Program Analysis and Verification
0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html
Noam Rinetzky
Lecture 3: Program Semantics
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
2
Good manners
• Mobiles
3
Admin
• Grades– First home assignment will be published on Tuesday.
• Due lesson 5
Scribes (this week)? Scribes (next week)
4
Today
• Operational semantics– Advanced features
• Traces semantics
• Denotational Semantics
5
What do we mean?
שלום
syntax semantics
6
What do we mean?
Psyntax semantics
P: x7
7
Why formal semantics?
• Implementation-independent definition of a programming language
• Automatically generating interpreters (and some day maybe full fledged compilers)
• Verification and debugging– if you don’t know what it does, how do you know
its incorrect?
8
Programming Languages
• Syntax • “how do I write a program?”
– BNF– “Parsing”
• Semantics • “What does my program mean?”
– …
9
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions• …
10
What semantics do we want?
• Captures the aspects of computations we care about– “adequate”
• Hides irrelevant details– “fully abstract”
• Compositional
11
A simple imperative language: WhileAbstract syntax:
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2
S ::= x := a | skip | S1; S2| if b then S1 else S2
| while b do S
12
Syntactic categories
n Num numeralsx Var program variablesa Aexp arithmetic expressionsb Bexp boolean expressionsS Stm statements
13
Semantic categories
Z Integers {0, 1, -1, 2, -2, …}TTruth values {ff, tt}State Var Z
Example state: s=[x5, y7, z0]Lookup: s x = 5Update: s[x6] = [x6, y7, z0]
14
Semantics of expressions
• Arithmetic expressions are side-effect free– Semantic function A Aexp : State Z– Defined by induction on the syntax tree
A n s = nA x s = s xA a1 + a2 s = A a1 s + A a2 sA a1 - a2 s = A a1 s - A a2 sA a1 * a2 s = A a1 s A a2 s A (a1) s = A a1 s --- not neededA - a s = 0 - A a1 s
– Compositional– Properties can be proved by structural induction
• Similarly for Boolean expressions
Operational Semantics
(Recap)
Operational Semantics
The meaning of a program in the language is explained in terms of a hypothetical computer which performs the set of actions which constitute the elaboration of that program.
[Algol68, Section 2]
Operational Semantics
It is all very well to aim for a more ‘abstract’ and a ‘cleaner’ approach to semantics, but if the plan is to be any good, the operational aspects cannot be completely ignored.
[Scott70]
18
Operational semantics
• Concerned with how to execute programs– How statements modify state– Define transition relation between configurations
• Two flavors– Structural operational semantics: describes how
the individual steps of a computations take place• So-called “small-step” semantics
– Natural semantics: describes how the overall results of executions are obtained• So-called “big-step” semantics
19
Structural operating semantics (SOS)
• aka “Small-step semantics”
S, s S’, s’
first step
20
Structural operational semantics• Developed by Gordon Plotkin [TR 1981]• Configurations: has one of two forms:
S, s Statement S is about to execute on state ss Terminal (final) state
• Transitions S, s = S’, s’ Execution of S from s is not completed and
remaining computation proceeds from intermediate configuration
= s’ Execution of S from s has terminated and the final state is s’
• S, s is stuck if there is no such that S, s
first step
21
Structural semantics for While x:=a, s s[xAas][asssos]
skip, s s[skipsos]
S1, s S1’, s’ S1; S2, s S1’; S2, s’ [comp1
sos]
if b then S1 else S2, s S1, s if B b s = tt[ifttsos]
if b then S1 else S2, s S2, s if B b s = ff[ifffsos]
S1, s s’ S1; S2, s S2, s’ [comp2
sos]
22
Derivation sequences• A derivation sequence of a statement S starting in state s is either• A finite sequence 0, 1, 2 …, k such that
1. 0 = S, s2. i i+1
3. k is either stuck configuration or a final state
• An infinite sequence 0, 1, 2, … such that1. 0 = S, s2. i i+1
• Notations:– 0 k k 0 derives k in k steps– 0 * 0 derives in a finite number of steps
