semantics application to c programs
play

Semantics: Application to C Programs Lecture Slides by Dr. - PowerPoint PPT Presentation

Oct 11, 2023 •19 likes •1.02k views

Semantics: Application to C Programs Lecture Slides by Dr. Marie-Christine Jakobs Prof. Dr. Dirk Beyer Dirk.Beyer@sosy-lab.org SoSy-Lab, LMU Munich, Germany Organization Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 2 / 100 Lecture

  1. Semantics: Application to C Programs Lecture Slides by Dr. Marie-Christine Jakobs Prof. Dr. Dirk Beyer Dirk.Beyer@sosy-lab.org SoSy-Lab, LMU Munich, Germany

  2. Organization Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 2 / 100

  3. Lecture and Tutorial Lecture Feb 27, 2019, 10:00 – 14:00 Munich, Oettingenstr. 67, C003 Tutorial Feb 27, 2019, 14:00 – 15:30 Munich, Oettingenstr. 67, C003 Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 3 / 100

  4. Course Material https: //www.sosy-lab.org/Teaching/2019-SS-Semantik/ Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 4 / 100

  5. Introduction Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 5 / 100

  6. Software Analysis Computes an (over-)approximation of a program’s behavior . Applications ◮ Optimization ◮ Correctness (i.e. whether program satisfies a given property) Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 6 / 100

  7. Software Verification Formally proves whether a program P satisfies a property ϕ . ◮ Requires program semantics, i.e., meaning of program ◮ Relies on mathematical methods, ◮ logic ◮ induction ◮ . . . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 7 / 100

  8. Software Verification Formally proves whether a program P satisfies a property ϕ . TRUE � Program P � Verifier Property ϕ FALSE × Disprove ( × ) Find a program execution ( counterexample ) that violates the property ϕ Prove ( � ) Show that every execution of the program satisfies the property ϕ . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 8 / 100

  9. What Could an Analysis Find out? double divTwiceCons( double y) { int cons = 5; int d = 2 ∗ cons; if (cons != 0) return y/(2 ∗ cons); else return 0; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 9 / 100

  10. Some Analysis Results double divTwiceCons( double y) { int cons = 5; // expression 2*cons has value 10 // variable d not used int d = 2 ∗ cons; if (cons != 0) // expression 2*cons evaluated before return y/(2 ∗ cons); else // dead code return 0; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 10 / 100

  11. One Resulting Code Optimization double divTwiceCons( double y) { int cons = 5; // expression 2*cons has value 10 // variable d not used int d = 2 ∗ cons; if (cons != 0) // expression 2*cons evaluated before return y/(2 ∗ cons); else // dead code return 0; } double divTwiceConsOptimized( double y) { return y/10; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 11 / 100

  12. Does This Code Work? double avgUpTo( int [] numbers, int length) { double sum = 0; for ( int i=0;i<length;i++) sum += numbers[i]; return sum/( double )length; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 12 / 100

  13. Problems With This Code double avgUpTo( int [] numbers, int length) { double sum = 0; for ( int i=0;i<length;i++) // possible null pointer access (numbers==null) // index out of bounds (length>numbers.length) // integer overflow sum += numbers[i]; // division by zero (length==0) return sum/( double ) length; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 13 / 100

  14. Why Should One Care for Bugs? Intel Pentium FDIV bug . . . Costs Ariane V88 Mars Polar Lander endanger human lives . . . Safety-criticality Therac-25 Uber autonomous car Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 14 / 100

  15. Analysis and Verification Tools Sapienz Klee PeX SLAM Infer Lint Error Prone SpotBugs UltimateAutomizer CBMC . . . CPAchecker Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 15 / 100

  16. Overview on Analysis and Verification Techniques Type Dynamic Static Systems Runtime Testing Interactive Automatic Verification Theorem Program Model Proving Analysis Checking Dataflow Abstract Analysis Interpretation This lecture Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 16 / 100

  17. Why Different Static, Automatic Techniques? Theorem of Rice Any non-trivial, semantic property of programs is undecidable. Consequences Techniques are ◮ incomplete, e.g. answer UNKNOWN, or ◮ unsound, i.e., report ◮ false alarms (non-existing bugs), ◮ false proofs (miss bugs). Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 17 / 100

  18. Verifier Design Space TRUE � Program P � Ideal verifier Verifier UNKNOWN Property ϕ FALSE × false proof correct TRUE � Program P � Unreliable verifier Verifier UNKNOWN Property ϕ FALSE × false alarm violation Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 18 / 100

  19. Verifier Design Space ◮ Overapproximating verifier (superset of program behavior) without precise counterexample check TRUE � Program P � Verifier UNKNOWN Property ϕ FALSE × false alarm violation ◮ Underapproximating verifier (subset of program behavior) false proof correct TRUE � Program P � Verifier UNKNOWN Property ϕ FALSE × Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 19 / 100

