Noam Rinetzky Lecture 2: Program Semantics

Program Analysis and Verification

0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html

Noam Rinetzky

Lecture 2: Program Semantics

Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html

2

Good manners

• Mobiles

3

Admin

• Grades– 4 Assignments (30%)

• 1 involves programming– 1 Lesson summary (10%)– Toar I: Final exam (60%)

• Must pass– Toar II: Project (60%)

Scribes (this week)? Scribes (nextweek)

4

Today

• What does semantics mean?– Why do we need it?– How is it related to analysis/verification?

• Operational semantics– Natural operational semantics– Structural operational semantics

5

Motivation: Verifying absence of bugs

static OSStatusSSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen){OSStatus err;

...

if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)goto fail;if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)goto fail;goto fail;if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)goto fail;

...

fail:SSLFreeBuffer(&signedHashes);SSLFreeBuffer(&hashCtx);return err;

}

6

What can we do about it?

• Monitoring• Testing• Static analysis • Formal verification• Specification

Run time

Design Time

7

What can we do about it?

• Monitoring• Testing• Static analysis • Formal verification• Specification

Run time

Design Time

8

Program analysis & verification

y = ? x? = if (x > 0){

y = 42; }else{

y = 73; foo;)(

}assert (y == 42);

Is assertion true?

No/?/Yes

9


Can we prove this? Automatically? Bad news: problem is generally undecidable

Yes/?/No

y = ? x? = x = y * 2if (x % 2 == 0) { y = 42;} else { y = 73; foo();} assert (y == 42);

10

universe

Main idea: use over-approximation

Exact set of configurations/Behaviors/states

Over Approximation

11

Main idea: find (properties of) all reachable states*

initialstates

badstates

reachablestates

*or of something else …

12

Technique: find (properties of) more than all reachable states*

initialstates

badstates

reachablestates

*or of something else …

13


y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

14

What does P do?

y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

15

What does P mean?

y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

…

syntax semantics

16

“Standard” semantics

y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

…-1,0,1, …

y x…-1,0,1,…

17

“Standard” semantics (“state transformer”)

y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

…-1,0,1, …

y x…-1,0,1,…

18


y = ?; y=3, x=9x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

…-1,0,1, …

y x…-1,0,1,…

19


y = ?; y=3, x=9x = y * 2 y=3, x=6if (x % 2 == 0) { y=3, x=6 y = 42; y=42, x=6} else { y = 73; … foo(); …} assert (y == 42); y=42, x=6

…-1,0,1, …

y x…-1,0,1,…

20

“State transformer” semantics

initialstates

badstates

reachablestates

y=3,x=9

y=3,x=6

y=3,x=6

21


initialstates

badstates

reachablestates

y=4,x=1

y=4,x=8y=4,x=8

22


initialstates

badstates

reachablestates

y=4…,x=…

23

initialstates

badstates

reachablestates

y=3,x=9

y=3,x=6

y=4,x=1y=4,x=8

y=3,x=6

y=4,x=8

“State transformer” semanticsMain idea: find (properties of) all reachable states*

y=4…,x=…

24

“Standard” (collecting) semantics(“sets-of states-transformer”)

y = ?; x = ?; {(y,x) | y,x ∈ Nat}x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

25

“Standard” (collecting) semantics(“sets-of states-transformer”)

y = ?; {(y=3, x=9),(y=4,x=1),(y=…, x=…)}

x = y * 2 {(y=3, x=6),(y=4,x=8),(y=…, x=…)}

if (x % 2 == 0) { {(y=3, x=6),(y=4,x=8),(y=…, x=…)}

y = 42; {(y=42, x=6),(y=42,x=8),(y=42, x=…)}

} else { y = 73; { }

foo(); { }

} assert (y == 42); {(y=42, x=6),(y=42,x=8),(y=42, x=…)}

Yes

26

“Set-of-states transformer” semantics

initialstates

badstates

reachablestates

y=3,x=9

y=3,x=6

y=4,x=1

y=4,x=1

y=3,x=6

y=4,x=1

27

“Abstract-state transformer” semantics

y = ?; y=T, x=Tx = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

TO E

T

y x

TO E

T

(y=E,x=E)={(0,0), (0,2), (-4,10),…}

28


y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No

TO E

T

y x

TO E

T

(y=E,x=E)={(0,0), (0,2), (-4,10),…}

29


y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No

TO E

T

y x

TO E

T

(y=E,x=E)={(0,0), (0,2), (-4,10),…}

30


y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=E, x=E} else { y = 73; … foo(); …} assert (y%2 == 0) y=E, x=E ?

