Program Equivalence From Trace Equivalence Tim Wood 1 Sophia - - PowerPoint PPT Presentation

program equivalence from trace equivalence
SMART_READER_LITE
LIVE PREVIEW

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia - - PowerPoint PPT Presentation

May 31, 2023 389 likes •1.02k views

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College London Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 1 / 30 Context Program maintenance is a common and important

slide-1
SLIDE 1

Program Equivalence From Trace Equivalence

Tim Wood1 Sophia Drossopoulou1

1Imperial College London Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 1 / 30

slide-2
SLIDE 2

Context

Program maintenance is a common and important activity Programmers need to change or extend behaviour Intent is often to preserve most of the behaviour When changing one behaviour, easy and common to unintentionally damage some other behaviour

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 2 / 30

slide-3
SLIDE 3

Context

Program maintenance is a common and important activity Programmers need to change or extend behaviour Intent is often to preserve most of the behaviour When changing one behaviour, easy and common to unintentionally damage some other behaviour Programmers often don’t want to

specify write tests for read or understand

the whole program before they can change it

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 2 / 30

slide-4
SLIDE 4

Question

What does it mean “preserve most of the behaviour”? Can we automatically check that most of the behaviour is preserved?

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 3 / 30

slide-5
SLIDE 5

Answer

We propose a precise criterion to judge preservation of most of the behaviour Programmer tells us which objects should be affected by the modification If any other objects are affected, then the behaviour was not preserved

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 4 / 30

slide-6
SLIDE 6

Answer

We propose a sufficient condition for the criteria that is useful for our tool Condition depends only on the trace of method calls between the affected and unaffected objects Condition doesn’t require the unaffected objects to be precisely tracked We are developing a tool which uses symbolic execution and approximation (not described here)

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 5 / 30

slide-7
SLIDE 7

Contributions

Formal criterion for “preserve most of the behaviour” Useful sufficient condition for automated checking Automated proof of sufficiency of condition in Dafny Verifier

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 6 / 30

slide-8
SLIDE 8

Example

1

StudentDb db = new StudentDb ();

2

Logger logger = new Logger ();

3

Prizes prizes = new Prizes ();

4

void main () {

5

List <Student > students = db. orderedByGrade ();

6

logger.considered(students);

7

prizes.awardTo(students); }

8 9 class

Prizes {

10

void awardTo(List <Student > students) {

11

award(students.get (0));

12

award(students.get (1));

13

award(students.get (2));}

14

void award(final Student student) { /* ... */ }}

15 16 class

Logger {

17

void considered (List <Student > students) {

18 19

for (Student s : students) {

20

println(" considered : " + s.name ()); }}}

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 7 / 30

slide-9
SLIDE 9

Example

1

StudentDb db = new StudentDb ();

2

Logger logger = new Logger ();

3

Prizes prizes = new Prizes ();

4

void main () {

5

List <Student > students = db. orderedByGrade ();

6

logger.considered(students);

7

prizes.awardTo(students); }

8 9 class

Prizes {

10

void awardTo(List <Student > students) {

11

award(students.get (0));

12

award(students.get (1));

13

award(students.get (2));}

14

void award(final Student student) { /* ... */ }}

15 16 class

Logger {

17

void considered (List <Student > students) {

18

sort(students , compareStudentsByName ());

19

for (Student s : students) {

20

println(" considered : " + s.name ()); }}}

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 8 / 30

slide-10
SLIDE 10

Example

1

StudentDb db = new StudentDb ();

2

Logger logger = new Logger ();

3

Prizes prizes = new Prizes ();

4

void main () {

5

List <Student > students = db. orderedByGrade ();

6

logger.considered(students);

7

prizes.awardTo(students); }

8 9 class

Prizes {

10

void awardTo(List <Student > students) {

11

award(students.get (0));

12

award(students.get (1));

13

award(students.get (2));}

14

void award(final Student student) { /* ... */ }}

15 16 class

Logger {

17

void considered (List <Student > students) {

18

sort(students , compareStudentsByName ());

19

for (Student s : students) {

20

println(" considered : " + s.name ()); }}}

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 8 / 30

Allegedly Affected

Modified Objects ⊆ Allegedly Affected

slide-11
SLIDE 11

Example

1

StudentDb db = new StudentDb ();

