motivation no formal theory motivation no formal theory
play

Motivation: No Formal Theory Motivation: No Formal Theory Master - PowerPoint PPT Presentation

Feb 18, 2023 •259 likes •724 views

On the Nature of Symbolic Execution 1 Frank de Boer (Joint work with Marcello Bonsangue) IFIP WG 2.2, 2019 1 FM 2019 Motivation: No Formal Theory Motivation: No Formal Theory Master course at Leiden University Motivation: No Formal Theory

  1. On the Nature of Symbolic Execution 1 Frank de Boer (Joint work with Marcello Bonsangue) IFIP WG 2.2, 2019 1 FM 2019

  2. Motivation: No Formal Theory

  3. Motivation: No Formal Theory Master course at Leiden University

  4. Motivation: No Formal Theory Master course at Leiden University Tools ◮ No formal specification (of correctness/completeness)

  5. Basic Symbolic Execution

  6. Basic Symbolic Execution Programming expressions e := x | op ( e 1 , . . . , e n ) where x is a simple variable of a basic type.

  7. Basic Symbolic Execution Programming expressions e := x | op ( e 1 , . . . , e n ) where x is a simple variable of a basic type. Substitution σ : Var → Expr x σ = σ ( x ) op ( e 1 , . . . , e n ) σ = op ( e 1 σ, . . . , e n σ )

  8. Basic Symbolic Execution Programming expressions e := x | op ( e 1 , . . . , e n ) where x is a simple variable of a basic type. Substitution σ : Var → Expr x σ = σ ( x ) op ( e 1 , . . . , e n ) σ = op ( e 1 σ, . . . , e n σ ) Symbolic configuration � S , σ, φ � where ◮ S denotes the statement to be executed, ◮ σ denotes the current substitution, ◮ Boolean condition φ denotes the path condition.

  9. Symbolic Transition System

  10. Symbolic Transition System Assignment � x = e ; S , σ, φ � → � S , σ [ x = e σ ] , φ � where σ [ x = e ]( y ) = σ ( y ) if x and y are distinct variables, and σ [ x = e ]( x ) = e otherwise.

  11. Symbolic Transition System Assignment � x = e ; S , σ, φ � → � S , σ [ x = e σ ] , φ � where σ [ x = e ]( y ) = σ ( y ) if x and y are distinct variables, and σ [ x = e ]( x ) = e otherwise. Choice ◮ � if B { S 1 }{ S 2 } ; S , σ, φ � → � S 1 ; S , σ, φ ∧ B σ � ◮ � if B { S 1 }{ S 2 } ; S , σ, φ � → � S 2 ; S , σ, φ ∧ ¬ B σ �

  12. Symbolic Transition System Assignment � x = e ; S , σ, φ � → � S , σ [ x = e σ ] , φ � where σ [ x = e ]( y ) = σ ( y ) if x and y are distinct variables, and σ [ x = e ]( x ) = e otherwise. Choice ◮ � if B { S 1 }{ S 2 } ; S , σ, φ � → � S 1 ; S , σ, φ ∧ B σ � ◮ � if B { S 1 }{ S 2 } ; S , σ, φ � → � S 2 ; S , σ, φ ∧ ¬ B σ � Iteration ◮ � while B { S } ; S ′ , σ, φ � → � S ; while B { S } ; S ′ , σ, φ ∧ B σ � ◮ � while B { S } ; S ′ , σ, φ � → � S ′ , σ, φ ∧ ¬ B σ �

  13. Correctness

  14. Correctness Concrete transitions � S , V � → � S ′ , V ′ � where V : Var → Val

  15. Correctness Concrete transitions � S , V � → � S ′ , V ′ � where V : Var → Val Theorem If � S , id , true � → ∗ � S ′ , σ, φ � and V ( φ ) = true then � S , V � → ∗ � S ′ , V ◦ σ � where V ◦ σ ( x ) = V ( σ ( x )) .

  16. Completeness

  17. Completeness Relating symbolic and concrete configurations � S , V � ≃ � S , σ, φ � if V = V 0 ◦ σ and V 0 ( φ ) = true , for some valuation V 0 .

