Formal Methods in Software Engineering

Transcription

1 Formal Methods in Software Engineering An Introduction to Model-Based Analyis and Testing Vesal Vojdani Department of Computer Science University of Tartu Fall 2014 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

2 Orientation Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

3 What are formal methods? formal method = formal model + formal analysis Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

4 What is a formal model? A model is formal if it has... Well-defined syntax. Unambiguous 1 semantics. 1 mathematical Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

5 Formal Analysis 1. Automated Theorem Proving 2. Model Checking 3. Abstract Interpretation Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

6 In General M ϕ M: a situation or model of the system ϕ: a specification of what should hold at situation M Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

7 Where do models come from? 1. Hand-written from informal specs. 2. Derived automatically from source code. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

8 Why create a model? You can use the model to 1. analyze if the model behaves well. 2. test if the implementation conforms to it. For this to be worth it, model must be simpler than actual implementation. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

9 Model-Based Analysis Model may be simple, but... execution may be complex (concurrency!) Visualize the state graph: manually check functional conformance to informal spec. Automatically check all states of the model for safety and liveness properties. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

10 Model-Based Testing Automatic test generation requires an oracle. The model can be used to automatically generate unit tests with all checks and assertions inserted. We can ensure coverage criteria with respect to all states of the model. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

11 Inferring models from code The code itself is a formal model! It is usually not possible to analyze directly. We need bounds and abstractions. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

12 The goal of this course Where should you be in one year? You are qualified to engage in research to either develop novel verification techniques or apply current techniques in novel contexts. Where should you do this work? Our (PLAS) research group! One of the many Estonian companies that are producing novel tools for the maintenance of complex systems. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

13 Must Work Harder There will be weekly exercise sheets. They will be made available on Friday. You may ask questions on Wednesday. You will submit electronically on Wednesday evening. We will discuss on Friday. Three programming projects. Probably as group work. You may replace this with equivalent thesis work if your supervisor agrees. A final exam. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

14 Hoare Logic Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

15 Hoare Triplets φ P ψ A Hoare triple is satisfied under partial correctness: for each state satisfying φ, if execution reaches the end of P, the resulting state satisfies ψ. (Total correctness: partial + termination) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

16 Simple Language C ::= C 1 ; C 2 x := e if e then C 1 else C 2 while e do C skip {C} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

17 FOL with linear arithmetic φ ::= e arithmetic φ 1 φ 2 conjunction φ 1 φ 2 disjunction φ 1 φ 2 implication y : φ existential quantification y : φ universal quantification. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

18 Composition φ C 1 η η C 2 ψ φ C 1 ; C 2 ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

19 Assignment ψ[e/x] x = e ψ Is this backwards? Consider examples for x := 2 and x := x + 1. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

20 Conditional Statements φ e C 1 ψ φ e C 2 ψ φ if e then C 1 else C 2 ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

21 While Statements φ e C φ φ while e do C φ e Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

22 Implication φ φ φ C ψ ψ ψ φ C ψ These end up as verification conditions. Automated theorem provers have to dispatch them. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

23 Hello World! int abs(int i) { if (0 <= i) r := i; else r := -i; } Prove: always returns a non-negative value. (Where exactly would an overflow invalidate this proof?) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

24 Step by step 1. We first have the conditional: 0 i r := i 0 r i < 0 r := i 0 r true if 0 i then r := i else r := i 0 r 2. The true-branch follows from the assignment axiom. 3. The false-branch relies on a simple implication: i < 0 0 i 0 i r := i 0 r i < 0 r := i 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

25 Proof trees i < 0 0 i 0 i r := i 0 r 0 i r := i 0 r i < 0 r := i 0 r true if 0 i then r := i else r := i 0 r The sequential application of inference rules are often represented as proof trees. These trees can grow large... Instead: annotate the program code! Tree structure is implicit. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

26 Tableaux Proofs φ 0 C 1 ; φ 1 C 2 ; φ 2. φ n 1 C n φ n Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

27 Tableaux: Composition φ C 1 η η C 2 ψ φ C 1 ; C 2 ψ φ C 1 ; η C 2 ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

28 Tableaux: Conditional φ e C 1 ψ φ e C 2 ψ φ if e then C 1 else C 2 ψ φ if e then { φ e C 1 ψ } else { φ e C 2 ψ } ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

29 Tableaux: Conditional φ if e then { φ e C 1 φ e C 1 ψ φ e C 2 ψ φ if e then C 1 else C 2 ψ } else { C 2 φ e } ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

30 Tableaux: Implication φ φ φ C ψ ψ ψ φ C ψ φ φ C ψ ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

31 The example as tableaux proof true if (0 i) then { true 0 i r := i 0 r } else { true i < 0 0 i r := i 0 r } 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

