SlideShare ist ein Scribd-Unternehmen logo

Sep logic slide

R
rainoftime

Introduction to Separation Logic and Facebook Infer

Wissenschaft
1 von 66
Downloaden Sie, um offline zu lesen
Separation Logic rainoftime rainoftime@gmail.com
Overview • Introduction • Applications • Future work
Introduction Hoare Logic Separation Logic
SL in a nutshell • Extension of Hoare logic with Pointer – low-level imperative programs – shared mutable data structures • Pointers are everywhere – OS kernels – network code – C/C++,even ML has reference – ...
Hoare Logic • The Language: SPL C :: skip | x := a | c0; c1 | if b then c1 else c2 | while b do c • Hoare Triple: {P} C {Q}
How to prove the claims? • Proof rule • What does specification mean? Program, Prdicates, and State premise-1, premise-2,... conclusion
Program,State and Predicate • Consider a program with two varible:x, y • The state of is determined by value of x and y, e.g. { x=0, y=1 } State is a partial function mapping var to int • Predicate s |= P store s satisfies assertion P
Proof Rules for SPL { P } skip { P } { Q[e/x] } x:=e {Q} {P} c1 {R} {R} c2 {Q} {P} c1;c2{Q} {Pb} c1 {Q} {P b} c2 {Q} {P} if b then c1 else c2 {Q} {ib} c {i}_______ {i} while b do c {ib} P  P’, {P’} c {Q’}, Q’  Q {p} c {q}
Another form of assignment rule {P} x:=e {Q} = P => Q[e/x] This is more "general" than {Q[e/x]} x:= e {Q} We can use pre-condition strengthening Rule to prove this form.
{P} c {Q} {P} c {R} Post-condition weakening Rule: Likewise, pre-condition strengthening Rule P Q R {P} c {Q}, Q => R {P} c {R} c P => R, {R} c {Q} {P} c {Q}
Prove via weakest pre-condition • { xy } tmp:=x; x:=y; y:=tmp { xy } • Rule for SEQ requires you to come up with intermediate assertions { xy } tmp:=x{ ? }; x:=y{ ? }; y:=tmp { xy } • What to fill? – Use Q[e/x] suggested by the ASG theorem – Work in reverse direction. – "Weakest pre-condition"(wp)
Weakest Pre-condiion • W = wp(c,Q) {P} c {Q} = P => wp(c, Q) • Samples: all these pre-cond are weakest { y = 10 } x := 10 { y = x } { Q } skip { Q } { Q[e/x] } x := e { Q } • Two properties of wp – Reachability: from any s |= W, after execution of c,the new state s' |= Q – Maximality: if after execution of c, the new state s' |= Q, then the formal state s |= W.
wp for SPL wp(skip, Q) = Q wp((x := e),Q) = Q[e/x] wp((c1; c2), Q) = wp(c1, (wp(c2, Q))) wp((if g then c1 else c2), Q) = g ∧ wp(c1, Q) ∨ g ∧ wp(c2, Q) ... Same as inference rule, determined by syntax and semantic
Proof via wp • Wp calculation is fully syntax driven – No human intelligence needed – Can be automated • Works, as long as we can calculate "wp"-not always possible Possible solutions: • use necessary(not sufficient) pre-cond; • synthesis several candidate pre-conds for proc; • desugar into simpler IR(easy to model and anslysis) ... Besides: • FOL may not be expressive enough to express wp over arbitrary domains of computation.
Beyond pre/post condition • When specifying the order of certain actions within a program is important: – E.g CSP • When sequences of observable states through out the execution have to satisfy certain property – E.g. Temporal Logic(ITL, CTL..) • When the environment cannot be fully trusted: – Logic of belief
Correct,sound and compelte • Correctness: {P}c{Q} Part, c may not terminate Toal = Part + termination • Soundness: Every provable formula is true. |- {P}c{Q} => |= {P}c{Q} • Completness: |= {P}c{Q} => |- {P}c{Q} Usually rely on FOL, but may not be sound and complete.
Intro to SepLogic { y != z } C { *y != *z } { *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 } • Framing problem. • What are the conditions on aliasing btwn x, y, z ? Let C be: *y = 1, *z = 2, and suppose x is alias of y. Then the above assertion is wrong.
Framing problem • What are the conditions on C and R? – in presence of aliasing and heap • Separation logic introduces new connective ∗ { P } C {Q} { R ∧ P } C { Q ∧ R } { P } C {Q} { R ∗ P } C { Q ∗ R }
Syntax Assertion Name false Logical false P ∧ Q Classical conjunction P ∨ Q Classical disjunction P ⇒ Q Classical implication P ∗ Q Separating conjunction P −∗ Q Separating implication E -> E Points to emp Empty heap ∃x. P Existential quantifier E = E Expression value equality
Semantics: notions • Assertions are evaluated w.r.t. a state • State is store and heap – S : Var ⇀ Int – H : Loc ⇀ Int where Loc ⊆ Int • Notations – disjoint domains: dom(H1)  dom(H2) – composition: H = H1 ◦ H2 – evaluation: ßEàS  Int – update: S[x:i] • S,H |= P, the state satisfies spec P
Semantics Relation Definition S,H |= false Never satisfied S,H |= P ∧ Q S,H |= P ∧ S,H |= Q S,H |= P ∨ Q S,H |= P ∨ S,H |= Q S,H |= P ⇒ Q S,H |= P ⇒ S,H |= Q S,H |= P ∗ Q ∃H1,H2.dom(H1)  dom(H2) ∧ H1 ◦ H2 = H ∧ S,H1 |= P ∧ S,H2 |= Q S,H |= P −∗ Q ∀H′. (dom(H)  dom(H’) ∧ S,H′ |= P) ⇒ S,H◦H′ |= Q S,H |= E1 -> E2 dom(H) = {ßE1àS} ∧ H( ßE1àS )= ßE2àS S,H |= emp H = {} S,H |= ∃x.P  i  Int . S[x:i],H |= P S,H |= E1 = E2 ßE1àS = ßE2àS
what's new S,H |= E1 -> E2 S,H |= emp S,H |= P ∗ Q the heap H can be divided in two so that P is trueof one partition and Q of the other S,H |= P −∗ Q asserts that extending H with a disjoint part H' that satisfieds P results in a new heap satisfying Q P * Q expressing separation nicely P -* Q structural assume/guarantee Note: in program analysis/verification, usually use proof system without -*.
• E -> E1,E2,..,En  E -> E1 ∗ E+1 -> E2 ∗ ... ∗ E+(n-1) -> En • E -> _  ∃x. E -> x Shorthands 10 11 43 12 7 x ->3,4,7S = [x:10] H = [10:3,11:4,12: 7] |= x
Examples x -> 4,3 x -> 4,3 * true x -> 4,3 ∗ y -> 4,3 x -> 4,3 ∧ y -> 4,3 34 x 34 y 34 xy        
Inductive Definitions • Describe invariants of recursive data-structure – Trees – List Segments – Doubly-linked list segments – Cyclic lists – List of cyclic doubly linked lists – ... • Reasoning about mutable objects
Additional Rules for SepLogic • Frame Rule • Pointer Assign {e -> x} [e] := f {e -> f} • Dispose {e -> x} dispose e {emp} • Alloc {e = v'∧emp} e := new(v) {e -> v} • deref(fetch) {e = v'∧f -> v} e := [f] {e = v∧f -> v} Note: in order distinguish with *, we do not use C- style "*" or "@"..
The Frame Rule • Side condition: no variable modified by c appears free in R • Enalbes local reasoning: programs that execute correctly in a small state (|= P) also execute correctly in a bigger state (|= R * P) { P } c {Q} { R ∗ P } c { Q ∗ R } c P Q R R
On the complexity of SL • Full SL with FO quantification is undecidable – even without * and -* [calcagno et al, FSTTCS 01] – even with a unique selector[Brochenin et al, CSL 08] • Model-checking, satisfiability and validity for SL are PSPACE-complete – PSPACE-hardness from[CYOH, FSTTCS 01] – Upper bound without arithmetics can be also obtained by translation into a “separation-free” version [Lozes, PhD 04]
Applications Program Analysis Verified Software Axiomatic Semantic ...
Program Analysis • Smallfoot(London) • Space Invader(London) • Slayer(Microsoft) • Hip + Sleek(Singapore) • JStar(Cambridge) • SmallfootRG(Cambridge) • Thor(CMU) Case Study: Infer • Heap-Hop(Paris, London) • HTT + Ynot(Harvard) • Holfoot(Cambridge) • Verifier(Tokyo) • ...
