Synthesis, Analysis, and Verification Lecture 05a
description
Transcript of Synthesis, Analysis, and Verification Lecture 05a
![Page 1: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/1.jpg)
Synthesis, Analysis, and VerificationLecture 05a
Lectures: Viktor Kuncak
Programs with Data Structures: Assertions for Accesses. Dynamic Allocation
![Page 2: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/2.jpg)
VCG for Real LanguagesPrograms that Manipulate Integers,Maps, Arrays, and Linked Data Structures
Compute Formulas from Programshave more operations in expressions of x=E
Formulas with Integer Variables and Operations,as well as variables and operations on functions
Prover (Integer Constraint Solver) + provers for function symbols,mathematical arrays, term algebras, ...
![Page 3: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/3.jpg)
Subtlety of Array AssignmentRule for wp of assignment of expression E to variable x, for postcondition P: wp(x=E , P) = Example: wp(x=y+1,x > 5) =
wp of assignment to an array cell: wp(a[i]=y+1, a[i]>5) = wp(a[i]=y+1, a[i]>5 && a[j]>3) =
![Page 4: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/4.jpg)
Arrays as Mathematical Functions
Suppose we have expressions that manipulate functions. Array update operator on functions: f(x:=v) = gmeans: 1) g(x)=v, and 2) g(y)=f(y) for y != x.How to represent assignments? x = a[i] x = a(i) a[i]=v
![Page 5: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/5.jpg)
Now we can handle static arrays
wp(x=E, P) =
![Page 6: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/6.jpg)
Example with Static Arrays
if (a[i] > 0) { b[k]= b[k] + a[i]; i= i + 1; k = k + 1;} else { b[k] = b[k] + a[j]; j= j + 1; k = k – 1;}
![Page 7: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/7.jpg)
Example with Static Arrays
(assume(a(i) > 0); b= b(k:= b(k)+ a(i)); i= i + 1; k = k + 1;)[] (assume(a(i)<=0); b= b(k:= b(k)+ a(j)); j= j + 1; k = k – 1;)
guarded commands: formula
![Page 8: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/8.jpg)
Array Bounds Checks: Index >= 0
if (a[i] > 0) { b[k]= b[k] + a[i]; i= i + 1; k = k + 1;} else { b[k] = b[k] + a[j]; j= j + 1; k = k – 1;}
assert(i >= 0)(assume(a(i) > 0); assert assert assert b= b(k:= b(k)+ a(i)); i= i + 1; k = k + 1;)[] (assume(a(i)<=0); assert assert assert b= b(k:= b(k)+ a(j)); j= j + 1; k = k – 1;)
![Page 9: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/9.jpg)
How to model “index not too large”?(for statically allocated arrays)
const M = 100const N = 2*Mint a[N], b[N];...if (a[i] > 0) { b[k]= b[k] + a[i]; i= i + 1; k = k + 1;}
assert(assume(a(i) > 0); assert assert assert b= b(k:= b(k)+ a(i)); i= i + 1; k = k + 1;)[] (assume(a(i)<=0))
![Page 10: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/10.jpg)
Guarded Command Translation of Array Manipulations - with Bounds Checks
x= a[i]
a[i] = y
assert(0 <= i);assert(i < a_size);x = a(i);
assert(0 <= i);...
![Page 11: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/11.jpg)
Checking Assertions
const M = 100;const N = 2*M;int a[N], b[N];i = -1;while (i < N) { i= i + 1; if (a[i] > 0) { k = k + 1; b[k]= b[k] + a[i]; }}
1. Translate to guarded commands2. Find a loop invariant and prove it inductive3. Show that the invariant implies assertions
![Page 12: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/12.jpg)
Checking Assertions (II)
![Page 13: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/13.jpg)
Semantics of Assert using Error
![Page 14: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/14.jpg)
assume and assert
assume(E); assert(E) - never crashesassert(E); assume(E) - crashes if E does not hold
This makes semantics of assert subtle
![Page 15: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/15.jpg)
Arrays in GC Language are ValuesWe always update entire arraysCopy semantics!
guarded commands:b= b(0:=100);assert(b(0)==100);
original programb[0]=100;assert(b(0)==100);
![Page 16: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/16.jpg)
Arrays in GC Language are ValuesWe always update entire arraysCopy semantics!
guarded commands:b= b(0:=100);assert(b(0)==100); oka= b; // copya= a(0:=200);assert(b(0)==100); ok
corresponds to Scala mapsvar a = Map[Int,Int]()var b = Map[Int,Int]()b= b + (0 -> 100)assert(b(0)==100); oka= b // f. updates will copya= a + (0 -> 200)assert(b(0)==100); ok
![Page 17: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/17.jpg)
Mutable Arrays are by Reference
Java (also Scala arrays and mutable maps):b[0]= 100;assert(b[0]==100);a= b; // make references point to same array a[0]= 200;assert(b[0]==100); // fails, b[0]==a[0]==200
![Page 18: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/18.jpg)
To model Java Arrays, we first examine how to model objects in general
![Page 19: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/19.jpg)
Reference Fields
class Node { Node next; }
How to model ‘next’ field?