TO E

T

y x

TO E

T

(y=E,x=E)={(0,0), (0,2), (-4,10),…}


initialstates

badstates

31

reachablestates


initialstates

badstates

32

reachablestates


initialstates

badstates

33

reachablestates


initialstates

badstates

34

reachablestates

Technique: explore abstract states

initialstates

badstates

35

reachablestates

36

Sound: cover all reachable states

initialstates

badstates

reachablestates

37

Imprecise abstraction

initialstates

badstates

37

reachablestates

False alarms

38

What does P mean?

y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

…

syntax semantics

Abs

39

Programming Languages

• Syntax • “how do I write a program?”

– BNF– “Parsing”

• Semantics • “What does my program mean?”

– …

40

Program semantics

• State-transformer– Set-of-states transformer– Trace transformer

• Predicate-transformer• Functions

41

Program semantics



• Cat-transformer

42

What semantics do we want?

• Captures the aspects of computations we care about– “adequate”

• Hides irrelevant details– “fully abstract”

• Compositional

Operational Semantics

Recap

Program semantics



• Cat-transformer

What semantics do we want?

• Captures the aspects of computations we care about– “adequate”

• Hides irrelevant details– “fully abstract”

• Compositional

47

Formal semantics

“Formal semantics is concerned with rigorously specifying the meaning, or behavior, of

programs, pieces of hardware, etc.” / page 1

48

Formal semantics

“This theory allows a program to be manipulated like a formula –

that is to say, its properties can be calculated.”

Gérard Huet & Philippe Flajolet homage to Gilles Kahn

49

Why formal semantics?

• Implementation-independent definition of a programming language

• Automatically generating interpreters (and some day maybe full fledged compilers)

• Verification and debugging– if you don’t know what it does, how do you know

its incorrect?

50

Levels of abstractions and applications

Program Semantics

Assembly-level Semantics(Small-step)

Static Analysis(abstract semantics)

51

Semantic description methods• Operational semantics– Natural semantics (big step) [G. Kahn]– Structural semantics (small step) [G. Plotkin]

• Trace semantics• Collecting semantics• [Instrumented semantics]

• Denotational semantics [D. Scott, C. Strachy]

• Axiomatic semantics [C. A. R. Hoare, R. Floyd]

52

http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html

http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html

Operational Semantics

54

A simple imperative language: WhileAbstract syntax:

a ::= n | x | a1 + a2 | a1 a2 | a1 – a2

b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2

S ::= x := a | skip | S1; S2| if b then S1 else S2

| while b do S

55

Concrete Syntax vs. Abstract Syntax

a

y

:=x

S

a

z

:=y

Sa

x

:=z

S

;

S;

S

a

x

:=z

S

a

y

:=x

S;

S ;

S

a

z

:=y

S

z:=x; x:=y; y:=z

z:=x; (x:=y; y:=z) (z:=x; x:=y); y:=z

56

Exercise: draw an AST

S S;

S

y:=1; while (x=1) do (y:=y*x; x:=x-1)

57

Syntactic categories

n Num numeralsx Var program variablesa Aexp arithmetic expressionsb Bexp boolean expressionsS Stm statements

58

Semantic categories

Z Integers {0, 1, -1, 2, -2, …}TTruth values {ff, tt}State Var Z

Example state: s=[x5, y7, z0]Lookup: s x = 5Update: s[x6] = [x6, y7, z0]

59

Example state manipulations

• [x1, y7, z16] y =• [x1, y7, z16] t =• [x1, y7, z16][x5] =• [x1, y7, z16][x5] x =• [x1, y7, z16][x5] y =

60

Semantics of arithmetic expressions

• Arithmetic expressions are side-effect free• Semantic function A Aexp : State Z• Defined by induction on the syntax tree

A n s = nA x s = s xA a1 + a2 s = A a1 s + A a2 sA a1 - a2 s = A a1 s - A a2 sA a1 * a2 s = A a1 s A a2 s A (a1) s = A a1 s --- not neededA - a s = 0 - A a1 s

• Compositional• Properties can be proved by structural induction

61

Arithmetic expression exercise

Suppose s x = 3Evaluate A x+1 s

62

Semantics of boolean expressions

• Boolean expressions are side-effect free• Semantic function B Bexp : State T• Defined by induction on the syntax tree

B true s = ttB false s = ffB a1 = a2 s =B a1 a2 s =B b1 b2 s = B b s =

63

Operational semantics

• Concerned with how to execute programs– How statements modify state– Define transition relation between configurations

• Two flavors– Natural semantics: describes how the overall

results of executions are obtained• So-called “big-step” semantics

– Structural operational semantics: describes how the individual steps of a computations take place• So-called “small-step” semantics

64

Natural operating semantics (NS)

65

Natural operating semantics (NS)

• aka “Large-step semantics”

