Towards Deductive Compilation: Implementing a Partial Evaluator Via - - PowerPoint PPT Presentation

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Reiner H¨ ahnle

(joint work with Richard Bubel and Ran Ji)

Chalmers University of Technology Department of Computer Science and Engineering

10 March 2011 Seminar “Deduction at Scale” Schloss Ringberg, March 2011

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 1 / 20

Introduction

Starting Point Program verification tool (KeY) based on Dynamic logic for Java source code First-order theorem proving Symbolic execution Invariant reasoning

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 2 / 20

Introduction

Starting Point Program verification tool (KeY) based on Dynamic logic for Java source code First-order theorem proving Symbolic execution Invariant reasoning Constructing a specialized program from a verification proof attempt

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 2 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} h = a.length; ⇐ pc l = 0; ✇❤✐❧❡ (a[(h-l)/2] >0) { body } rest

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✇❤✐❧❡ (a[(h-l)/2] >0) {⇐ body } rest h=a.length l=0 {h := a.length | l := 0} a!=♥✉❧❧ && a.length>0

1 Precondition is path condition in SE tree; nodes have symbolic state Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✐♥t _i = a.length -0; ⇐ ✐♥t _j = _i/2; ✐♥t _k = a[_j]; ❜♦♦❧❡❛♥ _g = (_k >0); ✇❤✐❧❡ (_g) { body } rest h=a.length l=0 {h := a.length | l := 0} a!=♥✉❧❧ && a.length>0

1 Precondition is path condition in SE tree; nodes have symbolic state 2 Local program transformation: simple, side-effect free expressions Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ❜♦♦❧❡❛♥ _g = (_k >0); ⇐ ✇❤✐❧❡ (_g) { body } rest h=a.length l=0 _k=a[a.length/2] a!=♥✉❧❧ && a.length>0

1 Precondition is path condition in SE tree; nodes have symbolic state 2 Local program transformation: simple, side-effect free expressions Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ❜♦♦❧❡❛♥ _g = (_k >0); ⇐ ✇❤✐❧❡ (_g) { body } rest h=a.length l=0 _k=a[a.length/2] a!=♥✉❧❧ && a.length>0

simplification c h e c k

1 Precondition is path condition in SE tree; nodes have symbolic state 2 Local program transformation: simple, side-effect free expressions 3 First-order reasoning required for simplification, checking bounds Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✇❤✐❧❡ (_g) { body } rest _g=... ✇❤✐❧❡ body rest _g && I !_g && I

1 Precondition is path condition in SE tree; nodes have symbolic state 2 Local program transformation: simple, side-effect free expressions 3 First-order reasoning required for simplification, checking bounds 4 Execute loop under suitable invariant Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✇❤✐❧❡ (_g) { body } rest _g=... ✇❤✐❧❡ body rest _g && I !_g && I

1 Precondition is path condition in SE tree; nodes have symbolic state 2 Local program transformation: simple, side-effect free expressions 3 First-order reasoning required for simplification, checking bounds 4 Execute loop under suitable invariant 5 View SE as depth left first AST traversal (inlined first argument of ;) Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✇❤✐❧❡ (_g) { body } rest _g=... ✇❤✐❧❡ body rest _g && I !_g && I

Observations

1

Transformation of complex assignments, symbolic state simplification: single static assignment (SSA) form easily obtainable

2

If strongest postcondition not needed, can use tr✉❡ as invariant

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Overview of Symbolic Execution

{a!=♥✉❧❧ && a.length >0} ✇❤✐❧❡ (_g) { body } rest _g=... ✇❤✐❧❡ body rest _g && I !_g && I

Observations

1

Transformation of complex assignments, symbolic state simplification: single static assignment (SSA) form easily obtainable

2

If strongest postcondition not needed, can use tr✉❡ as invariant

3

May synthesize specialized program by bottom-up AST traversal: Backward Analysis used variables, etc. Program Specialisation dead code elimination, condition evaluation

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 3 / 20

Program Logic Calculus

Calculus

ruleName

Γ1 = ⇒ U1[p1] . . . Γn = ⇒ Un[pn] Γ = ⇒ U[p]

Notation:

Γ: path conditions (set of formulas) U: update (information from the program has been excuted) p: Java program (program to be excuted)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 4 / 20