  18. Completeness Relating symbolic and concrete configurations � S , V � ≃ � S , σ, φ � if V = V 0 ◦ σ and V 0 ( φ ) = true , for some valuation V 0 . Theorem (simulation) � S , V � ≃ � S , σ, φ � and � S , V � → � S ′ , V ′ � implies the existence of a corresponding symbolic transition � S , σ, φ � → � S ′ , σ ′ , φ ′ � such that � S ′ , V ′ � ≃ � S ′ , σ ′ , φ ′ � .

  19. OO

  20. OO Variables ◮ Global variables (main statement) ◮ Local variables (formal parameters of methods) ◮ Instance variables (class definitions)

  21. OO Variables ◮ Global variables (main statement) ◮ Local variables (formal parameters of methods) ◮ Instance variables (class definitions) Programming expressions e := x | op ( e 1 , . . . , e n ) (In the main statement only global variables are used).

  22. OO Variables ◮ Global variables (main statement) ◮ Local variables (formal parameters of methods) ◮ Instance variables (class definitions) Programming expressions e := x | op ( e 1 , . . . , e n ) (In the main statement only global variables are used). Syntax of heap variables H and heap expressions E H := x | H . y E := H | op ( E 1 , . . . , E n ) , where x is a global variable.

  23. Symbolic Heap Representation

  24. Symbolic Heap Representation Symbolic heap σ σ denotes a substitution which assigns to each heap variable H a heap expression E .

  25. Symbolic Heap Representation Symbolic heap σ σ denotes a substitution which assigns to each heap variable H a heap expression E . Local environment τ τ denotes a substitution which assigns to each formal parameter x a heap expression E .

  26. Symbolic Heap Representation Symbolic heap σ σ denotes a substitution which assigns to each heap variable H a heap expression E . Local environment τ τ denotes a substitution which assigns to each formal parameter x a heap expression E . Application substitution θ = τ ∪ σ x θ = σ ( x ) global variable x θ = τ ( x ) local variable x θ = σ ( τ ( this ) . x ) instance variable op ( E 1 , . . . , E n ) θ = op ( E 1 θ, . . . , E n θ )

  27. Symbolic Heap Update

  28. Symbolic Heap Update Update global variable ◮ σ [ x = E ]( x ) = E ◮ σ [ x = E ]( H ) = σ ( H ) , for any other heap variable H

  29. Symbolic Heap Update Update global variable ◮ σ [ x = E ]( x ) = E ◮ σ [ x = E ]( H ) = σ ( H ) , for any other heap variable H Update instance variable ◮ σ [ H . x = E ]( H ′ . x ) = if σ ( H ′ ) = σ ( H ) then E else σ ( H ′ . x ) fi ◮ σ [ H . x = E ]( H ′ ) = σ ( H ′ ) , for any other heap variable H ′

  30. Symbolic Transition System

  31. Symbolic Transition System Assignment global variable � ( ⊥ , x = e ; S ) , σ, φ � → � ( ⊥ , S ) , σ [ x = e σ ] , φ �

  32. Symbolic Transition System Assignment global variable � ( ⊥ , x = e ; S ) , σ, φ � → � ( ⊥ , S ) , σ [ x = e σ ] , φ � Assignment instance variable � ( τ, x = e ; S ) · Σ , σ, φ � → � ( τ, S ) · Σ , σ [ τ ( this ) . x = e θ ] , φ � where θ = τ ∪ σ .

  33. Symbolic Transition System Assignment global variable � ( ⊥ , x = e ; S ) , σ, φ � → � ( ⊥ , S ) , σ [ x = e σ ] , φ � Assignment instance variable � ( τ, x = e ; S ) · Σ , σ, φ � → � ( τ, S ) · Σ , σ [ τ ( this ) . x = e θ ] , φ � where θ = τ ∪ σ . Object creation � ( τ, x = new C ; S ) · Σ , σ, φ � → � ( τ [ x = y ] , S ) · Σ , σ ′ , φ � where σ ′ ( y . z ) = nil .