2

Logger logger = new Logger ();

3

Prizes prizes = new Prizes ();

4

void main () {

5

List <Student > students = db. orderedByGrade ();

6

logger.considered(students);

7

prizes.awardTo(students); }

8 9 class

Prizes {

10

void awardTo(List <Student > students) {

11

award(students.get (0));

12

award(students.get (1));

13

award(students.get (2));}

14

void award(final Student student) { /* ... */ }}

15 16 class

Logger {

17

void considered (List <Student > students) {

18

sort(students , compareStudentsByName ());

19

for (Student s : students) {

20

println(" considered : " + s.name ()); }}}

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 8 / 30

Actually Affected

slide-12
SLIDE 12

Equivalence Criteria

Equivalence criteria are expressed only in terms of the objects involved in the behaviour of interest to the programmer Programmer can be ignorant of the rest of the objects and their behaviour

Programmer doesn’t have to read or understand those parts, our criteria takes care that they are not affected

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 9 / 30

slide-13
SLIDE 13

Equivalence Criteria

Stack and Heap have the same shape when only the unaffected objects are considered.

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 10 / 30

slide-14
SLIDE 14

State Equivalence - Example

this 3

  • 2

this 1 2 3 4 5

  • 1
  • 2

fi f n

  • v1

U A this 2

  • 9

this 4 4 8 9 2 3 7

  • 1
  • 2

fi f n

  • l

v2 U A

Stack and heap at a point in execution of a different example program.

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 11 / 30

slide-15
SLIDE 15

State Equivalence - Example

this 3

  • 2

this 1 2 3 4 5

  • 1
  • 2

fi f n

  • v1

U A this 2

  • 9

this 4 4 8 9 2 3 7

  • 1
  • 2

fi f n

  • l

v2 U A

Unaffected objects and stack frames only

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 11 / 30

slide-16
SLIDE 16

Sufficient Condition

Objective: Avoid comparing the whole heap at each execution step Solution: Compare only methods calls/returns between affected and unaffected objects Also allows us to over-approximate some or all of the unaffected objects

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 12 / 30

slide-17
SLIDE 17

Sufficient Condition - Illustration

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 13 / 30 V1 . . . V2 . . . We want to establish that the unaffected objects correspond at each execution step

slide-18
SLIDE 18

Sufficient Condition - Illustration

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 13 / 30 V1 . . . V2 . . . Only need to consider states which are method calls or returns between affected and unaffected objects

slide-19
SLIDE 19

Sufficient Condition - Illustration

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 13 / 30 V1 . . . V2 . . . Only need to consider the topmost stack frame

slide-20
SLIDE 20

Sufficient Condition - Illustration

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 14 / 30 V1 V2 Intuition: the method calls and returns (and method parameters), between the affected and unaffected objects are enough information to uniquely deter- mine the unaffected objects

slide-21
SLIDE 21

Trace Equivalence - Example

Method Params Fifo this: 3 return 3 add this: 3 o: 1 return add this: 3 o: 2 return remove this: 3 return 1 remove this: 3 return 2 t1 (from v1)

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 15 / 30

slide-22
SLIDE 22

Trace Equivalence - Example

Method Params Fifo this: 3 return 3 add this: 3 o: 1 return add this: 3 o: 2 return remove this: 3 return 1 remove this: 3 return 2 t1 (from v1) t1 ∼ = t2 using mapping (1,8),(3,10),(2,9) Method Params Fifo this:10 return 10 add this:10 o: 8 return add this:10 o: 9 return remove this:10 return 8 remove this:10 return 9 t2 (from v2)

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 15 / 30

slide-23
SLIDE 23

Trace Equivalence - Example

Method Params Fifo this: 3 return 3 add this: 3 o: 1 return add this: 3 o: 2 return remove this: 3 return 1 remove this: 3 return 2 t1 (from v1) t2 ∼ = t3 Method Params Fifo this: 7 return 7 add this: 7 o: 4 return add this: 7 o: 6 return remove this: 7 return 6 remove this: 7 return 4 t3 (imaginary)

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 15 / 30

slide-24
SLIDE 24

References

Many languages have features that leak information about the actual values

  • f addresses, or order of allocations.