Infer Name Lines Time Infer warning/error InferFindbugs junit 26463 5m9s 2m5s 16 221 Findbugs jieba 1012 1m5s 52s 0 18 pysonar2 9311 2m38s 4m45s 12 302 Infer: Linux 3.19.0-25-generic #26-Ubuntu SMPLinux CPU MhZ: 2094.702 Memtotal: 1716644 Kb
History • Local Reasoning about Programs that Alter Data Structures, CSL 01 • Smallfoot: Modular Automatic Assertion Checking with Separation Logic, FMCO 05 • Symbolic Execution with Separation Logic, APLAS 05 • Footprint analysis: A shape analysis that discovers preconditions, SAS 07(intraproc..) • A local shape analysis based on separation logic, CAV 08(Spaceinvader) • Compositional Shape Analysis by Means of Bi- Abduction, POPL 09(Spaceinvader-Abductor) • Moving Fast with Software Verification(Infer)
Step I: Smallfoot v0.1 • Based on SL and symbolic execution • A decidable proof theory for symbolic heaps • Hard-coded inductive predicates for C-like toy language • Implementation: about 4k lines of Ocaml http://www.dcs.qmul.ac.uk/research/logic/theory/proj ects/smallfoot
Automatic Reasoning with Hoare Logic • User provides annotations(formulae) for pre- and post- conditions of procedure and loop invariants • Verification condition generator • Validity checker(for weakest precondition) Example • Formulae or constraint: {P}c{Q} • Verification condition: P => wp(c, Q) • Check: s,h.s,h |= P => wp(c, Q)
How to check? Tool • Interactive theorem prover(Coq, Isabelle..)? • Complete automatic decision procedure? • ... Goal • Safety properties(pointer errors, memory leaks, etc) • Full functional correctness Theory • Use decidable fragement(Full SL is undecidable) – Decidable Logic
Automatic Expressive Decidable Logics: Strand, LISBQ, CSL, etc. Expressive Logics: Separation logics, HOL, Matching logic, etc. Back to the Future: revisiting...using SMT Solvers.
The Fragment of Assertion Assertions A of symbolic heaps(pure parts and heap parts). A ::= (P ∧ ... ∧ P) ; (S ∗ ... ∗ S) E ::= x | nil | E ∧ E P ::= E=E | E  E S ::= E -> E1...En | tree(E) | ls(E, E) | ... ls(E,F) <=> if E=F then emp else x. E->x * ls(x, F) tree(E) <=> if E=nil then emp else x,y. E->x,y * tree(x) * tree(y)
Constraints Geneartion From S1 *...* Sn to constraints of form: (E1F1∧...∧EkFk) => P E.g, from ls(x,y) * ls(z,w) generate: x  y => x  nil z  w => z  nil (x  y ∧ z  w) => x  z
Entailments Between Symbolic Heaps Terminating proof theory for entailments A |- A' Normalization Rules • recognize inconsistency • get rid of equalities via substitution • Perform case analysis using a form of excluded middle • ...
Step II: SpaceInvader v1.1 • Compositional shape analysis via Bi-Abduction • Implementation: ~3.9w lines Bi-Abductive Resource Invariant Synthesis, APLAS 09 Compositional Shape Analysis by means of BI- Abduction, POPL 09 .. http://www0.cs.ucl.ac.uk/staff/p.ohearn/Invader/Inva der/Invader_Home.html
Overview • Frame Inference: A |- B * F, allows an analyzer to use small specs • Abduction Inference: A * M |- B, helps to synthesize small specs • Bi-abduction: A * M |- B * F In interprocedural analysis, usually: A is an assertion at the call site, and B is a precondition from callee’s spec
Frame Inference {list(l1) * list(l2)} Dispose(l1); Dispose(l2); • To use the Frame Rule we must first compute R • Frame Inference: give A and B, compute X such that A |- B*X Example: list(l1)*list(l2) |- list(l1)*list(l2) { P } c {Q} { R ∗ P } c { Q ∗ R }
Abduction Inference lst_nd* p(lst_nd *y) { //1: suppose SH is emp lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x)
Abduction Inference lst_nd* p(lst_nd *y) { lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; // 2.after above, we get A = x->0 merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x)
Abduction Inference lst_nd* p(lst_nd *y) { lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x) Assertion at call site: x->0 Pre from callee’s spec: list(x) * list(y) Then we infer list(y) is missing. We should start with list(y) rather then emp!
Proof Rules for Abduction Inference
Bi-Abduction Inference BiAbd(A, B) = M := Abduce(A, B*true); F := Frame(A*M, B); return (M, F) Abduce() is given by abduction inference rules. BiAbd(A, B) = (M, F) ⇒ A * M |- B * F
Compostional Shape Analysis Construct spec table for every proc. Suppose the procs return a single value and do not access global variables (later to discuss missing part b and A..
Semantic of function call • H is current heap(and assertion at call site) • Callee's spec will not change(generate new set R)
Shape analysis Analyze level by level: if f is in Proc_i and f calls g then g belongs to Proc_j for some j <= i Two abstract runs(InferPre, InferSpec)
InferPre • To infer the precondition of f in Proc_k • T_in: computed spec(from lower level of Proc)
InferSpec • Calculate post-cond calculation from give pre-cond, and filter unsafe pre-cond
Underlying Shape Analysis The "missing parts" The semantic of commands: using 3 functions
Rearr, Exec, Abs Rearrangement: put e in the proper form for an rule to fire Execution: symbolically executes the atomic command in the rearranged heap Abstraction Note: more about rearr, exec, abs, refer to: A local shape analysis based on separation logic, TACAS 06
The abstract transfer function
Verified Software • A formal-verified C static analyzer, POPL 15 • Compositional CompCert, POPL 15 • Verified Correctness and Security of OpenSSL HMAC, USENIX Security 15. • Mostly-automated verification of low-level programs in computational separation logic, PLDI 11 • ... Case study: the verified C static analyzer http://compcert.inria.fr/verasco/
The Verasco Project • Develop and verify in Coq a realistic static analyzer by abstract interpretation • Integration with CompCert
Modular architecture
Future Extension • Numerical abstract domains • Better handling of control-flow(e.g. support recursion..) • Memory absbract domains (e.g. C union, dynamic allocation, shape analysis..)
To be continued ...
Axiomatic semantic for PL To handler diferrent programming languages features: • Separation logic and abstraction Parkinson and Bierman. POPL’05 • Separation Logic, Abstraction, and Inheritance Parkinson, Bierman. POPL'08 • Towards a program logic for JavaScript. Gardner, Maffeis, and Smith. POPL'12 • ... SL for OO language; Coucurrent SL; Higher order Store for SL; ...
Concurrent SL(CSL) [O'hearn 04] • Key Ideas: Threads can only access disjoint resources at the same time.
SL for Object-Orientation • OO languages are popular and widely used • Reasoning about OO programs is challengin – shared mutable state – inheritance(i.e subtyping and method overriding..
Extend the memory model s, h, d |= P • s: Variable -> ObjectID ∪ Integer • h: ObjectID × FieldName -> ObjectID ∪ Integer • d: ObjectID -> ClassNames To be continued...
Higher Order Store Stores that may contain procedures. An observationally complete program logic for imperative higher-order functions, LICS 05 A Simple Model of Separation Logic for Higher-order Store,ICALP 08 Nested Hoare triples and frame rules for higher- order store, CSL 09 ...
Future work Relationship between SL and higher order type system(e.g. dependent type, HoTT..?) Relationship between SL and traditional alias analysis? Distributed compositional shape analysis?.. ....

