Differences
sav07_lecture_3_skeleton [2007/03/20 18:24] wikiadmin |
sav07_lecture_3_skeleton [2007/03/21 09:37] vkuncak |
Line 2: | Line 2: | ||
===== Converting programs (with simple values) to formulas ===== | ===== Converting programs (with simple values) to formulas ===== | ||
+ | |||
==== Context ==== | ==== Context ==== | ||
Line 8: | Line 9: | ||
* represent programs using guarded command language, e.g. desugaring of 'if' into non-deterministic choice and assume | * represent programs using guarded command language, e.g. desugaring of 'if' into non-deterministic choice and assume | ||
* give meaning to guarded command language statements as relations | * give meaning to guarded command language statements as relations | ||
- | * we can represent relations using set comprehensions; if our program c has two state components, we can represent its meaning R( c ) as | + | * we can represent relations using set comprehensions; if our program c has two state components, we can represent its meaning R( c ) as $\{((x_0,y_0),(x,y)) \mid F \}$, where F is some formula that has x,y,x_0,y_0 as free variables. |
- | + | ||
- | $\{((x_0,y_0),(x,y)) \mid F \}$ | + | |
- | + | ||
- | + | ||
- | , where F is some formula that has x,y,x_0,y_0 as free variables. | + | |
* this is what I mean by ''simple values'': later we will talk about modeling pointers and arrays, but we will still use this as a starting point. | * this is what I mean by ''simple values'': later we will talk about modeling pointers and arrays, but we will still use this as a starting point. | ||
Line 25: | Line 21: | ||
What exactly do we prove about the formula R( c ) ? | What exactly do we prove about the formula R( c ) ? | ||
- | We prove that this formula is **valid** | + | We prove that this formula is **valid**: |
R( c ) -> error=false | R( c ) -> error=false | ||
Line 94: | Line 90: | ||
We can apply these rules to reduce the size of formulas. | We can apply these rules to reduce the size of formulas. | ||
- | ==== Abstraction ==== | ||
- | * for proving properties | + | ==== Approximation ==== |
- | * for finding errors | + | |
+ | If (F -> G) is value, we say that F is stronger than F and we say G is weaker than F. | ||
+ | |||
+ | When a formula would be too complicated, we can instead create a simpler approximate formula. To be sound, if our goal is to prove a property, we need to generate a *larger* relation, which corresponds to a weaker formula describing a relation, and a stronger verification condition. (If we were trying to identify counterexamples, we would do the opposite). | ||
+ | |||
+ | We can replace "assume F" with "assume F1" where F1 is weaker. Consequences: | ||
+ | * omtiting complex if conditionals (assuming both branches can happen - as in most type systems) | ||
+ | * replacing complex assignments with arbitrary change to variable: because x=t is havoc(x);assume(x=t) and we drop the assume | ||
+ | |||
+ | This idea is important in static analysis. | ||
+ | |||
==== Symbolic execution ==== | ==== Symbolic execution ==== | ||
Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. It is based on the notion of strongest postcondition. | Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. It is based on the notion of strongest postcondition. | ||
+ | |||
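Review bot: the opening sentence of the new Approximation section has two slips that invert its meaning: "If (F -> G) is value" should read "is valid", and "F is stronger than F" should read "F is stronger than G" (so: "If (F -> G) is valid, we say that F is stronger than G and that G is weaker than F"). In the consequences list, "omtiting" should be "omitting". The soundness direction is stated correctly and agrees with the validity goal `R( c ) -> error=false` from the Line 25 hunk: a larger relation means a weaker R( c ), which makes that implication harder to prove, so anything proved of the approximation also holds of the original program; one sentence saying so would make the "stronger verification condition" remark easier to follow.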
Line 107: | Line 114: | ||
While symbolic execution computes formula by going forward along the program syntax tree, weakest precondition computes formula by going backward. | While symbolic execution computes formula by going forward along the program syntax tree, weakest precondition computes formula by going backward. | ||
+ | |||
+ | ==== Inferring Loop Invariants ==== | ||
+ | |||
+ | Suppose we compute strongest postcondition in a program where we unroll loop k times. | ||
+ | * What does it denote? | ||
+ | * What is its relationship to loop invariant? | ||
+ | |||
+ | Weakening strategies | ||
+ | * maintain a conjunction | ||
+ | * drop conjuncts that do not remain true | ||
+ | |||
+ | Alternative: | ||
+ | * decide that you will only loop for formulas of restricted form, as in abstract interpretation and data flow analysis (next week) | ||
+ | |||
===== Proving quantifier-free linear arithmetic formulas ===== | ===== Proving quantifier-free linear arithmetic formulas ===== | ||
+ | |||
+ | Suppose that we obtain (one or more) verification conditions of the form | ||
+ | |||
+ | ==== Quantifier Presburger arithmetic ==== | ||
+ | |||
+ | Here is the grammar: | ||
+ | |||
+ | var = x | y | z | ... (variables) | ||
+ | K = ... | -2 | -1 | 0 | 1 | 2 | ... (integer constants) | ||
+ | T ::= var | T + T | K * T (terms) | ||
+ | A ::= T=T | T <= T (atomic formulas) | ||
+ | F ::= F & F | F|F | ~F (formulas) | ||
+ | |||
+ | To get full Presburger arithmetic, allow existential and universal quantifiers in formula as well. | ||
+ | |||
+ | Note: we can assume we have boolean variables (such as 'error') as well, because we can represent them as 0/1 integers. | ||
+ | |||
+ | Satisfiability of quantifier-free Presburger arithmetic is decidable. | ||
+ | |||
+ | Proof: small model theorem. | ||
+ | |||
+ | ==== Small model theorem for quantifier-free Presburger arithmetic ==== | ||
+ | |||
+ | First step: transform to disjunctive normal form. | ||
+ | |||
+ | Next: reduce to integer linear programming: | ||
+ | \begin{equation*} | ||
+ | Ax = b, x \geq 0 | ||
+ | \end{equation*} | ||
+ | where $A \in {\cal Z}^{m,n}$ and $x \in {\cal Z}^n$. | ||
+ | |||
+ | Then use small model theorem for integer linear programming. | ||
+ | |||
+ | Short proof by | ||
+ | |||
+ | Tools: | ||
+ | * [[http://www.cs.cmu.edu/~uclid/|UCLID]] | ||
+ | |||
+ | ==== Full Presburger arithmetic ==== | ||
+ | |||
+ | Full Presburger arithmetic is also decidable. | ||
===== Papers ===== | ===== Papers ===== | ||
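Review bot: several lines in this hunk are unfinished or inconsistent. "Suppose that we obtain (one or more) verification conditions of the form" and "Short proof by" both stop mid-sentence and need their continuation. The heading "==== Quantifier Presburger arithmetic ====" should be "Quantifier-free Presburger arithmetic", matching the small model theorem section that follows. The grammar's formula production `F ::= F & F | F|F | ~F` has no base case; it should be `F ::= A | F & F | F|F | ~F` so that atomic formulas are formulas. In the reduction to `Ax = b, x >= 0`, note that after the DNF step each disjunct is a conjunction of literals, and negated atoms still need rewriting: over the integers `~(T1 <= T2)` becomes `T2 + 1 <= T1`, but `~(T1 = T2)` becomes a disjunction `T1 <= T2 - 1 | T2 <= T1 - 1`, which must be pushed back into the DNF before slack variables turn the inequalities into equations. Finally, "you will only loop for formulas of restricted form" presumably means "look for".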
Line 122: | Line 184: | ||
- | Test : \\ | ||
- | \begin{eqnarray*} | ||
- | \Psi_0 &=& -C_{abcd} Y_0^a m^b Y_1^c m^d e^{-2i\gamma} \\ | ||
- | \Psi_4 &=& -C_{abcd} Y_1^a \bar{m}^b Y_1^c \bar{m}^d e^{2i\gamma} | ||
- | \end{eqnarray*} |
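Review bot: removing the "Test" eqnarray block is appropriate; the Weyl scalar expressions for Psi_0 and Psi_4 are unrelated to the lecture material and nothing in the remaining text refers to them, so this looks like a leftover LaTeX rendering test rather than content.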