Java/C♯/etc: hashcode(), python: id(), ruby: object_id, etc. A tool using our sufficient condition would additionally need to check any uses of such features

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 16 / 30

slide-25
SLIDE 25

Proof of Sufficiency

Use Microsoft Dafny program verifier to prove that trace equivalence implies state equivalence How to represent the question in Dafny? How to represent and prove Theorems? Some useful techniques.

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 17 / 30

slide-26
SLIDE 26

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

match expr

7

case Exception = > Stuck

8

case Nop = > result(Tau , s1)

9

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 18 / 30

implement operational semantics as executable pure function

slide-27
SLIDE 27

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

match expr

7

case Exception = > Stuck

8

case Nop = > result(Tau , s1)

9

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 18 / 30

instructions, algebraic data type

slide-28
SLIDE 28

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

match expr

7

case Exception = > Stuck

8

case Nop = > result(Tau , s1)

9

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 18 / 30

pure, non-ghost

slide-29
SLIDE 29

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

match expr

7

case Exception = > Stuck

8

case Nop = > result(Tau , s1)

9

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 18 / 30

terminate if out of stack

slide-30
SLIDE 30

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

match expr

7

case Exception = > Stuck

8

case Nop = > result(Tau , s1)

9

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 18 / 30

case split on instruction, and so on...

slide-31
SLIDE 31

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

proof by induction over a sequence

slide-32
SLIDE 32

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

ghost procedure - imperative code proves declarative lemma

slide-33
SLIDE 33

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

parameters universally quantified returns existentially quantified

slide-34
SLIDE 34

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

prove precondition implies post condition

slide-35
SLIDE 35

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

Dafny proves base case automatically

slide-36
SLIDE 36

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 //

Imperative ghost code that proves lemma

8 ... 9 if(ls1 = []) { /*

induction base case */ }

10 else { 11 ... 12 /* call

induction hypothesis (recursive call) */

13 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 14 ... 15 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 19 / 30

applying induction hypothesis is a recursive procedure call

slide-37
SLIDE 37

Performance Issues

Proof is fairly big (≈ 6000 lines) Our operational semantics function and equivalence predicates are large Dafny automatically exposes function definitions at the call site Seems to cause the proof search to get lost

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 20 / 30

slide-38
SLIDE 38

Refinement

Dafny supports modules and module refinement Use abstract evaluation and equivalence functions in most of the proof Refine the abstractions to show the proof applies to the concrete evaluation and equivalence AbstractEquiv ConcreteEquiv AbstractLts ConcreteLts AbstractLang Lang TheoremProof imports refines

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 21 / 30

slide-39
SLIDE 39

Refinement

Resolved performance issues

along with some other techniques - see paper

Led us to prove more general result

proof applies to any equivalences and language semantics provided you can construct the refinements

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 22 / 30

slide-40
SLIDE 40

End

End

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 23 / 30

slide-41
SLIDE 41

Extras

Code for Example 2

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 24 / 30

slide-42
SLIDE 42

State Equivalence - Another Example

1 class

FiFo {

2

Node f;

3

void add(final Object o) {

4

if(f == null)

5

{ f=new Node(o); }

6

else { f.add(o); }}

7

Object remove () {

8

Object r=f.value (); f=f.next (); return r;}}

9 10 class

Node {

11

Object o; Node n;

12

Node(Object o) { this.o=o; }

13

Node next () { return n; }

14

Object value () { return o; }

15

void add(final Object o) {

16

if(n == null)

17

{ n=new Node(o); }

18

else { n.add(o); }}}

1 class

FiFo {

2

Node f, l;

3

void add(final Object o) {

4

if(f == null)

5

{ l=f=new Node(o); }

6

else { l=l.add(o); }}

7

Object remove () {

8

Object r=f.value (); f=f.next (); return r;}}

9 10 class

Node {

11

Object o; Node n;

12

Node(Object o) { this.o=o; }

13

Node next () { return n; }

14

Object value () { return o; }

15

Node add(Object o) {

16

return n=new Node(o); }}

17 18 Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 25 / 30

slide-43
SLIDE 43

State Equivalence - Example

1 class

Test {

2

FiFo fi = new FiFo ();