  20. Other Reasons to Use Different Static Techniques ◮ State space grows exponentially with number of variables ◮ (Syntactic) paths grow exponentially with number of branches ⇒ Precise techniques may require too many resources (memory, time,. . . ) ⇒ Trade-off between precision and costs Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 20 / 100

  21. Flow-Insensitivity Order of statements not considered E.g., does not distinguish between these two programs x=0; x=0; y=x; x=x+1; x=x+1; y=x; ⇒ very imprecise Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 21 / 100

  22. Flow-Sensitivity Plus Path-Insensitivity ◮ Takes order of statements into account ◮ Mostly, ignores infeasibility of syntactical paths ◮ Ignores branch correlations E.g., does not distinguish between these two programs if (x>0) if (x>0) y=1; y=1; else else y=0; y=0; if (x>0) if (x>0) y=y+1; y=y+2; else else y=y+2; y=y+1; Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 22 / 100

  23. Path-Sensitivity ◮ Takes (execution) paths into account ◮ Excludes infeasible, syntactic paths (not necessarily all infeasible ones) ◮ Covers flow-sensitivity To detect that y has value 0, 1, or 3 if (x>0) y=1; ◮ must exclude infeasible, syntactic path else along first else-branch and second y=0; if-branch if (x>0) ◮ need to detect correlation between the y=y+2; if-conditions else ◮ requires path-sensitivity y=y+1; ⇒ very precise Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 23 / 100

  24. Precision vs. Costs Dataflow Analysis Abstract Interpretation Program Analysis Model Checking Flow-insensitive Flow-sensitive Path-sensitive imprecise precise cheap expensive Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 24 / 100

  25. Program Syntax and Semantics Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 25 / 100

  26. Programs Theory : simple while-programs ◮ Restriction to integer constants and variables ◮ Minimal set of statements (assignment, if, while) ◮ Techniques easier to teach/understand Practice : C programs ◮ Widely-used language ◮ Tool support Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 26 / 100

  27. While-Programs ◮ Arithmetic expressions aexpr := Z | var | -aexpr | aexpr op a aexpr op a standard arithmetic operation like + , − , /, % , . . . ◮ Boolean expressions bexpr := aexpr | aexpr op c aexpr | !bexpr | bexpr op b bexpr ◮ integer value 0 ≡ false, remaining values represent true ◮ op c comparison operator like <, < = , > = , >, == , ! = ◮ op b logic connective like &&( ∧ ) , || ( ∨ ) , ˆ (xor) , . . . ◮ Program S:= var=aexpr; | while bexpr S | if bexpr S else S | if bexpr S | S;S Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 27 / 100

  28. Syntax vs. Semantics Syntax Representation of a program Semantics Meaning of a program Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 28 / 100

  29. How to Represent a Program? 1. Source code if (x>0) abs = x; ◮ Basically sequence of characters else ◮ No explicit information about the abs = − x; i = 1; structure or paths of programs while (i<abs) i = 2 ∗ i; Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 29 / 100

  30. How to Represent a Program? 2. Abstract-syntax tree (AST) Program Sequence Sequence if Assignment Condition if-Block else-Block while x>0 i=1; Assignement Assignement Condition while-Block abs=x; abs=-x; i<abs Assignement i=2*i; ◮ Hierarchical representation ◮ Flow, paths hard to detect Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 30 / 100

  31. How to Represent a Program? 3. Control-flow graph 4. Control-flow automaton l 0 x>0 ! ( x>0 ) x>0 TRUE FALSE l 1 l 2 abs=x; abs=-x; abs=x; abs=-x; l 3 i=1; i=1; l 4 i=2*i; i<abs ! ( i<abs ) i<abs TRUE FALSE l 5 l 6 i=2*i; � Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 31 / 100

  32. Control-Flow Automaton Definition A control-flow automaton (CFA) is a three-tuple P = ( L, l 0 , G ) consisting of ◮ the set L of program locations (domain of program counter) ◮ the initial program location l 0 ∈ L , and ◮ the control-flow edges G ⊆ L × Ops × L . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 32 / 100

  33. Operations Ops Two types ◮ Assumes (boolean expressions) ◮ Assignments ( var=aexpr; ) Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 33 / 100

Recommend

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

CMSC 430 Compilers Fall 2018 PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we must know what they mean Semantics comes from the Greek semaino , to mean Most language semantics

883 views • 70 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of valid programs Dynamic semantics: definition of how programs are executed So far: Dynamic semantics is given in English on lab handouts This

1.54k views • 137 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple

Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple

Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple programming language: atomic action a empty action skip 1 ; 2 sequence if then 1 else 2 if-then-else while do while-loop