S, s s’

all steps

66

Natural operating semantics

• Developed by Gilles Kahn [STACS 1987]• Configurations

S, s Statement S is about to execute on state ss Terminal (final) state

• TransitionsS, s s’ Execution of S from s will terminate

with the result state s’– Ignores non-terminating computations

http://dx.doi.org/10.1007/BFb0039592

67

Natural operating semantics

• defined by rules of the form

• The meaning of compound statements is defined using the meaning immediate constituent statements

S1, s1 s1’, … , Sn, sn sn’

S, s s’

if…

premise

conclusion

side condition

68

Natural semantics for While x := a, s s[x Aas][assns]

skip, s s[skipns]

S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]

S1, s s’ if b then S1 else S2, s s’

if B b s = tt[ifttns]

S2, s s’ if b then S1 else S2, s s’

if B b s = ff[ifffns]

axioms

69

Natural semantics for While

S, s s’, while b do S, s’ s’’while b do S, s s’’

if B b s = tt[whilettns]

while b do S, s s if B b s = ff[whileffns]

Non-compositional

70

Example

• Let s0 be the state which assigns zero to all program variables

x:=x+1, s0

skip, s0 s0

s0[x1]

skip, s0 s0, x:=x+1, s0 s0[x1] skip; x:=x+1, s0 s0[x1]

x:=x+1, s0 s0[x1]if x=0 then x:=x+1 else skip, s0 s0[x1]

71

Derivation trees

• Using axioms and rules to derive a transition S, s s’ gives a derivation tree– Root: S, s s’– Leaves: axioms– Internal nodes: conclusions of rules• Immediate children: matching rule premises

72

Derivation tree example 1• Assume s0=[x5, y7, z0]

s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]

(z:=x; x:=y); y:=z, s0 s3

(z:=x; x:=y), s0 s2 y:=z, s2 s3

z:=x, s0 s1 x:=y, s1 s2

[assns] [assns]

[assns][compns]

[compns]

73

Derivation tree example 1• Assume s0=[x5, y7, z0]

s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]

(z:=x; x:=y); y:=z, s0 s3

(z:=x; x:=y), s0 s2 y:=z, s2 s3

z:=x, s0 s1 x:=y, s1 s2

[assns] [assns]

[assns][compns]

[compns]

74

Top-down evaluation via derivation trees

• Given a statement S and an input state sfind an output state s’ such that S, ss’

• Start with the root and repeatedly apply rules until the axioms are reached– Inspect different alternatives in order

• In While s’ and the derivation tree is unique

75

Top-down evaluation example

• Factorial program with s x = 2• Shorthand: W=while (x=1) do (y:=y*x; x:=x-1)

y:=1; while (x=1) do (y:=y*x; x:=x-1), s s[y 2][x1]

y:=1, s s[y 1] W, s[y 1] s[y 2, x 1]

y:=y*x; x:=x-1, s[y 1] s[y 2][x1] W, s[y 2][x1] s[y 2, x 1]

y:=y*x, s[y 1] s[y 2] x:=x-1, s[y 2] s[y 2][x1][assns]

[compns]

[assns]

[compns]

[whileffns]

[whilettns]

[assns]

76

Program termination

• Given a statement S and input s– S terminates on s if there exists a state s’ such that

S, s s’– S loops on s if there is no state s’ such that

S, s s’• Given a statement S– S always terminates if

for every input state s, S terminates on s– S always loops if

for every input state s, S loops on s

77

Semantic equivalence

• S1 and S2 are semantically equivalent if for all s and s’ S1, s s’ if and only if S2, s s’

• Simple examplewhile b do Sis semantically equivalent to:if b then (S; while b do S) else skip– Read proof in pages 26-27

78

Properties of natural semantics

• Equivalence of program constructs– skip; skip is semantically equivalent to skip – ((S1; S2); S3) is semantically equivalent to

(S1; (S2; S3))– (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40)

79

Equivalence of (S1; S2); S3 and S1; (S2; S3)

80

Equivalence of (S1; S2); S3 and S1; (S2; S3)

(S1; S2), s s12, S3, s12 s’ (S1; S2); S3, s s’

S1, s s1, S2, s1 s12

S1, s s1, (S2; S3), s12 s’ (S1; S2); S3, s s’

S2, s1 s12, S3, s12 s’

Assume (S1; S2); S3, s s’ then the following unique derivation tree exists:

Using the rule applications above, we can construct the following derivation tree:

And vice versa.

