Critical Analysis of Computer Science Methodology: Theory

Similar documents
Lambda Calculus and Type Inference

Timing Analysis of Parallel Software Using Abstract Execution

Material from Recitation 1

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Deductive Methods in Computer Science

CS61A Lecture 38. Robert Huang UC Berkeley April 17, 2013

Lambda Calculus and Type Inference

Lectures 20, 21: Axiomatic Semantics

Program verification. Generalities about software Verification Model Checking. September 20, 2016

Course notes for Data Compression - 2 Kolmogorov complexity Fall 2005

Cover Page. The handle holds various files of this Leiden University dissertation

6. Hoare Logic and Weakest Preconditions

Verifying Safety Property of Lustre Programs: Temporal Induction

Greedy Algorithms CLRS Laura Toma, csci2200, Bowdoin College

Nano-Lisp The Tutorial Handbook

Static Program Analysis CS701

List Functions, and Higher-Order Functions

Recursively Enumerable Languages, Turing Machines, and Decidability

Limitations of Algorithmic Solvability In this Chapter we investigate the power of algorithms to solve problems Some can be solved algorithmically and

COS 320. Compiling Techniques

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Chapter 12. Computability Mechanizing Reasoning

Advanced Programming Methods. Introduction in program analysis

Fundamental Concepts. Chapter 1

COMP 410 Lecture 1. Kyle Dewey

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Hoare triples. Floyd-Hoare Logic, Separation Logic

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

A Gentle Introduction to Program Analysis

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Computer-Aided Program Design

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

A short manual for the tool Accumulator

Static verification of program running time

Reasoning About Programs Panagiotis Manolios

Chapter 3 (part 3) Describing Syntax and Semantics

CS 3360 Design and Implementation of Programming Languages. Exam 1

CMPSCI 250: Introduction to Computation. Lecture #14: Induction and Recursion (Still More Induction) David Mix Barrington 14 March 2013

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Programming Languages Third Edition

CSCI 270: Introduction to Algorithms and Theory of Computing Fall 2017 Prof: Leonard Adleman Scribe: Joseph Bebel

Specification and Analysis of Contracts Tutorial

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

p x i 1 i n x, y, z = 2 x 3 y 5 z

Topics in Software Testing

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Computer Science 210 Data Structures Siena College Fall Topic Notes: Complexity and Asymptotic Analysis

(Provisional) Lecture 32: Estimated Value, Minimax, Functional Data 10:00 AM, Nov 20, 2017

Introduction to Axiomatic Semantics (1/2)

Hardware versus software

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Static program checking and verification

1KOd17RMoURxjn2 CSE 20 DISCRETE MATH Fall

Logic and Computation

Lecture 5. Logic I. Statement Logic

Lecture 5 - Axiomatic semantics

Recursion. What is Recursion? Simple Example. Repeatedly Reduce the Problem Into Smaller Problems to Solve the Big Problem

3.7 Denotational Semantics

Lecture Notes on Real-world SMT

17/05/2018. Outline. Outline. Divide and Conquer. Control Abstraction for Divide &Conquer. Outline. Module 2: Divide and Conquer

Enumerations and Turing Machines

Static Analysis by A. I. of Embedded Critical Software

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

Introduction to Axiomatic Semantics (1/2)

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

CSE 505: Programming Languages. Lecture 10 Types. Zach Tatlock Winter 2015

Theory of Programming Languages COMP360

Verasco: a Formally Verified C Static Analyzer

Applications of Program analysis in Model-Based Design

Program Static Analysis. Overview

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

The Eval/Apply Cycle Eval. Evaluation and universal machines. Examining the role of Eval. Eval from perspective of language designer

Type Checking and Type Equality

Diagonalization. The cardinality of a finite set is easy to grasp: {1,3,4} = 3. But what about infinite sets?

Introduction to Axiomatic Semantics

IDP : conga/minisat(id)

Dataflow Languages. Languages for Embedded Systems. Prof. Stephen A. Edwards. March Columbia University

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

An Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland

Variants of Turing Machines

First Order Predicate Logic CIS 32

MITOCW watch?v=kz7jjltq9r4

Shadows in the graphics pipeline

A Theory of Parallel Computation The π-calculus

Behavioral Equivalence

Propositional Logic. Part I

Behavioral Equivalence

An Evolution of Mathematical Tools

1 Linear programming relaxation

English for Computer Science

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Foundations of Computer Science Spring Mathematical Preliminaries

Program Verification & Testing; Review of Propositional Logic

Option Values, Arrays, Sequences, and Lazy Evaluation

Computation Club: Gödel s theorem

Functional Languages. Hwansoo Han

Semantic Subtyping. Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud)

Transcription:

Critical Analysis of Computer Science Methodology: Theory Björn Lisper Dept. of Computer Science and Engineering Mälardalen University bjorn.lisper@mdh.se http://www.idt.mdh.se/ blr/ March 3, 2004 Critical Analysis of CS Methodology: Theory

Introduction Famous quote: There s nothing as useful as a good theory However, some caution is advisable. Some relevant questions: ffl Is the theory accurate enough? ffl Is the theory powerful enough to describe anything interesting? ffl Can the theory be used for other than toy systems? We will use formal verification of system properties to exemplify Critical Analysis of CS Methodology: Theory 1

