Spring 2016 Program Analysis and Verification Operational Semantics Roman Manevich Ben-Gurion University

http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html

Agenda What is semantics and what is it useful for? Operational semantics (pages 32-50)

Tentative syllabus Program Verification Program Analysis Basics Operational semantics Axiomatic Verification Program Analysis Basics Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals Lattices Fixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR

What is formal semantics? “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc.” / page 1

Why formal semantics? Implementation-independent definition of a programming language Automatically generating interpreters (and some day maybe full fledged compilers) Verification and debugging if you don’t know what it does, how do you know its incorrect?

Semantic description methods Operational semantics Structural semantics (small step) [G. Plotkin] Natural semantics (big step) [G. Kahn] Denotational semantics [D. Scott, C. Strachy] Axiomatic semantics [C. A. R. Hoare, R. Floyd] Trace semantics Collecting semantics [Instrumented semantics] Today Not in this course Used for verification Christopher Strachey & Dana S. Scott We will mainly use as basis for static analysis

The while language

Syntactic categories n  Num numerals x  Var program variables a  Aexp arithmetic expressions b  Bexp boolean expressions S  Stm statements

A simple imperative language: While Concrete syntax: a ::= n | x | a1 + a2 | a1  a2 | a1 – a2 b ::= true | false | a1 = a2 | a1  a2 | b | b1  b2 S ::= x := a | skip | S1; S2 | if b then S1 else S2 | while b do S

Concrete syntax may be ambiguous z:=x; x:=y; y:=z S S S ; S S ; S z := a S ; S S ; S y := a x x := a y := a z := a x := a z y z x y z:=x; (x:=y; y:=z) (z:=x; x:=y); y:=z

A simple imperative language: While Abstract syntax: Notation: n[la,rb] – a node labeled with n and two children l and r. The children may be labeled to indicate their role for easier reading a ::= n | x | + [a1, a2] |  [a1, a2] | –[a1, a2] b ::= true | false | =[a1, a2] | [ a1, a2] |  [b] | [b1, b2] S ::= :=[x, a] | skip | ;[S1, S2] | if[b, S1then, S2else] | while[bcondition, Sbody] n a b l r

y:=1; while (x=1) do (y:=y*x; x:=x-1) Exercise: draw an AST y:=1; while (x=1) do (y:=y*x; x:=x-1) ; := while

Semantic values

Semantic categories Z Integers {0, 1, -1, 2, -2, …} T Truth values {ff, tt} State Var  Z Example state:  =[x5, y7, z0] Lookup:  x = 5 Update: [x6] = [x6, y7, z0]

Example state manipulations [x1, y7, z16] y = [x1, y7, z16] t = [x1, y7, z16][x7, y1] = [x1, y7, z16][x5] x = [x1, y7, z16][x5] y =

Semantics of expressions

Semantics of arithmetic expressions Arithmetic expressions are side-effect free Semantic function A  Aexp  : State  Z Defined by induction on the syntax tree A  n   = n A  x   =  x A  a1 + a2   = A  a1   + A  a2   A  a1 - a2   = A  a1   - A  a2   A  a1 * a2   = A  a1    A  a2   A  (a1)   = A  a1   --- not needed A  - a   = 0 - A  a1   Compositional Properties can be proved by structural induction

Arithmetic expression exercise Suppose  x = 3 Evaluate A x+1 

Semantics of boolean expressions Boolean expressions are side-effect free Semantic function B  Bexp  : State  T Defined by induction on the syntax tree B  true   = tt B  false   = ff B  a1 = a2  = B  a1  a2   = B  b1  b2   = B   b   =

Operational semantics Concerned with how to execute programs How statements modify state Define transition relation between configurations Structural operational semantics: describes how the individual steps of a computations take place So-called “small-step” semantics

S,    Small Step Semantics first step By Vanillase (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons This file is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.

Structural operational semantics Developed by Gordon Plotkin Configurations:  has one of two forms: S,  Statement S is about to execute on state   Terminal (final) state Transitions S,    = S’, ’ Execution of S from  is not completed and remaining computation proceeds from intermediate configuration  = ’ Execution of S from  has terminated and the final state is ’ S,  is stuck if there is no  such that S,    first step PLOTKIN G .D., “A Structural Approach to Operational Semantics”, DAIMI FN-19, Computer Science Department, Aarhus University, Aarhus, Denmark, September 1981.

