Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479

Published byKaylin Bisbee Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479"— Presentation transcript:

1 Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 9: Abstract Interpretation I Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 We begin … Mobiles Scribe Home assignment – next lesson

3 Previously Operational Semantics – Large step (Natural) – Small step (SOS) Denotational Semantics – aka mathematical semantics Axiomatic Semantics – aka Hoare Logic – aka axiomatic (manual) verification 3 How? What? Why?

4 From verification to analysis Manual program verification – Verifier provides assertions Loop invariants Automatic program verification (P analysis) – Tool automatically synthesize assertions Finds loop invariants

5 Manual proof for max 5 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k<N } { x  N  x  N } { x=N }

6 Manual proof for max 6 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k  N } { x  N  x  N } { x=N }

7 Can we find this proof automatically? 7 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k  N } { x  N  x  N } { x=N } Observation: predicates in proof have the general form  constraint where constraint has the form X - Y  c or  X  c

8 Zone Abstract Domain (Analysis) Developed by Antoine Mine in his Ph.D. thesis Uses constraints of the form X - Y  c and  X  c Built on top of Difference Bound Matrices (DBM) and shortest-path algorithms – O(n 3 ) time – O(n 2 ) space 8

9 Analysis with Zone abstract domain 9 nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { N  0  x=0 } Inv = { N  0  0  x  N } while x res then { N  0  0  x<N } res := nums[x] { N  0  0  x<N } { N  0  0  x<N } x := x + 1 { N  0  0<x  N } {N  0  0  x  x=N } nums : array N : int { N  0 } x := 0 { N  0  x=0 } res := nums[0] { x=0 } Inv = { x  N } while x res then { x=k  k<N } res := nums[x] { x=k  k<N } { x=k  k<N } x := x + 1 { x=k+1  k  N } { x  N  x  N } { x=N } Static Analysis with Zone AbstractionManual Proof

10 Abstract Interpretation [Cousot’77] Mathematical foundation of static analysis 10

11 Abstract Interpretation [Cousot’77] Mathematical foundation of static analysis – Abstract (semantic) domains(“abstract states”) – Transformer functions (“abstract steps”) – Chaotic iteration (“abstract computation”) 11

12 Abstract Interpretation [CC77] A very general mathematical framework for approximating semantics – Generalizes Hoare Logic – Generalizes weakest precondition calculus Allows designing sound static analysis algorithms – Usually compute by iterating to a fixed-point – Not specific to any programming language style Results of an abstract interpretation are (loop) invariants – Can be interpreted as axiomatic verification assertions and used for verification 12

13 Abstract Interpretation by Example

14 Motivating Application: Optimization A compiler optimization is defined by a program transformation: T : Prog  Prog The transformation is semantics-preserving:  s  State. S sos  C  s = S sos  T(C)  s The transformation is applied to the program only if an enabling condition is met We use static analysis for inferring enabling conditions 14

15 Common Subexpression Elimination If we have two variable assignments x := a op b … y := a op b and the values of x, a, and b have not changed between the assignments, rewrite the code as x = a op b … y := x Eliminates useless recalculation Paves the way for more optimizations – e.g., dead code elimination 15 op  {+, -, *, ==, <=}

16 What do we need to prove? 16 { true } C 1 x := a op b C 2 { x = a op b } y := a op b C 3 { true } C 1 x := a op b C 2 { x = a op b } y := x C 3 CSE

17 Available Expressions Analysis A static analysis that infers for every program point a set of facts of the form AV = { x = y | x, y  Var }  { x = - y | x, y  Var }  { x = y op z | y, z  Var, op  {+, -, *, <=} } For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n 3 ) – Yields a trivial algorithm … but, is it efficient? 17

18 Which proof is more desirable? 18 { true } x := a + b { x=a+b } z := a + c { x=a+b } y := a + b... { true } x := a + b { x=a+b } z := a + c { z=a+c } y := a + b... { true } x := a + b { x=a+b } z := a + c { x=a+b  z=a+c } y := a + b...

19 Which proof is more desirable? 19 { true } x := a + b { x=a+b } z := a + c { x=a+b } y := a + b... { true } x := a + b { x=a+b } z := a + c { z=a+c } y := a + b... { true } x := a + b { x=a+b } z := a + c { x=a+b  z=a+c } y := a + b... More detailed predicate = more optimization opportunities x=a+b  z=a+c  x=a+b x=a+b  z=a+c  z=a+c Implication formalizes “more detailed” relation between predicates

20 Developing a theory of approximation Formulae are suitable for many analysis-based proofs but we may want to represent predicates in other ways: – Sets of “facts” – Automata – Linear (in)equalities – … ad-hoc representation Wanted: a uniform theory to represent semantic values and approximations 20