356 views • 20 slides
Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic

Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic

Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic Programming Conclusion: resolution is a complete and effective deduction mechanism using: Horn clauses (related to D efinite programs), L

596 views • 23 slides
Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan

Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan

Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan Department of Philosophy First Formal Epistemology Festival, Konstanz 29 July 2008 1. What is constraint semantics? 2. Why do I think we should

566 views • 53 slides
Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics

Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics

Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics value semantics : Behavior where values are copied when assigned, passed as parameters, or returned. All primitive types in Java use value

392 views • 25 slides
A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan Hoffmann 1 Thomas Reps 2,3 1 Carnegie Mellon University 2 University of Wisconsin 3 GrammaTech, Inc. Probabilistic Programs Draw random data from

914 views • 72 slides
Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56 Announcements Semantics 2/56 The roadmap of propositional logic Semantics 3/56 FCC spectrum auction an application of propositional spectrums to

1.3k views • 56 slides
Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di

Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di

Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di Udine James Lipton Wesleyan University 1 The World of Logic Programming Several extensions of logic programs CLP abstract data types

240 views • 23 slides
Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University,

Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University,

Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University, Department of Information Technologies April 28, 2008 Overview Invariant Diagrams Bigstep operational semantics Smallstep operational

382 views • 34 slides
Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The

Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The

Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The symbols and rules to write legal programs Semantics The meaning of legal programs Programming language implementation Syntax &gt;

478 views • 14 slides
Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy,

Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy,

Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy, Paolo Pistone DIAPASoN, Unibo 27 February 2020 1 / 17 A metric on programs? Distance between programs ( t , s ) : 2 / 17 A metric on programs?

770 views • 61 slides
Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and its application Yoriyuki Yamagata Validity of bilateral classical logic and Verificationist semantics its application Bilateral classical logic Proof theoretical semantics of BCL Evidences and

585 views • 42 slides
The Web as an Implicit Training Set: Application to Noun Compound Syntax and Semantics Preslav

The Web as an Implicit Training Set: Application to Noun Compound Syntax and Semantics Preslav

The Web as an Implicit Training Set: Application to Noun Compound Syntax and Semantics Preslav Nakov, Qatar Computing Research Institute (joint work with Marti Hearst, UC Berkeley) MWE2014 April 26, 2014 Gothenburg, Sweden Web-scale

1.1k views • 81 slides
A Light Introduction to Transparent Intensional Logic and its Application in Semantics Logika:

A Light Introduction to Transparent Intensional Logic and its Application in Semantics Logika:

A Light Introduction to Transparent Intensional Logic and its Application in Semantics Logika: systmov rmec rozvoje oboru v R a koncepce logickch propedeutik pro mezioborov studia (reg. . CZ.1.07/2.2.00/28.0216, OPVK) doc. PhDr.

1.05k views • 45 slides
Floyd-Hoare Logic for Quantum Programs Mingsheng Ying University of Technology, Sydney and

Floyd-Hoare Logic for Quantum Programs Mingsheng Ying University of Technology, Sydney and

Floyd-Hoare Logic for Quantum Programs Mingsheng Ying University of Technology, Sydney and Tsinghua University Outline Introduction Syntax of Quantum Programs Operational Semantics Denotational Semantics Correctness Formulas Proof System

1.02k views • 79 slides
Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

11/13/18 Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures discussed Predicate-Argument Structure, and composing meanings of parts to produce the correct global sentence meaning Frame Semantic Parsing

460 views • 14 slides
Coherence and Consistency 30 The Meaning of Programs An ISA is a programming language To

Coherence and Consistency 30 The Meaning of Programs An ISA is a programming language To

Coherence and Consistency 30 The Meaning of Programs An ISA is a programming language To be useful, programs written in it must have meaning or semantics Any sequence of instructions must have a meaning. The semantics of

486 views • 34 slides
Strong Negation in Well-Founded and Partial Stable Semantics for Logic Programs Pedro Cabalar 1

Strong Negation in Well-Founded and Partial Stable Semantics for Logic Programs Pedro Cabalar 1

Strong Negation in Well-Founded and Partial Stable Semantics for Logic Programs Pedro Cabalar 1 Sergei Odintsov 2 David Pearce 3 1 University of Corunna (Spain) 2 Sobolev Institute of Mathematics (Novosibirsk, Russia) 3 Universidad Rey Juan Carlos

1.13k views • 101 slides
Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Johannes Hlzl TU Mnchen, Germany Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond) Kaminski, Katoen, Matheja, and Olmedo [ESOP 2016] Denotational: Operational: Correspondence: Denotational 2

954 views • 84 slides
Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Johannes Hlzl TU Mnchen, Germany Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond) Kaminski, Katoen, Matheja, and Olmedo [ESOP 2016] Denotational: Operational: Correspondence: Denotational 2

1.36k views • 89 slides

More recommend