23
Natural operating semantics (NS)
• aka “Large-step semantics”
S, s s’
all steps
24
Natural operating semantics
• Developed by Gilles Kahn [STACS 1987]• Configurations
S, s Statement S is about to execute on state ss Terminal (final) state
• TransitionsS, s s’ Execution of S from s will terminate
with the result state s’– Ignores non-terminating computations
25
Natural operating semantics
• defined by rules of the form
• The meaning of compound statements is defined using the meaning immediate constituent statements
S1, s1 s1’, … , Sn, sn sn’
S, s s’
if…
premise
conclusion
side condition
26
Natural semantics for While x := a, s s[x Aas][assns]
skip, s s[skipns]
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
axioms
27
Derivation trees
• Using axioms and rules to derive a transition S, s s’ gives a derivation tree– Root: S, s s’– Leaves: axioms– Internal nodes: conclusions of rules• Immediate children: matching rule premises
28
Evaluation via derivation sequences
• For any While statement S and state s it is always possible to find at least one derivation sequence from S, s– Apply axioms and rules forever or until a terminal
or stuck configuration is reached• Proposition: there are no stuck configurations
in While
29
The semantic function Ssos
• The meaning of a statement S is defined as a partial function from State to State
Ssos: Stm (State State)
• Examples:Ssos skip s = sSsos x:=1 s = s [x 1]Ssos while true do skip s = undefined
Ssos S s = s’ if S, s * s’ undefined otherwise
S: What a statement S means to the context: P[S]• S1 = x:=x+2• S2 = x:=x+1 ; x:=x+1• P[S] = z:=x; S; y:=x;
30
The semantic function Sns
• The meaning of a statement S is defined as a partial function from State to State
Sns: Stm (State State)
• Examples:Sns skips = sSns x:=1s = s [x 1]Sns while true do skips = undefined
Sns S s = s’ if S, s s’ undefined otherwise
31
An equivalence result
• S1 and S2 are semantically equivalent if for all s and s’ S1, s s’ if and only if S2, s s’– Same semantics
• SOS and NS– For every statement in While Sns S = Ssos S– Proof in pages 40-43
32
While in WHILE
33
Semantic equivalence
• S1 and S2 are semantically equivalent if for all s and s’ S1, s s’ if and only if S2, s s’
• Simple examplewhile b do Sis semantically equivalent to:if b then (S; while b do S) else skip– Read proof in pages 26-27
34
Structural semantics for while
while b do S, s if b then
S; while b do S) else
skip, s
[whilesos]
35
Natural semantics for While
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
while b do S, s s if B b s = ff[whileffns]
Non-compositional
Comparing semanticsStructuralsemantics
Naturalsemantics
Statement
abortabort; S
skip; S
if x = 0 then abort else y := y / x
• The natural semantics cannot describe looping executions‒ Every execution is represented by a finite derivation tree
• The structural operational semantics can describe both• Looping executions have infinite derivation sequences
• Every step in the derivation sequence is justified by a finite derivation tree
• Terminating executions have a finite one
37
What is a semantics good for?
• Allows to “evaluate” a program
• Properties of programming language semantics holds for all programs …
38
What is a semantics good for?
• Allows to “evaluate” a program
• Properties of programming language semantics holds for all programs …
• NS: more abstract– Fewer rules, top-down interpreter, simpler proofs
• SOS: more “accurate”– Order of evaluation, non-termination
Operational Semantics
(paceR)
Operational Semantics
(Extended language)
41
Language Extensions
• abort statement (like C’s exit w/o return value)• Non-determinism• Parallelism• Local Variables• Procedures– Static Scope– Dynamic scope
42
While + abort
• Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| abort
• Abort terminates the execution– In “skip; S” the statement S executes– In “abort; S” the statement S should never execute
• Natural semantics rules: …?• Structural semantics rules: …?