Structural semantics for While x:=a,   [xAa] [ass] skip,    [skip] S1,   S1’, ’ S1; S2,   S1’; S2, ’ [comp1] When does this happen? S1,   ’ S1; S2,   S2, ’ [comp2] if b then S1 else S2,   S1,  if B b  = tt [iftt] if b then S1 else S2,   S2,  if B b  = ff [ifff]

Structural semantics for While while b do S,   if b then S; while b do S) else skip,  [while]

Factorial (n!) example Input state  such that  x = 3 y := 1; while (x=1) do (y := y * x; x := x – 1) y :=1 ; W,   W, [y1]  if (x =1) then ((y := y * x; x := x – 1); W) else skip, [y1]  ((y := y * x; x := x – 1); W), [y1]  (x := x – 1; W), [y3]  W , [y3][x2]  if (x =1) then ((y := y * x; x := x – 1); W) else skip, [y3][x2]  ((y := y * x; x := x – 1); W), [y3] [x2]  (x := x – 1; W) , [y6] [x2]  W, [y6][x1]  if (x =1) then ((y := y * x; x := x – 1); W) else skip, [y6][x1]  skip, [y6][x1]  [y6][x1]

Structural operational semantics and termination

Program termination Given a statement S and input  S terminates on  if there exists a finite derivation sequence starting at S,  S terminates successfully on  if there exists a finite derivation sequence starting at S,  leading to a final state S loops on  if there exists an infinite derivation sequence starting at S, 

Semantic equivalence

Semantic equivalence S1 and S2 are semantically equivalent if: for all  and  which is either final or stuck S1,  *  if and only if S2,  *  there is an infinite derivation sequence starting at S1,  if and only if there is an infinite derivation sequence starting at S2, 

Properties of structural semantics while b do S is semantically equivalent to: if b then (S; while b do S) else skip Equivalence of program constructs Both (S; skip) and (skip; S) are semantically equivalent to S ((S1; S2); S3) is semantically equivalent to (S1; (S2; S3)) (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40)

Properties of Structural operational semantics

Theorem: While is deterministic: Proof: … ? Determinism Theorem: While is deterministic: If S,  * 1 and S,  * 2 then 1=2 Proof: … ?

The semantic function ’ if S,  *’ undefined else S  = The meaning of a statement S is defined as a partial function from State to State  Stm   (State  State) Examples: skip  =  x:=1  =  [x 1] while true do skip  = undefined S  = ’ if S,  *’ undefined else

Language extensions abort Non-determinism Parallelism Local Variables Procedures Static Scope Dynamic scope

While + abort Syntax S ::= x := a | skip | S1; S2 | if b then S1 else S2 | while b do S | abort Abort terminates the execution In “skip; S” the statement S executes In“abort; S” the statement S should never execute Structural semantics rules: …?

Comparing behaviors abort abort; S skip; S while true do skip if x = 0 then abort else y := y / x

Comparing behaviors abort Derivation sequence: abort,  abort; S Derivation sequence: abort; S,  skip; S Equivalent to S while true do skip Infinite derivation sequence if x = 0 then abort else y := y / x Derivation sequence: stuck after one step if  x = 0

While + abort conclusion abort does not affect the state, only the flow of control In the structural operational semantics looping is reflected by infinite derivations and abnormal termination is reflected by stuck configuration

Extending While with non-deterministic choice

While + non-determinism Syntax S ::= x := a | skip | S1; S2 | if b then S1 else S2 | while b do S | S1 or S2 Either S1 is executed or S2 is executed Example: x:=1 or (x:=2; x:=x+2) Possible outcomes for x: 1 and 4

Rules for non-determinism ? [or1] ? [or2] Is the semantic function for non-deterministic statements well-defined?

While + random Syntax S ::= x := a | skip | S1; S2 | if b then S1 else S2 | while b do S | x := random()

Extending While with parallel statements

While + parallelism Syntax S ::= x := a | skip | S1; S2 | if b then S1 else S2 | while b do S | S1  S2 All the interleavings of S1 and S2 are executed Example: x:=1  (x:=2; x:=x+2) Possible outcomes for x: 1, 3, 4

Rules for parallelism S1,   S1’, ’ S1S2,   S1’S2, ’

Example: derivation sequences of a parallel statement x:=1  (x:=2; x:=x+2),  

Operational semantics summary SOS is powerful enough to describe imperative programs Can define the set of traces Can represent program counter implicitly Handle goto statements and other non-trivial control constructs (e.g., exceptions) Thinking in terms of concrete semantics is essential for a compiler writer / verifier

Assignment 1 Exercise on operational semantics LaTeX: THE way to produce scientific documents Recommended editor

See you next time

Levels of abstractions and applications Static Analysis (abstract semantics)  Program Semantics  Assembly-level Semantics (Small-step)