32 Weakest Pre-Conditions We have so far only rules for valid Hoare triples. Not all triples are equally useful false P ψ How do we infer these triples? We will now move towards a more syntax-driven method to infer weakest pre-conditions. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

33 Definition We say φ is weaker than φ if φ φ For φ = WP S ψ, we have φ S ψ is valid if φ S ψ then φ φ ψ holds after S iff φ holds before. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

34 Assignment Consider sequential composition: z := x; z := z + y; u := z It suffices with definitions: WP x = e ψ = ψ[e/x] WP C 1 ; C 2 ψ = WP C 1 (WP C 2 ψ) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

35 A tableaux proof from WPs x + y = 42 z := x; z + y = 42 z := z + y; z = 42 u := z u = 42 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

36 Conditional Hoare logic: φ e C 1 ψ φ e C 2 ψ φ if e then C 1 else C 2 ψ A more syntax-driven rule: φ 1 C 1 ψ φ 2 C 2 ψ φ if e then C 1 else C 2 ψ where φ = (e φ 1 ) ( e φ 2 ) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

37 Proof Tableaux for Conditional 2.0 if e then { C 1 } else { } C 2 ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

38 Proof Tableaux for Conditional 2.0 if e then { WP C 1 ψ C 1 } else { WP C 2 ψ C 2 } ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

39 Proof Tableaux for Conditional 2.0 (e WP C 1 ψ) ( e WP C 2 ψ) if e then { WP C 1 ψ C 1 } else { WP C 2 ψ C 2 } ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

40 The Example Again if (0 i) then { r := i } else { } r := i 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

41 The Example Again if (0 i) then { 0 i r := i } else { 0 i r := i } 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

42 The Example Again (0 i 0 i) (i < 0 0 i) if (0 i) then { 0 i r := i } else { 0 i r := i } 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

43 The Example Again true (0 i 0 i) (i < 0 0 i) if (0 i) then { 0 i r := i } else { 0 i r := i } 0 r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

44 Loop Invariants Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

45 Warm-Up Consider a simple loop-free program: int succ(int x) { a = x + 1; if (a - 1 == 0) y = 1; else y = a; return y; } Show that y = x + 1 at the return statement. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

46 While Loops Recall the proof rule φ e C φ φ while e do C φ e Given a ψ as post-condition... How can we apply this rule? What is the WP of a while loop? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

47 Termination? Weakest Liberal Preconditions wp S ψ wp S true wlp S ψ We did not care about this distinction Termination is an outdated concept. ;) Only loops have different definitions. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

48 WP for while loops WP while e do C ψ? Unrolling the loop: F 0 = while e do skip F i = if e then C ; F i 1 else skip WP for exiting the loop after at most i iterations in a state satisfying ψ : L 0 ψ e L i ( e φ) (e WP C L i 1 ) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

49 WLP for while loops WLP while e do C ψ? Unrolling the loop: F 0 = while e do skip F i = if e then C ; F i 1 else skip WLP for if we exit the loop after at most i iterations, the resulting state satisfies ψ : L 0 ψ L i ( e φ) (e WLP C L i 1 ) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

50 WLP for while loops WLP for if we exit the loop after at most i iterations, the resulting state satisfies ψ : L 0 ψ L i ( e φ) (e WLP C L i 1 ) We then define WLP while e do C ψ = i N : L i Not very practical... Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

51 Precondition of a While Loop To push ψ up through while e do C: 1. Guess a potential invariant φ. 2. Make sure φ e = ψ. 3. Compute φ = WLP C φ. 4. Check that φ e = φ. 5. Then, φ is a pre-condition for ψ. φ e C φ φ while e do C φ e Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

52 Proof Tableaux for Loops φ while e do { φ e WLP C φ C φ } φ E ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

53 Exercise 1 int fact(int x) { y = 1; z = 0; while (z!= x) { z = z + 1; y = y * z; } return y; } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

54 Guessing the invariant Doing a trace: iteration x y z B true true true true true true false i i! i Formulate hypothesis: y = z! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

55 Proof obligations Want to establish ψ y = x!. 1. Our invariant φ y = z! 2. Check that φ (z x) = ψ. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

56 Proof obligations Want to establish ψ y = x!. 1. Our invariant φ y = z! 2. Check that φ (z x) = ψ. 3. Compute WLP of loop body: Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

57 Proof obligations Want to establish ψ y = x!. 1. Our invariant φ y = z! 2. Check that φ (z x) = ψ. 3. Compute WLP of loop body: φ y (z + 1) = (z + 1)! 4. Check if φ z x = φ. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