Empfohlen

Zeta Zero-Counting Function
Zeta Zero-Counting FunctionZeta Zero-Counting Function
Zeta Zero-Counting FunctionFayez A. Alhargan, Ph.D. B.Eng.
 
The Prime-Counting Function
The Prime-Counting FunctionThe Prime-Counting Function
The Prime-Counting FunctionFayez A. Alhargan, Ph.D. B.Eng.
 
Design and Analysis of Algorithms
Design and Analysis of AlgorithmsDesign and Analysis of Algorithms
Design and Analysis of AlgorithmsArvind Krishnaa
 
Asymptotic Notation
Asymptotic NotationAsymptotic Notation
Asymptotic Notationsohelranasweet
 
String Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmString Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmKiran K
 
Algorithm.ppt
Algorithm.pptAlgorithm.ppt
Algorithm.pptTareq Hasan
 
TMPA-2017: Generating Cost Aware Covering Arrays For Free
TMPA-2017: Generating Cost Aware Covering Arrays For Free TMPA-2017: Generating Cost Aware Covering Arrays For Free
TMPA-2017: Generating Cost Aware Covering Arrays For Free Iosif Itkin
 
Design and analysis of algorithm
Design and analysis of algorithmDesign and analysis of algorithm
Design and analysis of algorithmVarun Ojha
 

Empfohlen

Zeta Zero-Counting Function
Zeta Zero-Counting FunctionZeta Zero-Counting Function
Zeta Zero-Counting FunctionFayez A. Alhargan, Ph.D. B.Eng.
 