21 A Blast from the Past Recall denotational semantics – Pre-orders – Partial orders Complete partial orders CPO, Pointed CPO Lattices Least upper bounds Chains – Monotonic functions – Fixpoints

22 Abstract Domains Mathematical foundations

23 Preorder We say that a binary order relation  over a set D is a preorder if the following conditions hold for every d, d’, d’’  D – Reflexive: d  d – Transitive: d  d’ and d’  d’’ implies d  d’’ There may exist d, d’ such that d  d’ and d’  d yet d  d’ 23

24 Preorder example Simple Available Expressions Define SAV = { x = y | x, y  Var }  { x = y + z | y, z  Var } For D=2 SAV (sets of available expressions) define (for two subsets A 1, A 2  D) A 1  imp A 2 if and only if  A 1   A 2 A 1 is “more detailed” if it implies all facts of A 2 Compare {x=y  x=a+b} with {x=y  y=a+b} – Which one should we choose? 24 Can we decide A 1  imp A 2 ?

25 The meaning of implication A predicate P represents the set of states models(P) = { s | s  P } P  Q means models(P)  models(Q) 25

26 Partially ordered sets A partially ordered set (poset) is a pair (D,  ) – D is a set of elements – a (semantic) domain –  is a partial order between pairs of elements from D. That is  : D  D with the following properties, for all d, d’, d’’ in D Reflexive: d  d Transitive: d  d’ and d’  d’’ implies d  d’’ Anti-symmetric: d  d’ and d’  d implies d = d’ Notation: if d  d’ and d  d’ we write d  d’ 26 Unique “most detailed” element

27 From preorders to partial orders We can transform a preorder into a poset by 1.Coarsening the ordering 2.Switching to a canonical form by choosing a representative for the set of equivalent elements d * for { d’ | d  d’ and d’  d } 27

28 Coarsening for SAV For D=2 SAV (sets of available expressions) define (for two subsets A 1, A 2  D) A 1  coarse A 2 if and only if A 1  A 2 Notice that if A 1  A 2 then  A 1   A 2 Compare {x=y  x=a+b} with {x=y  y=a+b} How about {x=y  x=a+b  y=a+b} ? 28

29 Canonical form for SAV For an available expressions element A define Explicate(A) = minimal set B such that: 1. A  B 2.x=y  B implies y=x  B 3.x=y  B and y=z  B implies x=z  B 4.x=y+z  B implies x=z+y  B 5.x=y  B and x=z+w  B implies y=z+w  B 6.x=y  B and z=x+w  B implies z=y+w  B 7.x=z+w  B and y=z+w  B implies x=y  B Makes all implicit facts explicit Define A * = Explicate(A) Define (for two subsets A 1, A 2  D) A 1  exp A 2 if and only if A 1 *  A 2 * Lemma: A 1  exp A 2 if and only A 1  imp A 2 29 Therefore A 1  imp A 2 is decidable

30 Some posets-related terminology If x  y we can say – x is lower than y – x is more precise than y – x is more concrete than y – x under-approximates y – y is greater than x – y is less precise than x – y is more abstract than x – y over-approximates x 30

31 Visualizing ordering for SAV 31 {false} {x=y  y=z+a} * {x=y  p=q} * {y=z+a  p=q} * {x=y} * {y=z+a} * {p=q} * {true} Greater Lower D={x=y, y=x, p=q, q=p, y=z+a, y=a+z, z=y+z, x=z+a}

32 Pointed poset A poset (D,  ) with a least element  is called a pointed poset – For all d  D we have that   d The pointed poset is denoted by (D, ,  ) We can always transform a poset (D,  ) into a pointed poset by adding a special bottom element (D  {  },   {  d | d  D},  ) Greatest element for SAV = {true = ?} Least element for SAV = {false= ?} 32

33 Annotating conditions 33 { P } if b then { b  P } S 1 { Q 1 } else S 2 { Q 2 } { Q } Q approximates Q 1 and Q 2 We need a general way to approximate a set of semantic elements by a single semantic element

34 Join operator Assume a poset (D,  ) Let X  D be a subset of D (finite/infinite) The join of X is defined as –  X = the least upper bound (LUB) of all elements in X if it exists –  X = min  { b | forall x  X we have that x  b} – The supremum of the elements in X – A kind of abstract union (disjunction) operator Properties of a join operator – Commutative: x  y = y  x – Associative: (x  y)  z = x  (y  z) – Idempotent: x  x = x 34

35 Meet operator Assume a poset (D,  ) Let X  D be a subset of D (finite/infinite) The meet of X is defined as –  X = the greatest lower bound (GLB) of all elements in X if it exists –  X = max  { b | forall x  X we have that b  x} – The infimum of the elements in X – A kind of abstract intersection (conjunction) operator Properties of a join operator – Commutative: x  y = y  x – Associative: (x  y)  z = x  (y  z) – Idempotent: x  x = x 35

