Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
sav07_lecture_3_skeleton [2007/03/21 10:53] vkuncak |
sav07_lecture_3_skeleton [2007/03/21 14:07] vkuncak |
||
---|---|---|---|
Line 2: | Line 2: | ||
===== Converting programs (with simple values) to formulas ===== | ===== Converting programs (with simple values) to formulas ===== | ||
+ | |||
Line 11: | Line 12: | ||
* we can represent relations using set comprehensions; if our program c has two state components, we can represent its meaning R( c ) as $\{((x_0,y_0),(x,y)) \mid F \}$, where F is some formula that has x,y,x_0,y_0 as free variables. | * we can represent relations using set comprehensions; if our program c has two state components, we can represent its meaning R( c ) as $\{((x_0,y_0),(x,y)) \mid F \}$, where F is some formula that has x,y,x_0,y_0 as free variables. | ||
- | * this is what I mean by ''simple values'': later we will talk about modeling pointers and arrays, but we will still use this as a starting point. | + | * simple values: variables are integers. Later we will talk about modeling pointers and arrays, but what we say now applies |
Our goal is to find rules for computing R( c ) that are | Our goal is to find rules for computing R( c ) that are | ||
Line 24: | Line 25: | ||
R( c ) -> error=false | R( c ) -> error=false | ||
+ | |||
Line 37: | Line 39: | ||
R(havoc x) = frame(x) | R(havoc x) = frame(x) | ||
- | R(assume F) = F[x:=x_0, y:=y_0, error:=error_0] | + | R(assume F) = F[x:=x_0, y:=y_0, error:=error_0] & frame() |
R(assert F) = (F -> frame) | R(assert F) = (F -> frame) | ||
Line 102: | Line 104: | ||
This idea is important in static analysis. | This idea is important in static analysis. | ||
+ | |||
+ | |||
Line 112: | Line 116: | ||
Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. | Symbolic execution converts programs into formulas by going forward. It is therefore somewhat analogous to the way an [[interpreter]] for the language would work. | ||
+ | Avoid renaming all the time. | ||
+ | |||
+ | SE(F,k, c1; c2) = SE(F & R(c1), k+1, c2) (update formula) | ||
+ | |||
+ | SE(F,k,(c1 [] c2); c2) = SE(F, k, c1) | SE(F,k,c2) (explore both branches) | ||
+ | |||
+ | Note: how many branches do we get? | ||
Strongest postcondition: | Strongest postcondition: | ||
Line 119: | Line 130: | ||
Like composition of a set with a relation. It's called ''relational image'' of set $P$ under relation $r$. | Like composition of a set with a relation. It's called ''relational image'' of set $P$ under relation $r$. | ||
- | Note: when proving our verification condition, instead of proving that semantics of relation implies error=false, it's same as proving that the formula for set sp(U,r) implies error=false, where U is the universal relation. | + | Note: when proving our verification condition, instead of proving that semantics of relation implies error=false, it's same as proving that the formula for set sp(U,r) implies error=false, where U is the universal relation, or, in terms of formulas, computing the strongest postcondition of formula 'true'. |
==== Weakest preconditions ==== | ==== Weakest preconditions ==== | ||
While symbolic execution computes formula by going forward along the program syntax tree, weakest precondition computes formula by going backward. | While symbolic execution computes formula by going forward along the program syntax tree, weakest precondition computes formula by going backward. | ||
+ | |||
+ | wp(Q, x=t) = | ||
+ | wp(Q, assume F) = | ||
+ | wp(Q, assert F) = | ||
+ | wp(Q, c1 [] c2) = | ||
+ | wp(Q, c1 ; c2) = | ||
==== Inferring Loop Invariants ==== | ==== Inferring Loop Invariants ==== | ||
Line 137: | Line 154: | ||
Alternative: | Alternative: | ||
* decide that you will only loop for formulas of restricted form, as in abstract interpretation and data flow analysis (next week) | * decide that you will only loop for formulas of restricted form, as in abstract interpretation and data flow analysis (next week) | ||
+ | |||
Line 148: | Line 166: | ||
\end{equation*} | \end{equation*} | ||
- | whose validity we need to prove. We here assume that F contains only | + | whose validity we need to prove. We here assume that F contains only linear arithmetic. Note: we can check satisfiability of $F\ \land\ (\mbox{error}=\mbox{true})$. We show an algorithm to check this satisfiability. |
- | + | ||
- | Note: we can check satisfiability of $F\ \land\ (\mbox{error}=\mbox{true})$. | + | |
==== Quantifier Presburger arithmetic ==== | ==== Quantifier Presburger arithmetic ==== | ||
Line 160: | Line 176: | ||
T ::= var | T + T | K * T (terms) | T ::= var | T + T | K * T (terms) | ||
A ::= T=T | T <= T (atomic formulas) | A ::= T=T | T <= T (atomic formulas) | ||
- | F ::= F & F | F|F | ~F (formulas) | + | F ::= A | F & F | F|F | ~F (formulas) |
To get full Presburger arithmetic, allow existential and universal quantifiers in formula as well. | To get full Presburger arithmetic, allow existential and universal quantifiers in formula as well. | ||
Line 169: | Line 185: | ||
Proof: small model theorem. | Proof: small model theorem. | ||
+ | |||
Line 197: | Line 214: | ||
* solution of Ax=b (A regular) has as components rationals of form p/q with bounded p,q | * solution of Ax=b (A regular) has as components rationals of form p/q with bounded p,q | ||
* duality of linear programming | * duality of linear programming | ||
- | * obtains bound $M = n(ma)^{2m+1}$, which needs $(2m+1)(\log n + \log m + \log a)$ bits | + | * obtains bound $M = n(ma)^{2m+1}$, which needs $\log n + (2m+1)\log(ma)$ bits |
* we could encode the problem into SAT: use circuits for addition, comparison etc. | * we could encode the problem into SAT: use circuits for addition, comparison etc. | ||
Line 225: | Line 242: | ||
* Presburger Arithmetic (PA) bounds: {{papadimitriou81complexityintegerprogramming.pdf}} | * Presburger Arithmetic (PA) bounds: {{papadimitriou81complexityintegerprogramming.pdf}} | ||
* Specializing PA bounds: http://www.lmcs-online.org/ojs/viewarticle.php?id=43&layout=abstract | * Specializing PA bounds: http://www.lmcs-online.org/ojs/viewarticle.php?id=43&layout=abstract | ||
- | |||
- | |||
- | |||
- |