The Prime-Counting Function
The Prime-Counting FunctionThe Prime-Counting Function
The Prime-Counting FunctionFayez A. Alhargan, Ph.D. B.Eng.
 
Design and Analysis of Algorithms
Design and Analysis of AlgorithmsDesign and Analysis of Algorithms
Design and Analysis of AlgorithmsArvind Krishnaa
 
Asymptotic Notation
Asymptotic NotationAsymptotic Notation
Asymptotic Notationsohelranasweet
 
String Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmString Matching with Finite Automata and Knuth Morris Pratt Algorithm
String Matching with Finite Automata and Knuth Morris Pratt AlgorithmKiran K
 
Algorithm.ppt
Algorithm.pptAlgorithm.ppt
Algorithm.pptTareq Hasan
 
TMPA-2017: Generating Cost Aware Covering Arrays For Free
TMPA-2017: Generating Cost Aware Covering Arrays For Free TMPA-2017: Generating Cost Aware Covering Arrays For Free
TMPA-2017: Generating Cost Aware Covering Arrays For Free Iosif Itkin
 
Design and analysis of algorithm
Design and analysis of algorithmDesign and analysis of algorithm
Design and analysis of algorithmVarun Ojha
 
Analysis and design of algorithms part 4
Analysis and design of algorithms part 4Analysis and design of algorithms part 4
Analysis and design of algorithms part 4Deepak John
 
Algorithum Analysis
Algorithum AnalysisAlgorithum Analysis
Algorithum AnalysisAin-ul-Moiz Khawaja
 
Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7Traian Rebedea
 
Asymptotic analysis
Asymptotic analysisAsymptotic analysis
Asymptotic analysisSoujanya V
 
Lecture13
Lecture13Lecture13
Lecture13vaishali_singh
 
Asymptotic Notation
Asymptotic NotationAsymptotic Notation
Asymptotic NotationProtap Mondal
 
Asymptotic Notation and Complexity
Asymptotic Notation and ComplexityAsymptotic Notation and Complexity
Asymptotic Notation and ComplexityRajandeep Gill
 
Analysis of Algorithm
Analysis of AlgorithmAnalysis of Algorithm
Analysis of Algorithmأحلام انصارى
 
High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...Vissarion Fisikopoulos
 
Single source shortes path in dag
Single source shortes path in dagSingle source shortes path in dag
Single source shortes path in dagKiran K
 
Time complexity
Time complexityTime complexity
Time complexityKatang Isip
 
Introduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic NotationIntroduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic NotationAmrinder Arora
 
An algorithm for computing resultant polytopes
An algorithm for computing resultant polytopesAn algorithm for computing resultant polytopes
An algorithm for computing resultant polytopesVissarion Fisikopoulos
 
Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1Abhimanyu Mishra
 
How to design a linear control system
How to design a linear control systemHow to design a linear control system
How to design a linear control systemAlireza Mirzaei
 
Asymptotic notations
Asymptotic notationsAsymptotic notations
Asymptotic notationsEhtisham Ali
 
Bellman ford
Bellman fordBellman ford
Bellman fordKiran K
 
Polyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimizationPolyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimizationVissarion Fisikopoulos
 
Aho corasick-lecture
Aho corasick-lectureAho corasick-lecture
Aho corasick-lecturePekkaKilpelinen2
 
Linear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent SetLinear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent SetDhaval Shukla
 
Polynomials.pdf
Polynomials.pdfPolynomials.pdf
Polynomials.pdflordofdankness
 
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemTMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemIosif Itkin
 

Weitere ähnliche Inhalte

Was ist angesagt?

Analysis and design of algorithms part 4
Analysis and design of algorithms part 4Analysis and design of algorithms part 4
Analysis and design of algorithms part 4Deepak John
 
Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7Traian Rebedea
 
Asymptotic analysis
Asymptotic analysisAsymptotic analysis
Asymptotic analysisSoujanya V
 
Asymptotic Notation and Complexity
Asymptotic Notation and ComplexityAsymptotic Notation and Complexity
Asymptotic Notation and ComplexityRajandeep Gill
 
High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...Vissarion Fisikopoulos
 
Single source shortes path in dag
Single source shortes path in dagSingle source shortes path in dag
Single source shortes path in dagKiran K
 
Introduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic NotationIntroduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic NotationAmrinder Arora
 
An algorithm for computing resultant polytopes
An algorithm for computing resultant polytopesAn algorithm for computing resultant polytopes
An algorithm for computing resultant polytopesVissarion Fisikopoulos
 
Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1Abhimanyu Mishra
 
How to design a linear control system
How to design a linear control systemHow to design a linear control system
How to design a linear control systemAlireza Mirzaei
 
Asymptotic notations
Asymptotic notationsAsymptotic notations
Asymptotic notationsEhtisham Ali
 
Bellman ford
Bellman fordBellman ford
Bellman fordKiran K
 
Polyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimizationPolyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimizationVissarion Fisikopoulos
 
Linear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent SetLinear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent SetDhaval Shukla
 

Was ist angesagt? (20)

Analysis and design of algorithms part 4
Analysis and design of algorithms part 4Analysis and design of algorithms part 4
Analysis and design of algorithms part 4
 
Algorithum Analysis
Algorithum AnalysisAlgorithum Analysis
Algorithum Analysis
 
Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7Algorithm Design and Complexity - Course 7
Algorithm Design and Complexity - Course 7
 
Asymptotic analysis
Asymptotic analysisAsymptotic analysis
Asymptotic analysis
 
Lecture13
Lecture13Lecture13
Lecture13
 
Asymptotic Notation
Asymptotic NotationAsymptotic Notation
Asymptotic Notation
 
Asymptotic Notation and Complexity
Asymptotic Notation and ComplexityAsymptotic Notation and Complexity
Asymptotic Notation and Complexity
 
Analysis of Algorithm
Analysis of AlgorithmAnalysis of Algorithm
Analysis of Algorithm
 
High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...High-dimensional polytopes defined by oracles: algorithms, computations and a...
High-dimensional polytopes defined by oracles: algorithms, computations and a...
 
