semantics application to c programs
play

Semantics: Application to C Programs Lecture Slides by Dr. - PowerPoint PPT Presentation

Oct 11, 2023 •19 likes •1.02k views

Semantics: Application to C Programs Lecture Slides by Dr. Marie-Christine Jakobs Prof. Dr. Dirk Beyer Dirk.Beyer@sosy-lab.org SoSy-Lab, LMU Munich, Germany Organization Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 2 / 100 Lecture

  1. Semantics: Application to C Programs Lecture Slides by Dr. Marie-Christine Jakobs Prof. Dr. Dirk Beyer Dirk.Beyer@sosy-lab.org SoSy-Lab, LMU Munich, Germany

  2. Organization Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 2 / 100

  3. Lecture and Tutorial Lecture Feb 27, 2019, 10:00 – 14:00 Munich, Oettingenstr. 67, C003 Tutorial Feb 27, 2019, 14:00 – 15:30 Munich, Oettingenstr. 67, C003 Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 3 / 100

  4. Course Material https: //www.sosy-lab.org/Teaching/2019-SS-Semantik/ Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 4 / 100

  5. Introduction Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 5 / 100

  6. Software Analysis Computes an (over-)approximation of a program’s behavior . Applications ◮ Optimization ◮ Correctness (i.e. whether program satisfies a given property) Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 6 / 100

  7. Software Verification Formally proves whether a program P satisfies a property ϕ . ◮ Requires program semantics, i.e., meaning of program ◮ Relies on mathematical methods, ◮ logic ◮ induction ◮ . . . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 7 / 100

  8. Software Verification Formally proves whether a program P satisfies a property ϕ . TRUE � Program P � Verifier Property ϕ FALSE × Disprove ( × ) Find a program execution ( counterexample ) that violates the property ϕ Prove ( � ) Show that every execution of the program satisfies the property ϕ . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 8 / 100

  9. What Could an Analysis Find out? double divTwiceCons( double y) { int cons = 5; int d = 2 ∗ cons; if (cons != 0) return y/(2 ∗ cons); else return 0; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 9 / 100

  10. Some Analysis Results double divTwiceCons( double y) { int cons = 5; // expression 2*cons has value 10 // variable d not used int d = 2 ∗ cons; if (cons != 0) // expression 2*cons evaluated before return y/(2 ∗ cons); else // dead code return 0; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 10 / 100

  11. One Resulting Code Optimization double divTwiceCons( double y) { int cons = 5; // expression 2*cons has value 10 // variable d not used int d = 2 ∗ cons; if (cons != 0) // expression 2*cons evaluated before return y/(2 ∗ cons); else // dead code return 0; } double divTwiceConsOptimized( double y) { return y/10; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 11 / 100

  12. Does This Code Work? double avgUpTo( int [] numbers, int length) { double sum = 0; for ( int i=0;i<length;i++) sum += numbers[i]; return sum/( double )length; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 12 / 100

  13. Problems With This Code double avgUpTo( int [] numbers, int length) { double sum = 0; for ( int i=0;i<length;i++) // possible null pointer access (numbers==null) // index out of bounds (length>numbers.length) // integer overflow sum += numbers[i]; // division by zero (length==0) return sum/( double ) length; } Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 13 / 100

  14. Why Should One Care for Bugs? Intel Pentium FDIV bug . . . Costs Ariane V88 Mars Polar Lander endanger human lives . . . Safety-criticality Therac-25 Uber autonomous car Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 14 / 100

  15. Analysis and Verification Tools Sapienz Klee PeX SLAM Infer Lint Error Prone SpotBugs UltimateAutomizer CBMC . . . CPAchecker Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 15 / 100

  16. Overview on Analysis and Verification Techniques Type Dynamic Static Systems Runtime Testing Interactive Automatic Verification Theorem Program Model Proving Analysis Checking Dataflow Abstract Analysis Interpretation This lecture Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 16 / 100

  17. Why Different Static, Automatic Techniques? Theorem of Rice Any non-trivial, semantic property of programs is undecidable. Consequences Techniques are ◮ incomplete, e.g. answer UNKNOWN, or ◮ unsound, i.e., report ◮ false alarms (non-existing bugs), ◮ false proofs (miss bugs). Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 17 / 100

  18. Verifier Design Space TRUE � Program P � Ideal verifier Verifier UNKNOWN Property ϕ FALSE × false proof correct TRUE � Program P � Unreliable verifier Verifier UNKNOWN Property ϕ FALSE × false alarm violation Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 18 / 100

  19. Verifier Design Space ◮ Overapproximating verifier (superset of program behavior) without precise counterexample check TRUE � Program P � Verifier UNKNOWN Property ϕ FALSE × false alarm violation ◮ Underapproximating verifier (subset of program behavior) false proof correct TRUE � Program P � Verifier UNKNOWN Property ϕ FALSE × Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 19 / 100