36 Complete lattices A complete lattice (D, , , , ,  ) is A set of elements D A partial order x  y A join operator  A meet operator  A bottom element  = ? A top element  = ? 36

37 Complete lattices A complete lattice (D, , , , ,  ) is A set of elements D A partial order x  y A join operator  A meet operator  A bottom element  =   A top element  =  D 37

38 Transfer Functions Mathematical foundations

39 Towards an automatic proof Goal: automatically compute an annotated program proving as many facts of the form x = y + z as possible Decision 1: develop a forward-going proof Decision 2: draw predicates from a finite set D – “looking under the light of the lamp” – A compromise that simplifies problem by focusing attention – possibly miss some facts that hold Challenge 1: handle straight-line code Challenge 2: handle conditions Challenge 3: handle loops 39

40 Domain for SAV Define atomic facts (for SAV) as  = { x = y | x, y  Var }  { x = y + z | x, y, z  Var } – For n=|Var| number of atomic facts is O(n 3 ) Define sav-predicates as  = 2  For D  , Conj(D) =  D – Conj({a=b, c=b+d, b=c}) = (a=b)  (c=b+d)  (b=c) Note: – Conj(D 1  D 2 ) = Conj(D 1 )  Conj(D 1 ) – Conj({})  true 40

41 Challenge 2: handling straight-line code 41

42 handling straight-line code: Goal Given a program of the form x 1 := a 1 ; … x n := a n Find predicates P 0, …, P n such that 1.{P 0 } x 1 := a 1 {P 1 } … {P n-1 } x n := a n {P n } is a proof sp(x i := a i, P i-1 )  P i 2.P i = Conj(D i ) D i is a set of simple (SAV) facts 42

43 Example Find a proof that satisfies both conditions 43 { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c }

44 Example Can we make this into an algorithm? 44 { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c } Frame sp cons

45 Algorithm for straight-line code Goal: find predicates P 0, …, P n such that 1.{P 0 } x 1 := a 1 {P 1 } … {P n-1 } x n := a n {P n } is a proof That is: sp(x i := a i, P i-1 )  P i 2.Each P i has the form Conj(D i ) where D i is a set of simple (SAV) facts Idea: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) – We call F the abstract transformer for x:=a Initialize D 0 ={} For each i: compute D i+1 = Conj(F SAV [x i := a i ] D i ) Finally P i = Conj(D i ) 45

46 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 46

47 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 47

48 Defining an SAV abstract transformer Goal: define a function F SAV [x:=a] :    s.t. if F SAV [x:=a](D) = D’ thensp(x := a, Conj(D))  Conj(D’) Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 48  Is either a variable v or an addition expression v+w { x=  } x:=a { } [kill-lhs] { y=x+w } x:=a { } [kill-rhs-1] { y=w+x } x:=a { } [kill-rhs-2] { } x:=  { x=  } [gen] { y=z+w } x:=a { y=z+w } [preserve]

49 SAV abstract transformer example 49  Is either a variable v or an addition expression v+w { } x := a + b { x=a+b } z := a + c { x=a+b, z=a+c } b := a * c { z=a+c } { x=  } x:=a { } [kill-lhs] { y=x+w } x:=a { } [kill-rhs-1] { y=w+x } x:=a { } [kill-rhs-2] { } x:=  { x=  } [gen] { y=z+w } x:=a { y=z+w } [preserve]

50 Problem 1: large expressions Large expressions on the right hand sides of assignments are problematic – Can miss optimization opportunities – Require complex transformers Solution: transform code to normal form where right-hand sides have bounded size 50 Missed CSE opportunity { } x := a + b + c { } y := a + b + c { }

51 Solution: Simplify Prog. Lang. Main idea: simplify expressions by storing intermediate results in new temporary variables – Three-address code Number of variables in simplified statements  3 51 { } x := a + b + c { } y := a + b + c { } { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c }

52 Solution: Simplify Prog. Lang. Main idea: simplify expressions by storing intermediate results in new temporary variables – Three-address code Number of variables in simplified statements  3 52 { } x := a + b + c { } y := a + b + c { } { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c } Need to infer i1=i2

53 Problem 2: Transformer Precision Our transformer only infers syntactically available expressions – ones that appear in the code explicitly We want a transformer that looks deeper into the semantics of the predicates – Takes equalities into account 53 { } i1 := a + b { i1=a+b } x := i1 + c { i1=a+b, x=i1+c } i2 := a + b { i1=a+b, x=i1+c, i2=a+b } y := i2 + c { i1=a+b, x=i1+c, i2=a+b, y=i2+c } Need to infer i1=i2