Comparing semanticsStructuralsemantics
Naturalsemantics
Statement
abortabort; S
skip; S
while true do skipif x = 0 then abort else y := y / x
• The natural semantics cannot distinguish between looping and abnormal termination‒ Unless we add a special error state
• The structural operational semantics can distinguish• looping is reflected by infinite derivations and abnormal
termination is reflected by stuck configuration
44
While + non-determinism
• Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| S1 or S2
• Either S1 is executed or S2 is executed• Example: x:=1 or (x:=2; x:=x+2)– Possible outcomes for x: 1 and 4
45
While + non-determinism:natural semantics
S1, s s’S1 or S2, s s’[or1
ns]
S2, s s’S1 or S2, s s’[or2
ns]
46
While + non-determinism:structural semantics
?[or1sos]
?[or2sos]
47
While + non-determinism
• What about the definitions of the semantic functions?– Sns S1 or S2 s
– Ssos S1 or S2 s
Comparing semanticsStructuralsemantics
Naturalsemantics
Statement
x:=1 or (x:=2; x:=x+2)
(while true do skip) or (x:=2; x:=x+2)
• In the natural semantics non-determinism will suppress non-termination (looping) if possible
• In the structural operational semantics non-determinism does not suppress non-terminating statements
49
While + parallelism
Abstract syntaxS ::= x := a | skip | S1; S2| if b then S1 else S2
| while b do S| S1 S2
• All the interleaving of S1 and S2 are executed• Example: x:=1 (x:=2; x:=x+2)– Possible outcomes for x: 1, 3, 4
50
While + parallelism:structural semantics
S1, s S1’, s’ S1S2, s S1’S2, s’ [par1
sos]
S1, s s’ S1S2, s S2, s’ [par2
sos]
S2, s S2’, s’ S1S2, s S1S2’, s’ [par3
sos]
S2, s s’ S1S2, s S1, s’ [par4
sos]
51
While + parallelism:natural semantics
Challenge problem:Give a formal proof that this is in fact impossible.
Idea: try to prove on a restricted version of While without loops/conditions
52
Example: derivation sequencesof a parallel statement
x:=1 (x:=2; x:=x+2), s
53
While + Local Variables
• S ::= …| Let x := a in S
54
Conclusion
• In the structural operational semantics we concentrate on small steps so interleaving of computations can be easily expressed
• In the natural semantics immediate constituent is an atomic entity so we cannot express interleaving of computations
55
While + memory
Abstract syntaxS ::= x := a | skip | S1; S2| if b then S1 else S2
| while b do S| x := malloc(a)| x := [y]|[x] := y
State : Var Z State : Stack HeapStack : Var ZHeap : Z Z
Integers as memory addresses
56
From states to traces
57
Trace semantics
• Low-level (conceptual) semantics• Add program counter (pc) with states– = State + pc
• The meaning of a program is a relation Stm
• Execution is a finite/infinite sequence of states• A useful concept in defining static analysis as
we will see later
58
Example
1: y := 1;
while 2: (x=1) do (
3: y := y * x;
4: x := x - 1
)
5:
59
Traces1: y := 1;
while 2: (x=1) do (
3: y := y * x;
4: x := x - 1
)
5:
{x2,y3},1 [y:=1] {x2,y1},2 [(x=1)] {x2,y1},3 [y:=y*x] {x2,y2},4 [x:=x-1] {x1,y2},2 [(x=1)] {x1,y2},5
{x3,y3},1 [y:=1] {x3,y1},2 [(x=1)] {x3,y1},3 [y:=y*x] {x3,y3},4 [x:=x-1] {x2,y3},2 [(x=1)] {x2,y3},3 [y:=y*x] {x2,y6},4 [x:=x-1] {x1,y6},2 [(x=1)] {x1,y6},5
…
Set of traces is infinite therefore trace semantics is incomputable in general
60
Operational semantics summary• SOS is powerful enough to describe imperative
programs– Can define the set of traces– Can represent program counter implicitly– Handle goto statements and other non-trivial control
