A short manual for the tool Accumulator
ZHAO Jianhua
State Key Laboratory of Novel Software Technology, Dept. of Computer Sci. and Tech., Nanjing University, Nanjing, Jiangsu, P.R.China

Abstract. This is a short manual for the code-verification tool Accumulator.

This paper is supported by the Chinese National 863 Project, NO.2011AA010103.

1 The main user interface of this tool

The main window of this tool is divided into two parts. The left one is a tree view of the program and specification under verification. Users can select a node on the left, and then do the corresponding operations on the right part. The nodes in the left tree include:
- Declared variables.
- The Function Definition node. Select this node, and the right part displays the user interface to manipulate function definitions.
- The Global Property node. Select this node, and the right part displays the user interface to manipulate global properties.
- The tree view of the program and asserts (i.e. the program points). Select a program point, and the right part displays the user interface to manipulate the formulas in this node. In the program point nodes, the tool displays the point number, how many formulas are inserted and how many of them have been proven.

2 About the memory scopes of recursive functions and global properties

In our theoretical paper, the memory scope of a user-defined function is specified by a memory scope function. However, such a simple method may introduce too many recursive functions. In this tool, we let users input a memory scope expression for each defined function. The memory scope expression can use the formal parameters of the original function. For now, users are responsible for the correctness of these memory scope expressions. Later, we will present a method to check the correctness of memory scope expressions.

We use the SMT solver Z3 to check logical implications between formulas. However, Z3 cannot deal with recursive function definitions directly. To solve this problem, we use a set of global properties to express the properties of the defined functions. The correctness of these global properties is not treated in this tool; there are higher-order logical tools to deal with this problem. Our tool only uses the memory scope expressions of defined functions and the global properties. The function definitions are in fact not used by this tool. An interesting advantage is that we can use some undefined functions during the code verification.

3 The main steps of code verification

3.1 Open a source file

The first step of verification is to open the code under verification. The tool parses the code and displays it in the left part of the main window. The tool does the following treatment.
1. The program point nodes (ASSERTS) are inserted into the program automatically.
2. Some spontaneous formulas are inserted automatically. These formulas are set as PROVED. They are called spontaneous because they hold spontaneously at the point as long as the program runs normally.
   - For an if-statement if (e) s1 else s2, e is inserted into the point before s1, and not e is inserted into the point before s2.
   - For a while-statement while (e) s, e is inserted into the point before s, and not e is inserted into the point after the while-statement.
   - For an allocation, the tool also inserts some spontaneous formulas.
3. Some mandatory formulas are inserted automatically. These formulas are set as UNPROVED. They are called mandatory because they must hold so that the program can run without causing any exception like a null-pointer access or a division by zero.
   - Before an assignment e1 = e2, the formula &e1 nil is inserted. Some other formulas are also inserted into the point, to assure that the evaluation of &e1 and e2 causes no exception. For example, before the assignment p = a/b + q f + a[i], the tool generates the formulas p nil, b 0, q nil, 0 i and i c, where c is the number of elements of the array a.
   - For an if-statement if (e) s1 else s2, some formulas are inserted into the point before this if-statement, to assure that e can be evaluated.
   - For a while-statement while (e) s, some formulas are inserted into the point before this statement and into the point after s, to assure that e can be evaluated.
   - Before an allocation e1 = alloc(t), the formula &e1 nil is inserted. Some formulas are also inserted, to assure that the evaluation of &e1 causes no exception.
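The automatic treatment of step 3.1, as an added example that is not code from the Accumulator tool: a small Python model that walks a statement tree, numbers the program points in source order, and records at each point the spontaneous formulas (set PROVED) and the mandatory formulas (set UNPROVED) for assignments, allocations, if- and while-statements. The tuple format for expressions, the spellings `!=`, `<=`, `<`, `->` for the operators, and the table of array sizes are this example's own assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Formula:
    text: str
    kind: str      # "spontaneous" or "mandatory"
    status: str    # spontaneous formulas start PROVED, mandatory ones UNPROVED

@dataclass
class Point:       # a program point (ASSERT node), numbered in creation order
    number: int
    formulas: list = field(default_factory=list)
    def add(self, kind, *texts):
        for t in texts:
            if t not in [f.text for f in self.formulas]:
                self.formulas.append(Formula(t, kind, "PROVED" if kind == "spontaneous" else "UNPROVED"))

# Expression tuples (assumed format): ("var", n), ("const", v), ("bin", op, l, r),
# ("field", base, name) for base->name and ("index", arr, idx) for arr[idx].
def show(e):
    tag = e[0]
    if tag == "var":   return e[1]
    if tag == "const": return str(e[1])
    if tag == "bin":   return f"({show(e[2])} {e[1]} {show(e[3])})"
    if tag == "field": return f"{show(e[1])}->{e[2]}"
    if tag == "index": return f"{show(e[1])}[{show(e[2])}]"
    raise ValueError(tag)

def safety(e, sizes):
    """Mandatory formulas so that evaluating e raises no exception (null-pointer access,
    division by zero, array bounds); sizes maps an array name to its element count c."""
    tag = e[0]
    if tag in ("var", "const"):
        return []
    if tag == "bin":
        conds = safety(e[2], sizes) + safety(e[3], sizes)
        if e[1] in ("/", "%"):
            conds.append(f"{show(e[3])} != 0")
        return conds
    if tag == "field":
        return safety(e[1], sizes) + [f"{show(e[1])} != nil"]
    if tag == "index":
        idx, c = show(e[2]), sizes[show(e[1])]
        return safety(e[1], sizes) + safety(e[2], sizes) + [f"0 <= {idx}", f"{idx} < {c}"]
    raise ValueError(tag)

def annotate(program, sizes):
    """Insert the program points and the automatic formulas; return the points in order."""
    points = []
    def fresh():
        points.append(Point(len(points) + 1))
        return points[-1]
    def walk(stmts, cur):
        for st in stmts:
            cur = walk_stmt(st, cur)
        return cur                          # the point after the last statement
    def walk_stmt(st, cur):
        kind = st[0]
        if kind in ("assign", "alloc"):     # e1 = e2  or  e1 = alloc(t)
            lhs = st[1]
            cur.add("mandatory", f"&{show(lhs)} != nil", *safety(lhs, sizes))
            if kind == "assign":
                cur.add("mandatory", *safety(st[2], sizes))
            return fresh()
        if kind == "if":                    # if (e) s1 else s2
            _, e, s1, s2 = st
            cur.add("mandatory", *safety(e, sizes))
            b1 = fresh(); b1.add("spontaneous", show(e))
            walk(s1, b1)
            b2 = fresh(); b2.add("spontaneous", f"not {show(e)}")
            walk(s2, b2)
            return fresh()                  # the point after the if-statement
        if kind == "while":                 # while (e) s
            _, e, s = st
            cur.add("mandatory", *safety(e, sizes))
            b = fresh(); b.add("spontaneous", show(e))
            walk(s, b).add("mandatory", *safety(e, sizes))   # e is evaluated again after s
            out = fresh(); out.add("spontaneous", f"not {show(e)}")
            return out
        raise ValueError(kind)
    walk(program, fresh())                  # point 1 is the entrance point
    return points

def formulas_at(points, number, kind=None):
    return [f.text for f in points[number - 1].formulas if kind in (None, f.kind)]

# Constructed sample built around the manual's assignment p = a/b + q->f + a[i]:
#   while (i < n) { if (b != 0) p = a/b + q->f + a[i]; else p = 0;  i = i + 1; }
def V(name): return ("var", name)
PROGRAM = [("while", ("bin", "<", V("i"), V("n")), [
    ("if", ("bin", "!=", V("b"), ("const", 0)),
        [("assign", V("p"), ("bin", "+", ("bin", "+", ("bin", "/", V("a"), V("b")), ("field", V("q"), "f")),
                                         ("index", V("a"), V("i"))))],
        [("assign", V("p"), ("const", 0))]),
    ("assign", V("i"), ("bin", "+", V("i"), ("const", 1)))])]
SIZES = {"a": 10}                           # the array a has c = 10 elements (assumed)
```

Running `annotate(PROGRAM, SIZES)` yields nine points; point 3 (before the assignment to p) carries the five mandatory formulas of the manual's example, and the copies of the loop and branch conditions appear as spontaneous formulas.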
3.2 Input or import user-defined functions and their properties

The second step is to insert user-defined functions and global properties. You must input the memory scope expressions of these functions. These expressions may use the formal parameters in the definitions of their original functions.

Input function definitions. Select the Function Definitions node on the left part of the window; the right part will display the function definitions already input, in a table. Click on the last empty line in the table, and you can input a function definition and its memory scope expression in a dialog window. Though a memory scope function definition can be generated syntactically, the generated definition may be hard to use and may generate too many recursive functions. With λ-expressions, we can reduce the number of functions significantly.

NOTICE 1: Please make sure the memory scope expressions are correct. They are used when we transfer a formula from one program point to another.

NOTICE 2: In fact, these function definitions are not used in code verification directly. We use global properties to specify the properties of these functions. We will later implement some mechanisms to ensure the consistency between the function definitions and their global properties and memory scope expressions.

Input global properties. Select the Global Properties node on the left part of the window; the right part will display the global properties already input, in a table. The global properties are a set of uniquely numbered formulas. These formulas are used as premises when we prove formulas by the SMT solver Z3. Click on the last empty line in the table, and you can input a global property in a dialog window. Click on a global property that already exists, and you can modify it. The new property has a new number after the modification.

Import and export global properties. Recursive function definitions and global properties are important for code verification. These definitions and properties are usually data-structure specific, and can be reused in the verification of other programs. Our tool supports reuse of these definitions and properties by exporting and importing them. You can import these definitions using the menu FILE > Open function definition file. To export these definitions, use the menu FILE > Save function definition file.

NOTICE: After you insert formulas into program points, please don't modify the memory scope expressions you have input before. This may cause inconsistency if the memory scope expressions are already used. Until now, this tool does not track the dependency of formulas on memory scope expressions. We will implement this feature soon.
3.3 Insert formulas and prove them

Then you can insert formulas into program points and prove them. Usually, you should first insert the pre-conditions of the whole program into the entrance point (usually the point numbered 1), and the post-conditions into the exit point. Then you input formulas into the program points and prove them. The verification process finishes when all the formulas (except the pre-conditions) are set as PROVED.

You can use the menu File > Open Scope Logic File and File > Save or File > Save As to load and save files in the middle of verification.

4 Prove formulas

4.1 Formula status and dependencies

A formula inserted into a program point is either PROVED or UNPROVED. For a PROVED formula, the tool displays the reason by which it holds in the column Proved By of the table. It may depend on some other formulas and global properties. If the user deletes or modifies one of those formulas/global properties, the status of this formula will be set to UNPROVED.

4.2 View, insert, and delete formulas

View formulas. Select an assert (program point) node in the left part of the main window, and all the formulas in this point will be displayed in a table in the right window. On the top of the table, there are some buttons to manipulate the formulas. There may be many formulas in a program point (assert); you can use the menu Option > Hide Proved Intermediate Formulas to hide intermediate formulas from the table. When this option is selected, you can select a set of formulas in the table and click the Hide/Show button to hide or show these formulas.

Insert formulas. Click on the last line of the table, or click the button Insert, and you can input a formula in a popup dialog window. Sometimes, you may need to insert a formula similar to an existing one. You can select the existing formula and click the button Clone&Modify. The existing formula will be displayed in the popup dialog window. You can modify the formula and insert it.

Delete formulas. Select a set of formulas in the table; you can delete these formulas by clicking the button Delete, or by hitting the Delete key.

Modify formulas. Click an existing formula in the table, and you can modify the formula. The original formula is deleted. The new formula has a new unique number.
4.3 Prove by

This is based on the axiom PST. Select a formula f on a point i and click the Prove button; the tool will search in the current program point for a formula f such that f can be derived by adding into f. If such a formula is found, f is set as PROVED and dependent on f.

4.4 Prove a formula as a spontaneous one

The tool has already inserted some spontaneous formulas at the proper program points. However, there are some other formulas that can be inserted and proved as spontaneous ones.

After an assignment e1 = e2. Suppose the point before this assignment is i. You can select a formula f of the form e1 == e2 satisfying the following conditions and click the button Spontaneous:
- Removing operators in e2 yields e2.
- Removing operators in e1 yields e1 or (&e1).
The tool first checks the above conditions, and inserts the memory scope formulas &e1 M(&e1) and &e1 M(&e2) into the point i. The formula f is set as PROVED, and dependent on the memory scope formulas. These memory scope formulas are simplified automatically. In many cases, these formulas are simplified to the formula TRUE, and set as PROVED.

For example, given an assignment c := c + p D, you can use this function to prove a formula c == c@i + p D after this assignment. The tool will insert the formula &c {&p, &p D} into the point i, where i is the point before this assignment. The inserted formula can be simplified to TRUE. You can also insert a formula c == c + p D and have the tool prove it as a spontaneous one. However, the memory scope formula &c {&c, &p, &p D} is then inserted into the point i. This formula is equivalent to FALSE, and cannot be proved.

After an allocation e1 = alloc(t). Let the point before this allocation be i. You can prove formulas of one of the following forms:
- not(e1 = e2).
- not(e1 e2).
It is required that removing from e1 yields e1 or (&e1). The tool inserts &e1 M(&e1) into the point i. This memory scope formula is simplified automatically. In many cases, this formula is simplified and proved automatically.

4.5 Transfer formulas

There are two buttons (Transfer Forward, Transfer Backward) to transfer formulas from one program point to other points.
Transfer Forward. Select one or more formulas f at a program point i and click the Transfer Forward button.
- If i is before an if-statement if (e) s1 else s2, then f is copied to the points before s1 and s2. These two copies are both set as PROVED, and dependent on the formula f before this if-statement.
- If i is the point after one of the branches of an if-statement if (e) s1 else s2, f is copied to the point after the other branch and to the point after this if-statement. The copy after this if-statement is set as PROVED, dependent on the two copies after the branches.
- If i is before a while-statement while (e) s, f is copied to the point before s, the point after s and the point after this while-statement. The copy at the point before s is set as PROVED, and dependent on the copy before the while-statement and the copy after s. The copy after this while-statement is also set as PROVED, and dependent on the copy before the while-statement and the copy after s. The copy after s is set as UNPROVED. In fact, this formula is a loop invariant of this statement.
- If i is the point before an assignment e1 = e2 or an allocation e1 = alloc(t), the formula not(&e1 M(f)) is generated and inserted into the point i, and f is copied to the point after this statement. The copy is set as PROVED, and depends on the original copy at i and the formula not(&e1 f) at the point i. The formula not(&e1 f) may be automatically simplified into some other, simpler formula. Usually, all the operators & in this formula are removed. For example, &v {&pt, &first} λ(x)(&x link)[listnodes(first)] can be automatically proved by our tool. So if we transfer a formula &pt ListNodes(first) from the point before v = ... to the point after, the memory scope formula is proved automatically.

NOTICE: Before transferring a formula, make sure that not(&e1 M(f)) can be proved at point i. For example, you cannot transfer a formula i < 10 across the assignment i := 5, though this formula really holds after this assignment. Transferring this formula inserts a formula &i {&i} into the point before this assignment.

Transfer Backward. This is the reverse of the function Transfer Forward. Select one or more unproved formulas f at a program point i and click the Transfer Backward button.
- If i is after an if-statement if (e) s1 else s2, then f is copied to the points after s1 and s2. The original formula is set as PROVED and dependent on the two copies.
- If i is at the beginning of one branch of an if-statement if (e) s1 else s2, then f is copied to the point before this if-statement, and the original copy is set as PROVED, dependent on the copy before the if-statement.
- If i is a point after a while-statement, f is copied to the following points: before the while-statement, before s, after s. The original copy and the copy before s are set as PROVED. They both depend on the copies after s and before the while-statement.
- If i is a point after an assignment e1 = e2 or an allocation e1 = alloc(t), f is copied to the point before this statement, and transferred forward to the point i. The formulas about memory scopes are generated and treated automatically.

Continuous Transfer. This function in fact performs Transfer Forward continuously. Select one or more formulas at a source point, and then select a proper target point; the tool continuously transfers these formulas to the target point.

NOTICE: Make sure that none of the assignments and allocations on the way modifies any memory unit in the memory scopes of the formulas. Otherwise, the tool will generate some unprovable formulas, which means that you cannot finish the verification.

4.6 Prove a formula by implication

A formula holds at a point if it is implied by other formulas at the same point. Our tool uses the SMT solver Z3 to prove such formulas. To use this function, select one or many formulas in the point and click the button Z3 Prove; the tool will try to prove the selected unproved formulas using Z3. The smt2 code will be shown in a popup dialog window. When there are too many formulas at the point, using all the formulas as premises may cause Z3 to run over time and return an UNKNOWN result. You can also use the button Select Premises to select the premises.

The first time you use this function, you will be asked to tell the tool where the executable file of Z3 is. Usually, the location is \Program Files (x86)\microsoft Research\Z3-4.0\bin\z3.exe on Windows. Please visit the homepage of Z3 to download the Z3 installation.

4.7 Instantiate a global property

Usually, a global property is a universally quantified formula. Sometimes, Z3 does not handle quantifiers very well. You can instantiate such a global property by assigning concrete expressions to the universally quantified variables. Click the button Instantiate GP; then you can select the global property to be instantiated and input a concrete expression for each variable. The instance of this global property will be inserted into the current program point. This instance is set as PROVED and dependent on the global property.
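The dependency bookkeeping of section 4.1 and the memory scope side formulas of sections 4.4 and 4.5, as an added example that is not the Accumulator tool's own code: a Python model in which every formula has a unique number, a status, a Proved By reason and the formulas it depends on. A memory scope is represented as a set of concrete addresses plus the field names of nodes that are only known symbolically (this example's own assumption), and `demo` replays the manual's examples (c := c + p->D, the transfer of i < 10 across i := 5, and the ListNodes transfer) on constructed point numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    """M(e), the memory units e may read. units: concrete addresses such as "&i" or "&p->D";
    families: field names read on nodes that are only known symbolically, e.g. "link" for the
    scope lambda(x)(&x->link)[ListNodes(first)] in the manual (assumed representation)."""
    units: frozenset = frozenset()
    families: frozenset = frozenset()

def not_in_scope(target, scope):
    """Simplify not(target in M) as far as the concrete part allows: "TRUE", "FALSE", or the
    residual formula text, which is left UNPROVED for the user to deal with."""
    if target in scope.units:
        return "FALSE"
    if "->" in target and target.rsplit("->", 1)[1] in scope.families:
        return f"not({target} in M)"
    return "TRUE"

@dataclass
class Formula:
    number: int                 # unique across the whole verification
    point: int                  # the program point the formula sits at
    text: str
    status: str = "UNPROVED"
    proved_by: str = ""         # the "Proved By" column of the table
    depends_on: tuple = ()      # numbers of the formulas this one depends on

class Verifier:
    def __init__(self):
        self.formulas = {}
        self.next_number = 1

    def insert(self, point, text, status="UNPROVED", proved_by="", depends_on=()):
        f = Formula(self.next_number, point, text, status, proved_by, tuple(depends_on))
        self.formulas[f.number] = f
        self.next_number += 1
        return f

    def side_formula(self, point, target, scope):
        """Insert the memory-scope formula not(target in M) at `point`: PROVED when it
        simplifies to TRUE, otherwise UNPROVED (a FALSE one can never be proved)."""
        text = not_in_scope(target, scope)
        return self.insert(point, text, "PROVED" if text == "TRUE" else "UNPROVED",
                           "simplified" if text == "TRUE" else "")

    def prove_spontaneous(self, fno, target, scope_e1, scope_e2, point_before):
        """Section 4.4: prove f (of the form e1 == e2') after the assignment e1 = e2; the
        formulas &e1 not in M(e1') and &e1 not in M(e2') go to the point before it."""
        s1 = self.side_formula(point_before, target, scope_e1)
        s2 = self.side_formula(point_before, target, scope_e2)
        f = self.formulas[fno]
        f.status, f.proved_by, f.depends_on = "PROVED", "Spontaneous", (s1.number, s2.number)
        return f

    def transfer_forward(self, fno, target, scope_f, point_after):
        """Section 4.5: copy f across the assignment or allocation writing `target`; the copy
        depends on the original and on not(target in M(f)) inserted at the original's point."""
        f = self.formulas[fno]
        side = self.side_formula(f.point, target, scope_f)
        return self.insert(point_after, f.text, "PROVED", "Transfer Forward", (f.number, side.number))

    def delete(self, fno):
        """Section 4.1: deleting a formula sets everything depending on it to UNPROVED."""
        del self.formulas[fno]
        changed = {fno}
        while changed:
            changed = {g.number for g in self.formulas.values()
                       if g.status == "PROVED" and set(g.depends_on) & changed}
            for n in changed:
                self.formulas[n].status, self.formulas[n].proved_by = "UNPROVED", ""

    def unproved(self):
        return [f.text for f in self.formulas.values() if f.status == "UNPROVED"]

def demo():
    """The manual's examples on constructed points; returns the verifier and the formulas."""
    v = Verifier()
    # (a) c := c + p->D between points 1 and 2; c == c@1 + p->D reads only &p and &p->D after
    #     removing the @1 operator, so both side formulas simplify to TRUE
    f1 = v.prove_spontaneous(v.insert(2, "c == c@1 + p->D").number, "&c",
                             Scope(), Scope(frozenset({"&p", "&p->D"})), point_before=1)
    # (b) c == c + p->D: M(e2') contains &c itself, the side formula is FALSE and stays UNPROVED
    f2 = v.prove_spontaneous(v.insert(2, "c == c + p->D").number, "&c",
                             Scope(), Scope(frozenset({"&c", "&p", "&p->D"})), point_before=1)
    # (c) i < 10 transferred across i := 5 (points 3 -> 4) generates &i not in {&i}, i.e. FALSE
    f3 = v.insert(3, "i < 10")
    c3 = v.transfer_forward(f3.number, "&i", Scope(frozenset({"&i"})), point_after=4)
    # (d) pt in ListNodes(first) across v := ... (points 5 -> 6): &v is no list-node field,
    #     so the side formula is TRUE and the copy is proved automatically
    f4 = v.insert(5, "pt in ListNodes(first)")
    c4 = v.transfer_forward(f4.number, "&v", Scope(frozenset({"&pt", "&first"}), frozenset({"link"})), 6)
    return v, f1, f2, c3, c4, f4
```

After `demo()`, `v.unproved()` lists the two FALSE side formulas from cases (b) and (c), which is exactly why those proofs can never complete; deleting the original of case (d) with `v.delete(f4.number)` flips its transferred copy back to UNPROVED.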
5 The data analysis features

We also implement some data analysis techniques, including the range analysis of integer variables, the null-pointer analysis, and the singly-linked list analysis. However, there are problems with the dependency relations between the formulas generated by these analyses. We will fix the problem later.

6 The loop invariant generation

We provide a loop-invariant-generation component to automatically infer loop invariants for loops manipulating commonly-used data structures, including singly-linked lists, doubly-linked lists, static lists and one-dimensional arrays. Select an exit program point of a loop in the left part of the main window; all the formulas in this point will be displayed in a table in the right window. These formulas are the post-conditions of this loop. Then select one of the post-conditions in this table and click the button Loop Invariant Gen with Post. If a suitable invariant can be generated for the selected post-condition, this invariant will be added to the corresponding program points, namely the entry point of the loop, the program point before the loop body, the program point after the loop body and the exit point of the loop. In addition, the selected post-condition is set as PROVED. Otherwise, the tool prompts the user that it cannot generate any loop invariant for this post-condition right now.

7 The weakest precondition calculation

Precondition calculation is a very important feature of this tool. Select one or many formulas at a point i, and click the button WP Calculator. Then select a target point j before the point i; the tool will try to compute preconditions at the point j for the formulas at the point i. It is required that the path from j to i contains no allocation statement. As we discussed in the paper about Scope Logic, if the selected formula contains no user-defined recursive functions, the preconditions are just the weakest preconditions.

You can still carefully use this function for formulas with user-defined functions. The requirement is that the memory units implicitly accessed by these functions are not modified by the statements. The tool may generate some extra unproved formulas in this case. You can prove these formulas later. For example, given a formula x (NodeSet(first))(first D > 0), the precondition w.r.t. the assignments first D = 5, first = first link can be computed. There may be some extra unproved memory scope formulas inserted, but you can prove them later. However, you cannot make the tool compute the pre-condition w.r.t. first link = tmp. In this case, a formula first NodeSet(first) is generated. This property cannot be proved anyway. A trick to solve this problem is to change the formula to first ({first} NodeSet(first link)). The precondition is x ({first} NodeSet(tmp))(first D > 0). The memory scope formula generated is (after simplification) first NodeSet(tmp).

8 The execution effect synthesis

An execution-effect-synthesis component is provided in this tool. Select an assert (call it point i) in the left part and click the button Execution Effect Synthesis. Then select a target point j after the point i; the tool will try to synthesize the execution effect of the statements between the point i and the point j. The execution effect of a statement specifies the memory units modified by this statement and the new values stored in these units after executing the statement. The memory expressions and the new value expressions are evaluated at the point before this statement. The execution effect of a statement can be used to help calculate weakest preconditions for this statement. In this function, assignments, conditionals, sequential statements and some kinds of loops that manipulate commonly-used data structures are supported.
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationVHDL Essentials Simulation & Synthesis
VHDL Essentials Simulation & Synthesis Course Description This course provides all necessary theoretical and practical know-how to design programmable logic devices using VHDL standard language. The course
More informationBasic Verification Strategy
ormal Verification Basic Verification Strategy compare behavior to intent System Model of system behavior intent Verifier results Intent Usually, originates with requirements, refined through design and
More informationOn the correctness of template metaprograms
Proceedings of the 7 th International Conference on Applied Informatics Eger, Hungary, January 28 31, 2007 Vol 2 pp 301 308 On the correctness of template metaprograms Ádám Sipos, István Zólyomi, Zoltán
More informationExam I Principles of Imperative Computation, Summer 2011 William Lovas. May 27, 2011
Exam I 15-122 Principles of Imperative Computation, Summer 2011 William Lovas May 27, 2011 Name: Sample Solution Andrew ID: wlovas Instructions This exam is closed-book with one sheet of notes permitted.
More informationSeparation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016
Separation Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 COMP 2600 Separation Logic 1 Motivation: Reasoning About Pointers Recall this
More informationDefining Languages GMU
Defining Languages CS463 @ GMU How do we discuss languages? We might focus on these qualities: readability: how well does a language explicitly and clearly describe its purpose? writability: how expressive
More informationCSE 331 Midterm Exam Sample Solution 2/13/12
Question 1. (14 points) (assertions) Using backwards reasoning, find the weakest precondition for each sequence of statements and postcondition below. Insert appropriate assertions in each blank line.
More informationSafety SPL/2010 SPL/20 1
Safety 1 system designing for concurrent execution environments system: collection of objects and their interactions system properties: Safety - nothing bad ever happens Liveness - anything ever happens
More informationSMT-Based Modular Analysis of Sequential Systems Code
SMT-Based Modular Analysis of Sequential Systems Code Shuvendu K. Lahiri Microsoft Research Abstract. In this paper, we describe a few challenges that accompany SMTbased precise verification of systems
More informationThis is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS
1 THE FORMALIZATION OF MATHEMATICS by Harvey M. Friedman Ohio State University Department of Mathematics friedman@math.ohio-state.edu www.math.ohio-state.edu/~friedman/ May 21, 1997 Can mathematics be
More informationAutomatic Inference of Reference Count Invariants. David Detlefs Sun Microsystems Laboratories SPACE Jan. 2004
Automatic Inference of Reference Count Invariants David Detlefs Sun Microsystems Laboratories SPACE Jan. 2004 1 Goal of this Work A form of compile-time GC. Escape analysis: Region inference: Mostly short-lived
More informationLecture 18 Restoring Invariants
Lecture 18 Restoring Invariants 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In this lecture we will implement heaps and operations on them. The theme of this lecture is reasoning
More informationLecture 8 Data Structures
Lecture 8 Data Structures 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning, André Platzer, Rob Simmons, Iliano Cervesato In this lecture we introduce the idea of imperative data
More informationStatic Checking and Intermediate Code Generation Pat Morin COMP 3002
Static Checking and Intermediate Code Generation Pat Morin COMP 3002 Static Checking and Intermediate Code Generation Parser Static Checker Intermediate Code Generator Intermediate Code Generator Parse
More informationMIDTERM EXAM (Solutions)
MIDTERM EXAM (Solutions) Total Score: 100, Max. Score: 83, Min. Score: 26, Avg. Score: 57.3 1. (10 pts.) List all major categories of programming languages, outline their definitive characteristics and
More information1.3. Conditional expressions To express case distinctions like
Introduction Much of the theory developed in the underlying course Logic II can be implemented in a proof assistant. In the present setting this is interesting, since we can then machine extract from a
More informationTesting, Debugging, and Verification
Testing, Debugging, and Verification Formal Specification, Part II Srinivas Pinisetty 23 November 2017 Introduction Today: Introduction to Dafny: An imperative language with integrated support for formal
More informationCounterexample-Driven Genetic Programming
Counterexample-Driven Genetic Programming Iwo Błądek, Krzysztof Krawiec Institute of Computing Science, Poznań University of Technology Poznań, 12.12.2017 I. Błądek, K. Krawiec Counterexample-Driven Genetic
More informationEffectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky
Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv http://www.cs.tau.ac.il/~shachar/afwp.html
More informationIntroduction to Programming in C Department of Computer Science and Engineering
Introduction to Programming in C Department of Computer Science and Engineering In this lecture, we will see slightly more advanced data type, then a singly link list. We will briefly go over one or two
More informationFunctions. Functions. Identify Repeated Code. Identify Repeated Code. Identify Similar Code. Use Parameters to Customize 2/25/14
Functions Functions Based on slides from K. N. King and Dianna Xu Bryn Mawr College CS246 Programming Paradigm Function: Unit of operation o A series of statements grouped together with a given name Must
More informationForward Assignment; Strongest Postconditions
3/1 new version Forward Assignment; Strongest Postconditions CS 536: Science of Programming, Spring 2018 A. Why? At times, a forward version of the assignment rule is more appropriate than the backward
More informationMIDTERM EXAMINATION - CS130 - Spring 2005
MIDTERM EAMINATION - CS130 - Spring 2005 Your full name: Your UCSD ID number: This exam is closed book and closed notes Total number of points in this exam: 231 + 25 extra credit This exam counts for 25%
More information1 The sorting problem
Lecture 6: Sorting methods - The sorting problem - Insertion sort - Selection sort - Bubble sort 1 The sorting problem Let us consider a set of entities, each entity having a characteristics whose values
More informationOutline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include
Outline Computer Science 331 Correctness of Algorithms Mike Jacobson Department of Computer Science University of Calgary Lectures #2-4 1 What is a? Applications 2 Recursive Algorithms 3 Final Notes Additional
More informationLinked lists. Comp Sci 1575 Data Structures. Definitions. Memory structure. Implementation. Operations. Comparison
Linked lists Comp Sci 1575 Data Structures Outline 1 2 3 4 5 Linked list Linked lists are of a linear collection of data elements, called nodes, each pointing to the next node Each node is composed of
More informationGNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK
1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK Tool architecture User view Source gnatprove Verdict 2 Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3
More informationLAB 5, THE HIDDEN DELIGHTS OF LINKED LISTS
LAB 5, THE HIDDEN DELIGHTS OF LINKED LISTS Questions are based on the Main and Savitch review questions for chapter 5 in the Exam Preparation section of the webct course page. In case you haven t observed
More informationFormal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5
Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5 [talking head] This lecture we study theory design and implementation. Programmers have two roles to play here. In one role, they
More informationFrom OCL to Propositional and First-order Logic: Part I
22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 From OCL to Propositional and First-order Logic: Part I Copyright 2007-8 Reiner Hähnle and Cesare Tinelli. Notes originally
More informationSequence Abstract Data Type
1 Sequence Abstract Data Type Table of Contents Introduction.. 1 Objects for the sequence data type.. 2 The sequence as an object. 2.1 Sequence components. 2.2 Operations on sequences 3 Enquiry operations..
More informationSardar Vallabhbhai Patel Institute of Technology (SVIT), Vasad M.C.A. Department COSMOS LECTURE SERIES ( ) (ODD) Code Optimization
Sardar Vallabhbhai Patel Institute of Technology (SVIT), Vasad M.C.A. Department COSMOS LECTURE SERIES (2018-19) (ODD) Code Optimization Prof. Jonita Roman Date: 30/06/2018 Time: 9:45 to 10:45 Venue: MCA
More informationSymbolic Execution and Proof of Properties
Chapter 7 Symbolic Execution and Proof of Properties Symbolic execution builds predicates that characterize the conditions under which execution paths can be taken and the effect of the execution on program
More informationWhy3 A Multi-Prover Platform for Program Verification
Why3 A Multi-Prover Platform for Program Verification Jean-Christophe Filliâtre CNRS joint work with Andrei Paskevich, Claude Marché, and François Bobot ProVal team, Orsay, France IFIP WG 1.9/2.14 Verified
More informationAbstractions and small languages in synthesis CS294: Program Synthesis for Everyone
Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California, Berkeley Today Today: we describe why high-level
More informationLecture Notes: Hoare Logic
Lecture Notes: Hoare Logic 17-654/17-754: Analysis of Software Artifacts Jonathan Aldrich (jonathan.aldrich@cs.cmu.edu) Lecture 3 1 Hoare Logic The goal of Hoare logic is to provide a formal system for
More informationAn Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012
An Extensible Programming Language for Verified Systems Software Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 The status quo in computer system design DOM JS API Web page Network JS API CPU Timer interrupts
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationMathematical Induction
Mathematical Induction Victor Adamchik Fall of 2005 Lecture 3 (out of three) Plan 1. Recursive Definitions 2. Recursively Defined Sets 3. Program Correctness Recursive Definitions Sometimes it is easier
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationTemplate-based Program Verification and Program Synthesis
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Template-based Program Verification and Program Synthesis Saurabh Srivastava and Sumit Gulwani and Jeffrey S. Foster
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More information12/30/2013 S. NALINI,AP/CSE
12/30/2013 S. NALINI,AP/CSE 1 UNIT I ITERATIVE AND RECURSIVE ALGORITHMS Iterative Algorithms: Measures of Progress and Loop Invariants-Paradigm Shift: Sequence of Actions versus Sequence of Assertions-
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationLecture 10 Design by Contract
CS 5959 Writing Solid Code Fall 2015 Nov-23 Lecture 10 Design by Contract Zvonimir Rakamarić University of Utah Design by Contract Also called assume-guarantee reasoning Developers annotate software components
More informationCIS 341 Midterm March 2, 2017 SOLUTIONS
CIS 341 Midterm March 2, 2017 SOLUTIONS 1 1. True or False (14 points) Mark each statement as either true or false. a. T F The typical compiler consists of several phases, including: lexing, parsing, transformation
More informationPrinciple of Complier Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore
Principle of Complier Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore Lecture - 20 Intermediate code generation Part-4 Run-time environments
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationBackward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops
Backward Reasoning: Rule for Assignment Hoare Logic, continued Reasoning About Loops { wp( x=expression,q) x = expression; { Q Rule: the weakest precondition wp( x=expression,q) is Q with all occurrences
More information