[PPT] - Verification Suvam Mukherjee Programming Languages Laboratory, PowerPoint Presentation

SLIDE 1

Fun with Program Analysis and Verification

Suvam Mukherjee Programming Languages Laboratory, Department of Computer Science and Automation, Indian Institute of Science, Bangalore 560012

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 1

SLIDE 2

BACKGROUND

I’m from the Programming Languages Laboratory! 

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 2

SLIDE 3

What’s done in the PL Lab?

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 3

If doubts encompass you regarding Java, Python or C, T

end your quest, in PL Lab you

should be…

SLIDE 4

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 4

Deepak D’Souza K V Raghavan Aastha Suvam Raghavendra Aravind Tejas Narendran Raveendra Girish Remish

SLIDE 5

Related Laboratories

SEAL (Software Engineering and Analysis

Laboratory): Dr. Aditya Kanade

Scalable Software Systems Lab: Dr. Murali

Krishna Ramanathan

Compilers Laboratory: Prof. Y N Srikant
Multicore Computing Laboratory: Dr. Uday

Kumar Reddy

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 5

SLIDE 6

Why analyze/verify programs?

Ariane-5 Rocket Explosion

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 6

SLIDE 7

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA Courtesy: YouTube 7

SLIDE 8

Ariane 5 Rocket Explosion

Crashed on June 4, 1996
“…it crashed 36 seconds after the launch due

to a conversion of a 64-bit floating point to a 16-bit integer value” [Principles of Model Checking, Baier and Katoen]

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 8

SLIDE 9

Why analyze/verify programs?

Therac 25

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 9

SLIDE 10

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 10

SLIDE 11

Therac-25

Radiation Therapy Machine
Caused the death of 6 cancer patients between 1985-87 due

to radiation overdose

“The accidents occurred when the high-power electron beam

was activated instead of the intended low power beam…Therac-25 had removed them, depending instead on software interlocks for safety. The software interlock could fail due to a race condition. “ [Wikipedia]

7/8/2013 11:56:35 AM Suvam Mukherjee, CSA 11

SLIDE 12

Races

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 12

temp = x; if (temp >= 0) { // Operation } x = 0 x = -1

SLIDE 13

Races

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 13

temp = x; if (temp >= 0) { // Operation } x = 0 x = -1

SLIDE 14

Why analyze/verify programs?

I could go on forever…

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 14

SLIDE 15

Why analyze/verify programs?

Information and Communication

T echnologies have become ubiquitious

Incorrect software could have catastrophic

consequences

Formal techniques to analyze/verify

programs, to either improve performance or to make sure it doesn’t do something bad

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 15

SLIDE 16

Analysis of Flow of Data

Abstract Interpretation

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 16

SLIDE 17

Example

int i = 0; while(true) { i++; }

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 17

SLIDE 18

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 18

A C B D

i = 0 [true] i++ id Control Flow Graph

Is i ever negative at this program location?

SLIDE 19

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 19

A C B D

i = 0 [true] id i++

Iteration #1

SLIDE 20

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 20

A C B D

i = 0 [true] id i++

Iteration #2

SLIDE 21

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 21

A C B D

i = 0 [true] id i++

Iteration #3

SLIDE 22

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 22

A C B D

i = 0 [true] id i++

Iteration #3 When do we stop?

NEV EVER!!! ER!!!

SLIDE 23

Issue

Variable i takes a value from an infinite domain:

Integers

The more paths we cover, the more information we
btain
But we don’t need such precision!
Solution: Over-approximate the values i can assume

at any program point

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 23

3

2

99 >-3

SLIDE 24

7/8/2013 11:56:36 AM Courtesy: Deepak D’Souza 24

SLIDE 25

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 25

A C B D

i = 0 [true] id i++

Over- approximations

Join Over All Paths (JOP)

SLIDE 26

How do we over-approximate?

There are several “candidate” over- approximated values (possibly infinite). Which one to choose?

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 28

Depends on what kind of analysis you are interested in

SLIDE 27

T ailoring Values to the Property

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 30

dd

even

dd/even

Exercise: {odd} x++ {?}

SLIDE 28

Definition

Concrete State: a snapshot of the memory

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 31

x = 0, y = 5 x = 5, y = 5

x = x + y

SLIDE 29

What We Need

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 33

SLIDE 30

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 34

x = 5 x >= 0

SLIDE 31

What we need

Doma

main in of over-approximated values

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 35

Is that enough?