Program Logic Calculus

Calculus

ruleName

Γ1 = ⇒ U1[p1] . . . Γn = ⇒ Un[pn] Γ = ⇒ U[p]

Notation:

Γ: path conditions (set of formulas) U: update (information from the program has been excuted) p: Java program (program to be excuted) rule application from bottom-to-top postcondition ignored

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 4 / 20

Interleaving Symbolic Execution and Partial Evaluation

Proof-Search Space Reduction can be achieved by adding calculus rules performing (or invoking) a basic partial evaluator (FMCO 2009): constant propagation constant expression evaluation dead-code elimination

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 5 / 20

Interleaving Symbolic Execution and Partial Evaluation

Proof-Search Space Reduction can be achieved by adding calculus rules performing (or invoking) a basic partial evaluator (FMCO 2009): constant propagation constant expression evaluation dead-code elimination One reason why this is a good idea: Proof branching during symbolic execution creates new static input values: U(b) = ⇒ U[ack=true;r] U(¬b) = ⇒ U[ack=false;r] = ⇒ U[if (b) {ack=true;} else {ack=false;} r]

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 5 / 20

Interleaving Symbolic Execution and Partial Evaluation

Proof-Search Space Reduction can be achieved by adding calculus rules performing (or invoking) a basic partial evaluator (FMCO 2009): constant propagation constant expression evaluation dead-code elimination One reason why this is a good idea: Proof branching during symbolic execution creates new static input values: U(b) = ⇒ U[ack=true;r] U(¬b) = ⇒ U[ack=false;r] = ⇒ U[if (b) {ack=true;} else {ack=false;} r] Can we extract a specialized program out of a verification proof?

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 5 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p]

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal Fwd: program information maintained in forward analysis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal Fwd: program information maintained in forward analysis

◮ program variables potentially read in continuation of p Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal Fwd: program information maintained in forward analysis

◮ program variables potentially read in continuation of p

Bk = sp, use: program information synthesized in backward analysis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal Fwd: program information maintained in forward analysis

◮ program variables potentially read in continuation of p

Bk = sp, use: program information synthesized in backward analysis

◮ sp: generated specialized program of Java source program p ◮ use: program variables used in p (or continuation of p) Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Specialization

Extended Symbolic State Node Γ = ⇒ U[p] | (Fwd)(Bk) Sequent annotated with (Fwd)(Bk) : program analysis and synthesis results from AST traversal Fwd: program information maintained in forward analysis

◮ program variables potentially read in continuation of p

Bk = sp, use: program information synthesized in backward analysis

◮ sp: generated specialized program of Java source program p ◮ use: program variables used in p (or continuation of p)

In general, Fwd and Bk could contain other information

◮ View as specific pre-/postconditions or constraint system Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 6 / 20

Program Generation Rules

Γ1 = ⇒ U1[p1] | (X1)(sp1, use1) . . . Γn = ⇒ Un[pn] | (Xn)(spn, usen) Γ = ⇒ U[p] | (X)(sp, use)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 7 / 20

Program Generation Rules

Γ1 = ⇒ U1[p1] | (X1)(sp1, use1) . . . Γn = ⇒ Un[pn] | (Xn)(spn, usen) Γ = ⇒ U[p] | (X)(sp, use)

symb. exec.

Java source code executed

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 7 / 20

Program Generation Rules

Γ1 = ⇒ U1[p1] | (X1)(sp1, use1) . . . Γn = ⇒ Un[pn] | (Xn)(spn, usen) Γ = ⇒ U[p] | (X)(sp, use)

symb. exec. progr. synth.

Java source code executed then specialized program synthesized

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 7 / 20

Program Generation Rules

Γ1 = ⇒ U1[p1] | (X1)(sp1, use1) . . . Γn = ⇒ Un[pn] | (Xn)(spn, usen) Γ = ⇒ U[p] | (X)(sp, use)

symb. exec. progr. synth.