  34. Symbolic Transition System (Cont’d)

  35. Symbolic Transition System (Cont’d) Method call Given a method declaration m (¯ u ) { S } , we have � ( τ, y = e 0 . m (¯ e ); S ′ ) · Σ , σ, φ � → � ( τ ′ . S ) · ( τ, y =?; S ′ ) · Σ , σ, φ ′ � where ◮ τ ′ (¯ u ) = ¯ e ( τ ∪ σ ) ◮ τ ′ ( this ) = e 0 ( τ ∪ σ )

  36. Symbolic Transition System (Cont’d) Method call Given a method declaration m (¯ u ) { S } , we have � ( τ, y = e 0 . m (¯ e ); S ′ ) · Σ , σ, φ � → � ( τ ′ . S ) · ( τ, y =?; S ′ ) · Σ , σ, φ ′ � where ◮ τ ′ (¯ u ) = ¯ e ( τ ∪ σ ) ◮ τ ′ ( this ) = e 0 ( τ ∪ σ ) Method return � ( τ, return e ) · ( τ ′ , x =?; S ) · Σ , σ, φ � → � ( τ ′ [ x = e θ ] , S ) · Σ , σ, φ � where θ = ( τ ∪ σ ) .

  37. Concrete Transition System

  38. Concrete Transition System Valuation ◮ V ( H ) = V ( H ′ ) implies V ( H . x ) = V ( H ′ . x ) , ◮ V ( x ) � = V ( x ′ ) , for any two distinct global variables x and x ′ which do not appear in the main statement ( unique name assumption ).

  39. Concrete Transition System Valuation ◮ V ( H ) = V ( H ′ ) implies V ( H . x ) = V ( H ′ . x ) , ◮ V ( x ) � = V ( x ′ ) , for any two distinct global variables x and x ′ which do not appear in the main statement ( unique name assumption ). Heap update � v if V ( H ′ ) = V ( H ) ◮ V [ H . x = v ]( H ′ . x ) = V ( H ′ . x ) otherwise ◮ V [ H . x = v ]( H ′ ) = V ( H ′ ) , for any other heap variable H ′ .

  40. Concrete Transition System Valuation ◮ V ( H ) = V ( H ′ ) implies V ( H . x ) = V ( H ′ . x ) , ◮ V ( x ) � = V ( x ′ ) , for any two distinct global variables x and x ′ which do not appear in the main statement ( unique name assumption ). Heap update � v if V ( H ′ ) = V ( H ) ◮ V [ H . x = v ]( H ′ . x ) = V ( H ′ . x ) otherwise ◮ V [ H . x = v ]( H ′ ) = V ( H ′ ) , for any other heap variable H ′ . Assignment instance variable � ( L , x = e ; S ) · Σ , V � → � ( L , S ) · Σ , V [ H . x = v ] � where V ( H ) = L ( this ) and v = ( L ∪ V )( e ) .

  41. Correctness

  42. Correctness Theorem If � ( ⊥ , S ) , id , true � → ∗ � ( τ, S ′ ) · Σ , σ, φ � and V ( φ ) = true , where V is an initial valuation, then � ( ⊥ , S ) , V � → ∗ � ( V ◦ τ, S ′ ) · V ◦ Σ , V ◦ σ � where ◮ ( V ◦ τ )( x ) = V ( τ ( x )) ◮ ( V ◦ σ )( H ) = V ( σ ( H ))

  43. Conclusion

  44. Conclusion Extensions ◮ Arrays ◮ Multithreading (Java) ◮ Concurrent objects ◮ Concolic execution ◮ Backward symbolic execution

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a unified formal theory on reasoning about programs and program con- struction built on top of Intuitionistic Type Theory. 1 OVERVIEW 1. Motivation and

398 views • 20 slides
Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory,

Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory,

Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory, Informally RED TAPE HOLDS UP NEW BRIDGE Formal Theory, Informally INCLUDE YOUR CHILDREN WHEN BAKING COOKIES Formal Theory, Informally PORTABLE

860 views • 85 slides
5. Motivation Motivation: Big Questions Where does motivation come from? Can

5. Motivation Motivation: Big Questions Where does motivation come from? Can

5. Motivation Motivation: Big Questions Where does motivation come from? Can motivation be created or increased? What motivates school- age children? 5.1 Behavioral Theory 5.2 Human Needs Theory 5.3 Attribution Theory

831 views • 45 slides
An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs simply typed lambda calculus (1940); Martin L ofs dependent type theory (1971-1984) Origin: Russells theory of types The world is

848 views • 12 slides
Formal Theory, Informally Jonathan Worthington French Perl Workshop 2006 Formal Theory,

Formal Theory, Informally Jonathan Worthington French Perl Workshop 2006 Formal Theory,

Formal Theory, Informally Jonathan Worthington French Perl Workshop 2006 Formal Theory, Informally I need rat poison and beer to drink. Formal Theory, Informally I need [rat poison] and [beer to drink]. Formal Theory,