54 Solution: Use Canonical Form Idea: make as many implicit facts explicit by – Using symmetry and transitivity of equality – Commutativity of addition – Meaning of equality – can substitute equal variables For P=Conj(D) let Explicate(D) = minimal set D * such that: 1.D  D * 2.x=y  D * implies y=x  D * 3.x=y  D * y=z  D * implies x=z  D * 4.x=y+z  D * implies x=z+y  D * 5.x=y  D * and x=z+w  D * implies y=z+w  D * 6.x=y  D * and z=x+w  D * implies z=y+w  D * 7.x=z+w  D * and y=z+w  D * implies x=y  D * Notice that Explicate(D)  D – Explicate is a special case of a reduction operator 54

55 Sharpening the transformer Define: F * [x:=a] = Explicate  F SAV [x:=a] 55 { } i1 := a + b { i1=a+b, i1=b+a } x := i1 + c { i1=a+b, i1=b+a, x=i1+c, x=c+i1 } i2 := a + b { i1=a+b, i1=b+a, x=i1+c, x=c+i1, i2=a+b, i2=b+a, i1=i2, i2=i1, x=i2+c, x=c+i2, } y := i2 + c {... } Since sets of facts and their conjunction are isomorphic we will use them interchangeably

56 An algorithm for annotating SLP Annotate(P, x:=a) = {P} x:=a F * [x:=a](P) Annotate(P, S 1 ; S 2 ) = {P} S 1 ; {Q 1 } S 2 {Q 2 – Annotate(P, S 1 ) = {P} S 1 {Q 1 } – Annotate(Q 1, S 2 ) = {Q 1 } S 2 {Q 2 } 56

57 Challenge 2: handling conditions 57

58 handling conditions: Goal Annotate a program if b then S 1 else S 2 with predicates from  Assumption 1: P is given (otherwise use true) Assumption 2: b is a simple binary expression e.g., x=y, x  y, x<y (why?) 58 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q }

59 handling conditions: Goal Annotate a program if b then S 1 else S 2 with predicates from  Assumption 1: P is given (otherwise use true) Assumption 2: b is a simple binary expression e.g., x=y, x  y, x<y (why?) 59 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q }

60 Annotating conditions 1.Start with P or {b  P} and annotate S 1 (yielding Q 1 ) 2.Start with P or {  b  P} and annotate S 2 (yielding Q 2 ) 3.How do we infer a Q such that Q 1  Q and Q 2  Q? Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) 60 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q } Possibly an SAV-fact

61 Joining predicates 1.Start with P or {b  P} and annotate S 1 (yielding Q 1 ) 2.Start with P or {  b  P} and annotate S 2 (yielding Q 2 ) 3.How do we infer a Q such that Q 1  Q and Q 2  Q? Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) 61 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q } The join operator for SAV

62 Joining predicates Q 1 =Conj(D 1 ), Q 2 =Conj(D 2 ) We want to soundly approximate Q 1  Q 2 in  Define: Q = Q 1  Q 2 = Conj(D 1  D 2 ) Notice that Q 1  Q and Q 2  Q meaning Q 1  Q 2  Q 62

63 Handling conditional expressions Let D be a set of facts and b be an expression Goal: Elements in  that soundly approximate – D  bexpr – D   bexpr Technique: Add statement assume bexpr  assume bexpr, s   sos s if B  bexpr  s = tt Find a function F[ assume bexpr] :    Conj(D)  bexpr  Conj(F[ assume bexpr]) 63

64 Handling conditional expressions F[ assume bexpr] :    such that Conj(D)  bexpr  Conj(F[ assume bexpr])  (bexpr) = if bexpr is an SAV-fact then {bexpr} else {} – Notice bexpr   (bexpr) – Examples  (y=z) = {y=z}  (y<z) = {} F[ assume bexpr](D) = D   (bexpr) 64

65 Example 65 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

66 Example 66 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

67 Recap We now have an algorithm for soundly annotating loop-free code Generates forward-going proofs Algorithm operates on abstract syntax tree of code – Handles straight-line code by applying F * – Handles conditions by recursively annotating true and false branches and then intersecting their postconditions 67

68 An algorithm for conditions Annotate(P, if bexpr then S 1 else S 2 ) = {P} if bexpr then S 1 else S 2 Q 1  Q 2 – Annotate(P   (bexpr), S 1 ) = F[ assume bexpr](P) S 1 {Q 1 } – Annotate(P   (  bexpr), S 2 )= F[ assume  bexpr](P) S 2 {Q 2 } 68

69 Example 69 { } if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b } else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a } { a=b+c, a=c+b }

