Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 2: Operational Semantics I Roman Manevich Ben-Gurion University

Agenda What is semantics and what is it useful for? Natural operational semantics (pages 19-32) 2

Tentative syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Control Flow Graphs Equation Systems Collecting Semantics Abstract Interpretation fundamentals LatticesFixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR Crafting your own Soot From proofs to abstractions Systematically developing transformers 3

4

What is formal semantics? 5 “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc.” / page 1

What is formal semantics? 6 “This theory allows a program to be manipulated like a formula – that is to say, its properties can be calculated.” Gérard Huet & Philippe Flajolet homage to Gilles Kahn

Why formal semantics? Implementation-independent definition of a programming language Automatically generating interpreters (and some day maybe full fledged compilers) Verification and debugging – if you don’t know what it does, how do you know its incorrect? 7

Levels of abstractions and applications 8 Program Semantics Assembly-level Semantics (Small-step) Static Analysis (abstract semantics)  

Semantic description methods Operational semantics – Natural semantics (big step) [G. Kahn] – Structural semantics (small step) [G. Plotkin] Denotational semantics [D. Scott, C. Strachy] Axiomatic semantics [C. A. R. Hoare, R. Floyd] Trace semantics Collecting semantics [Instrumented semantics] 9 Today Next lecture We will mainly use as basis for static analysis Not in this course Used for verification

The while language 10

Syntactic categories n  Numnumerals x  Varprogram variables a  Aexparithmetic expressions b  Bexpboolean expressions S  Stmstatements 11

A simple imperative language: While Concrete syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 12

Concrete syntax may be ambiguous 13 a y := x S a z y Sa x z S ; S ; S a x z S a y x S ; S ; S a z y S z:=x; x:=y; y:=z z:=x; (x:=y; y:=z)(z:=x; x:=y); y:=z

A simple imperative language: While Abstract syntax: Notation: n [ l a, r b ] – a node labeled with n and two children l and r. The children may be labeled to indicate their role for easier reading a ::= n | x | + [ a 1, a 2 ] |  [ a 1, a 2 ] | – [ a 1, a 2 ] b ::= true | false | = [ a 1, a 2 ] |  [ a 1, a 2 ] |  [ b ] |  [ b 1, b 2 ] S ::= := [ x, a ] | skip | ; [ S 1, S 2 ] | if [ b, S 1 then, S 2 else ] | while [ b condition, S body ] 14 n lr a b

Exercise: draw an AST 15 :=while ; y:=1; while  (x=1) do (y:=y*x; x:=x-1)

Semantic values 16

Semantic categories Z Integers {0, 1, -1, 2, -2, …} T Truth values { ff, tt } State Var  Z Example state:  =[ x  5, y  7, z  0] Lookup:  x = 5 Update:  [ x  6] = [ x  6, y  7, z  0] 17

Example state manipulations [ x  1, y  7, z  16] y = [ x  1, y  7, z  16] t = [ x  1, y  7, z  16][ x  5] = [ x  1, y  7, z  16][ x  5] x = [ x  1, y  7, z  16][ x  5] y = 18

Semantics of expressions 19

Semantics of arithmetic expressions Arithmetic expressions are side-effect free Semantic function A  Aexp  : State  Z Defined by induction on the syntax tree A  n   = n A  x   =  x A  a 1 + a 2   = A  a 1   + A  a 2   A  a 1 - a 2   = A  a 1   - A  a 2   A  a 1 * a 2   = A  a 1    A  a 2   A  (a 1 )   = A  a 1   --- not needed A  - a   = 0 - A  a 1   Compositional Properties can be proved by structural induction 20

Arithmetic expression exercise Suppose  x = 3 Evaluate A  x+1   21

Semantics of boolean expressions Boolean expressions are side-effect free Semantic function B  Bexp  : State  T Defined by induction on the syntax tree B  true   = tt B  false   = ff B  a 1 = a 2   = B  a 1  a 2   = B  b 1  b 2   = B   b   = 22

Operational semantics 23

Operational semantics Concerned with how to execute programs – How statements modify state – Define transition relation between configurations Two flavors – Natural semantics: describes how the overall results of executions are obtained So-called “big-step” semantics – Structural operational semantics: describes how the individual steps of a computations take place So-called “small-step” semantics 24

25 Big Step (natural) Semantics By Luke (personally authorized right to use this image), via Mighty Optical IllusionsLukeMighty Optical Illusions  S,    ’

Natural operating semantics Developed by Gilles Kahn [STACS 1987]STACS 1987 Configurations  S,  Statement S is about to execute on state   Terminal (final) state Transitions  S,    ’ Execution of S from  will terminate with the result state  ’ – Ignores non-terminating computations 26

Natural operating semantics  defined by rules of the form The meaning of compound statements is defined using the meaning immediate constituent statements 27  S 1,  1    1 ’, …,  S n,  n    n ’  S,    ’ if… premise conclusion side condition

Natural semantics for While 28  x := a,    [x  A  a   ] [ass ns ]  skip,    [skip ns ]  S 1,    ’,  S 2,  ’    ’’  S 1 ; S 2,    ’’ [comp ns ]  S 1,    ’  if b then S 1 else S 2,    ’ if B  b   = tt [if tt ns ]  S 2,    ’  if b then S 1 else S 2,    ’ if B  b   = ff [if ff ns ] axioms