Single source shortes path in dag
Single source shortes path in dagSingle source shortes path in dag
Single source shortes path in dag
 
Time complexity
Time complexityTime complexity
Time complexity
 
Introduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic NotationIntroduction to Algorithms and Asymptotic Notation
Introduction to Algorithms and Asymptotic Notation
 
An algorithm for computing resultant polytopes
An algorithm for computing resultant polytopesAn algorithm for computing resultant polytopes
An algorithm for computing resultant polytopes
 
Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1Theory of Automata and formal languages unit 1
Theory of Automata and formal languages unit 1
 
How to design a linear control system
How to design a linear control systemHow to design a linear control system
How to design a linear control system
 
Asymptotic notations
Asymptotic notationsAsymptotic notations
Asymptotic notations
 
Bellman ford
Bellman fordBellman ford
Bellman ford
 
Polyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimizationPolyhedral computations in computational algebraic geometry and optimization
Polyhedral computations in computational algebraic geometry and optimization
 
Aho corasick-lecture
Aho corasick-lectureAho corasick-lecture
Aho corasick-lecture
 
Linear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent SetLinear Combination, Span And Linearly Independent, Dependent Set
Linear Combination, Span And Linearly Independent, Dependent Set
 

Ähnlich wie Sep logic slide

TMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemTMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemIosif Itkin
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)Alex Pruden
 
Formal methods 5 - Pi calculus
Formal methods 5 - Pi calculusFormal methods 5 - Pi calculus
Formal methods 5 - Pi calculusVlad Patryshev
 
Frequency Response with MATLAB Examples.pdf
Frequency Response with MATLAB Examples.pdfFrequency Response with MATLAB Examples.pdf
Frequency Response with MATLAB Examples.pdfSunil Manjani
 
Understanding distributed calculi in Haskell
Understanding distributed calculi in HaskellUnderstanding distributed calculi in Haskell
Understanding distributed calculi in HaskellPawel Szulc
 
Formal Languages and Automata Theory unit 3
Formal Languages and Automata Theory unit 3Formal Languages and Automata Theory unit 3
Formal Languages and Automata Theory unit 3Srimatre K
 
Biomedical Control systems-Block Diagram Reduction Techniques.pptx
Biomedical Control systems-Block Diagram Reduction Techniques.pptxBiomedical Control systems-Block Diagram Reduction Techniques.pptx
Biomedical Control systems-Block Diagram Reduction Techniques.pptxAmnaMuneer9
 
Automata theory - Push Down Automata (PDA)
Automata theory - Push Down Automata (PDA)Automata theory - Push Down Automata (PDA)
Automata theory - Push Down Automata (PDA)Akila Krishnamoorthy
 
Deterministic finite automata
Deterministic finite automata Deterministic finite automata
Deterministic finite automata Muhammad Love Kian
 
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Peng Cheng
 
Advanced matlab codigos matematicos
Advanced matlab codigos matematicosAdvanced matlab codigos matematicos
Advanced matlab codigos matematicosKmilo Bolaños
 
RChain - Understanding Distributed Calculi
RChain - Understanding Distributed CalculiRChain - Understanding Distributed Calculi
RChain - Understanding Distributed CalculiPawel Szulc
 
Raices de ecuaciones
Raices de ecuacionesRaices de ecuaciones
Raices de ecuacionesNatalia
 
Raices de ecuaciones
Raices de ecuacionesRaices de ecuaciones
Raices de ecuacionesNatalia
 
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...ijrap
 

Ähnlich wie Sep logic slide (20)

Polynomials.pdf
Polynomials.pdfPolynomials.pdf
Polynomials.pdf
 
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemTMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
 
Formal methods 5 - Pi calculus
Formal methods 5 - Pi calculusFormal methods 5 - Pi calculus
Formal methods 5 - Pi calculus
 
Frequency Response with MATLAB Examples.pdf
Frequency Response with MATLAB Examples.pdfFrequency Response with MATLAB Examples.pdf
Frequency Response with MATLAB Examples.pdf
 
Understanding distributed calculi in Haskell
Understanding distributed calculi in HaskellUnderstanding distributed calculi in Haskell
Understanding distributed calculi in Haskell
 
chapter9.ppt
chapter9.pptchapter9.ppt
chapter9.ppt
 
Block diagrams.ppt
Block diagrams.pptBlock diagrams.ppt
Block diagrams.ppt
 
Teori automata lengkap
Teori automata lengkapTeori automata lengkap
Teori automata lengkap
 
Formal Languages and Automata Theory unit 3
Formal Languages and Automata Theory unit 3Formal Languages and Automata Theory unit 3
Formal Languages and Automata Theory unit 3
 
Biomedical Control systems-Block Diagram Reduction Techniques.pptx
Biomedical Control systems-Block Diagram Reduction Techniques.pptxBiomedical Control systems-Block Diagram Reduction Techniques.pptx
Biomedical Control systems-Block Diagram Reduction Techniques.pptx
 
Dfa h11
Dfa h11Dfa h11
Dfa h11
 
Automata theory - Push Down Automata (PDA)
Automata theory - Push Down Automata (PDA)Automata theory - Push Down Automata (PDA)
Automata theory - Push Down Automata (PDA)
 
Deterministic finite automata
Deterministic finite automata Deterministic finite automata
Deterministic finite automata
 
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
 
Advanced matlab codigos matematicos
Advanced matlab codigos matematicosAdvanced matlab codigos matematicos
Advanced matlab codigos matematicos
 
RChain - Understanding Distributed Calculi
RChain - Understanding Distributed CalculiRChain - Understanding Distributed Calculi
RChain - Understanding Distributed Calculi
 
Raices de ecuaciones
Raices de ecuacionesRaices de ecuaciones
Raices de ecuaciones
 
Raices de ecuaciones
Raices de ecuacionesRaices de ecuaciones
Raices de ecuaciones
 
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...
Exact Quasi-Classical Asymptoticbeyond Maslov Canonical Operator and Quantum ...
 