58 Proof obligations Want to establish ψ y = x!. 1. Our invariant φ y = z! 2. Check that φ (z x) = ψ. 3. Compute WLP of loop body: φ y (z + 1) = (z + 1)! 4. Check if φ z x = φ. 5. Continue WLP computation with φ. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

59 Exercise 2: Minimal-Sum Section Given an integer array a[0], a[1],..., a[n 1]. A section of a is a continuous piece a[i], a[i + 1],..., a[j] with 0 i j < n. Section sum: S i,j = a[i] + + a[j]. A minimal-sum section is a section a[i],..., a[j] s.t. for any other a[i ],..., a[j ], we have S i,j S i,j. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

60 What to do? Compute the sum of the minimal-sum sections in linear time. Prove that the code is correct! For example... [ 1, 3, 15, 6, 4, 5] is 7 for [ 6, 4, 5]. [ 2, 1, 3, 3] is 3 for [ 2, 1] or [ 3]. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

61 The Program int minsum(int a[]) { k = 1; t = a[0]; s = a[0]; while (k!= n) { t = min(t + a[k], a[k]); s = min(s,t); k = k + 1; } return s; } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

62 Post-conditions The value s is smaller than the sum of any section. φ 1 = i, j : 0 i j < n s S i,j There is a section whose sum is s φ 2 = i, j : 0 i j < n s = S i,j Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

63 Trying to prove φ 1 Suitable Invariant: φ 1 = i, j : 0 i j < n s S i,j I 1 (s, k) = i, j : 0 i j < k s S i,j Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

64 Trying to prove φ 1 Suitable Invariant: φ 1 = i, j : 0 i j < n s S i,j I 1 (s, k) = i, j : 0 i j < k s S i,j Additional Invariant I 2 (t, k) = i : 0 i < k t S i,k 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

65 The Key Lemma In the end, we have to prove that I 1 (s, k) I 2 (t, k) k n = I 1 (min(s, (min(t + a[k], a[k])), k + 1) I 2 (min(t + a[k], a[k]), k + 1) This will require human intervention: proof-assistants. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

66 Verification Condition Generation Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

67 Purpose of this lecture Get an idea of how verification condition generation works. We consider the simplest possible implementation. This is based on early work on ESC/Java. We see some important concepts: collecting semantics constraint systems abstraction Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

68 Quick: What is the Loop Invariant? y := 5 ; x := 0 ; while x 5 do x := x + 1 x = y Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

69 Generating VCs Non-trivial loop-invariants must be supplied, but everything else automatic. Assume program is annotated with Pre- & Post-conditions. For every while-loop, a supposed loop-invariant. How do we check automatically that the implementation satisfies the contract? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

70 Verification Conditions Consider the triplets: φ C ψ x = x x := x y x + y = x The verification conditions would be φ WP C ψ (x = x ) ((x y) + y = x ) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

71 Asking an SMT Solver We then ask an SMT solver if the VC is true. (x = x ) ((x y) + y = x ) We want the VC to hold for all parameters. Check if the negated formula is satisfiable! Think: searching for a falsifying assignment (failing test case). Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

72 Translation into Flow Graphs Control Flow Graph G = (N, E, s, r) N are program points, and s, r N are start/return nodes. E = N C N are transition, where C is the set of basic statements. x := 5 y := x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

73 Basic Edges C ::= skip skip x := e assign φ? assume φ! assert Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

74 FOL with linear arithmetic φ ::= e arithmetic φ 1 φ 2 conjunction φ 1 φ 2 disjunction φ 1 φ 2 implication y : φ existential quantification y : φ universal quantification. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

75 Translating If-Statements if e then C 1 else C 2 0 e? e? 1 2 C 1 C 2 3 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

76 Translating While-Statements while e do C 0 e? 2 C e? 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

77 Program State State σ assigns values to variables: σ: V Z Example: σ 0 = {x 0, y 0} x := 5 y := x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

78 Program State State σ assigns values to variables: σ: V Z Example: σ 0 = {x 0, y 0} σ 1 = {x 5, y 0} x := 5 y := x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

79 Program State State σ assigns values to variables: σ: V Z Example: σ 0 = {x 0, y 0} σ 1 = {x 5, y 0} σ 2 = {x 5, y 6} x := 5 y := x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

80 Evaluating Expressions Given a σ, we evaluate expressions: For σ = {x 5, y 6}, z σ = z x σ = σ x e 1 + e 2 σ = e 1 σ + e 2 σ... x + y σ = x σ + y σ = σ x + σ y = = 11 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

81 State satisfies a formula Our state is σ: V Z, but φ may contain unbound logical variables x V. A state σ satisfies φ σ φ if φ evaluates to true for some extension of σ: σ : ( v V : σ v = σ v) ( φ σ = true) And a formula φ is satisfiable if σ : σ φ. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