70 Challenge 2: handling loops 70 By Stefan Scheer (Own work (Own Photo)) [GFDL (http://www.gnu.org/copyleft/fdl.html), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/) or CC-BY-SA-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/2.5-2.0-1.0)], via Wikimedia Commons

71 Challenge 2: handling loops 71

72 handling loops: Goal 72 { P } Inv = { N } while bexpr do { bexpr  N } S { Q } {  bexpr  N }

73 handling loops: Goal Annotate a program while bexpr do S with predicates from  – s.t. P  N Main challenge: find N Assumption 1: P is given (otherwise use true) Assumption 2: bexpr is a simple binary expression 73 { P } Inv = { N } while bexpr do { bexpr  N } S { Q } {  bexpr  N }

74 Example: annotate this program 74 { y=x+a, y=a+x, w=d, d=w } Inv = { y=x+a, y=a+x } while (x  z) do { z=x+a, z=a+x, w=d, d=w } x := x + 1 { w=d, d=w } y := x + a { y=x+a, y=a+x, w=d, d=w } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

75 Example: annotate this program 75 { y=x+a, y=a+x, w=d, d=w } Inv = { y=x+a, y=a+x } while (x  z) do { y=x+a, y=a+x } x := x + 1 { } y := x + a { y=x+a, y=a+x } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

76 handling loops: Idea Idea: try to guess a loop invariant from a small number of loop unrollings – We know how to annotate S (by induction) 76 { P } Inv = { N } while bexpr do { bexpr  N } S { Q } {  bexpr  N }

77 k-loop unrolling 77 { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a }

78 k-loop unrolling 78 { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x }

79 k-loop unrolling 79 The following must hold: P  N Q 1  N Q 2  N … Q k  N { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x }

80 k-loop unrolling 80 The following must hold: P  N Q 1  N Q 2  N … Q k  N … { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } We can compute the following sequence: N 0 = P N 1 = N 1  Q 1 N 2 = N 1  Q 2 … N k = N k-1  Q k Observation 1: No need to explicitly unroll loop – we can reuse postcondition from unrolling k-1 for k

81 k-loop unrolling 81 The following must hold: P  N Q 1  N Q 2  N … Q k  N … { P } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } if (x  z) x := x + 1 y := x + a d := x + a Q 2 = { y=x+a, y=a+x } … { P } Inv = { N } while (x  z) do x := x + 1 y := x + a d := x + a { y=x+a, y=a+x, w=d, d=w } if (x  z) x := x + 1 y := x + a d := x + a Q 1 = { y=x+a, y=a+x } We can compute the following sequence: N 0 = P N 1 = N 1  Q 1 N 2 = N 1  Q 2 … N k = N k-1  Q k Observation 2: N k monotonically decreases set of facts. Question: does it stabilizes for some k?

82 Algorithm for annotating a loop Annotate(P, while bexpr do S ) = Initialize N’ := N c := P repeat let Annotate(P, if b then S else skip ) be {N c } if bexpr then S else skip {N’} N c := N c  N’ until N’ = N c return {P} INV= N’ while bexpr do F[ assume bexpr](N) Annotate(F[ assume bexpr](N), S) F[ assume  bexpr](N) 82

83 A technical issue Unrolling loops is quite inconvenient and inefficient (but we can avoid it as we just saw) How do we handle more complex control-flow constructs, e.g., goto, break, exceptions…? Solution: model control-flow by labels and goto statements Would like a dedicated data structure to explicitly encode control flow in support of the analysis Solution: control-flow graphs (CFGs) 83

84 Intermediate language example 84 while (x  z) do x := x + 1 y := x + a d := x + a a := b label0: if x  z goto label1 x := x + 1 y := x + a d := x + a goto label0 label1: a := b

85 Control-flow graph example 85 1 label0: if x  z goto label1 x := x + 1 y := x + a d := x + a goto label0 label1: a := b 2 3 4 5 7 8 6 label0: if x  z x := x + 1 y := x + a d := x + a goto label0 label1: a := b 1 2 3 4 5 6 7 8 line number

86 Control-flow graph example 86 1 label0: if x  z goto label1 x := x + 1 y := x + a d := x + a goto label0 label1: a := b 2 3 4 5 7 8 6 label0: if x  z x := x + 1 y := x + a d := x + a goto label0 label1: a := b 1 2 3 4 5 6 8 entry exit 7

87 Control-flow graph Node are statements or labels Special nodes for entry/exit A edge from node v to node w means that after executing the statement of v control passes to w – Conditions represented by splits and join node – Loops create cycles Can be generated from abstract syntax tree in linear time – Automatically taken care of by the front-end Usage: store analysis results in CFG nodes 87

88 CFG with Basic Blocks Stores basic blocks in a single node Extended blocks – maximal connected loop- free subgraphs 88 if x  z x := x + 1 y := x + a d := x + a a := b 2 3 8 entry exit 4 5