Java source code executed then specialized program synthesized Establishing rule correctness requires to prove bisimulation property of

• riginal and specialized program

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 7 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis ensures variables X read in program continuation are in used variables set (e.g., return variable)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis ensures variables X read in program continuation are in used variables set (e.g., return variable) assignment Γ = ⇒ U{l := r}[rest] | (X)(rest, use) Γ = ⇒ U[l = r;rest] | (X) l = r; rest, (use − {l} ∪ locs(r)) if l ∈ use rest, use

• therwise
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis ensures variables X read in program continuation are in used variables set (e.g., return variable) assignment Γ = ⇒ U{l := r}[rest] | (X)(rest, use) Γ = ⇒ U[l = r;rest] | (X) l = r; rest, (use − {l} ∪ locs(r)) if l ∈ use rest, use

• therwise
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis ensures variables X read in program continuation are in used variables set (e.g., return variable) assignment Γ = ⇒ U{l := r}[rest] | (X)(rest, use) Γ = ⇒ U[l = r;rest] | (X) l = r; rest, (use − {l} ∪ locs(r)) if l ∈ use rest, use

• therwise
• updates used variable set

assignment to unused variable deleted

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Selected Program Generation Rules

emptyBox Γ = ⇒ U | (X)( , ) Γ = ⇒ U[] | (X)(nop, X) ’initiates’ backward program synthesis ensures variables X read in program continuation are in used variables set (e.g., return variable) assignment Γ = ⇒ U{l := r}[rest] | (X)(rest, use) Γ = ⇒ U[l = r;rest] | (X) l = r; rest, (use − {l} ∪ locs(r)) if l ∈ use rest, use

• therwise
• updates used variable set

assignment to unused variable deleted

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 8 / 20

Conditional Rule

conditional

Γ, Ub = ⇒ U[p;rest] | (X) (p; rest, usep;rest) Γ, U(¬b) = ⇒ U[q;rest] | (X) (q; rest, useq;rest) Γ = ⇒ U[if (b) {p} else {q};rest] | (X) if (b) {p; rest} else {q; rest} , (usep;rest ∪ useq;rest ∪ locs(b))

• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 9 / 20

Conditional Rule

conditional

Γ, Ub = ⇒ U[p;rest] | (X) (p; rest, usep;rest) Γ, U(¬b) = ⇒ U[q;rest] | (X) (q; rest, useq;rest) Γ = ⇒ U[if (b) {p} else {q};rest] | (X) if (b) {p; rest} else {q; rest} , (usep;rest ∪ useq;rest ∪ locs(b))

• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 9 / 20

Conditional Rule

conditional

Γ, Ub = ⇒ U[p;rest] | (X) (p; rest, usep;rest) Γ, U(¬b) = ⇒ U[q;rest] | (X) (q; rest, useq;rest) Γ = ⇒ U[if (b) {p} else {q};rest] | (X) if (b) {p; rest} else {q; rest} , (usep;rest ∪ useq;rest ∪ locs(b))

• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 9 / 20

Conditional Rule

conditional

Γ, Ub = ⇒ U[p;rest] | (X) (p; rest, usep;rest) Γ, U(¬b) = ⇒ U[q;rest] | (X) (q; rest, useq;rest) Γ = ⇒ U[if (b) {p} else {q};rest] | (X) if (b) {p; rest} else {q; rest} , (usep;rest ∪ useq;rest ∪ locs(b))

• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 9 / 20

Generating Specialized Programs containing Loops

loopUnwind

Γ = ⇒ U[✐❢ (b) { p; ✇❤✐❧❡ (b) p} rest] | (X)

• if(b){p; while(b)p} rest , use
• Γ =

⇒ U[✇❤✐❧❡ (b) {p}; rest] | (X)

• if(b){p; while(b)p} rest , use
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 10 / 20

Generating Specialized Programs containing Loops

loopUnwind

Γ = ⇒ U[✐❢ (b) { p; ✇❤✐❧❡ (b) p} rest] | (X)

• if(b){p; while(b)p} rest , use
• Γ =

⇒ U[✇❤✐❧❡ (b) {p}; rest] | (X)

• if(b){p; while(b)p} rest , use
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 10 / 20

Generating Specialized Programs containing Loops

loopUnwind

Γ = ⇒ U[✐❢ (b) { p; ✇❤✐❧❡ (b) p} rest] | (X)

• if(b){p; while(b)p} rest , use
• Γ =

⇒ U[✇❤✐❧❡ (b) {p}; rest] | (X)

• if(b){p; while(b)p} rest , use
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 10 / 20

Generating Specialized Programs containing Loops

loopUnwind

Γ = ⇒ U[✐❢ (b) { p; ✇❤✐❧❡ (b) p} rest] | (X)

• if(b){p; while(b)p} rest , use
• Γ =

⇒ U[✇❤✐❧❡ (b) {p}; rest] | (X)

• if(b){p; while(b)p} rest , use
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 10 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] tr✉❡

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] Since we are not interested in proving correctness, use tr✉❡ as invariant!