82 A note on triplets Consider the triplet x = x x := x + 1 x = x + 1 where x is a logical variable. When we say that the triplet φ C ψ is valid under partial correctness if σ : σ φ = C σ ψ we assume that σ includes logical variables. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

83 Notation: Updating the State We update the mapping σ: where σ = σ[x z] σ y = { z σ y if y = x otherwise Useful exercise: σ ψ[e/x] σ[x e σ] ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

84 Notation: Updating the State We update the mapping σ: where σ = σ[x z] σ y = { z σ y if y = x otherwise Useful exercise: σ ψ[e/x] σ[x e σ] ψ ψ[e/x] σ = ψ (σ[x e σ]) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

85 Collecting Semantics For every point p N, we want to know The set of states reaching p: S p. If we assume that S s = S 0 = {σ 0 }. σ 0 v = 0 ( v V) x := 5 y := x {σ 0 } {σ 1 } {σ 2 } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

86 Starting State We need this semantics to validate our WP computation. Therefore, the best choice is S s = V Z, so that only tautologies hold at s. We include all logical variables from assume statements in V. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

87 For a skip edge p skip q S q = S p Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

88 For an assignment edge p q x := e S q = {σ[x e σ] σ S p } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

89 For an assume edge p q φ? S q = {σ σ S p, φ σ = true} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

90 For an assert edge p q φ! S q = {σ σ S p, φ σ = true} { σ S p, φ σ = false} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

91 Quiz: The Error State For any S, what are the results of the edges? false? false! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

92 Quiz: The Error State For any S, what are the results of the edges? false? false! { } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

93 Quiz: The Error State For any S, what are the results of the edges? false? false! { } The should pass through other edges (like exceptions / maybe monad) φ = false [x e] = We amend the assume rule... Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

94 Transfer functions skip S = S x := e S = {σ[x e σ] σ S} e? S = {σ σ S p, e σ 0} { S p } e! S = {σ σ S p, e σ 0} { σ S p, e σ = 0} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

95 Satisfiability for Sets This is lifted as expected: S φ σ S : σ φ As the error state satisfies nothing: φ : φ if S, already S true. (because some assertions may already have failed.) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

96 Example 0 x < 0? 0 x? 1 2 x := x x := x x 0! 4 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

97 Equation & Constraint Systems Recall G = (N, E, s, r). First we set the starting state: S s = {σ s } (or S s = V Z) And for each point q N: S q = { C S p (p, C, q) E} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

98 Equation & Constraint Systems Recall G = (N, E, s, r). First we set the starting state: S s = {σ s } (or S s = V Z) And for each point q N: S q = { C S p (p, C, q) E} As a constraint system: S s {σ s } S q C S p for (p, C, q) E Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

99 Constraint System Example Let x p = {σ x σ S p } (and if σ = ). We start with x 0 = x s = Z. x 0 Z x 1 {z z x 0, z < 0} x 2 {z z x 0, 0 z} x 3 { z z x 1 } x 3 {z + 1 z x 2 } x 4 {z z x 3, z 0} { z x 3, z = 0} 0 x < 0? 0 x? 1 2 x := x x := x x 0! 4 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

100 And Now WP... WP skip ψ = ψ WP x := e ψ = ψ[e/x] WP φ? ψ = φ ψ WP φ! ψ = φ ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

101 Assume versus Assert Definitions: C wp C ψ wlp C ψ φ! φ ψ φ ψ φ? φ ψ φ ψ Our WP C ψ behaves like wp on asserts. However, we will abstract away loops, so in essence this is still partial correctness. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

102 Equation system for WP We now start from the end node r N. Post-conditions are explicitly asserted, so... We start with ψ r = true and for p N: ψ p = {WP c ψ q (p, c, q) E} Alternatively, as a constraint system: ψ r = true ψ p = WP c ψ q for (p, c, q) E Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

103 WP and our Semantics Assume we have computed the initial precondition ψ s starting from the end node ψ r = true. If we start the collecting semantics with S s = {σ σ = ψ s } Then, we expect: S r = true which holds whenever S r. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

104 Quiz: Error State Again Recall our false assume/assert edges: false? false! { } Now what is the WP for these? WP false? ψ WP false! ψ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

105 Quiz: Error State Again Recall our false assume/assert edges: false? false! { } Now what is the WP for these? WP false? ψ true WP false! ψ false Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

106 Again this example: 0 x < 0? 0 x? 1 2 x := x x := x x 0! 4 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

107 Now recall this example... y := 5 ; x := 0 ; while x 5 do x := x + 1 ; x = y! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

108 We could compute this... 0 y := 5 ; x := 0 1 x = 5? x = y! 3 4 x := x + 1 x 5? 2 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