Natural semantics for While 29  S,     ’,  while b do S,  ’    ’’  while b do S,    ’’ if B  b   = tt [while tt ns ]  while b do S,    if B  b   = ff [while ff ns ] Non-compositional

Executing the semantics 30

Example Let  0 be the state which assigns zero to all program variables 31  x:=x+1,  0    skip,  0    0  0 [x  1]  skip,  0    0,  x:=x+1,  0    0 [x  1]  skip ; x:=x+1,  0    0 [x  1]  x:=x+1,  0    0 [x  1]  if x=0 then x:=x+1 else skip,  0    0 [x  1]

Derivation trees Using axioms and rules to derive a transition  S,    ’ gives a derivation tree – Root:  S,    ’ – Leaves: axioms – Internal nodes: conclusions of rules Immediate children: matching rule premises 32

Derivation tree example 1 Assume  0 =[x  5, y  7, z  0]  1 =[x  5, y  7, z  5]  2 =[x  7, y  7, z  5]  3 =[x  7, y  5, z  5] 33  ( z:=x; x:=y); y:=z,  0    3  ( z:=x; x:=y),  0    2  y:=z,  2    3  z:=x,  0    1  x:=y,  1    2 [ass ns ] [comp ns ]

Derivation tree example 1 Assume  0 =[x  5, y  7, z  0]  1 =[x  5, y  7, z  5]  2 =[x  7, y  7, z  5]  3 =[x  7, y  5, z  5] 34  ( z:=x; x:=y); y:=z,  0    3  ( z:=x; x:=y),  0    2  y:=z,  2    3  z:=x,  0    1  x:=y,  1    2 [ass ns ] [comp ns ]

Top-down evaluation via derivation trees Given a statement S and an input state  find an output state  ’ such that  S,    ’ Start with the root and repeatedly apply rules until the axioms are reached – Inspect different alternatives in order Theorem: In While,  ’ and the derivation tree are unique 35

Top-down evaluation example Factorial program with  x = 2 Shorthand: W= while  (x=1) do (y:=y*x; x:=x-1) 36  y:=1; while  (x=1) do (y:=y*x; x:=x-1),    [y  2][x  1]  y:=1,    [y  1]  W,  [y  1]    [y  2, x  1]  y:=y*x; x:=x-1,  [y  1]    [y  2][x  1]  W,  [y  2][x  1]    [y  2, x  1]  y:=y*x,  [y  1]    [y  2]  x:=x-1,  [y  2]    [y  2][x  1] [ass ns ] [comp ns ] [ass ns ] [comp ns ] [while ff ns ] [while tt ns ] [ass ns ]

Properties of natural semantics 37

Program termination Given a statement S and input  – S terminates on  if there exists a state  ’ such that  S,    ’ – S loops on  if there is no state  ’ such that  S,    ’ Given a statement S – S always terminates if for every input state , S terminates on  – S always loops if for every input state , S loops on  38

Semantic equivalence S 1 and S 2 are semantically equivalent if for all  and  ’  S 1,    ’ if and only if  S 2,    ’ Simple example while b do S is semantically equivalent to: if b then (S; while b do S) else skip – Read proof in pages

Properties of natural semantics Equivalence of program constructs – skip; skip is semantically equivalent to skip – ((S 1 ; S 2 ); S 3 ) is semantically equivalent to (S 1 ; (S 2 ; S 3 )) – (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40) 40

Equivalence of (S 1 ; S 2 ); S 3 and S 1 ; (S 2 ; S 3 ) 41

Equivalence of (S 1 ; S 2 ); S 3 and S 1 ; (S 2 ; S 3 ) 42  (S 1 ; S 2 ),    12,  S 3,  12    ’  (S 1 ; S 2 ); S 3,    ’  S 1,    1,  S 2,  1    12  S 1,    1,  (S 2 ; S 3 ),  12    ’  S 1 ; (S 2 ; S 3 ),    ’  S 2,  1    12,  S 3,  12    ’ Assume  (S 1 ; S 2 ); S 3,     ’ then the following unique derivation tree exists: Using the rule applications above, we can construct the following derivation tree: And vice versa.

Deterministic semantics for While Theorem: for all statements S and states  1,  2 if  S,    1 and  S,    2 then  1 =  2 The proof uses induction on the shape of derivation trees (pages 29-30) – Prove that the property holds for all simple derivation trees by showing it holds for axioms – Prove that the property holds for all composite trees: For each rule assume that the property holds for its premises (induction hypothesis) and prove it holds for the conclusion of the rule 43 single node #nodes>1

The semantic function S ns The meaning of a statement S is defined as a partial function from State to State S ns : Stm  (State  State) Examples: S ns  skip   =  S ns  x:=1   =  [x  1] S ns  while true do skip   = undefined 44 S ns  S   =  ’ if  S,    ’ undefined else

Next lecture: operational semantics II

Natural semantics for While 46  x := a,    [x  A  a   ] [ass ns ]  skip,    [skip ns ]  S 1,    ’,  S 2,  ’    ’’  S 1 ; S 2,    ’’ [comp ns ]  S 1,    ’  if b then S 1 else S 2,    ’ if B  b   = tt [if tt ns ]  S 2,    ’  if b then S 1 else S 2,    ’ if B  b   = ff [if ff ns ]  while b do S,    if B  b   = ff [while ff ns ]  S,    ’,  while b do S,  ’    ’’  while b do S,    ’’ if B  b   = tt [while tt ns ]