Spring 2016 Program Analysis and Verification Operational Semantics

Spring 2016 Program Analysis and Verification Operational Semantics Roman Manevich Ben-Gurion University

http: //www. daimi. au. dk/~bra 8130/Wiley_book/wiley. html 2

Agenda • What is semantics and what is it useful for? • Operational semantics (pages 32 -50) 3

Tentative syllabus Program Verification Program Analysis Basics Abstract Interpretation fundamentals Analysis Techniques Operational semantics Control Flow Graphs Lattices Numerical Domains Axiomatic Verification Equation Systems Fixed-Points Alias analysis Collecting Semantics Chaotic Iteration Interprocedural Analysis Using Soot Galois Connections Shape Analysis Domain constructors CEGAR Widening/ Narrowing 4

What is formal semantics? “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc. ” / page 1 5

Why formal semantics? • Implementation-independent definition of a programming language • Automatically generating interpreters (and some day maybe full fledged compilers) • Verification and debugging – if you don’t know what it does, how do you know its incorrect? 6

Semantic description methods • Operational semantics – Structural semantics (small step) [G. Plotkin] – Natural semantics (big step) [G. Kahn] Today Not in this course • Denotational semantics [D. Scott, C. Strachy] • Axiomatic semantics [C. A. R. Hoare, R. Floyd] Used for verification • Trace semantics • Collecting semantics We will mainly use as basis for static analysis • [Instrumented semantics] 7

The while language 8

Syntactic categories n � Num numerals x � Var program variables a � Aexparithmetic expressions b � Bexpboolean expressions S � Stm statements 9

A simple imperative language: While Concrete syntax: a : : = n | x | a 1 + a 2 | a 1 � a 2 | a 1 – a 2 b : : = true | false | a 1 = a 2 | a 1 � a 2 | � b | b 1 � b 2 S : : = x : = a | skip | S 1; S 2 | if b then S 1 else S 2 | while b do S 10

Concrete syntax may be ambiguous z: =x; x: =y; y: =z S S z S ; S : = a x S ; : = a y S : = a z z: =x; (x: =y; y: =z) z ; ; : = a x S y : = a z y (z: =x; x: =y); y: =z 11

A simple imperative language: While Abstract syntax: Notation: n[la, rb] – a node labeled with n and two children l and r. The children may be labeled to indicate their role for easier reading n a l b r a : : = n | x | + [a 1, a 2] | � [a 1, a 2] | –[a 1, a 2] b : : = true | false | =[a 1, a 2] | � [b 1, b 2] S : : =[x, a] | skip | ; [S 1, S 2] | if[b, S 1 then, S 2 else] | while[bcondition, Sbody] 12

Exercise: draw an AST y: =1; while � (x=1) do (y: =y*x; x: =x-1) ; : = while 13

Semantic values 14

Semantic categories Z T State Integers {0, 1, -1, 2, -2, …} Truth values {ff, tt} Var � Z Example state: Lookup: Update: =[x� 5, y� 7, z� 0] x = 5 [x� 6] = [x� 6, y� 7, z� 0] 15

Example state manipulations • [x 1, y 7, z 16] y = • [x 1, y 7, z 16] t = • [x 1, y 7, z 16][x 7, y 1] • [x 1, y 7, z 16][x 5] x = • [x 1, y 7, z 16][x 5] y = = 16

Semantics of expressions 17

Semantics of arithmetic expressions • Arithmetic expressions are side-effect free • Semantic function A Aexp : State Z • Defined by induction on the syntax tree A n = n A x = x A a 1 + a 2 = A a 1 + A a 2 A a 1 - a 2 = A a 1 - A a 2 A a 1 * a 2 = A a 1 A a 2 A (a 1) = A a 1 --- not needed A - a = 0 - A a 1 • Compositional • Properties can be proved by structural induction 18

Arithmetic expression exercise Suppose x = 3 Evaluate A x+1 19

Semantics of boolean expressions • Boolean expressions are side-effect free • Semantic function B Bexp : State T • Defined by induction on the syntax tree B true = tt B false = ff B a 1 = a 2 = B a 1 � a 2 = B b 1 b 2 = B �b = 20

Operational semantics • Concerned with how to execute programs – How statements modify state – Define transition relation between configurations • Structural operational semantics: describes how the individual steps of a computations take place – So-called “small-step” semantics 21

Small Step Semantics S, first step By Vanillase (Own work) [CC BY-SA 3. 0 (http: //creativecommons. org/licenses/by-sa/3. 0)], via Wikimedia Commons This file is licensed under the Creative Commons Attribution-Share Alike 3. 0 Unported license. 22

Structural operational semantics • Developed by Gordon Plotkin • Configurations: has one of two forms: S, Statement S is about to execute on state Terminal (final) state • Transitions S, first step = S’, ’ Execution of S from is not completed and remaining computation proceeds from intermediate configuration = ’ Execution of S from has terminated and the final state is ’ • S, is stuck if there is no such that S, 23

Structural semantics for While [ass] x: =a, [x A a ] [skip] skip, [comp 1] [comp 2] S 1, S 1’, ’ S 1; S 2, S 1’; S 2, ’ S 1; S 2, ’ When does this happen? [iftt] if b then S 1 else S 2, S 1, if B b = tt [ifff] if b then S 1 else S 2, if B b = ff 24