Kürzlich hochgeladen

GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)Areesha Ahmad
 
fundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyfundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyDrAnita Sharma
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )aarthirajkumar25
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)Areesha Ahmad
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)PraveenaKalaiselvan1
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
Botany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsBotany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsSumit Kumar yadav
 
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls Agency
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls AgencyHire 💕 9907093804 Hooghly Call Girls Service Call Girls Agency
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls AgencySheetal Arora
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPirithiRaju
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bSérgio Sacani
 
DIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSSDIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSSLeenakshiTyagi
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfSumit Kumar yadav
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPirithiRaju
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000Sapana Sha
 

Kürzlich hochgeladen (20)

GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
fundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyfundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomology
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
Botany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsBotany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questions
 
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls Agency
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls AgencyHire 💕 9907093804 Hooghly Call Girls Service Call Girls Agency
Hire 💕 9907093804 Hooghly Call Girls Service Call Girls Agency
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
 
DIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSSDIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSS
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
 

Sep logic slide

  • 4. SL in a nutshell • Extension of Hoare logic with Pointer – low-level imperative programs – shared mutable data structures • Pointers are everywhere – OS kernels – network code – C/C++,even ML has reference – ...
  • 5. Hoare Logic • The Language: SPL C :: skip | x := a | c0; c1 | if b then c1 else c2 | while b do c • Hoare Triple: {P} C {Q}
  • 6. How to prove the claims? • Proof rule • What does specification mean? Program, Prdicates, and State premise-1, premise-2,... conclusion
  • 7. Program,State and Predicate • Consider a program with two varible:x, y • The state of is determined by value of x and y, e.g. { x=0, y=1 } State is a partial function mapping var to int • Predicate s |= P store s satisfies assertion P
  • 8. Proof Rules for SPL { P } skip { P } { Q[e/x] } x:=e {Q} {P} c1 {R} {R} c2 {Q} {P} c1;c2{Q} {Pb} c1 {Q} {P b} c2 {Q} {P} if b then c1 else c2 {Q} {ib} c {i}_______ {i} while b do c {ib} P  P’, {P’} c {Q’}, Q’  Q {p} c {q}
  • 9. Another form of assignment rule {P} x:=e {Q} = P => Q[e/x] This is more "general" than {Q[e/x]} x:= e {Q} We can use pre-condition strengthening Rule to prove this form.
  • 10. {P} c {Q} {P} c {R} Post-condition weakening Rule: Likewise, pre-condition strengthening Rule P Q R {P} c {Q}, Q => R {P} c {R} c P => R, {R} c {Q} {P} c {Q}
  • 11. Prove via weakest pre-condition • { xy } tmp:=x; x:=y; y:=tmp { xy } • Rule for SEQ requires you to come up with intermediate assertions { xy } tmp:=x{ ? }; x:=y{ ? }; y:=tmp { xy } • What to fill? – Use Q[e/x] suggested by the ASG theorem – Work in reverse direction. – "Weakest pre-condition"(wp)
  • 12. Weakest Pre-condiion • W = wp(c,Q) {P} c {Q} = P => wp(c, Q) • Samples: all these pre-cond are weakest { y = 10 } x := 10 { y = x } { Q } skip { Q } { Q[e/x] } x := e { Q } • Two properties of wp – Reachability: from any s |= W, after execution of c,the new state s' |= Q – Maximality: if after execution of c, the new state s' |= Q, then the formal state s |= W.
  • 13. wp for SPL wp(skip, Q) = Q wp((x := e),Q) = Q[e/x] wp((c1; c2), Q) = wp(c1, (wp(c2, Q))) wp((if g then c1 else c2), Q) = g ∧ wp(c1, Q) ∨ g ∧ wp(c2, Q) ... Same as inference rule, determined by syntax and semantic
  • 14. Proof via wp • Wp calculation is fully syntax driven – No human intelligence needed – Can be automated • Works, as long as we can calculate "wp"-not always possible Possible solutions: • use necessary(not sufficient) pre-cond; • synthesis several candidate pre-conds for proc; • desugar into simpler IR(easy to model and anslysis) ... Besides: • FOL may not be expressive enough to express wp over arbitrary domains of computation.
  • 15. Beyond pre/post condition • When specifying the order of certain actions within a program is important: – E.g CSP • When sequences of observable states through out the execution have to satisfy certain property – E.g. Temporal Logic(ITL, CTL..) • When the environment cannot be fully trusted: – Logic of belief
  • 16. Correct,sound and compelte • Correctness: {P}c{Q} Part, c may not terminate Toal = Part + termination • Soundness: Every provable formula is true. |- {P}c{Q} => |= {P}c{Q} • Completness: |= {P}c{Q} => |- {P}c{Q} Usually rely on FOL, but may not be sound and complete.