y = x.next; x.next = y;
![Page 20: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/20.jpg)
Each Field Becomes FunctionEach Field assignment becomes Function Update
radius : Circle -> intcenter : Circle -> Point
this.radius = this.radius * 2
class Circle { int radius; Point center; void grow() { radius = radius * 2; }}
radius= radius(this:= radius(this)*2)
![Page 21: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/21.jpg)
Field Manipulations with Checks
x=y.f
y.f = x
x.f.f= z.f + y.f.f.f ;
assertx= f(y)
assertf=
![Page 22: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/22.jpg)
All Arrays of Given Result Become One ClassArray Assignment Updates Given Array at Given Index
length : Array -> intdata : Array -> (Int -> Int) or simply: Array x Int -> Int a.data[i] = x data= data( (a,i):= x)
class Array { int length; data : int[]}a[i] = x
![Page 23: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/23.jpg)
Assignments to Java arrays: Now including All Assertions
(safety ensured, or your models back)
length : Array -> intdata : Array -> (Int -> Int) or simply: Array x Int -> Int
assert assert
data= data( (a,i):= x)
class Array { int length; data : int[]}a[i] = x
y = a[i]
![Page 24: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/24.jpg)
A Detour into the Dark Side
![Page 25: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/25.jpg)
Can this assertion fail in C++ (or Pascal)?
x= 4;y= 5;assert(x==4);
Variables in C and Assembly
void funny(int& x, int& y) {
}int z;funny(z, z);
![Page 26: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/26.jpg)
Memory Model in CJust one global array of locations: mem : int int // one big array each variable x has address in memory, xAddr, which is &xWe map operations to operations on this array:int x;int y;int* p;y= x mem[yAddr]= mem[xAddr]x=y+z mem[xAddr]= mem[yAddr] + mem[zAddr]y = *p mem[yAddr]= mem[mem[pAddr]]p = &x mem[pAddr] = xAddr*p = x mem[mem[pAddr]]= mem[xAddr]
![Page 27: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/27.jpg)
Can this assertion fail in C++ (or Pascal)?
Variables in C and Assembly
void funny(int& x, int& y) { x= 4; y= 5; assert(x==4);}int z;funny(&z, &z);
void funny(xAddr, yAddr) { mem[xAddr]= 4; mem[yAddr]= 5; assert(mem[xAddr]==4);}zAddr = someNiceLocationfunny(zAddr, zAddr);
![Page 28: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/28.jpg)
Disadvantage of Global Array
In Java:wp(x=E, y > 0) =
In C:wp(x=E, y > 0) =
![Page 29: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/29.jpg)
Disadvantage of Global ArrayIn Java:
wp(x=E, y > 0) = y > 0
In C:wp(x=E, y > 0) =wp(mem[xAddr]=E’, mem[yAddr]>0) =wp(mem= mem(xAddr:=E’), mem(yAddr)>0) =(mem(yAddr)>0)[ mem:=mem(xAddr:=E’) ] =(mem(xAddr:=E’))(yAddr) > 0
Each assignment can interfere with each value!This is a problem with the language, not our model
![Page 30: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/30.jpg)
And how to do array bounds checks?
Switch to a decent programming language.
![Page 31: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/31.jpg)
For More Information
Now please install go ahead and install all your updates so that the attacker is less likely to use buffer overflows and other consequences of memory unsafety to compromise your machines.
![Page 32: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/32.jpg)
Back to Memory Safety
![Page 33: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/33.jpg)
Memory Allocation in Java
x = new C();y = new C();assert(x != y); // two fresh objects distinct
Why should this assertion hold? How to model this?
![Page 34: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/34.jpg)
How to represent fresh objects?
assume(N > 50);a = new Object[N];i = 0;while (i < N) { a[i] = new Object(); i = i + 1;}assert(a[5] != a[15]);
![Page 35: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/35.jpg)
Alloc Set (Function)
alloc : Obj Boolean i.e. alloc : Set[Obj]
x = new C();
![Page 36: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/36.jpg)
Allocating New Objects
![Page 37: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/37.jpg)
Allocating New Arrays
![Page 38: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/38.jpg)
Now we can model many programs
We can represent any body of sequential code inside one procedure.
Our loop invariants, pre/post conditions can become very complex – software verification is hard
![Page 39: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/39.jpg)
Example
assume P; if (first == null) { first = n; n.next = null; n.prev = null; } else { n.next = first; first.prev = n; n.prev = null; first = n; } assert Q;
![Page 40: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/40.jpg)
assume P; if (first == null) { first = n; n.next = null; n.prev = null; } else { n.next = first; first.prev = n; n.prev = null; first = n; } assert Q;
![Page 41: Synthesis, Analysis, and Verification Lecture 05a](https://reader036.fdocuments.net/reader036/viewer/2022062813/56816460550346895dd63b08/html5/thumbnails/41.jpg)
Reachabilityassume P; if (first == null) { first = n; n.next = null; n.prev = null; } else { n.next = first; first.prev = n; n.prev = null; first = n; } assert Q;