89 Next lecture: abstract interpretation 4

90 Previously Available Expressions analysis – Abstract transformer for assignments – Processing serial composition – Processing conditions – Processing loop Control-flow graphs 90

91 CSE optimization 91 { x = a + b } y := a + b y := x CSE

92 Semantic domain Define factoids:  = { x = y | x, y  Var }  { x = y + z | x, y, z  Var } Define predicates as  = 2  Treat conjunctive formulas as sets of factoids {a=b, c=b+d, b=c} ~ (a=b)  (c=b+d)  (b=c) 92

93 Defining an SAV abstract transformer Goal: define a function F SAV [x:=aexpr] :    s.t. if F SAV [x:=aexpr](D) = D’ thensp(x :=aexpr, D)  D’ Idea: define rules for individual facts and generalize to sets of facts by the conjunction rule 93  Is either a variable v or an addition expression v+w { x=  } x:= aexpr { } [kill-lhs] { y=x+w } x:= aexpr { } [kill-rhs-1] { y=w+x } x:= aexpr { } [kill-rhs-2] { } x:=  { x=  } [gen] { y=z+w } x:= aexpr { y=z+w } [preserve]

94 Defining a reduction For an SAV-predicate D define Explicate(D) = minimal set D * such that: 1.D  D * 2.x=y  D * implies y=x  D * 3.x=y  D * y=z  D * implies x=z  D * 4.x=y+z  D * implies x=z+y  D * 5.x=y  D * and x=z+w  D * implies y=z+w  D * 6.x=y  D * and z=x+w  D * implies z=y+w  D * 7.x=z+w  D * and y=z+w  D * implies x=y  D * Define: F * [x:=aexpr] = Explicate  F SAV [x:= aexpr] 94

95 Recap

96 An algorithm for annotating SLP Annotate(P, S 1 ; S 2 ) = let Annotate(P, S 1 ) be {P} A 1 {Q 1 } let Annotate(Q 1, S 2 ) be {Q 1 } A 2 {Q 2 } return {P} A 1 ; {Q 1 } A 2 {Q 2 } 96

97 Handling conditional expressions We want to soundly approximate D  bexpr and D   bexpr in  Define an artificial statement assume bexpr  assume bexpr, s   sos s if B  bexpr  s = tt Define  (bexpr) = if bexpr is factoid {bexpr} else {} Define F[ assume bexpr](D) = D   (bexpr) Can sharpen F * [ assume bexpr] = Explicate  F SAV [ assume bexpr] 97

98 An algorithm for annotating conditions let P t = F * [ assume bexpr] P let P f = F * [ assume  bexpr] P let Annotate(P t, S 1 ) be {P t } A 1 {Q 1 } let Annotate(P f, S 2 ) be {P f } A 2 {Q 2 } return {P} if bexpr then {P t } A 1 {Q 1 } else {P f } A 2 {Q 2 } {Q 1  Q 2 } 98

99 Algorithm for annotating loops Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = N c return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)} 99

100 Algorithm for annotating a program Annotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F * [x:=aexpr] P} case S is S 1 ; S 2 let Annotate(P, S 1 ) be {P} A 1 {Q 1 } let Annotate(Q 1, S 2 ) be {Q 1 } A 2 {Q 2 } return {P} A 1 ; {Q 1 } A 2 {Q 2 } case S is if bexpr then S 1 else S 2 let P t = F[ assume bexpr] P let P f = F[ assume  bexpr] P let Annotate(P t, S 1 ) be {P t } A 1 {Q 1 } let Annotate(P f, S 2 ) be {P f } A 2 {Q 2 } return {P} if bexpr then {P t } A 1 {Q 1 } else {P f } A 2 {Q 2 } {Q 1  Q 2 } case S is while bexpr do S N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)} 100

101 Exercise: apply algorithm 101 { } y := a+b { } x := y {} while (x  z) do {} w := a+b {} x := a+b {} a := z {}

102 Step 1/18 102 {} y := a+b { y=a+b }* x := y while (x  z) do w := a+b x := a+b a := z Not all factoids are shown – apply Explicate to get all factoids

103 Step 2/18 103 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* while (x  z) do w := a+b x := a+b a := z

104 Step 3/18 104 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do w := a+b x := a+b a := z

105 Step 4/18 105 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b x := a+b a := z

106 Step 5/18 106 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b a := z

107 Step 6/18 107 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z

108 Step 7/18 108 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’ = { y=a+b, x=y, x=a+b }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

109 Step 8/18 109 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

110 Step 9/18 110 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

111 Step 10/18 111 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

112 Step 11/18 112 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=y, w=x, x=y, a=z }*

113 Step 12/18 113 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’ = { x=y }* while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