109 VCG: Abstraction of Loops Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

110 WP computation was stuck in this loop 0 y := 5 ; x := 0 1 x = 5? x = y! 3 4 x := x + 1 x 5? 2 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

111 Havoc (wrong!) Concrete semantics: havoc x S = {σ[x z] σ S, z Z} WP for havoc: WP havoc x ψ = x : ψ Practically, all information about x is lost, except indirect relations remain: WP havoc x (y = x x = z) = (y = z) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

112 Havoc (for post-conditions!) Concrete semantics: havoc x S = {σ[x z] σ S, z Z} WP for havoc: WP havoc x ψ = x : ψ Practically, all information about x is lost, except indirect relations remain (after the assignment): WP havoc x (y = x x = z) = (y = z) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

113 Pre-Condition of Havoc Concrete semantics: havoc x S = {σ[x z] σ S, z Z} WP for havoc: WP havoc x ψ = x : ψ We need ψ to hold for all values of x. Usually, we have assumes after havoc, so a typical example is WP havoc x ((y = x) (x = z)) = (y = z) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

114 Pre-Condition of Havoc Concrete semantics: havoc x S = {σ[x z] σ S, z Z} WP for havoc: WP havoc x ψ = ψ[x /x] x is fresh! We need ψ to hold for all values of x. Usually, we have assumes after havoc, so a typical example is WP havoc x ((y = x) (x = z)) = (y = z) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

115 A simple assumption We should havoc all variables that are assigned to in the loop body. For simplicity, we assume this is only x. (You may think of x as a vector.) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

116 Normal While Loop 0 e? 2 C e? 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

117 Abstraction using invariant φ 0 φ! ; havoc x ; φ? 0 e? 2 e? false? 1 2 C ; φ! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

118 Why can we do this? The construction guarantees that if we have S 2 S 2 S 2 where S i are the sets computed for the original while loop. Note: it follows very closely the proof rules of Hoare logic. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

119 Now we really can compute a VC 0 y := 5 ; x := 0 1 havoc x 1 x = 5? 3 x = y! 4 x 5? false? 2 x := x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

120 What happened? Well, there was no invariant to check. That s good because the invariant was trivial. The homework requires making this construction with an invariant. Just a note on procedure, and then we prove the soundness of the construction. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

121 Procedure Calls Given a function P with parameter p and result r and contract φ P ψ We produce the following translation for a call x = P(e). p := e φ! ψ? x := r Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

122 Soundness of the transformation C 0 1 e? e? 2 A 0 φ! ; havoc x ; φ? e? 2 e? false? 1 B C ; φ! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

123 Proof Plan 1. Write down constraint systems S and S. 2. Separate assertions into the conditions they impose constraint system for values 3. Show that the value system satisfies the constraints of S. 4. This implies that any solution of S is greater than the least solution of S. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

124 Constraint System S S 0 S S 0 C S 1 S 1 e? S 0 S 2 e? S 0 C 0 e? e? 2 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

125 Constraint System S S A S S 0 φ? {σ[x z] z Z, σ φ! S A} S 1 e? S 0 S B φ! ( C S 1) S 2 e? S 0 { S B} A 0 φ! ; havoc x ; φ? e? e? false? 2 1 B C ; φ! Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

126 Splitting S based on S 2 We can be sure S 2 if we have S φ C S 1 φ Letting S x = {σ[x z] z Z, σ S}, the following constraints remain: S 0 φ? S x S 1 e? S 0 S 2 e? S 0 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

127 Splitting S based on S 2 We can be sure S 2 if we have S φ C S 1 φ Letting S x = {σ[x z] z Z, σ S}, we obtain the following solution: S 0 = {σ S x σ φ} S 1 = {σ S x σ φ e} S 2 = {σ S x σ φ e} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

128 Solution to original system? Given the solution and conditions: S 0 = {σ S x σ φ} S 1 = {σ S x σ φ e} S 2 = {σ S x σ φ e} S φ C S 1 φ We check if the original constraints are satisfied: S 0 S S 0 C S 1 S 1 e? S 0 S 2 e? S 0 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

129 What did we just do? We had two systems: X F(X) X F (X) We showed that for any Y Y F (Y) = Y F(Y) What did we conclude? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

130 Data Flow Analysis Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

131 Data Flow Analysis We now consider how to check assertions using data flow analysis. Before we do that, we must to understand the basics of classical data flow analysis frameworks. We need to reason about soundness. Statements about programs are ordered... Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

132 Partial Orders Definition A set D together with a relation is a partial order if for all a, b, c D, a a a b b a = a = b a b b c = a c reflexivity anti-symmetry transitivity Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