SLIDE 32

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 36

x = 5 x ++ x >= 1 x >= 0

SLIDE 33

What we need

Doma

main in of over-approximated values

Transfer

sfer Function nctions:

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 37

Is that enough?

SLIDE 34

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 38

x = 5 x ++ x >= 1 x >= 0 x >= 0 x >= 0

SLIDE 35

What we need

Doma

main in La Latt ttice ice of over-approximated values

Transfer

sfer Function nctions:

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 39

SLIDE 36

Lattice

A lattice is a partially ordered set, where

every pair of elements has a least upper bound and a greatest lower bound.

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 42

SLIDE 37

Lattice

7/8/2013 11:56:36 AM Courtesy: Deepak D’Souza 43

Upper Bound Least Upper Bound

SLIDE 38

Lattice

7/8/2013 11:56:36 AM Courtesy: Deepak D’Souza 44

Exercise

SLIDE 39

Lattice

A lattice is a partially ordered set, where

every pair of elements has a least upper bound and a greatest lower bound.

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 45

Is that enough?

SLIDE 40

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 46

What is the least upper bound of the set of Natural Numbers?

. . .

SLIDE 41

Complete Lattice

A complete lattice is a partially ordered set,

where any subset of elements has a least upper bound and a greatest lower bound.

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 47

SLIDE 42

7/8/2013 11:56:36 AM Suvam Mukherjee, CSA 48

. . .

SLIDE 43

What we need

Doma

main in Comp mplet lete e La Lattic ttice of over- approximated values. Lattice must be of finite height for termination.

Transfer

sfer Function nctions:

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 51

Is that enough?

SLIDE 44

Concretization Function

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 52

i >= 0

i = 0 i = 1 1 i = 2 2 i = 3 3

i = 10 i = 14 i = 33 i = 87

i = 5 599

i = 100

i = 99 i = 88

SLIDE 45

Concretization Function

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 53

SLIDE 46

What we need

Doma

main in Comp mplet lete e La Lattic ttice of over- approximated values. Lattice must be of finite height for termination.

Transfer

sfer Function nctions:

Concr

ncretizati etization

n Funct

nction: ion:

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 54

Is that enough? YES 

SLIDE 47

Summary

Usual way of viewing programs: evolution of

states

Given a property, “tailor” an abstract domain
Run the program with abstract values
Have fun
What if I need a proof of program

correctness?

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 55

SLIDE 48

Proving Programs Correct

Hoare Style Proofs Weakest Preconditions and Interpolants

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 56

SLIDE 49

Problem

Given a program, with a given pre-condition and post-condition, give a proof of correctness

f the program

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 57

SLIDE 50

Proof of Correctness

Consider any state satisfying P. Then, on

executing S, if S terminates, we will be in a state satisfying Q.

Also known an a “Hoare Triple”

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 58

SLIDE 51

Hoare Style Proofs

An Axiomatic Basis for Computer

Programming: C.A.R Hoare

Annotate each vertex of the CFG with a

formula

Key to the proof are the Hoare Triples

{P {P} } S {Q {Q}

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 59

SLIDE 52

Hoare Triples

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 60

P

S Q

Q over-approximates the set of states reachable from P on executing S.

x >= 0 x = 1 x >= 1 x = 2 x > -5 x++

SLIDE 53

Hoare Triple: Example

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 61

{True}

int i = 0; y = 1; for(; i<3; i++) y = y * i

{y = i3}

SLIDE 54

Example

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 63

SLIDE 55

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 64

i = 0 [i<n] i++ id

n>0

[i>=n]

(i = n) (n>0, i = 0) n >= i n >= i

int i =0; while (i < n) { i++; }

n>0 (i = n)

SLIDE 56

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 65

TRUE TRUE TRUE

SLIDE 57

Weakest Precondition/Strongest Postcondition

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 66

SLIDE 58

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 67

Verification Condition

SLIDE 59

Interpolants

Sometimes, the weakest precondition could

contain too much information

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 68

Too much information. May contain quantifiers Contains information “relevant” to proving the program correct

SLIDE 60

Interpolants

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 69

Variables common to A and B

SLIDE 61

Summary

Hoare Style Proofs: standard way of showing

a program satisfies the given pre/post conditions

Weakest Preconditions: compute proofs

using the post condition

Interpolants: compute “relevant” facts
Have Fun

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 71

SLIDE 62

Acknowledgements

Prof. Deepak D’Souza
Chandrahans Dewangan

Machine Learning Laboratory

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 72

SLIDE 63

Thank You

Questions?

7/8/2013 11:56:37 AM Suvam Mukherjee, CSA 73