  20. Other Reasons to Use Different Static Techniques ◮ State space grows exponentially with number of variables ◮ (Syntactic) paths grow exponentially with number of branches ⇒ Precise techniques may require too many resources (memory, time,. . . ) ⇒ Trade-off between precision and costs Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 20 / 100

  21. Flow-Insensitivity Order of statements not considered E.g., does not distinguish between these two programs x=0; x=0; y=x; x=x+1; x=x+1; y=x; ⇒ very imprecise Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 21 / 100

  22. Flow-Sensitivity Plus Path-Insensitivity ◮ Takes order of statements into account ◮ Mostly, ignores infeasibility of syntactical paths ◮ Ignores branch correlations E.g., does not distinguish between these two programs if (x>0) if (x>0) y=1; y=1; else else y=0; y=0; if (x>0) if (x>0) y=y+1; y=y+2; else else y=y+2; y=y+1; Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 22 / 100

  23. Path-Sensitivity ◮ Takes (execution) paths into account ◮ Excludes infeasible, syntactic paths (not necessarily all infeasible ones) ◮ Covers flow-sensitivity To detect that y has value 0, 1, or 3 if (x>0) y=1; ◮ must exclude infeasible, syntactic path else along first else-branch and second y=0; if-branch if (x>0) ◮ need to detect correlation between the y=y+2; if-conditions else ◮ requires path-sensitivity y=y+1; ⇒ very precise Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 23 / 100

  24. Precision vs. Costs Dataflow Analysis Abstract Interpretation Program Analysis Model Checking Flow-insensitive Flow-sensitive Path-sensitive imprecise precise cheap expensive Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 24 / 100

  25. Program Syntax and Semantics Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 25 / 100

  26. Programs Theory : simple while-programs ◮ Restriction to integer constants and variables ◮ Minimal set of statements (assignment, if, while) ◮ Techniques easier to teach/understand Practice : C programs ◮ Widely-used language ◮ Tool support Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 26 / 100

  27. While-Programs ◮ Arithmetic expressions aexpr := Z | var | -aexpr | aexpr op a aexpr op a standard arithmetic operation like + , − , /, % , . . . ◮ Boolean expressions bexpr := aexpr | aexpr op c aexpr | !bexpr | bexpr op b bexpr ◮ integer value 0 ≡ false, remaining values represent true ◮ op c comparison operator like <, < = , > = , >, == , ! = ◮ op b logic connective like &&( ∧ ) , || ( ∨ ) , ˆ (xor) , . . . ◮ Program S:= var=aexpr; | while bexpr S | if bexpr S else S | if bexpr S | S;S Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 27 / 100

  28. Syntax vs. Semantics Syntax Representation of a program Semantics Meaning of a program Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 28 / 100

  29. How to Represent a Program? 1. Source code if (x>0) abs = x; ◮ Basically sequence of characters else ◮ No explicit information about the abs = − x; i = 1; structure or paths of programs while (i<abs) i = 2 ∗ i; Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 29 / 100

  30. How to Represent a Program? 2. Abstract-syntax tree (AST) Program Sequence Sequence if Assignment Condition if-Block else-Block while x>0 i=1; Assignement Assignement Condition while-Block abs=x; abs=-x; i<abs Assignement i=2*i; ◮ Hierarchical representation ◮ Flow, paths hard to detect Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 30 / 100

  31. How to Represent a Program? 3. Control-flow graph 4. Control-flow automaton l 0 x>0 ! ( x>0 ) x>0 TRUE FALSE l 1 l 2 abs=x; abs=-x; abs=x; abs=-x; l 3 i=1; i=1; l 4 i=2*i; i<abs ! ( i<abs ) i<abs TRUE FALSE l 5 l 6 i=2*i; � Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 31 / 100

  32. Control-Flow Automaton Definition A control-flow automaton (CFA) is a three-tuple P = ( L, l 0 , G ) consisting of ◮ the set L of program locations (domain of program counter) ◮ the initial program location l 0 ∈ L , and ◮ the control-flow edges G ⊆ L × Ops × L . Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 32 / 100

  33. Operations Ops Two types ◮ Assumes (boolean expressions) ◮ Assignments ( var=aexpr; ) Prof. Dr. Dirk Beyer SoSy-Lab, LMU Munich, Germany 33 / 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

CMSC 430 Compilers Fall 2018 PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we must know what they mean Semantics comes from the Greek semaino , to mean Most language semantics

883 views • 70 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of valid programs Dynamic semantics: definition of how programs are executed So far: Dynamic semantics is given in English on lab handouts This

1.54k views • 137 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple

Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple

Operational semantics of programs Giuseppe De Giacomo 1 Programs We will consider a very simple programming language: atomic action a empty action skip 1 ; 2 sequence if then 1 else 2 if-then-else while do while-loop