1.01k views • 85 slides
Formal Theory, Informally Jonathan Worthington London Perl Workshop 2006 Formal Theory,

Formal Theory, Informally Jonathan Worthington London Perl Workshop 2006 Formal Theory,

Formal Theory, Informally Jonathan Worthington London Perl Workshop 2006 Formal Theory, Informally I need rat poison and beer to drink. Formal Theory, Informally I need [rat poison] and [beer to drink]. Formal Theory,

1.11k views • 86 slides
Towards a Theory of Formal Distributed Systems Why and how distributed systems can solve

Towards a Theory of Formal Distributed Systems Why and how distributed systems can solve

Towards a Theory of Formal Distributed Systems Why and how distributed systems can solve distributed problems ? Towards = immature or not ready for presenting Formal = unrealistic or useless Masafumi Yamashita (Kyushu Univ.) Table of

578 views • 33 slides
C1.1 Introduction formulas (over A ) is inductively defined as follows: Every atom a A is a

C1.1 Introduction formulas (over A ) is inductively defined as follows: Every atom a A is a

Theory of Computer Science March 14, 2016 C1. Formal Languages and Grammars Theory of Computer Science C1.1 Introduction C1. Formal Languages and Grammars C1.2 Alphabets and Formal Languages Malte Helmert C1.3 Grammars University of

287 views • 6 slides
Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25

Introduction to formal semantics - Enrico Leonhardt Introduction to formal semantics 1 / 25 Enrico Leonhardt | Motivation | Semiotics | Formal semantics in CS | structure Motivation - Philosophy paradox antinomy

710 views • 25 slides
Theory of Computer Science E1. Complexity Theory: Motivation and Introduction Gabriele R oger

Theory of Computer Science E1. Complexity Theory: Motivation and Introduction Gabriele R oger

Theory of Computer Science E1. Complexity Theory: Motivation and Introduction Gabriele R oger University of Basel May 6, 2020 Motivation How to Measure Runtime? Decision Problems Nondeterminism Summary Overview: Course contents of this

515 views • 39 slides
Formal Language Theory Gerhard J ager University of T ubingen Workshop Artificial Grammar

Formal Language Theory Gerhard J ager University of T ubingen Workshop Artificial Grammar

Formal Language Theory Gerhard J ager University of T ubingen Workshop Artificial Grammar Learning and Formal Language Theory Nijmegen, November 23, 2010 Gerhard J ager (University of T ubingen) Formal Language Theory AGL Workshop

930 views • 72 slides
Formal Game Theory Stphane Le Roux 1 , Pierre Lescanne 1 and Ren Vestergaard 2 1 LIP ENS-Lyon,

Formal Game Theory Stphane Le Roux 1 , Pierre Lescanne 1 and Ren Vestergaard 2 1 LIP ENS-Lyon,

Motivations Simultaneous Games Sequential Games Summary Formal Game Theory Stphane Le Roux 1 , Pierre Lescanne 1 and Ren Vestergaard 2 1 LIP ENS-Lyon, France 2 JAIST Japan Workshop Chambry, Krakow, and Lyon, 2005 SLR, PL and RV Formal

1.39k views • 110 slides
Theory of Computer Science May 6, 2020 E1. Complexity Theory: Motivation and Introduction

Theory of Computer Science May 6, 2020 E1. Complexity Theory: Motivation and Introduction

Theory of Computer Science May 6, 2020 E1. Complexity Theory: Motivation and Introduction Theory of Computer Science E1.1 Motivation E1. Complexity Theory: Motivation and Introduction E1.2 How to Measure Runtime? Gabriele R oger E1.3

332 views • 10 slides
A Formal Theory for the Complexity Class Associated with the Stable Marriage Problem Dai Tri Man

A Formal Theory for the Complexity Class Associated with the Stable Marriage Problem Dai Tri Man

A Formal Theory for the Complexity Class Associated with the Stable Marriage Problem Dai Tri Man L e Joint work with Stephen Cook and Yuli Ye Department of Computer Science University of Toronto Canada LCC 2011 1 / 17 Two Aspects of

684 views • 36 slides
Strategy & Information Mihai Manea MIT What is Game Theory? Game Theory is the formal study

Strategy & Information Mihai Manea MIT What is Game Theory? Game Theory is the formal study

Strategy & Information Mihai Manea MIT What is Game Theory? Game Theory is the formal study of strategic interaction. In a strategic setting the actions of several agents are interdependent. Each agents outcome depends not only on his

794 views • 57 slides
Outline Motivation Experimental Set-Up Theory behind the set-up Results

Outline Motivation Experimental Set-Up Theory behind the set-up Results

Outline Motivation Experimental Set-Up Theory behind the set-up Results Acknowledgements Motivation Attosecond pulses could be used to study time-dependence of atomic dynamics. Greater control of pulse duration

737 views • 32 slides
Administrative - Poster Session on Wednesday, worth 3% of final grade, +2% for top few posters.