133 Examples 1. D = 2 {a,b,c} with the relation 2. Z with the relation = 3. Z with the relation 4. Z = Z { } with the ordering: x y (x = ) (x = y) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

134 Facts about the program Our domain elements represent propositions about the program. Let p = x denote x holds whenever execution reaches program point p. We order these propositions such that x y whenever (p = x) = (p = y) Consider examples: The set of possibly live variables. The set of definitely initialized variables. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

135 Combining information Assume there are two paths to reach p (true-branch and false-branch). If we have x along one path and y along the other, how can we combine this information? x y We want something that is true of both paths, and as precise as possible. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

136 Least Upper Bounds d D is called an upper bound for X D if x d for all x X d is called a least upper bound if 1. d is an upper bound and 2. d y for every upper bound y of X. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

137 Do least upper bounds always exist? h i e f g a b c Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

138 Do least upper bounds always exist? h i e f g a b c Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

139 Do least upper bounds always exist? h i e f g a b c Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

140 Do least upper bounds always exist? h i e f g a b c Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

141 Complete Lattice Definition A complete lattice D is a partial ordering where every subset X D has a least upper bound X D. Every complete lattice has a least element = D; a greatest element = D D. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

142 Which are complete lattices? 1. D = 2 {a,b,c} 2. D = Z with =. 3. D = Z with. 4. D = Z. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

143 Which are complete lattices? 1. D = 2 {a,b,c} 2. D = Z with =. 3. D = Z with. 4. D = Z. 5. Z = Z {, }. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

144 Proof demo: Greatest Lower Bounds Recall the definition A complete lattice D is a partial ordering where every subset X D has a least upper bound X D. Theorem If D is a complete lattice, then every subset X D has a greatest lower bound X. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

145 Proof L = {l x X : l x}. Let g = L. (Least upper bound of the lower bounds.) We show that g = X. 1. Show that g is a lower bound of X. 2. Show that g is the greatest lower bound. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

146 Solving constraint systems Recall the concrete semantics: S q c S p for (p, c, q) E In general: x i f i (x 1,..., x n ) We rewrite multiple constraints: x d 1 x d k x {d 1,..., d k } Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

147 So how to do it? In order to solve: x i f i (x 1,..., x n ) We need f i to be monotonic. A mapping f is monotonic if a b = f(a) f(b) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

148 Monotonicity A mapping f is monotonic if a b = f(a) f(b) Which of the following is not monotonic? inc x = x + 1 dec x = x 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

149 Monotonicity A mapping f is monotonic if a b = f(a) f(b) Which of the following is not monotonic? inc x = x + 1 dec x = x 1 top x = bot x = Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

150 Monotonicity A mapping f is monotonic if a b = f(a) f(b) Which of the following is not monotonic? inc x = x + 1 dec x = x 1 top x = bot x = id x = x inv x = x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

151 Vector function We want to solve: x i f i (x 1,..., x n ) Construct vector function F: D n D n F(x 1,..., x n ) = (y 1,..., y n ) where y i = f i (x 1,..., x n ) If f i are monotonic, so is F. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

152 Kleene iteration Successively iterate from :, F( ), F 2 ( ),... Stop if we reach some X = F n ( ) with F(X) = X Will this terminate? Is this the least solution? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

153 Simple Example For D = 2 {a,b,c} x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} The Iteration x 1 x 2 x Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

154 Simple Example For D = 2 {a,b,c} x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} The Iteration x 1 {a} x 2 x 3 {c} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

155 Simple Example For D = 2 {a,b,c} x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} The Iteration x 1 {a} {a, c} x 2 x 3 {c} {a, c} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

156 Simple Example For D = 2 {a,b,c} x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} The Iteration x 1 {a} {a, c} {a, c} x 2 {a} x 3 {c} {a, c} {a, c} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

157 Simple Example For D = 2 {a,b,c} x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} The Iteration x 1 {a} {a, c} {a, c} x 2 {a} x 3 {c} {a, c} {a, c} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

158 Why Kleene iteration works 1., F( ), F 2 ( ),... is an ascending chain F( ) F 2 ( ) 2. If F k ( ) = F k+1 ( ), it is the least solution. 3. If all ascending chains in D are finite, Kleene iteration terminates. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

159 Discussion What if D does contain infinite ascending chains? In particular, our concrete semantics was defined as the set of states with σ V N. How do we know there aren t better solutions to the constraint system? x = f(x) x f(x) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

160 Answer to the first question Theorem (Knaster-Tarski) Assume D is a complete lattice. Then every monotonic function f: D D has a least fixpoint d 0 D where d 0 = P P = {d D d f(d)} 1. Show that d 0 P. 2. Show that d 0 is a fixpoint. 3. Show that d 0 is the least fixpoint. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

