Tool 3: Restricted first-order logic for states

Features
◮ Propositions are facts about concrete machine states.
◮ Ground terms are identities (bindings, locations, constants).

Restrictions
◮ No existential quantifiers.
◮ Only outer-level universal quantifiers.
◮ Quantifiers range over abstract identities.
Example: Proposition

Example
"Every value of x bound while calling foo is less than the length of every array bound to a."

In longhand:
(forall x : (x, t̂foo) (forall a : (a, ⊤) (< x (alen a))))

Or, in convenient (but incomplete) shorthand:
(< (x, t̂foo) (alen (a, ⊤)))
Logic syntax

Features
◮ S-expressions.
◮ Just or, not.
◮ Relations encoded as functions.
Logic semantics

Question
How do we know when proposition φ is true for state ς?

Answer
When ς ⊨ φ holds. Means exactly what you think it means.
Filtered concretization

Each of the following concretizes to a subset of the set of concrete states (State):
◮ An abstract state ς̂ concretizes to {ς : |ς| ⊑ ς̂}.
◮ An assumption base Π concretizes to {ς : ς ⊨ Π}.
◮ The filtered concretization ς̂/Π is {ς : |ς| ⊑ ς̂ and ς ⊨ Π}.
Deriving new propositions

Example
If ς ⊨ (= x y) and ς ⊨ (= y z), does ς ⊨ (= x z) hold?

Answer
Yes, if {(= x y), (= y z)} ⊢ (= x z) holds.

Derivation rules (premises ⟹ conclusion):
(Assm)    ψ ∈ Π  ⟹  Π ⊢ ψ
(Subst)   Π ⊢ (= ι ι′),  Π ⊢ ψ[ι/x]  ⟹  Π ⊢ ψ[ι′/x]
(∨Ant)    Π ∪ {φ1} ⊢ φ3,  Π ∪ {φ2} ⊢ φ3  ⟹  Π ∪ {(or φ1 φ2)} ⊢ φ3
(Ant)     Π ⊢ φ,  Π ⊆ Π′  ⟹  Π′ ⊢ φ
(Cases)   Π ∪ {φ1} ⊢ φ2,  Π ∪ {(not φ1)} ⊢ φ2  ⟹  Π ⊢ φ2
(Contr)   Π ∪ {(not φ1)} ⊢ φ2,  Π ∪ {(not φ1)} ⊢ (not φ2)  ⟹  Π ⊢ φ1
(Eq)      Π ⊢ (= ι ι)
(∨Cons)   Π ⊢ φ1  ⟹  Π ⊢ (or φ1 φ2), (or φ2 φ1)
(Int)     Π ⊢ (forall x : ι̂ φ),  {φ} ⊢ φ′  ⟹  Π ⊢ (forall x : ι̂ (and φ φ′))
(∀Intro)  Π ⊢ ψ,  x ∉ free(ψ)  ⟹  Π ⊢ (forall x : ι̂ ψ)
(∀Swap)   Π ⊢ (forall ⟨x1, x2⟩ : ⟨ι̂1, ι̂2⟩ ψ)  ⟹  Π ⊢ (forall ⟨x2, x1⟩ : ⟨ι̂2, ι̂1⟩ ψ)
Trusting the theorem prover

Summary
◮ ⊨ : What a proposition means.
◮ ⊢ : What a proposition implies.

Question
How can we trust an external theorem prover?

Theorem (Syntactic soundness)
If Π ⊢ φ holds, then Π ⊨ φ holds.
All together now
Woven state

Example (Machine, ς̂)
call site: (f x k)
local env: f ↦ t̂foo, k ↦ t̂foo, x ↦ t̂foo
global env: (f, t̂foo) ↦ ···, (k, t̂foo) ↦ ···, (x, t̂foo) ↦ positive, (z, t̂bar) ↦ positive
time: t̂f

Example (Assumptions, Π)
(forall x : (x, t̂foo) (forall z : (z, t̂bar) (< x z)))
Woven transition relation

(ς̂, Π) ⇝ (ς̂′, Π′)

where ς̂ is the old machine state, Π the old assumption base, ς̂′ the new machine state and Π′ the new assumption base.
Example: Transition

Example
call site: (f x k)
local env: f ↦ t̂foo, x ↦ t̂foo
global env: (f, t̂foo) ↦ a closure over (λ (a q) ...)
time: t̂f

New fact?
(forall ⟨x, a⟩ : ⟨(x, t̂foo), (a, t̂f)⟩ (= x a))
It depends.
Chaining equal values

Candidate for Π′
φ = (forall ⟨x, a⟩ : ⟨(x, t̂foo), (a, t̂f)⟩ (= x a))

Prerequisites
Can add it if Π ⊢ φ.

Chicken and egg
How can φ be in there already?
ΓCFA: Abstract counting

Idea
Keep count of concrete counterparts to abstract identities.

Mechanism
◮ Add a counter to every abstract machine state.
◮ The counter maps each binding to the number of times it has been allocated.
◮ Stop counting after 1.

Theorem
If {binding1} = {binding2}, then binding1 = binding2.
Chaining equal values

Candidate for Π′
φ = (forall ⟨x, a⟩ : ⟨(x, t̂foo), (a, t̂f)⟩ (= x a))

Prerequisites
◮ Can add it if Π ⊢ φ.
◮ Or, if the count of (x, t̂foo) is 1 and the count of (a, t̂f) is 0.
ΓCFA: Abstract garbage collection

Idea
Discard unreachable bindings.

Mechanism
◮ Start with the bindings touched by the current state.
◮ Take the transitive closure.
◮ Can reset unreachable bindings' counts to 0.
Chaining equal values

Candidate for Π′
φ = (forall ⟨x, a⟩ : ⟨(x, t̂foo), (a, t̂f)⟩ (= x a))

Prerequisites
◮ Can add it if Π ⊢ φ.
◮ Or, if the count of (x, t̂foo) is 1 and the count of (a, t̂f) is 0.
◮ Or, if the count of (x, t̂foo) is 1 and (a, t̂f) is unreachable.
◮ (More in paper.)
Example: Invertible rebinding

Example
call site: (f (+ x 1) k)
local env: f ↦ t̂foo, x ↦ t̂f
global env: (f, t̂foo) ↦ a closure over (λ (x q) ...)
time: t̂f

Updating assumption base
Can we replace (x, t̂f) with (- (x, t̂f) 1) in Π?
Yes, if (x, t̂f) is unreachable and its count is 1. (E.g. tail recursion, for loops.)
(More on this in the paper.)
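The counting and garbage-collection slides above describe two pieces of bookkeeping and the checks they license: the equality fact for a call can enter Π′ when the argument binding has exactly one concrete counterpart and the parameter binding has none (by count or by being garbage), and a binding's identity can be rewritten in place after an invertible rebinding when it is unreachable and has count 1. The block below is an added illustration of that bookkeeping, not the authors' ΓCFA implementation; the store layout, the Closure class, the function names and the constructed scenario are all assumptions made for the example.

```python
"""Toy abstract counting + abstract GC (added example, not the authors' code).
Bindings are (variable, abstract_time) tuples; counts saturate at 1 -> INF."""
from dataclasses import dataclass, field

INF = float('inf')          # "stop counting after 1": a count is 0, 1 or INF


@dataclass(frozen=True)
class Closure:
    lam: str                 # textual name of the lambda (assumed representation)
    env: tuple = ()          # ((var, binding), ...) captured by the closure


@dataclass
class AbstractState:
    store: dict = field(default_factory=dict)  # binding -> set of abstract values
    count: dict = field(default_factory=dict)  # binding -> 0 | 1 | INF

    def allocate(self, binding, value):
        """Record one more concrete counterpart of `binding`."""
        self.store.setdefault(binding, set()).add(value)
        self.count[binding] = 1 if self.count.get(binding, 0) == 0 else INF


def touched_by(value):
    """Bindings a value refers to: in this toy only closures carry bindings."""
    return {b for _, b in value.env} if isinstance(value, Closure) else set()


def reachable(state, roots):
    """Abstract GC, steps 1-2: transitive closure of the bindings touched by roots."""
    seen, todo = set(), list(roots)
    while todo:
        b = todo.pop()
        if b in seen:
            continue
        seen.add(b)
        for v in state.store.get(b, ()):
            todo.extend(touched_by(v))
    return seen


def collect(state, roots):
    """Abstract GC, step 3: drop unreachable bindings and reset their counts to 0."""
    live = reachable(state, roots)
    for b in list(state.count):
        if b not in live:
            state.count[b] = 0
            state.store.pop(b, None)
    return live


def can_chain_equality(state, x_b, a_b, roots):
    """Prerequisites (other than asking the prover for Π ⊢ φ) for adding
    (forall <x,a> : <x_b, a_b> (= x a)) when a call rebinds a_b to x_b's value:
    x_b has exactly one counterpart, and a_b has none, by count or by being garbage."""
    if state.count.get(x_b, 0) != 1:
        return False
    return state.count.get(a_b, 0) == 0 or a_b not in reachable(state, roots)


def can_invert_rebinding(state, x_b, roots):
    """Prerequisite for replacing x_b by (- x_b 1) in Π after (f (+ x 1) k):
    x_b is unreachable from what survives the call (roots) and its count is 1."""
    return state.count.get(x_b, 0) == 1 and x_b not in reachable(state, roots)


def demo():
    """Constructed scenario modelled on the "Woven state" / "Transition" slides."""
    s = AbstractState()
    s.allocate(('f', 't_foo'), Closure('(lambda (a q) ...)'))
    s.allocate(('k', 't_foo'), Closure('(lambda (r) ...)'))
    s.allocate(('x', 't_foo'), 'positive')
    s.allocate(('a', 't_f'), 'positive')   # left over from an earlier call of f ...
    s.allocate(('a', 't_f'), 'positive')   # ... allocated twice, so its count is INF
    roots = {('f', 't_foo'), ('x', 't_foo'), ('k', 't_foo')}   # touched by (f x k)
    r = {'chain_while_garbage': can_chain_equality(s, ('x', 't_foo'), ('a', 't_f'), roots)}
    collect(s, roots)                                  # (a, t_f) is garbage: count -> 0
    r['count_after_gc'] = s.count[('a', 't_f')]
    s.allocate(('x', 't_foo'), 'positive')            # foo called again: count -> INF
    r['chain_after_second_x'] = can_chain_equality(s, ('x', 't_foo'), ('a', 't_f'), roots)
    s.allocate(('i', 't_f'), 'positive')              # loop variable, bound once
    r['invert_tail_call'] = can_invert_rebinding(s, ('i', 't_f'), {('f', 't_foo')})
    r['invert_still_live'] = can_invert_rebinding(s, ('i', 't_f'), {('f', 't_foo'), ('i', 't_f')})
    return r


if __name__ == '__main__':
    print(demo())
```

The first check succeeds only because (a, t̂f) is unreachable from the call site even though its count is saturated; after collection its count is 0 and the count test alone would do. The second call of foo pushes (x, t̂foo) to INF, which is exactly the situation the theorem on the counting slide no longer covers, so the equality fact can no longer be added without the prover.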
Example: Conditional

Example
call site: (if (< i (alen a)) ... ...)

Case 1
Π can (dis)prove (< i (alen a)). Branch one way: ς̂ steps to ς̂true or to ς̂false.

Case 2
(< i (alen a)) has one counterpart. Branch both ways and assert: ς̂ steps to ς̂true with (< i (alen a)) added, and to ς̂false with (not (< i (alen a))) added.

Case 3
None of the above. Branch both ways. Don't touch Π′.
Walkthrough: Simple for loop

Example
for (i = 0; i < a.length; i++) print(a[i]);

Example (CPS)
(letrec ((loop (λ (i) (if (< i (alen a)) (print (aget a i) (λ () (loop (+ i 1)))) ...)))) (loop 0))

Parameters
◮ 0CFA contour set. (Bindings = Variables.)
Walkthrough: Simple for loop

(letrec ((loop (λ (i) (if (< i (alen a)) (print (aget a i) (λ () (loop (+ i 1)))) ...)))) (loop 0))

Assumption base, Π, as the analysis proceeds:
◮ (< 0 (alen a))
◮ (< 0 (alen a)), (= 0 i)
  Safe: 0 ≤ i < (alen a) holds!
◮ (< 0 (alen a)), (= 0 (- i 1))
◮ (< 0 (alen a)), (≤ 0 i)
◮ (< 0 (alen a)), (≤ 0 i), (< i (alen a))
  Safe: 0 ≤ i < (alen a) holds!
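The "Logic semantics", "Deriving new propositions", "Example: Conditional" and walkthrough slides can be replayed with a few dozen lines of code. The block below is an added example and not the authors' implementation: it encodes propositions as S-expressions (nested tuples), decides ς ⊨ φ by evaluating φ over a concrete state whose quantifiers range over the concrete counterparts of one abstract identity, and stands in for the external theorem prover with a bounded model search (Π ⊨ φ over all small integer models). The tuple encoding, the `'top'` marker for ⊤, the `alpha` map from concrete to abstract times and the constructed states are assumptions of the example; the bounded search is a stand-in, not the prover the slides rely on.

```python
"""Toy executable reading of the restricted logic (added example, not the
authors' code): S-expression propositions, ς ⊨ φ, and a bounded stand-in for
the prover that is enough to replay the for-loop walkthrough."""
from itertools import product

# Terms: int | 'x' (variable) | ('alen', t) | ('+', t, t) | ('-', t, t)
# Propositions: ('<'|'<='|'=', t, t) | ('or', p, p) | ('not', p)
#             | ('forall', var, (var, abstract_time or 'top'), body)
# Only `or` and `not` are primitive (see "Logic syntax"); `and` is derived.


def AND(p, q):
    return ('not', ('or', ('not', p), ('not', q)))


def term(t, env):
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return env[t]
    op, *args = t
    vals = [term(a, env) for a in args]
    if op == 'alen':
        return len(vals[0])            # arrays are modelled as Python lists
    return {'+': vals[0] + vals[1], '-': vals[0] - vals[1]}[op]


def holds(phi, env, state=None, alpha=None):
    """ς ⊨ φ. `env` maps variable names to values; `state` maps concrete
    bindings (var, time) to values and `alpha` maps concrete times to abstract
    times, so a quantifier ranges over the counterparts of one abstract identity."""
    op = phi[0]
    if op == 'not':
        return not holds(phi[1], env, state, alpha)
    if op == 'or':
        return holds(phi[1], env, state, alpha) or holds(phi[2], env, state, alpha)
    if op == 'forall':
        _, var, (ivar, itime), body = phi
        for (v, t), val in state.items():
            if v == ivar and (itime == 'top' or alpha[t] == itime):
                if not holds(body, {**env, var: val}, state, alpha):
                    return False
        return True
    a, b = term(phi[1], env), term(phi[2], env)
    return {'<': a < b, '<=': a <= b, '=': a == b}[op]


def names(x, bound, ints, arrays):
    """Free names in x; a name directly under alen is an array, else an integer."""
    if isinstance(x, str):
        if x not in bound:
            ints.add(x)
    elif isinstance(x, tuple):
        if x[0] == 'forall':
            names(x[3], bound | {x[1]}, ints, arrays)
        elif x[0] == 'alen' and isinstance(x[1], str):
            if x[1] not in bound:
                arrays.add(x[1])
        else:
            for y in x[1:]:
                names(y, bound, ints, arrays)


def entails(pi, phi, bound=6):
    """Bounded stand-in for Π ⊢ φ: Π ⊨ φ over every model whose integers and
    array lengths lie in 0..bound-1. A counter-model found here is real;
    a True answer is only as good as the bound."""
    ints, arrays = set(), set()
    for p in list(pi) + [phi]:
        names(p, frozenset(), ints, arrays)
    ivars, avars = sorted(ints - arrays), sorted(arrays)
    for vals in product(range(bound), repeat=len(ivars) + len(avars)):
        env = dict(zip(ivars, vals[:len(ivars)]))
        env.update((a, [0] * n) for a, n in zip(avars, vals[len(ivars):]))
        if all(holds(p, env) for p in pi) and not holds(phi, env):
            return False
    return True


def conditional_case(pi, cond, counterparts):
    """The three cases of "Example: Conditional"; `counterparts` is the number of
    concrete counterparts of cond (assumed to come from abstract counting)."""
    if entails(pi, cond):
        return 'true branch only'
    if entails(pi, ('not', cond)):
        return 'false branch only'
    if counterparts == 1:
        return 'both branches, assert cond / (not cond)'
    return 'both branches, leave Pi alone'


def slide_proposition_examples():
    """The "Example: Proposition" formula over two constructed states, plus the
    semantic side of the (= x y), (= y z) ⟹ (= x z) example."""
    phi = ('forall', 'x', ('x', 't_foo'),
           ('forall', 'a', ('a', 'top'), ('<', 'x', ('alen', 'a'))))
    alpha = {'t1': 't_foo', 't2': 't_foo', 't3': 't_bar', 't4': 't_main'}
    ok = {('x', 't1'): 2, ('x', 't2'): 5, ('x', 't3'): 9, ('a', 't4'): [0] * 6}
    bad = {**ok, ('x', 't2'): 6}             # a value of x bound in foo reaches the length
    return (holds(phi, {}, ok, alpha),       # True: the 9 is bound in bar, not in foo
            holds(phi, {}, bad, alpha),      # False
            entails([('=', 'x', 'y'), ('=', 'y', 'z')], ('=', 'x', 'z')))  # True


def loop_walkthrough():
    """Replays the assumption bases of the walkthrough against 0 ≤ i < (alen a)."""
    safe = AND(('<=', 0, 'i'), ('<', 'i', ('alen', 'a')))
    start = [('<', 0, ('alen', 'a'))]
    first = start + [('=', 0, 'i')]                # i bound to 0
    rebound = start + [('=', 0, ('-', 'i', 1))]    # invertible rebinding i ↦ i-1
    weak = start + [('<=', 0, 'i')]                # generalised for the fixed point
    asserted = weak + [('<', 'i', ('alen', 'a'))]  # true branch of the if asserted
    cond = ('<', 'i', ('alen', 'a'))
    return {'first': entails(first, safe), 'rebound': entails(rebound, safe),
            'weak': entails(weak, safe), 'asserted': entails(asserted, safe),
            'branch_first': conditional_case(first, cond, 1),
            'branch_weak': conditional_case(weak, cond, 1)}
```

Running `loop_walkthrough()` reproduces the two "Safe" points of the slides (after (= 0 i) and after asserting (< i (alen a))) and shows why the intermediate bases (= 0 (- i 1)) and (≤ 0 i) are not enough on their own: the bounded search finds a model with (alen a) = 1 that violates the obligation. The same conditional falls into Case 1 at the first base and into Case 2 at the generalised base, which is what forces the assertion that closes the proof.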