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] Since we are not interested in proving correctness, use tr✉❡ as invariant!

loopInvariantTrue

Γ, UVab = ⇒ [p] | (X ∪ userest ∪ locs(b)) (p, usebody) Γ, UVa¬b = ⇒ [rest] | (X) (rest, userest) Γ = ⇒ U[while (b) {p} rest] | (X)

• while(b){p} rest , (usebody ∪ userest ∪ locs(b))
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] Since we are not interested in proving correctness, use tr✉❡ as invariant!

loopInvariantTrue

Γ, UVab = ⇒ [p] | (X ∪ userest ∪ locs(b)) (p, usebody) Γ, UVa¬b = ⇒ [rest] | (X) (rest, userest) Γ = ⇒ U[while (b) {p} rest] | (X)

• while(b){p} rest , (usebody ∪ userest ∪ locs(b))
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] Since we are not interested in proving correctness, use tr✉❡ as invariant!

loopInvariantTrue

Γ, UVab = ⇒ [p] | (X ∪ userest ∪ locs(b)) (p, usebody) Γ, UVa¬b = ⇒ [rest] | (X) (rest, userest) Γ = ⇒ U[while (b) {p} rest] | (X)

• while(b){p} rest , (usebody ∪ userest ∪ locs(b))
• Bubel/H¨

ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Loop Invariant Rule

loopInvariant

Γ = ⇒ UInv Γ, UVa(Inv ∧ b) = ⇒ [p]Inv Γ, UVa(Inv ∧ ¬b) = ⇒ [rest] Γ = ⇒ U[while (b) {p} rest] Since we are not interested in proving correctness, use tr✉❡ as invariant!

loopInvariantTrue

Γ, UVab = ⇒ [p] | (X ∪ userest ∪ locs(b)) (p, usebody) Γ, UVa¬b = ⇒ [rest] | (X) (rest, userest) Γ = ⇒ U[while (b) {p} rest] | (X)

• while(b){p} rest , (usebody ∪ userest ∪ locs(b))
• In “preserves invariant” branch the program variables used in the

continuation of the loop body must be reflected correctly

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 11 / 20

Work Flow of Synthesizing Loop

... ✇❤✐❧❡ body rest b !b 1 3 4 2

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 12 / 20

Work Flow of Synthesizing Loop

... ✇❤✐❧❡ body rest b !b 1 3 4 2 Differs from traditional symbolic execution

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 12 / 20

Work Flow of Synthesizing Loop

... ✇❤✐❧❡ body rest b !b 1 3 4 2 Differs from traditional symbolic execution Differs from strict forward/backward static analysis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 12 / 20

Example

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Analysis

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 13 / 20

Example

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Analysis

= ⇒ [i=0;...] | (tot)(sp0, use0)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 13 / 20

Example

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Analysis

= ⇒ {i := 0}[count=n;...] | (tot)(sp1, use1) = ⇒ [i=0;...] | (tot)(sp0, use0)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 13 / 20

Example

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Analysis

= ⇒ {. . . ||count := n}[tot=0;while(i<=n)...] | (tot)(sp2, use2) = ⇒ {i := 0}[count=n;...] | (tot)(sp1, use1) = ⇒ [i=0;...] | (tot)(sp0, use0)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 13 / 20

Example

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Analysis

= ⇒ {. . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3) = ⇒ {. . . ||count := n}[tot=0;while(i<=n)...] | (tot)(sp2, use2) = ⇒ {i := 0}[count=n;...] | (tot)(sp1, use1) = ⇒ [i=0;...] | (tot)(sp0, use0)

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 13 / 20

Example Cont’d: Loop Unwind

= ⇒ {i := 0|| . . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 14 / 20

Example Cont’d: Loop Unwind

= ⇒ {i := 0|| . . .}[if(i<=n){...;if(i>=2 && cpn)...;i++;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 14 / 20