114 Step 13/18 114 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

115 Step 14/18 115 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

116 Step 15/18 116 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

117 Step 16/18 117 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

118 Step 17/18 118 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv’’’ = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

119 Step 18/18 119 {} y := a+b { y=a+b }* x := y { y=a+b, x=y, x=a+b }* Inv = { } while (x  z) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }* { x=z }

120 Another Example

121 Constant Propagation Optimization: constant folding – Example: x:=7; y:=x*9 transformed to: x:=7; y:=7*9 and then to: x:=7; y:=63 Analysis: constant propagation (CP) – Infers facts of the form x = c 121 { x = c } y := aexpr y := eval(aexpr[c/x]) constant folding simplifies constant expressions

122 CP semantic domain 122 ?

123 CP semantic domain Define CP-factoids:  = { x = c | x  Var, c  Z } – How many factoids are there? Define predicates as  = 2  – How many predicates are there? – Do all predicates make sense? (x=5)  (x=7) Treat conjunctive formulas as sets of factoids {x=5, y=7} ~ (x=5)  (y=7) 123

124 CP abstract transformer Goal: define a function F CP [x:=aexpr] :    such that if F CP [x:=aexpr] P = P’ then sp(x:=aexpr, P)  P’ 124 ?

125 CP abstract transformer Goal: define a function F CP [x:=aexpr] :    such that if F CP [x:=aexpr] P = P’ then sp(x:=aexpr, P)  P’ 125 { x=c } x:=aexpr { } [kill] { y=c, z=c’ } x:=y op z { x=c op c’ } [gen-2] { } x:=c { x=c } [gen-1] { y=c } x:=aexpr { y=c } [preserve]

126 Gen-kill formulation of transformers Suited for analysis propagating sets of factoids – Available expressions, – Constant propagation, etc. For each statement, define a set of killed factoids and a set of generated factoids F[S] P = (P \ kill(S))  gen(S) F CP [x:=aexpr] P = (P \ {x=c}) aexpr is not a constant F CP [x:=k] P = (P \ {x=c})  {x=k} Used in dataflow analysis – a special case of abstract interpretation 126

127 Does this still work? Annotate(P, S 1 ; S 2 ) = let Annotate(P, S 1 ) be {P} A 1 {Q 1 } let Annotate(Q 1, S 2 ) be {Q 1 } A 2 {Q 2 } return {P} A 1 ; {Q 1 } A 2 {Q 2 } 127

128 Handling conditional expressions We want to soundly approximate D  bexpr and D   bexpr in  Define an artificial statement assume bexpr  assume bexpr, s   sos s if B  bexpr  s = tt Define  (bexpr) = if bexpr is CP-factoid {bexpr} else {} Define F[ assume bexpr](D) = D   (bexpr) 128

129 Does this still work? let P t = F[ assume bexpr] P let P f = F[ assume  bexpr] P let Annotate(P t, S 1 ) be {P t } A 1 {Q 1 } let Annotate(P f, S 2 ) be {P f } A 2 {Q 2 } return {P} if bexpr then {P t } A 1 {Q 1 } else {P f } A 2 {Q 2 } {Q 1  Q 2 } 129 How do we define join for CP?

130 Join example {x=5, y=7}  {x=3, y=7, z=9} = 130

131 Does this still work? What about correctness? What about termination? 131 Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)}

132 Does this still work? What about correctness? – If loop terminates then is N’ a loop invariant? What about termination? 132 Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)}

133 A termination principle g : X  X is a function How can we determine whether the sequence x 0, x 1 = g(x 0 ), …, x k+1 =g(x k ),… stabilizes? Technique: 1.Find ranking function rank : X  N (that is show that rank(x)  0 for all x) 2.Show that if x  g(x) then rank(g(x)) < rank(x) 133

134 Rank function for available expressions rank(P) = ? 134

135 Rank function for available expressions rank(P) = |P| number of factoids Prove that either N c = N c  N’ or rank(N c  N’) < ? rank(N c ) 135 Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)}

136 Rank function for constant propagation rank(P) = ? Prove that either N c = N c  N’ or rank(N c ) > ? rank(N c  N’) 136 Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)}

137 Rank function for constant propagation rank(P) = |P| number of factoids Prove that either N c = N c  N’ or rank(N c ) > ? rank(N c  N’) 137 Annotate(P, while bexpr do S) = N’ := N c := P // Initialize repeat let P t = F[ assume bexpr] N c let Annotate(P t, S) be {N c } A body {N’} N c := N c  N’ until N’ = Nc return {P} INV= {N’} while bexpr do {P t } A body {F[ assume  bexpr](N)}

138 What were the common elements? Two static analyses – Available Expressions (extended with equalities) – Constant Propagation Semantic domain – An approximation relation  A weaker one given by set inclusion – Join operator Abstract transformers for basic statements – Assignments – assume statements Initial precondition 138