356 views • 20 slides
Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic

Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic

Computational Logic Fundamentals of Definite Programs: Syntax and Semantics 1 Towards Logic Programming Conclusion: resolution is a complete and effective deduction mechanism using: Horn clauses (related to D efinite programs), L

596 views • 23 slides
Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan

Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan

Constraint Semantics and its Application to Conditionals Eric Swanson University of Michigan Department of Philosophy First Formal Epistemology Festival, Konstanz 29 July 2008 1. What is constraint semantics? 2. Why do I think we should

566 views • 53 slides
Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics

Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics

Building Java Programs Chapter 16 References and linked nodes reading: 16.1 2 Value semantics value semantics : Behavior where values are copied when assigned, passed as parameters, or returned. All primitive types in Java use value

392 views • 25 slides
A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan Hoffmann 1 Thomas Reps 2,3 1 Carnegie Mellon University 2 University of Wisconsin 3 GrammaTech, Inc. Probabilistic Programs Draw random data from

914 views • 72 slides
Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56 Announcements Semantics 2/56 The roadmap of propositional logic Semantics 3/56 FCC spectrum auction an application of propositional spectrums to

1.3k views • 56 slides
Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di

Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di

Indexed Categories and Bottom-Up Semantics of Logic Programs Gianluca Amato Universit` a di Udine James Lipton Wesleyan University 1 The World of Logic Programming Several extensions of logic programs CLP abstract data types

240 views • 23 slides
Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University,

Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University,

Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University, Department of Information Technologies April 28, 2008 Overview Invariant Diagrams Bigstep operational semantics Smallstep operational

382 views • 34 slides
Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The

Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The

Fundamantals Syntax of Programming Languages cs3723 1 Syntax and Semantics Syntax The symbols and rules to write legal programs Semantics The meaning of legal programs Programming language implementation Syntax &gt;

478 views • 14 slides
Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy,

Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy,

Differential program semantics: sub-modular functions and partial metrics Guillaume Geoffroy, Paolo Pistone DIAPASoN, Unibo 27 February 2020 1 / 17 A metric on programs? Distance between programs ( t , s ) : 2 / 17 A metric on programs?

770 views • 61 slides
Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and its application Yoriyuki Yamagata Validity of bilateral classical logic and Verificationist semantics its application Bilateral classical logic Proof theoretical semantics of BCL Evidences and

585 views • 42 slides
Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p &lt; 10) i =10

Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p &lt; 10) i =10

Symbolic Execution Saswat Anand 22/09/2009 Limitation of Dataflow Analysis if(p &lt; 10) i =10 x = 1 Is the DU pair involving variables I real? if(p &gt; 10) No, because the path is infeasible. x=x+1 j = i+1 1 Outline Background

462 views • 12 slides
Superop)miza)on CSE 501 Spring 15 1 Course Outline

Superop)miza)on CSE 501 Spring 15 1 Course Outline

Superop)miza)on CSE 501 Spring 15 1 Course Outline Sta)c analysis Language design Program Verifica)on Dynamic analysis New compilers

492 views • 36 slides
Jesus Will Return What will that look like? Seven Cs of history 1. 2. 3. 4. 5. 6. 7.

Jesus Will Return What will that look like? Seven Cs of history 1. 2. 3. 4. 5. 6. 7.

Jesus Will Return What will that look like? Seven Cs of history 1. 2. 3. 4. 5. 6. 7. Seven Cs of history 1. Creation 2. 3. 4. 5. 6. 7. Seven Cs of history 1. Creation 2. Corruption 3. 4. 5. 6. 7. Seven Cs of

1.17k views • 68 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of Basel Departement of Mathematics and Computer Science 18 September, 2020 Classical Planning A B start I G 1 G 2 C D Extending SymPA with

850 views • 45 slides
1 Peter Series Lesson #101 July 27, 2017 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #101 July 27, 2017 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #101 July 27, 2017 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. G IVING AN A NSWER P ART 19 R ESURRECTION : T HE S EAL , THE G UARDS , THE E MPTY T OMB , THE G RAVE C LOTHES , THE W ITNESSES (M

770 views • 49 slides
Informed Search How can we make search smarter? Use problem-specific knowledge beyond CS

Informed Search How can we make search smarter? Use problem-specific knowledge beyond CS

Informed Search How can we make search smarter? Use problem-specific knowledge beyond CS 331: Artificial Intelligence the definition of the problem itself Informed Search Specifically, incorporate knowledge of how good a non-goal

265 views • 7 slides
Dead Code Elimination &amp; Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination &amp; Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination on SSA Form Dead Code Elimination &amp; Dead code elimination Constant Propagation Conceptually similar to mark-sweep garbage collection C t ll i il t k b ll ti &gt; Mark useful operations on SSA Form SSA F

1.29k views • 4 slides

More recommend