Structural semantics for While [while] while b do S, if b then S; while b do S) else skip, 25

Factorial (n!) example • Input state such that x = 3 y : = 1; while (x=1) do (y : = y * x; x : = x – 1) y : =1 ; W, [y 1] if (x =1) then ((y : = y * x; x : = x – 1); W) else skip, [y 1] ((y : = y * x; x : = x – 1); W), [y 1] (x : = x – 1; W), [y 3] W , [y 3][x 2] if (x =1) then ((y : = y * x; x : = x – 1); W) else skip, [y 3][x 2] ((y : = y * x; x : = x – 1); W), [y 3] [x 2] (x : = x – 1; W) , [y 6] [x 2] W, [y 6][x 1] if (x =1) then ((y : = y * x; x : = x – 1); W) else skip, [y 6][x 1] 26

Structural operational semantics and termination 27

Program termination • Given a statement S and input – S terminates on if there exists a finite derivation sequence starting at S, – S terminates successfully on if there exists a finite derivation sequence starting at S, leading to a final state – S loops on if there exists an infinite derivation sequence starting at S, 28

Semantic equivalence 29

Semantic equivalence • S 1 and S 2 are semantically equivalent if: – for all and which is either final or stuck S 1, * if and only if S 2, * – there is an infinite derivation sequence starting at S 1, if and only if there is an infinite derivation sequence starting at S 2, 30

Properties of structural semantics • while b do S is semantically equivalent to: if b then (S; while b do S) else skip • Equivalence of program constructs – Both (S; skip) and (skip; S) are semantically equivalent to S – ((S 1; S 2); S 3) is semantically equivalent to (S 1; (S 2; S 3)) – (x: =5; y: =x*8) is semantically equivalent to (x: =5; y: =40) 31

Properties of Structural operational semantics 32

Determinism • Theorem: While is deterministic: – If S, * 1 and S, * 2 then 1= 2 • Proof: … ? 33

The semantic function • The meaning of a statement S is defined as a partial function from State to State � Stm � (State � State) ’ � S� = if S, * ’ undefined else • Examples: skip = x: =1 = [x 1] while true do skip = undefined 34

Language extensions • • • abort Non-determinism Parallelism Local Variables Procedures – Static Scope – Dynamic scope 35

While + abort • Syntax S : : = x : = a | skip | S 1; S 2 | if b then S 1 else S 2 | while b do S | abort • Abort terminates the execution – In “skip; S” the statement S executes – In“abort; S” the statement S should never execute • Structural semantics rules: …? 36

Comparing behaviors • abort; S • skip; S • while true do skip • if x = 0 then abort else y : = y / x 37

Comparing behaviors • abort Derivation sequence: abort, • abort; S Derivation sequence: abort; S, • skip; S Equivalent to S • while true do skip Infinite derivation sequence • if x = 0 then abort else y : = y / x Derivation sequence: stuck after one step if x = 0 38

While + abort conclusion • abort does not affect the state, only the flow of control • In the structural operational semantics looping is reflected by infinite derivations and abnormal termination is reflected by stuck configuration 39

Extending While with non-deterministic choice 40

While + non-determinism • Syntax S : : = x : = a | skip | S 1; S 2 | if b then S 1 else S 2 | while b do S | S 1 or S 2 • Either S 1 is executed or S 2 is executed • Example: x: =1 or (x: =2; x: =x+2) – Possible outcomes for x: 1 and 4 41

Rules for non-determinism [or 1] ? [or 2] ? Is the semantic function for non-deterministic statements well-defined? 42

While + random • Syntax S : : = x : = a | skip | S 1; S 2 | if b then S 1 else S 2 | while b do S | x : = random() 43

Extending While with parallel statements 44

While + parallelism • Syntax S : : = x : = a | skip | S 1; S 2 | if b then S 1 else S 2 | while b do S | S 1 �S 2 • All the interleavings of S 1 and S 2 are executed • Example: x: =1 �(x: =2; x: =x+2) – Possible outcomes for x: 1, 3, 4 45

Rules for parallelism [par 1] S 1, S 1’, ’ S 1� S 2, S 1’� S 2, ’ [par 2] S 1, ’ S 1� S 2, ’ [par 3] S 2, S 2’, ’ S 1� S 2, S 1� S 2’, ’ [par 4] S 2, ’ S 1� S 2, S 1, ’ 46

Example: derivation sequences of a parallel statement x: =1 �(x: =2; x: =x+2), 47

Operational semantics summary • SOS is powerful enough to describe imperative programs – Can define the set of traces – Can represent program counter implicitly – Handle goto statements and other non-trivial control constructs (e. g. , exceptions) • Thinking in terms of concrete semantics is essential for a compiler writer / verifier 48

Assignment 1 • Exercise on operational semantics • La. Te. X: THE way to produce scientific documents Recommended editor 49

See you next time 50

Levels of abstractions and applications Static Analysis (abstract semantics) � Program Semantics � Assembly-level Semantics (Small-step) 51