81

Deterministic semantics for While• Theorem: for all statements S and states s1, s2

if S, s s1 and S, s s2 then s1=s2

• The proof uses induction on the shape of derivation trees (pages 29-30)– Prove that the property holds for all simple

derivation trees by showing it holds for axioms– Prove that the property holds for all composite trees:

• For each rule assume that the property holds for its premises (induction hypothesis) and prove it holds for the conclusion of the rule

single node

#nodes>1

82

The semantic function Sns

• The meaning of a statement S is defined as a partial function from State to State

Sns: Stm (State State)

• Examples:Sns skips = sSns x:=1s = s [x 1]Sns while true do skips = undefined

Sns S s = s’ if S, s s’ undefined else

83

Structural operating semantics (SOS)

• aka “Small-step semantics”

S, s S’, s’

first step

84

Structural operational semantics• Developed by Gordon Plotkin• Configurations: has one of two forms:

S, s Statement S is about to execute on state ss Terminal (final) state

• Transitions S, s = S’, s’ Execution of S from s is not completed and

remaining computation proceeds from intermediate configuration

= s’ Execution of S from s has terminated and the final state is s’

• S, s is stuck if there is no such that S, s

first step

85

Structural semantics for While x:=a, s s[xAas][asssos]

skip, s s[skipsos]

S1, s S1’, s’ S1; S2, s S1’; S2, s’ [comp1

sos]

if b then S1 else S2, s S1, s if B b s = tt[ifttsos]

if b then S1 else S2, s S2, s if B b s = ff[ifffsos]

S1, s s’ S1; S2, s S2, s’ [comp2

sos]

When does this happen?

86

Structural semantics for While

while b do S, s if b then

S; while b do S) else

skip, s

[whilesos]

87

Derivation sequences• A derivation sequence of a statement S starting in state s is either• A finite sequence 0, 1, 2 …, k such that

1. 0 = S, s2. i i+1

3. k is either stuck configuration or a final state

• An infinite sequence 0, 1, 2, … such that1. 0 = S, s2. i i+1

• Notations:– 0 k k 0 derives k in k steps– 0 * 0 derives in a finite number of steps

• For each step there is a corresponding derivation tree

88

Derivation sequence example

• Assume s0=[x5, y7, z0](z:=x; x:=y); y:=z, s0

x:=y; y:=z, s0[z5] y:=z, (s0[z5])[x7] ((s0[z5])[x7])[y5]

(z:=x; x:=y); y:=z, s0 x:=y; y:=z, s0[z5]

z:=x; x:=y, s0 x:=y, s0[z5]

z:=x, s0 s0[z5]

• Derivation tree for first step:

89

Evaluation via derivation sequences

• For any While statement S and state s it is always possible to find at least one derivation sequence from S, s– Apply axioms and rules forever or until a terminal

or stuck configuration is reached• Proposition: there are no stuck configurations

in While

90

Factorial (n!) example

• Input state s such that s x = 3y := 1; while (x=1) do (y := y * x; x := x – 1)

y :=1 ; W, s W, s[y1] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y1] ((y := y * x; x := x – 1); W), s[y1] (x := x – 1; W), s[y3] W , s[y3][x2] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y3][x2] ((y := y * x; x := x – 1); W), s[y3] [x2] (x := x – 1; W) , s[y6] [x2] W, s[y6][x1] if (x =1) then ((y := y * x; x := x – 1); W else skip, s[y6][x1] skip, s[y6][x1] s[y6][x1]

91

Program termination

• Given a statement S and input s– S terminates on s if there exists a finite derivation

sequence starting at S, s– S terminates successfully on s if there exists a

finite derivation sequence starting at S, s leading to a final state

– S loops on s if there exists an infinite derivation sequence starting at S, s

92

Properties of structural operational semantics

• S1 and S2 are semantically equivalent if:– for all s and which is either final or stuck,

S1, s * if and only if S2, s * – for all s, there is an infinite derivation sequence

starting at S1, s if and only if there is an infinite derivation sequence starting at S2, s

• Theorem: While is deterministic:– If S, s * s1 and S, s * s2 then s1=s2

93

Sequential composition• Lemma: If S1; S2, s k s’’ then

there exists s’ and k=m+n such thatS1, s m s’ and S2, s’ n s’’

• The proof (pages 37-38) uses induction on the length of derivation sequences– Prove that the property holds for all derivation sequences

of length 0– Prove that the property holds for all other derivation

sequences: • Show that the property holds for sequences of length k+1 using

the fact it holds on all sequences of length k (induction hypothesis)

94

The semantic function Ssos

• The meaning of a statement S is defined as a partial function from State to State

Ssos: Stm (State State)

• Examples:Ssos skip s = sSsos x:=1 s = s [x 1]Ssos while true do skip s = undefined

Ssos S s = s’ if S, s * s’ undefined else

95

An equivalence result

• For every statement in WhileSns S = Ssos S

• Proof in pages 40-43

The End

Documents

Noam Rinetzky Lecture 2: Program Semantics