  • 17. Intro to SepLogic { y != z } C { *y != *z } { *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 } • Framing problem. • What are the conditions on aliasing btwn x, y, z ? Let C be: *y = 1, *z = 2, and suppose x is alias of y. Then the above assertion is wrong.
  • 18. Framing problem • What are the conditions on C and R? – in presence of aliasing and heap • Separation logic introduces new connective ∗ { P } C {Q} { R ∧ P } C { Q ∧ R } { P } C {Q} { R ∗ P } C { Q ∗ R }
  • 19. Syntax Assertion Name false Logical false P ∧ Q Classical conjunction P ∨ Q Classical disjunction P ⇒ Q Classical implication P ∗ Q Separating conjunction P −∗ Q Separating implication E -> E Points to emp Empty heap ∃x. P Existential quantifier E = E Expression value equality
  • 20. Semantics: notions • Assertions are evaluated w.r.t. a state • State is store and heap – S : Var ⇀ Int – H : Loc ⇀ Int where Loc ⊆ Int • Notations – disjoint domains: dom(H1)  dom(H2) – composition: H = H1 ◦ H2 – evaluation: ßEàS  Int – update: S[x:i] • S,H |= P, the state satisfies spec P
  • 21. Semantics Relation Definition S,H |= false Never satisfied S,H |= P ∧ Q S,H |= P ∧ S,H |= Q S,H |= P ∨ Q S,H |= P ∨ S,H |= Q S,H |= P ⇒ Q S,H |= P ⇒ S,H |= Q S,H |= P ∗ Q ∃H1,H2.dom(H1)  dom(H2) ∧ H1 ◦ H2 = H ∧ S,H1 |= P ∧ S,H2 |= Q S,H |= P −∗ Q ∀H′. (dom(H)  dom(H’) ∧ S,H′ |= P) ⇒ S,H◦H′ |= Q S,H |= E1 -> E2 dom(H) = {ßE1àS} ∧ H( ßE1àS )= ßE2àS S,H |= emp H = {} S,H |= ∃x.P  i  Int . S[x:i],H |= P S,H |= E1 = E2 ßE1àS = ßE2àS
  • 22. what's new S,H |= E1 -> E2 S,H |= emp S,H |= P ∗ Q the heap H can be divided in two so that P is trueof one partition and Q of the other S,H |= P −∗ Q asserts that extending H with a disjoint part H' that satisfieds P results in a new heap satisfying Q P * Q expressing separation nicely P -* Q structural assume/guarantee Note: in program analysis/verification, usually use proof system without -*.
  • 23. • E -> E1,E2,..,En  E -> E1 ∗ E+1 -> E2 ∗ ... ∗ E+(n-1) -> En • E -> _  ∃x. E -> x Shorthands 10 11 43 12 7 x ->3,4,7S = [x:10] H = [10:3,11:4,12: 7] |= x
  • 24. Examples x -> 4,3 x -> 4,3 * true x -> 4,3 ∗ y -> 4,3 x -> 4,3 ∧ y -> 4,3 34 x 34 y 34 xy        
  • 25. Inductive Definitions • Describe invariants of recursive data-structure – Trees – List Segments – Doubly-linked list segments – Cyclic lists – List of cyclic doubly linked lists – ... • Reasoning about mutable objects
  • 26. Additional Rules for SepLogic • Frame Rule • Pointer Assign {e -> x} [e] := f {e -> f} • Dispose {e -> x} dispose e {emp} • Alloc {e = v'∧emp} e := new(v) {e -> v} • deref(fetch) {e = v'∧f -> v} e := [f] {e = v∧f -> v} Note: in order distinguish with *, we do not use C- style "*" or "@"..
  • 27. The Frame Rule • Side condition: no variable modified by c appears free in R • Enalbes local reasoning: programs that execute correctly in a small state (|= P) also execute correctly in a bigger state (|= R * P) { P } c {Q} { R ∗ P } c { Q ∗ R } c P Q R R
  • 28. On the complexity of SL • Full SL with FO quantification is undecidable – even without * and -* [calcagno et al, FSTTCS 01] – even with a unique selector[Brochenin et al, CSL 08] • Model-checking, satisfiability and validity for SL are PSPACE-complete – PSPACE-hardness from[CYOH, FSTTCS 01] – Upper bound without arithmetics can be also obtained by translation into a “separation-free” version [Lozes, PhD 04]
  • 30. Program Analysis • Smallfoot(London) • Space Invader(London) • Slayer(Microsoft) • Hip + Sleek(Singapore) • JStar(Cambridge) • SmallfootRG(Cambridge) • Thor(CMU) Case Study: Infer • Heap-Hop(Paris, London) • HTT + Ynot(Harvard) • Holfoot(Cambridge) • Verifier(Tokyo) • ...
  • 31. Infer Name Lines Time Infer warning/error InferFindbugs junit 26463 5m9s 2m5s 16 221 Findbugs jieba 1012 1m5s 52s 0 18 pysonar2 9311 2m38s 4m45s 12 302 Infer: Linux 3.19.0-25-generic #26-Ubuntu SMPLinux CPU MhZ: 2094.702 Memtotal: 1716644 Kb
  • 32. History • Local Reasoning about Programs that Alter Data Structures, CSL 01 • Smallfoot: Modular Automatic Assertion Checking with Separation Logic, FMCO 05 • Symbolic Execution with Separation Logic, APLAS 05 • Footprint analysis: A shape analysis that discovers preconditions, SAS 07(intraproc..) • A local shape analysis based on separation logic, CAV 08(Spaceinvader) • Compositional Shape Analysis by Means of Bi- Abduction, POPL 09(Spaceinvader-Abductor) • Moving Fast with Software Verification(Infer)
  • 33. Step I: Smallfoot v0.1 • Based on SL and symbolic execution • A decidable proof theory for symbolic heaps • Hard-coded inductive predicates for C-like toy language • Implementation: about 4k lines of Ocaml http://www.dcs.qmul.ac.uk/research/logic/theory/proj ects/smallfoot
  • 34. Automatic Reasoning with Hoare Logic • User provides annotations(formulae) for pre- and post- conditions of procedure and loop invariants • Verification condition generator • Validity checker(for weakest precondition) Example • Formulae or constraint: {P}c{Q} • Verification condition: P => wp(c, Q) • Check: s,h.s,h |= P => wp(c, Q)
  • 35. How to check? Tool • Interactive theorem prover(Coq, Isabelle..)? • Complete automatic decision procedure? • ... Goal • Safety properties(pointer errors, memory leaks, etc) • Full functional correctness Theory • Use decidable fragement(Full SL is undecidable) – Decidable Logic
  • 36. Automatic Expressive Decidable Logics: Strand, LISBQ, CSL, etc. Expressive Logics: Separation logics, HOL, Matching logic, etc. Back to the Future: revisiting...using SMT Solvers.