161 Answer to the second question Could there be better solutions to the constraint system than the least fixpoint? According to the theorem: d 0 = {d D d f(d)} Thus, d 0 is a lower bound for all solutions to the constraint system d f(d). Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

162 Chaotic iteration 1. Set all x i to and W = {1,..., n}. 2. Take some i W out of W. (if W =, exit). 3. Compute n := f i (x 1,..., x n ). 4. If x i n, goto Set x i := x i n and reset W := {1,..., n}. 6. Goto 2. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

163 Data flow versus paths We want to verify that whenever execution reaches program point p, a certain assertion holds. We need to check every path leading to p. Then: Why are we solving data flow constraint systems?? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

164 Path Semantics We define a path π inductively: π = ɛ π = π e empty path where e E If π is a path from p to q, we write π: p q. We define the path semantics: ɛ S = S π(p, c, q) S = c ( π S) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

165 Merge Over All Paths For a complete lattice D, we solved x s d s x q c x p (p, c, q) E But we are really interested in: y p = { π d s π: s p} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

166 Example: Merge Over All Paths skip 0 skip 1 2 x := 4 3 x := 4 y := x 2 y = 16! 4 5 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

167 When do solutions coincide? For our collecting semantics, they do. All functions c are distributive. In reality, we compute an abstract semantics. x s d s x q c x p (p, c, q) E Transfer functions c : D D are monotonic. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

168 Soundness of LFP Solutions Theorem (Kam, Ullman, 1975) Let x i satisfy the following constraint system: x s d s x q c x p (p, c, q) E where c are monotonic. Then, for every p N, we have x p { π d s π: s p} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

169 Proof We need to show that for each π: s p: x p π d s By induction on the length of π (assume the above holds for all paths of length n to any node). Base case. There is only one zero-length path: π = ɛ. We have x s ɛ d s from the first constraint. Inductive step: Let π = π (p, c, q). We have x p π d s from the inductive hypothesis. We need x q π d s = c ( π d s ). From monotonicity: x q c x p c ( π d s ). Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

170 On Distributivity A function f: D 1 D 2 is distributive if for all X D 1 : ( ) f X = {f x x X} It is strict if f = It is totally distributive if both distributive and strict (distributes also ). Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

171 Why these distinctions? Many useful analyses are distributive, but... we generally do not have strict transfer functions. Instead, we assume each node v is reachable from the start node. Under these assumptions, distributivity suffices for our coinidence theorem. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

172 Intraprocedural Coincidence Theorem (Kildall, 1972) Let x i satisfy the following constraint system: x s d s x q c x p (p, c, q) E where c are distributive. Then, for every p N, we have x p = { π d s π: s p} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

173 Proof I Note that any distributive function is also monotonic. Simple proof using: x y x y = y Thus, we only need to show this direction: x p { π d s π: s p} For this, we show that the MOP solution satisfies our constraint system. (WHY?) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

174 Proof II We show for an edge (p, c, q): x q c x p We compute: x q = { π d s π: s q} { π d s π: s p q} = { c ( π d s ) π: s p} ( ) = c { π d s π: s p} = c x p Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

175 Implementing a constraint solver Given the definitions: a s : D value at program start s : D D abstract semantics Solve the following system: x q d s q entry point x q c x p (p, c, q) edge Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

176 Representation of Right-Hand Sides For each variable x V, we have a single constraint f x. Given the sets V : Constraint Variables (Unknowns) D: The abstract value domain. The type of right hand sides are f x : (V D) D Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

177 The example encoded Mathematical formulation: x 1 {a} x 3 x 2 x 3 {a, b} x 3 x 1 {c} Functional encoding: f x1 = λσ. {a} σ x 3 f x2 = λσ. σ x 3 {a, b} f x3 = λσ. σ x 1 {c} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

178 Encoding in Haskell data V = X1 X2 X3 deriving (Eq,Show) class FSet v where vars :: [v] instance FSet V where vars = [X1,X2,X3] f X1 = \σ S.fromList [ a ] (σ X3) f X2 = \σ (σ X3) S.fromList [ a, b ] f X3 = \σ (σ X1) S.fromList [ c ] Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

179 Assignments and Solutions Given a variable assignment σ: V D, we can evaluate a right-hand-side f σ D. An assignment σ satisfies a constraint x f x iff σ x f x σ When σ satisfies all constrains, it is a solution. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

180 Haskell Code: Check Solution type RHS v d = (v d) d type Sys v d = v RHS v d type Sol v d = v d verify σ f = all verifyvar vars where verifyvar v = σ v f v σ Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

181 Kleene Iteration We iterate a monotonic function starting from : f f (f ) f i Until (hopefully) we reach an i, such that f i f i 1 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

