Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
sav07_lecture_3_skeleton [2007/03/21 10:17] vkuncak |
sav07_lecture_3_skeleton [2007/03/21 10:45] vkuncak |
||
|---|---|---|---|
| Line 102: | Line 102: | ||
| This idea is important in static analysis. | This idea is important in static analysis. | ||
| + | |||
| Line 108: | Line 109: | ||
| Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. It is based on the notion of strongest postcondition. | Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. It is based on the notion of strongest postcondition. | ||
| - | + | \begin{equation*} | |
| + | sp(P,r) = \{ s_2 \mid \exists s_1.\ s_1 \in P \land (s_1,s_2) \in r \} | ||
| + | \end{equation*} | ||
| ==== Weakest preconditions ==== | ==== Weakest preconditions ==== | ||
| Line 127: | Line 129: | ||
| Alternative: | Alternative: | ||
| * decide that you will only loop for formulas of restricted form, as in abstract interpretation and data flow analysis (next week) | * decide that you will only loop for formulas of restricted form, as in abstract interpretation and data flow analysis (next week) | ||
| + | |||
| + | |||
| Line 132: | Line 136: | ||
| Suppose that we obtain (one or more) verification conditions of the form | Suppose that we obtain (one or more) verification conditions of the form | ||
| + | \begin{equation*} | ||
| + | F\ \rightarrow\ (\mbox{error}=\mbox{false}) | ||
| + | \end{equation*} | ||
| + | |||
| + | whose validity we need to prove. We here assume that F contains only | ||
| + | |||
| + | Note: we can check satisfiability of $F\ \land\ (\mbox{error}=\mbox{true})$. | ||
| ==== Quantifier Presburger arithmetic ==== | ==== Quantifier Presburger arithmetic ==== | ||
| Line 150: | Line 161: | ||
| Proof: small model theorem. | Proof: small model theorem. | ||
| + | |||
| + | |||
| Line 162: | Line 175: | ||
| Next: reduce to integer linear programming: | Next: reduce to integer linear programming: | ||
| \begin{equation*} | \begin{equation*} | ||
| - | Ax = b, x \geq 0 | + | A\vec x = \vec b, \qquad \vec x \geq \vec 0 |
| \end{equation*} | \end{equation*} | ||
| where $A \in {\cal Z}^{m,n}$ and $x \in {\cal Z}^n$. | where $A \in {\cal Z}^{m,n}$ and $x \in {\cal Z}^n$. | ||
| Line 183: | Line 196: | ||
| Moreover, one can improve these bounds. One tool based on these ideas is [[http://www.cs.cmu.edu/~uclid/|UCLID]]. | Moreover, one can improve these bounds. One tool based on these ideas is [[http://www.cs.cmu.edu/~uclid/|UCLID]]. | ||
| - | Alternative: enumerate disjuncts of DNF on demand, each disjunct is a conjunction, then use ILP techniques (often first solve the underlying linear programming problem over reals). Most SMT tools are based on this idea (along with Nelson-Oppen combination: next class). | + | Alternative: enumerate disjuncts of DNF on demand, each disjunct is a conjunction, then use ILP techniques (often first solve the underlying linear programming problem over reals). Many SMT tools are based on this idea (along with Nelson-Oppen combination: next class). |
| * [[http://www.cs.nyu.edu/acsys/cvc3/download.html|CVC3]] (successor of CVC Lite) | * [[http://www.cs.nyu.edu/acsys/cvc3/download.html|CVC3]] (successor of CVC Lite) | ||
| * [[http://combination.cs.uiowa.edu/smtlib/|SMT-LIB]] Standard for formulas, competition | * [[http://combination.cs.uiowa.edu/smtlib/|SMT-LIB]] Standard for formulas, competition | ||