139 Orders (Reminder)

140 Preorder Let D be a set of elements We say that a binary order relation  over D is a preorder if the following conditions hold for every d, d’, d’’  D – Reflexive: d  d – Transitive: d  d’ and d’  d’’ implies d  d’’ There may exist d, d’ such that d  d’ and d’  d yet d  d’ 140

141 Preorder examples SAV-predicates – SAV-factoids  = { x = y | x, y  Var }  { x = y + z | x, y, z  Var } – SAV-predicates  = 2  – Order relation 1: P 1  set P 2 iff P 1  P 2 – Order relation 2: P 1  imp P 2 iff P 1  P 2 – Which order relation is stronger (contains more pairs)? – Which order relation is easier to check? 141

142 SAV preorder 1: P 1  set P 2 iff P 1  P 2 142 {x=y}{x=x+x}{y=y+y} {} {y=x}{y=x+y}{y=y+x}{x=x+y}{x=y+x} {x=y, y=x}{x=y, x=x+x}{x=x+y, x=y+x} … {x=y, x=x+x, x=x+y} … {x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x} Var = {x, y}

143 Preorder examples CP-predicates – CP-factoids  = { x = c | x  Var, c  Z } – CP-predicates  = 2  – Order relation 1: P 1  set P 2 iff P 1  P 2 – Order relation 2: P 1  imp P 2 iff P 1  P 2 – Is there a difference? 143

144 Preorder examples CP-predicates – CP-factoids  = { x = c | x  Var, c  Z } – CP-predicates  = 2  – Order relation 1: P 1  set P 2 iff P 1  P 2 – Order relation 2: P 1  imp P 2 iff P 1  P 2 – Is there a difference? {x=5, x=7, x=9}  {x=5, x=7} {x=5, x=7, x=9}  {x=5, x=7} {x=5, x=7}  {x=5, x=7, x=9} 144

145 CP preorder example 145 {x=-3}{x=-1}{x=0} {} {x=-2}{x=1}{x=2}{x=3} …… Var = {x}

146 CP preorder example 146 {x=-3}{x=3}{y=-5} {} {x=0}{y=0}{y=36} …… {x=-3, y=-5}{x=0, y=0}{x=3, y=36} … Var = {x, y}

147 The problem with preorders Equivalent elements have different representations – {x=y, x=a+b} S – {x=y, y=a+b} S Leads to unpredictability Which result should our static analysis give? 147

148 The problem with preorders Equivalent elements have different representations – {x=y, x=a+b} assert y==a+b – {x=y, y=a+b} assert y==a+b Leads to unpredictability Which result should our static analysis give? 148

149 The problem with preorders Equivalent elements have different representations – {x=y, x=a+b} assert x==a+b – {x=y, y=a+b} assert x==a+b Leads to unpredictability Which result should our static analysis give? 149 In practice many static analyses use preorders

150 Partially ordered sets (partial orders) A partially ordered set (Poset) is a pair (D,  ) D is a set of elements – a semantic domain  is a partial order between pairs of elements from D. That is  : D  D with the following properties, for all d, d’, d’’ in D – Reflexive: d  d – Transitive: d  d’ and d’  d’’ implies d  d’’ – Anti-symmetric: d  d’ and d’  d implies d = d’ If d  d’ and d  d’ we write d  d’ 150

151 SAV partial order SAV-predicates – SAV-factoids  = { x = y | x, y  Var }  { x = y + z | x, y, z  Var } – SAV-predicates  = 2  Order relation 1: P 1  set P 2 iff P 1  P 2 Is this a partial order? Order relation 2: P 1  imp P 2 iff P 1  P 2 that is models(P 1 )  models(P 2 ) Is this a partial order? Order relation 3: P 1  set* P 2 iff Explicate(P 1 )  set Explicate(P 2 ) Is this a partial order? 151

Download ppt "Program Analysis and Verification 0368-4479"

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
SORTING Lecture 12B CS2110 – Spring 2014. InsertionSort 2 pre: b 0 b.length ? post: b 0 b.length sorted inv: or: b[0..i-1] is sorted b 0 i b.length sorted.

SORTING Lecture 12B CS2110 – Spring InsertionSort 2 pre: b 0 b.length ? post: b 0 b.length sorted inv: or: b[0..i-1] is sorted b 0 i b.length sorted.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Program Verification -- new recipe for old problem Zhou Chaochen Institute of Software, CAS

Program Verification -- new recipe for old problem Zhou Chaochen Institute of Software, CAS
Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Program Analysis and Verification 0368-4479

Program Analysis and Verification
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.

Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin.

Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin.

Similar presentations

Ads by Google