182 Haskell Code: Domains class Domain t where ( ) :: t t Bool ( ) :: t t t bot :: t lfp :: Domain d => (d d) d lfp f = stable (iterate f bot) stable (x:fx:tl) fx x = x otherwise = stable (fx:tl) matt.might.net/articles/partial-orders/ iterate f x = x : iterate f ( f x) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

183 Haskell Code: Vector Function instance (FSet v, Domain d) => Domain (v d) where f g = all (\v f v g v) vars f g = \v f v g v bot = \v bot solve f = lfp (flip f) f: V (V D) D flip f: (V D) (V D) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

184 Testing the Simple Solver instance Ord e => Domain (Set e) where x y = x y x y = x y bot = empty f X1 = \σ S.fromList [ a ] (σ X3) f X2 = \σ (σ X3) S.fromList [ a, b ] f X3 = \σ (σ X1) S.fromList [ c ] *Simple> solve f X1 fromlist "ac" X2 fromlist "a" X3 fromlist "ac" Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

185 Assertion Checking with Static Analysis Vesal Vojdani Department of Computer Science University of Tartu Formal Methods (2014) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

186 Assertion Checking Track values of variables. Combine with WP computation. Infer invariants for loops. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

187 Value Domains Characterize the possible values of variables whenever we reach program point p. A non-relational value domain: D = V D Z We consider two simple value domains: 1. Kildall s constant propagation domain. 2. The Interval Domain. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

188 Non-relational Domains For a complete lattice D and finite set V, the set of functions D V with the point-wise ordering f 1 f 2 v V : f 1 (v) f 2 (v) is also a complete lattice. For example: D = V 2 Z. Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

189 Abstract Evaluation Just like for concrete state σ V Z: z σ = z x σ = σ x e 1 + e 2 σ = e 1 σ + e 2 σ Now, we need abstract operators such that for d D = V D Z, we evaluate: z d = z x d = d x e 1 + e 2 d = e 1 d + e 2 d Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

190 What the domain must supply 1. Lattice operations. 2. Lifting of constants: 3. Abstract operations: z Z : z D Z z 1, z 2 D Z : z 1 + z 2 D Z (not just for +; also unary, comparisons, logical, etc.) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

191 Kildall s Domain 1. Lattice is the flat lattice. 2. Constants are already elements of D Z : z = z 3. Operators are essentially lifted: if a = or b = a + b = if a = or b = a + b otherwise (More precise, e.g., for multiplication?) Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

192 Interval Domain 1. Lattice is Z Z with l 1, u 1 l 2, u 2 if l 2 l 1 u 1 u 2 2. Constants are singleton intervals: z = z, z 3. Operators are generally defined as: l 1, u 1 l 2, u 2 = l, u where l = min {a b a {l 1, u 1 }, b {l 2, u 2 }} u = max{a b a {l 1, u 1 }, b {l 2, u 2 }} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

193 The Analysis We define abstract transfer functions. The simple ones: skip d = d x := e d = d[x e d] Much like the concrete semantics: skip S = S x := e S = {σ[x e σ] σ S} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

194 The Bottom Value The bottom element is the mapping d v = ( v V) As soon as v with d v =, we would set all variables to. The bottom value then denotes non-reachability. All transfer functions would strictly let pass through. Why allow in the value domains at all? Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

195 Assume edges The concrete semantics: e? S = {σ σ S p, e σ 0} { S p } We will handle errors separately. Abstract value sets: { e? if e d = 0 d = d d t otherwise where d t = minimal elems {d e d 0} Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

196 Example 1: Dead Code 0 x := 5 1 x = 5? x 5? 2 3 y := 9 y := 6 4 y = 9! 5 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

197 Example 2: Restricting Values 0 x = 5? x 5? 1 2 x := x + 1 x := 6 3 x = 6! 4 Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

198 Correctness We have a monotonic concretization function γ. For the value domains γ: D Z 2 Z. if a = γ z = Z if a = {z} otherwise For the variable assignments: { if v : d v = γ d = {ρ v : ρ v γ (d v)} otherwise Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

199 Correctness condition All our transfer functions need to satisfy: c (γ d) γ ( c d) Then, then the least solutions also satisfy: S p γ x p Because if we have f(γ x) γ(f x) and d = f d, then f(γ d) γ(f d) = γ d Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187

200 Assert edges Their effect on values is like assume: e! S = {σ σ S p, e σ 0} { σ S p, e σ = 0} So how to check assertions? (next slide) Let x p be the value analysis: x 0 d 0 x q c x p for (p, c, q) E Vesal Vojdani (University of Tartu) Formal Methods in SW Engineering Fall / 187