Example Cont’d: Loop Unwind

= ⇒ {i := 0|| . . .}[if(0<=n){...;if(0>=2 && cpn)...;i=0+1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . .}[if(i<=n){...;if(i>=2 && cpn)...;i++;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 14 / 20

Example Cont’d: Loop Unwind

= ⇒ {i := 0|| . . . ; tot := 0}[if(0<=n){...;tot=0+m;i=1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . .}[if(0<=n){...;if(0>=2 && cpn)...;i=0+1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . .}[if(i<=n){...;if(i>=2 && cpn)...;i++;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 14 / 20

Example Cont’d: Loop Unwind

= ⇒ {i := 0|| . . . ||tot := 0}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . . ; tot := 0}[if(0<=n){...;tot=0+m;i=1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . .}[if(0<=n){...;if(0>=2 && cpn)...;i=0+1;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . .}[if(i<=n){...;if(i>=2 && cpn)...;i++;while...}] | (tot)(sp3, use3) = ⇒ {i := 0|| . . . ||tot := 0}[while(i<=n)...] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 14 / 20

Example Cont’d: Loop Unwind 2nd Round

= ⇒ {. . .}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 15 / 20

Example Cont’d: Loop Unwind 2nd Round

¬(0 <= n) = ⇒ {. . .}[] | (tot)(nop, tot) 0 <= n = ⇒ {. . .}[int m=read();...] | (tot)(sp4, use4) = ⇒ {. . .}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 15 / 20

Example Cont’d: Loop Unwind 2nd Round

0 <= n = ⇒ {. . . m := read()tot := mi := 1}[while(i<=n)...] | (tot)(sp5, use5) . . . ¬(0 <= n) = ⇒ {. . .}[] | (tot)(nop, tot) 0 <= n = ⇒ {. . .}[int m=read();...] | (tot)(sp4, use4) = ⇒ {. . .}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 15 / 20

Example Cont’d: Loop Unwind 2nd Round

0 <= n = ⇒ {. . .}[if(i<=n)...;while...] | (tot)(sp5, use5) 0 <= n = ⇒ {. . . m := read()tot := mi := 1}[while(i<=n)...] | (tot)(sp5, use5) . . . ¬(0 <= n) = ⇒ {. . .}[] | (tot)(nop, tot) 0 <= n = ⇒ {. . .}[int m=read();...] | (tot)(sp4, use4) = ⇒ {. . .}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 15 / 20

Example Cont’d: Loop Unwind 2nd Round

1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6) . . . 0 <= n = ⇒ {. . .}[if(i<=n)...;while...] | (tot)(sp5, use5) 0 <= n = ⇒ {. . . m := read()tot := mi := 1}[while(i<=n)...] | (tot)(sp5, use5) . . . ¬(0 <= n) = ⇒ {. . .}[] | (tot)(nop, tot) 0 <= n = ⇒ {. . .}[int m=read();...] | (tot)(sp4, use4) = ⇒ {. . .}[if(0<=n){int m=read();tot=m;i=1;while...}] | (tot)(sp3, use3)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 15 / 20

Example Cont’d: Loop Invariant True

1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . i := i+1}[] | (tot ∪ i)(sp12, use12) . . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Original Java Code

... ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . i := i+1}[] | (tot ∪ i)(sp12, use12) . . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Synthesis

sp12 : nop use12 : {tot, i}

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . i := i+1}[] | (tot ∪ i)(sp12, use12) . . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Synthesis

sp12 : nop use12 : {tot, i} sp10 : tot = tot + m; i + +; use10 : {tot, i}

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . i := i+1}[] | (tot ∪ i)(sp12, use12) . . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Synthesis

sp12 : nop use12 : {tot, i} sp10 : tot = tot + m; i + +; use10 : {tot, i} sp8 : if (cpn){tot = tot + m ∗ 0.9; i + +; } else{tot = tot + m; i + +; } use8 : {tot, i, cpn}

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Example Cont’d: Loop Invariant True