3

Object o1 = new Object (),

4

  • 2 = new

Object ();

5

void test () {

6

fi.add(o1); fi.add(o2);

7

  • 1=fi.remove (); o2=fi.remove () ;}}

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 26 / 30

slide-44
SLIDE 44

Extras

Operational Semantics More Detail

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 27 / 30

slide-45
SLIDE 45

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

slide-46
SLIDE 46

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

slide-47
SLIDE 47

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

pure, non-ghost

slide-48
SLIDE 48

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

terminate if out of stack

slide-49
SLIDE 49

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

case split on instruction

slide-50
SLIDE 50

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

call instruction

slide-51
SLIDE 51

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

lookup code by version

slide-52
SLIDE 52

Operational Semantics

1 datatype

Expr = Nop | Call(meth:Method) | ... | Exception

2 datatype

Result = result(l:LC , s:SC) | Stuck

3 function

method eval(s:SC) : Result {

4

if(!hasSf(s)) then Stuck else

5

...

6

var expr := topCont(s).o[0];

7

var s1 := advance(s);

8

...

9

match expr

10

case Exception = > Stuck

11

case Nop = > result(Tau , s1)

12

...

13

case Call(meth) = >

14

if | topOperands (s).o| < 2 then Stuck

15

else

16

var receiver := topOperands (s).o[0];

17

var param := topOperands (s).o[1];

18

var klass := KlassOf(s1 , receiver).o;

19

var code := codeForMeth (version(s1), klass , meth);

20

var sr := pushNewFrameForMethod

21

(s1 , receiver , IsMethod(klass , meth), param , code);

22

...

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 28 / 30

calculate next state

slide-53
SLIDE 53

Extras

Theorems In Dafny

Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 29 / 30

slide-54
SLIDE 54

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

proof by induction over a sequence

slide-55
SLIDE 55

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

ghost procedure - imperative

slide-56
SLIDE 56

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

parameters universally quantified returns existentially quantified

slide-57
SLIDE 57

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

prove precondition implies post condition

slide-58
SLIDE 58

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

assign such-that predicate is satisfied

slide-59
SLIDE 59

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

Dafny proves base case automatically

slide-60
SLIDE 60

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

asserts are in-line lemmas

slide-61
SLIDE 61

Theorems/Lemmas

1 lemma

TraceEquivStepsPreservesComp

2

(s1:S,ls1:seq <L>,s3:S,s2:S) returns (ls2:seq <L>,s4:S)

3

requires Steps(s1 ,ls1 ,s3) ∧ TraceEquiv (s1 ,ls1 ,s3 ,s2);

4

ensures Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4);

5

ensures ∃al :: StateComp(s3 ,s4 ,al);

6 { 7 ls2 ,s4 :| Steps(s2 ,ls2 ,s4) ∧ StepsComp(s1 ,ls1 ,s3 , s2 ,ls2 ,s4); 8 var al :| StateComp(s1 ,s2 ,al) ∧ TraceComp(ls1 ,ls2 ,al); 9 10 if(ls1 = []) { } else { 11 var l1 ,l2 ,ls5 ,ls6 := ls1 [0], ls2 [0], ls1 [1..] , ls2 [1..]; 12 ... 13 assert [l1]+ ls5 = ls1; assert [l2]+ ls6 = ls2; 14 15 var s5 :| Step(s1 ,l1 ,s5) ∧ Steps(s5 ,ls5 ,s3); 16 var s6 :| Step(s2 ,l2 ,s6) ∧ Steps(s6 ,ls6 ,s4); 17 18 var al ’ := StepPreservesTraceComp (s1 ,l1 ,s5 ,ls5 , s2 ,l2 ,s6 ,ls6 , al); 19 20 StepPreservesTraceEquiv (s1 ,l1 ,s5 ,ls5 ,s3 , s2 ,l2 ,s6 ,ls6 ,s4); 21 22 var ls6 ’,s4 ’ := TraceEquivStepsPreservesComp (s5 ,ls5 ,s3 ,s6); 23 DeterminismSeq (s6 ,ls6 ,s4 ,ls6 ’,s4 ’); 24 }} Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 30 / 30

apply induction hypothesis