Administrative - Poster Session on Wednesday, worth 3% of final grade, +2% for top few posters.

Administrative - Poster Session on Wednesday, worth 3% of final grade, +2% for top few posters. There will be food - CS224D (Deep Learning for NLP) was announced for next quarter taught by Richard Socher, natural followup for more DL. Fei-Fei Li

732 views • 38 slides
Human-level control through deep reinforcement Liia Butler But first... A quote "The

Human-level control through deep reinforcement Liia Butler But first... A quote "The

Human-level control through deep reinforcement Liia Butler But first... A quote "The question of whether machines can think... is about as relevant as the question of whether submarines can swim" Edsger W. Dijkstra Overview 1.

338 views • 21 slides
Project TIER: Teaching Transparency in Empirical Research Richard Ball Associate Professor of

Project TIER: Teaching Transparency in Empirical Research Richard Ball Associate Professor of

Project TIER: Teaching Transparency in Empirical Research Richard Ball Associate Professor of Economics Haverford College rball@haverford.edu www.haverford.edu/TIER @Project_TIER Presented at the INET/YSI Workshop on Replication and

510 views • 28 slides
PHYS 597 Senior Physics Laboratory Goals Becoming an independent researcher Student Learning

PHYS 597 Senior Physics Laboratory Goals Becoming an independent researcher Student Learning

Alexander Lvovsky PHYS 597 Senior Physics Laboratory Goals Becoming an independent researcher Student Learning (labs under guidance) - detailed instructions - prepared equipment - known theory - known results PHYS 597 PHYS 598/599 MSc

1.11k views • 94 slides
Snake News or Fake News? The Game Show Tara Cataldo Science Collections Coordinator Marston

Snake News or Fake News? The Game Show Tara Cataldo Science Collections Coordinator Marston

Snake News or Fake News? The Game Show Tara Cataldo Science Collections Coordinator Marston Science Library University of Florida Researching Students Information Choices (RSIC): Determining Identity and Judging Credibility in Digital

1.11k views • 84 slides
The Automatic Statistician and Future Directions in Probabilistic Machine Learning Zoubin

The Automatic Statistician and Future Directions in Probabilistic Machine Learning Zoubin

The Automatic Statistician and Future Directions in Probabilistic Machine Learning Zoubin Ghahramani Department of Engineering University of Cambridge zoubin@eng.cam.ac.uk http://mlg.eng.cam.ac.uk/ http://www.automaticstatistician.com/ MLSS

289 views • 28 slides
CSC321 Lecture 23: Go Roger Grosse Roger Grosse CSC321 Lecture 23: Go 1 / 22 Final Exam

CSC321 Lecture 23: Go Roger Grosse Roger Grosse CSC321 Lecture 23: Go 1 / 22 Final Exam

CSC321 Lecture 23: Go Roger Grosse Roger Grosse CSC321 Lecture 23: Go 1 / 22 Final Exam Monday, April 24, 7-10pm A-O: NR 25 P-Z: ZZ VLAD Covers all lectures, tutorials, homeworks, and programming assignments 1/3 from the first half, 2/3

373 views • 24 slides
CSC421/2516 Lecture 22: Go Roger Grosse and Jimmy Ba Roger Grosse and Jimmy Ba CSC421/2516

CSC421/2516 Lecture 22: Go Roger Grosse and Jimmy Ba Roger Grosse and Jimmy Ba CSC421/2516

CSC421/2516 Lecture 22: Go Roger Grosse and Jimmy Ba Roger Grosse and Jimmy Ba CSC421/2516 Lecture 22: Go 1 / 20 Overview Most of the problem domains weve discussed so far were natural application areas for deep learning (e.g. vision,

480 views • 22 slides

More recommend