. . . = ⇒ {. . . i := i+1}[] | (tot ∪ i)(sp12, use12) . . . = ⇒ {. . . tot := tot+m}[i++;] | (tot ∪ i)(sp11, use11) . . . , cpn = ⇒ . . . | (tot ∪ i)(sp9, use9) . . . , ¬cpn = ⇒ {. . .}[tot=tot+m;...] | (tot ∪ i)(sp10, use10) . . . = ⇒ {m := read()}[if(cpn)...] | (tot ∪ i)(sp8, use8) . . . , ¬(i <= n) = ⇒ [] | (tot)(nop, tot) . . . , i <= n = ⇒ [int ...] | (tot ∪ i ∪ tot)(sp7, use7) 1 <= n = ⇒ {. . . i := 2}[while(i<=n)...] | (tot)(sp6, use6)

Synthesis

sp12 : nop use12 : {tot, i} sp10 : tot = tot + m; i + +; use10 : {tot, i} sp8 : if (cpn){tot = tot + m ∗ 0.9; i + +; } else{tot = tot + m; i + +; } use8 : {tot, i, cpn} sp6 : while(i <= n){int m = read(); if (cpn){tot = tot + m ∗ 0.9; i + +; } else{tot = tot + m; i + +; }} use6 : {tot, i, cpn}

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 16 / 20

Specialized Program

✇❤✐❧❡ ✐♥t ✐❢ ❡❧s❡ r❡t✉r♥

Specialized Java Code

tot = 0; ✐❢(0 <= n) { ✐♥t m = read(); tot = m; ✐❢(1 <= n) { ✐♥t m = read(); tot = tot + m; i = 2; ✇❤✐❧❡(i <= n) { ✐♥t m = read(); ✐❢ (cpn) { tot = tot + 0.9 ∗ m; i++; } ❡❧s❡ { tot = tot + m; i++; } } } } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 17 / 20

Specialized Program

Original Java Code

i = 0; count = n; tot = 0; ✇❤✐❧❡(i <= count) { ✐♥t m = read(); ✐❢(i >=2 && cpn) tot = tot + m ∗ 0.9; ❡❧s❡ tot = tot + m; i++; } r❡t✉r♥ tot;

Specialized Java Code

tot = 0; ✐❢(0 <= n) { ✐♥t m = read(); tot = m; ✐❢(1 <= n) { ✐♥t m = read(); tot = tot + m; i = 2; ✇❤✐❧❡(i <= n) { ✐♥t m = read(); ✐❢ (cpn) { tot = tot + 0.9 ∗ m; i++; } ❡❧s❡ { tot = tot + m; i++; } } } } r❡t✉r♥ tot;

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 17 / 20

Bytecode Compilation

Γ = ⇒ {l := r}[rest] (rest, use) Γ = ⇒ [l=r;rest] iload r; istore l; rest, ((use − {l}) ∪ {r}) if l ∈ use rest, use

• therwise
• Realise a rule-based Java bytecode compiler:

Change the target language from Java source code to Java bytecode Single static assignment form: easy to synthesize bytecode Compiler correctness: soundness of program logic + local bisimulation Some available optimizations (FO reasoning, partial evaluation):

◮ dead code elimination (can’t reach unexecuted code in closed branches) ◮ type inference ◮ safety analysis (avoid creation of exception handlers) ◮ constant propagation, expression simplification ◮ precise usage, binding time analysis of variables Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 18 / 20

Summary

New architecture to construct verified compilers: Verification + PE + local transformation = (verified) compiler Correctness of symbolic execution rules & bisimulation property guarantee correct specialisation/compilation Symbolic execution permits in dynamic analysis at compile time First-order reasoning, partial evaluation integrated

◮ Infeasible path detection + Interleaving partial evaluation:

⇒ specialized and optimized programs

Use-definition chains are maintained to eliminate unused assignments

◮ Further analyses can be added

Contracts (variable import/export) computed automatically: compositional (can compile methods independently) Implementation in KeY verification system ongoing

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 19 / 20

Related Work, Outlook

Related Work

Compiler verification Hoare’s Grand Challenge “The Verifying Compiler” ⇒ “The Compiling Verifier” Rule-based compilation Translation validation of optimizing compilers Online partial evaluation MSR trace-based compilation

Outlook

Invariants in recursive calls, parallelize independent code Room for heuristics:

◮ to unwind or not to unwind ◮ merge tails (e.g., by computing product)

Import information from other tools, e.g., invariants Add security/safety properties in asserts or postcondition: detect violation and patch with inlined monitors, wrappers, etc.

Bubel/H¨ ahnle/Ji (CTH) Deductive Compilation 10 March 2011 20 / 20