Is the Theory Accurate Enough? A theory is always limited by its axioms If the axioms are not in full accordance with the system being modeled, then there will be aspects of the system that the theory will not describe Such aspects may affect the practical functionality of the system In reality, any theory has to be approximative to some extent (or it would be too complex to be useful anyway) Thus, formal proofs of system properties should be viewed with some precaution Critical Analysis of CS Methodology: Theory 2

Example: Programming Language Semantics A programming language might be given a formal semantics Proofs of properties of programs, written in the language, can then be carried out For instance, a program can be proven correct w.r.t. some crucial property Naïvely interpreted, such a program cannot go wrong However, there are often aspects that the semantics does not cover A proof of correctness cannot guarantee absence of errors for aspects not covered by the semantics Critical Analysis of CS Methodology: Theory 3

For instance, semantics for functions often assume that recursive calls can be made to arbitrary depth This would require an unbounded memory size to store the call stack But a computer only has a finite, limited memory! As a consequence, some programs may run out of space even though the semantics says they are correct Particularly nasty for reactive systems (servers, embedded control systems, :::), which are supposed to run forever Critical Analysis of CS Methodology: Theory 4

Is the Theory Powerful Enough? Some theories allow exact reasoning and automatic proof methods In such a theory, everything can be proved by an automatic tool! An example is model checking: Model checking works over some finite state model describing a system, and a logical formula specifying some property of the system If the formula is true, then the system has the property specified by the formula A proof method can then automatically prove or disprove that the system has the property Critical Analysis of CS Methodology: Theory 5

The finiteness of the state space is what makes an automatic proof method possible Model checking typically works by a (more or less clever) traversal of the finite state space of the system, thus checking the formula for each possible state However, many interesting systems are not finite-state! Many, even quite simple, software programs are not, for instance Verification of properties for infinite-state systems is typically undecidable Decidable logics, which allow automated proofs, tend to have limited expressiveness. One must be aware of this limitation Critical Analysis of CS Methodology: Theory 6

This is not to say that model checking is not a useful technique! Also, there is active research extending model checking to certain kinds of infinite-state systems Critical Analysis of CS Methodology: Theory 7

Can the Theory be Used for Other than Toy Systems? Some methods are perfect in principle However, when applied in practice, it may turn out that the method is not efficient enough to work for other than small toy systems Model checking is sometimes suffering from this problem Due to the number of states for the system, which may be large even if finite For instance, a chip that can store 10 6 bits will have 2 106 possible states This large number makes a naïve, exhaustive state exploration impossible Some model checking algorithms use smart representations and algorithms to deal with whole sets of states simultaneously (active research topic), but it s definitely a problem in practice Critical Analysis of CS Methodology: Theory 8

Exact Methods vs. Approximate Methods Model checking is an exact method Answers yes if the property is true and no if it is false To some extent, this is the root of its limitations Sometimes, approximate methods are of interest Such a method may answer yes (meaning surely yes ), no (meaning surely no ), or don t know (meaning either yes or no, but I cannot tell for sure which ) Critical Analysis of CS Methodology: Theory 9

The don t know option makes it possible to design approximate methods for undecidable problems This makes them potentially more widely applicable It is also possible to have approximate methods give more detailed answers than yes/no, like a range of possible values for a numeric entity Critical Analysis of CS Methodology: Theory 10

Example: Abstract Interpretation Abstract interpretation is a theoretical framework for program analysis It uses abstract domains to represent properties of entities For every entity e of interest in the program, abstract interpretation defines an abstract entity #e in the abstract domain This means that e surely has the property represented by #e Critical Analysis of CS Methodology: Theory 11

Example: an abstract domain of integer pairs (m; n) representing intervals n], and, for each program variable x and program point P, #x = (m; n) [m; the property the value x of P in is always in the [m; interval n] : int a[17]... P: a[i] =... If the analysis finds, in program point P, that #i = (a; b) where 0» a and b < 17, then we know we will surely not access the array out of bounds This property can be quite important for the correctness of the program Critical Analysis of CS Methodology: Theory 12

Potential Pitfalls of Abstract Interpretation An abstract domain always contains a top element > This element represents don t know So if the analysis says that #i = >, then we know nothing about the value of i in the program point in question Pitfall 1: the analysis returns > in cases when we could have better knowledge (Actually, an abstract interpretation always returning > is correct, however not very useful) Critical Analysis of CS Methodology: Theory 13

Pitfall 2: the analysis might yield grossly overapproximated answers For instance, an abstract interpretation based on intervals must return (1; 10 17 ) (representing 10 17 possible values) when the entity can only assume either the value 1 or 10 17 (two possible values) This pitfall is likely if the abstract domain has overly simplistic values (Pitfall 1 is a special case of pitfall 2) Critical Analysis of CS Methodology: Theory 14

Pitfall 3: the analysis might be very resource-consuming Especially true if it uses an abstract domain with more elaborate property representations Such representations can allow a more precise analysis. So there is a tradeoff between precision and speed/memory requirements In conclusion, approximative methods can also suffer from similar problems as exact methods (although they can be used for a wider class of problems) Critical Analysis of CS Methodology: Theory 15

Conclusion A theory can never model all aspects of a system A proof about the system is only valid for the aspects actually modeled by the theory A sound method based on a sound theory may still have limitations, due to: ffl inexpressiveness of the theory ffl complexity issues ffl impreciseness due to large approximations Critical Analysis of CS Methodology: Theory 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback