Noam Rinetzky Lecture 2: Program Semantics

1. Program Analysis and Verification 0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 2: Program Semantics Slides credit: Roman Manevich, MoolySagiv, EranYahav

2. Good manners • Mobiles

3. Admin • Grades • 4 Assignments (30%) • 1 involves programming • 1 Lesson summary (10%) • Toar I: Final exam (60%) • Must pass • ToarII: Project (60%) • Scribes (this week) • Scribes (nextweek)

4. Today • What does semantics mean? • Why do we need it? • How is it related to analysis/verification? • Operational semantics • Natural operational semantics • Structural operational semantics

5. Motivation: Verifying absence of bugs static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, boolisRsa, SSLBuffersignedParams, uint8_t *signature, UInt16 signatureLen) { OSStatuserr; ... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) gotofail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) gotofail; gotofail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) gotofail; ... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); returnerr; }

6. What can we do about it? Run time Design Time • Monitoring • Testing • Static analysis • Formal verification • Specification

7. What can we do about it? Run time Design Time • Monitoring • Testing • Static analysis • Formal verification • Specification

8. Program analysis & verification y = ? x = ? if (x > 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); No/?/Yes • Is assertion true?

9. Program analysis & verification y = ? x = ? x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); Yes/?/No • Can we prove this? Automatically? • Bad news: problem is generally undecidable

10. Main idea: use over-approximation Exact set of configurations/ Behaviors/states Over Approximation universe

11. Main idea: find (properties of) all reachable states* badstates reachablestates initialstates *or of something else …

12. Technique: find (properties of) more than all reachable states* badstates reachablestates initialstates *or of something else …

13. Program analysis & verification y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

14. What does P do? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

15. What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … syntax semantics

16. “Standard” semantics y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … …-1,0,1,… y x

17. “Standard” semantics (“state transformer”) y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … …-1,0,1,… y x

18. “Standard” semantics (“state transformer”) y = ?; y=3, x=9 x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); …-1,0,1, … …-1,0,1,… y x

19. “Standard” semantics (“state transformer”) y = ?; y=3, x=9 x = y * 2 y=3, x=6 if (x % 2 == 0) { y=3, x=6 y = 42; y=42, x=6 } else { y = 73; … foo(); … } assert (y == 42); y=42, x=6 …-1,0,1, … …-1,0,1,… y x

20. “State transformer” semantics badstates y=3,x=6 reachablestates y=3,x=6 y=3,x=9 initialstates

21. “State transformer” semantics badstates reachablestates y=4,x=8 initialstates y=4,x=8 y=4,x=1

22. “State transformer” semantics badstates reachablestates initialstates y=4…,x=…

23. “State transformer” semanticsMain idea: find (properties of) all reachable states* badstates y=3,x=6 reachablestates y=3,x=6 y=3,x=9 y=4,x=8 y=4,x=1 initialstates y=4,x=8 y=4…,x=…

24. “Standard” (collecting) semantics(“sets-of states-transformer”) y = ?; x = ?;{(y,x) | y,x∈ Nat} x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

25. “Standard” (collecting) semantics(“sets-of states-transformer”) y = ?; {(y=3, x=9),(y=4,x=1),(y=…, x=…)} x = y * 2 {(y=3, x=6),(y=4,x=8),(y=…, x=…)} if (x % 2 == 0) { {(y=3, x=6),(y=4,x=8),(y=…, x=…)} y = 42; {(y=42, x=6),(y=42,x=8),(y=42, x=…)} } else { y = 73; { } foo(); { } } assert (y == 42);{(y=42, x=6),(y=42,x=8),(y=42, x=…)} Yes

26. “Set-of-states transformer” semantics badstates y=3,x=6 reachablestates y=3,x=6 y=3,x=9 y=4,x=1 initialstates y=4,x=1 y=4,x=1

27. “Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); T T O E O E T T y x (y=E,x=E)={(0,0), (0,2),(-4,10),…}

28. “Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2 y=T, x=E if (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E } else { y = 73; … foo(); … } assert (y == 42); y=E, x=E T T O E O E T T y x (y=E,x=E)={(0,0), (0,2),(-4,10),…} Yes/?/No

29. “Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2 y=T, x=E if (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E } else { y = 73; … foo(); … } assert (y == 42); y=E, x=E T T O E O E T T y x (y=E,x=E)={(0,0), (0,2),(-4,10),…} Yes/?/No

30. “Abstract-state transformer” semantics y = ?; y=T, x=T x = y * 2 y=T, x=E if (x % 2 == 0) { y=T, x=E y = 42; y=E, x=E } else { y = 73; … foo(); … } assert (y%2 == 0)y=E, x=E T T O E O E T T y x (y=E,x=E)={(0,0), (0,2),(-4,10),…} ?

31. “Abstract-state transformer” semantics badstates reachablestates initialstates

32. “Abstract-state transformer” semantics badstates reachablestates initialstates

33. “Abstract-state transformer” semantics badstates reachablestates initialstates

34. “Abstract-state transformer” semantics badstates reachablestates initialstates

35. Technique: explore abstract states badstates reachablestates initialstates

36. Sound: cover all reachable states badstates reachablestates initialstates

37. Imprecise abstraction False alarms badstates reachablestates initialstates

38. What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … Abs syntax semantics

39. Programming Languages • Syntax • “how do I write a program?” • BNF • “Parsing” • Semantics • “What does my program mean?” • …

40. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions

41. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions • Cat-transformer

42. What semantics do we want? • Captures the aspects of computations we care about • “adequate” • Hides irrelevant details • “fully abstract” • Compositional

43. Operational Semantics

44. Recap

45. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions • Cat-transformer

46. What semantics do we want? • Captures the aspects of computations we care about • “adequate” • Hides irrelevant details • “fully abstract” • Compositional

47. Formal semantics “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc.” / page 1

48. Formal semantics • “This theory allows a program to be manipulated like a formula –that is to say, its properties can be calculated.” • Gérard Huet & Philippe Flajolethomage to Gilles Kahn

49. Why formal semantics? • Implementation-independent definition of a programming language • Automatically generating interpreters (and some day maybe full fledged compilers) • Verification and debugging • if you don’t know what it does, how do you know its incorrect?

50. Levels of abstractions and applications Static Analysis(abstract semantics)  Program Semantics  Assembly-level Semantics(Small-step)