  • 37. The Fragment of Assertion Assertions A of symbolic heaps(pure parts and heap parts). A ::= (P ∧ ... ∧ P) ; (S ∗ ... ∗ S) E ::= x | nil | E ∧ E P ::= E=E | E  E S ::= E -> E1...En | tree(E) | ls(E, E) | ... ls(E,F) <=> if E=F then emp else x. E->x * ls(x, F) tree(E) <=> if E=nil then emp else x,y. E->x,y * tree(x) * tree(y)
  • 38. Constraints Geneartion From S1 *...* Sn to constraints of form: (E1F1∧...∧EkFk) => P E.g, from ls(x,y) * ls(z,w) generate: x  y => x  nil z  w => z  nil (x  y ∧ z  w) => x  z
  • 39. Entailments Between Symbolic Heaps Terminating proof theory for entailments A |- A' Normalization Rules • recognize inconsistency • get rid of equalities via substitution • Perform case analysis using a form of excluded middle • ...
  • 40. Step II: SpaceInvader v1.1 • Compositional shape analysis via Bi-Abduction • Implementation: ~3.9w lines Bi-Abductive Resource Invariant Synthesis, APLAS 09 Compositional Shape Analysis by means of BI- Abduction, POPL 09 .. http://www0.cs.ucl.ac.uk/staff/p.ohearn/Invader/Inva der/Invader_Home.html
  • 41. Overview • Frame Inference: A |- B * F, allows an analyzer to use small specs • Abduction Inference: A * M |- B, helps to synthesize small specs • Bi-abduction: A * M |- B * F In interprocedural analysis, usually: A is an assertion at the call site, and B is a precondition from callee’s spec
  • 42. Frame Inference {list(l1) * list(l2)} Dispose(l1); Dispose(l2); • To use the Frame Rule we must first compute R • Frame Inference: give A and B, compute X such that A |- B*X Example: list(l1)*list(l2) |- list(l1)*list(l2) { P } c {Q} { R ∗ P } c { Q ∗ R }
  • 43. Abduction Inference lst_nd* p(lst_nd *y) { //1: suppose SH is emp lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x)
  • 44. Abduction Inference lst_nd* p(lst_nd *y) { lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; // 2.after above, we get A = x->0 merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x)
  • 45. Abduction Inference lst_nd* p(lst_nd *y) { lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x) Assertion at call site: x->0 Pre from callee’s spec: list(x) * list(y) Then we infer list(y) is missing. We should start with list(y) rather then emp!
  • 47. Bi-Abduction Inference BiAbd(A, B) = M := Abduce(A, B*true); F := Frame(A*M, B); return (M, F) Abduce() is given by abduction inference rules. BiAbd(A, B) = (M, F) ⇒ A * M |- B * F
  • 48. Compostional Shape Analysis Construct spec table for every proc. Suppose the procs return a single value and do not access global variables (later to discuss missing part b and A..
  • 49. Semantic of function call • H is current heap(and assertion at call site) • Callee's spec will not change(generate new set R)
  • 50. Shape analysis Analyze level by level: if f is in Proc_i and f calls g then g belongs to Proc_j for some j <= i Two abstract runs(InferPre, InferSpec)
  • 51. InferPre • To infer the precondition of f in Proc_k • T_in: computed spec(from lower level of Proc)
  • 52. InferSpec • Calculate post-cond calculation from give pre-cond, and filter unsafe pre-cond
  • 53. Underlying Shape Analysis The "missing parts" The semantic of commands: using 3 functions
  • 54. Rearr, Exec, Abs Rearrangement: put e in the proper form for an rule to fire Execution: symbolically executes the atomic command in the rearranged heap Abstraction Note: more about rearr, exec, abs, refer to: A local shape analysis based on separation logic, TACAS 06
  • 56. Verified Software • A formal-verified C static analyzer, POPL 15 • Compositional CompCert, POPL 15 • Verified Correctness and Security of OpenSSL HMAC, USENIX Security 15. • Mostly-automated verification of low-level programs in computational separation logic, PLDI 11 • ... Case study: the verified C static analyzer http://compcert.inria.fr/verasco/
  • 57. The Verasco Project • Develop and verify in Coq a realistic static analyzer by abstract interpretation • Integration with CompCert
  • 59. Future Extension • Numerical abstract domains • Better handling of control-flow(e.g. support recursion..) • Memory absbract domains (e.g. C union, dynamic allocation, shape analysis..)
  • 61. Axiomatic semantic for PL To handler diferrent programming languages features: • Separation logic and abstraction Parkinson and Bierman. POPL’05 • Separation Logic, Abstraction, and Inheritance Parkinson, Bierman. POPL'08 • Towards a program logic for JavaScript. Gardner, Maffeis, and Smith. POPL'12 • ... SL for OO language; Coucurrent SL; Higher order Store for SL; ...
  • 62. Concurrent SL(CSL) [O'hearn 04] • Key Ideas: Threads can only access disjoint resources at the same time.
  • 63. SL for Object-Orientation • OO languages are popular and widely used • Reasoning about OO programs is challengin – shared mutable state – inheritance(i.e subtyping and method overriding..
  • 64. Extend the memory model s, h, d |= P • s: Variable -> ObjectID ∪ Integer • h: ObjectID × FieldName -> ObjectID ∪ Integer • d: ObjectID -> ClassNames To be continued...
  • 65. Higher Order Store Stores that may contain procedures. An observationally complete program logic for imperative higher-order functions, LICS 05 A Simple Model of Separation Logic for Higher-order Store,ICALP 08 Nested Hoare triples and frame rules for higher- order store, CSL 09 ...
  • 66. Future work Relationship between SL and higher order type system(e.g. dependent type, HoTT..?) Relationship between SL and traditional alias analysis? Distributed compositional shape analysis?.. ....