 a3a3 z2z2 p 22 a1a1 a4a4 a2a2 a3a3 s q a r z a a  Kleene’s Theorem

54 Static Analysis Derivation of information about the execution state at various points in a program at compile time or load time, prior to execution Approaches –type inference –dataflow analysis –abstract interpretation –set constraints Applications –code optimization –verification

55 Software Model Checking with SLAM Thomas Ball Testing, Verification and Measurement Sriram K. Rajamani Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/

56 State Machine for Locking UnlockedLocked Error Rel Acq Rel state { enum {Locked,Unlocked} s = Unlocked; } KeAcquireSpinLock.entry { if (s==Locked) abort; else s = Locked; } KeReleaseSpinLock.entry { if (s==Unlocked) abort; else s = Unlocked; } Locking Rule in SLIC

57 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Does this code obey the locking rule?

58 do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

59 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

60 do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

61 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

62 Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

63 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if (request) { request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

64 do { kA; n; if (R) { u; kR; m; } } while (~B); kR;

65 do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR;

66 do { kA; n; if (R) {do p while C u; = p;(C;p)*;~C kR; m;if C then p } = C;p + ~C } while (~B); kR; kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR

67 Preconditions for safe execution operationprecondition kA (acquire) ~A (unlocked) kR (release) A (locked) Global precondition: initially unlocked Original program ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR Annotated program ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

68 kA = kA;A- acquiring the lock acquires it kR = kR;~A- releasing the lock releases it B;m = B;m;~B- if two integer variables are equal and we increment one, then they are no longer equal n = n;B- setting one variable equal to another makes them equal A;n = n;A- commutativity conditions A;u = u;A A;m = m;A B;u = u;B B;kR = kR;B

69 kA = kA;A  kR = kR;~A  B;m = B;m;~B  n = n;B  A;n = n;A  A;u = u;A  A;m = m;A  B;u = u;B  B;kR = kR;B  ~A;kA;n;(R;u;kR;m + ~R); (~B;kA;n;(R;u;kR;m + ~R))*;B;kR = ~A;~A;kA;n;(R;u;A;kR;m + ~R); (~B;~A;kA;n;(R;u;A;kR;m + ~R))*;B;A;kR

70 Security Automata [Schneider 98] general mechanism for specification and runtime enforcement of safety policies policy is specified by a finite automaton M code is instrumented to call M before all critical operations (ones that could change state of M ) M aborts the computation if the operation causes a transition to an error state can handle all safety properties read send read error start

71 Example no send after read read send read error code is instrumented to call M before each read and send instruction purely a runtime mechanism start

72 Security Automata and KAT Use KAT to do static analysis to eliminate unnecessary calls to M assertion U for each state of M premises A M : UV = 0 for U ≠ V Up  pV for each atomic transition U  V Up  pU if p is noncritical start state S, error states E p

73 Prefixes Pre(r) = an expression representing prefixes of computations of r. Defined inductively: Pre(p) = 1 + pp an atomic action Pre(b) = 1b a test Pre(pq) = Pre(p) + p;Pre(q) Pre(p + q) = Pre(p) + Pre(q) Pre(p*) = p*;Pre(p) This is a closure operator in the sense that Pre(Pre(p)) = Pre(p) is a theorem of KAT

74 Eliminating Runtime Checks Soundness Theorem Let D be any set of premises over P, B, and let r be any program over P, B. If D  A M  S·Pre(r)  ~E(ΣP)*~E is a theorem of KAT, then r is safe with respect to M in any Kripke frame whose trace algebra satisfies D. Completeness Theorem The converse holds as well, provided D is finite and all elements of D are of the form p = 0.

75 More Generally... Let L be an upper semilattice such that all ascending chains are finite (ACC). Elements are called types or abstract values. Associated with each atomic action p is a strict, partial, finitely additive map f p : L  L called its transfer function. Take premises Xp  p f p (X) and propagate information as before (ACC needed for *). Safe p = dom f p.

76 Types or Abstract Values Represent sets of values –statically derivable –conservative approximation Form a partial semilattice –higher = less specific –join does not exist = type error

77 Example: Java Bytecode Object Array [ ] IntegerContinuations Array [ ][ ] … Interface implements Useless Null Java class hierarchy int, short, byte, boolean, char

78 Example: Java Bytecode local variable array operand stack thisp0p0 p1p1 p2p2 parameters other locals maxLocals maxStack = reference type = integer = continuation String Hash- table Object String- Buffer User- Class int[ ] = useless

79 Example of a Transfer Function 01234567 locals stack 01234567 locals stack iload 3 Preconditions for safe execution: local 3 is an integer stack is not full Effect: push integer in local 3 on stack

80 Demo of KAT-ML KAT-ML is an interactive theorem prover for Kleene algebra with tests written in standard ML. Versions for a variety of platforms are available from http://www5.cs.cornell.edu/~kamal/kat

Download ppt "Kleene Algebra with Tests (Part 2: Applications) Dexter Kozen Cornell University Workshop on Logic & Computation Nelson, NZ, January 2004."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Compiler Construction

Compiler Construction
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Representation of Kleene Algebra with Tests Dexter Kozen Cornell University.

Representation of Kleene Algebra with Tests Dexter Kozen Cornell University.
Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st.

Levels of Reasoning propositional p 1 = q 1  p 2 = q 2 ...  p n = q n  p = q schematic (1 st order uninterpreted) x := s ; x := t = x := t[x/s] 1 st.

Similar presentations

Ads by Google