constructs (e.g., exceptions)• Natural operational semantics is an abstraction• Different semantics may be used to justify different
behaviors• Thinking in concrete semantics is essential for a
analysis writer
Denotational Semantics
Based on a lecture by Martin Abadi
62
Denotational Semantics• A “mathematical” semantics– S is a mathematical object– A fair amount of mathematics is involved
• Compositional• More abstract and canonical than Op. Sem.– No notion of “execution”
• Merely definitions– No small step vs. big step
63
Denotational Semantics• Denotational semantics is also called– Fixed point semantics– Mathematical semantics– Scott-Strachey semantics
64
Plan
• Denotational semantics of While (1st attempt)• Math– Complete partial orders– Montonicity– Continuity
• Denotational semantics of While
65
Denotational semantics• A: Aexp (N)• B: Bexp (T)• S: Stm ()• Defined by structural induction
66
Denotational semantics• A: Aexp (N)• B: Bexp (T)• S: Stm ()• Defined by structural induction
A a , B b , Sns S , Ssos S
67
Denotational semantics of Aexp• A: Aexp (N)• A n = {(, n) | }• A X = {(, X) | }• A a0+a1 = {(, n0+n1) | (, n0)Aa0, (,n1)Aa1}• A a0-a1 = {(, n0-n1) | (, n0)Aa0, (,n1)Aa1}• A a0a1 = {(, n0 n1) | (, n0)Aa0, (,n1)Aa1}
Lemma: A a is a functionFunctions represented as sets of pairs
68
Denotational semantics of Aexp with
• A: Aexp (N)• A n = .n• A X = .(X)• A a0+a1 = .(A a0+Aa1)• A a0-a1 = .(A a0-Aa1)• A a0a1 = .(A a0 Aa1)
69
Denotational semantics of Bexp• B: Bexp (T)• B true = {(, true) | }• B false = {(, false) | }• B a0=a1 = {(, true) | & Aa0=Aa1 }
{(, false) | & Aa0Aa1 }• B a0a1 = {(, true) | & Aa0 Aa1 }
{(, false) | & Aa0Aa1 }• B b = {(, T t) | , (, t) Bb} • B b0b1 = {(, t0 Tt1) | , (, t0) Bb0, (, t1) Bb1 }• B b0b1 = {(, t0 Tt1) | , (, t0) Bb0, (, t1) Bb1 }
Lemma: Bb is a function
70
Denotational semantics of statements?
• Intuition:–Running a statement s starting from a
state yields another state ’• Can we define S s as a function
that maps to ‘ ? –S .: Stm ( )
71
Denotational semantics of commands?
• Problem: running a statement might not yield anything if the statement does not terminate
• We introduce the special element to denote a special outcome that stands for non-termination
• For any set X, we write X for X {}
• Convention:– whenever f X X we extend f to X X
“strictly” so that f() =
72
Denotational semantics of statements?
• We try:– S . : Stm ( )
• S skip=
• S s0 ; s1 = S s1 (S s0 )
• S if b then s0 else s1 =
if Bb then S s0 else S s1
73
Examples
• S X:= 2; X:=1= [X1]• S if true then X:=2; X:=1 else … = [X1] • The semantics does not care about
intermediate states• So far, we did not explicitly need
74
Denotational semantics of loops?
• S while b do s = ?
75
Denotational semantics of statements?• Abbreviation W=S while b do s• Idea: we rely on the equivalence
while b do s if b then (s; while b do s) else skip
• We may try using unwinding equationW() = if Bb then W(Ss ) else
• Unacceptable solution– Defines W in terms of itself– It not evident that a suitable W exists– It may not describe W uniquely
(e.g., for while true do skip)
76
Introduction to Domain Theory
• We will solve the unwinding equation through a general theory of recursive equations
• Think of programs as processors of streams of bits (streams of 0’s and 1’s, possibly terminated by $)What properties can we expect?
input output
77
Motivation• Let “isone” be a function that must return “1$” when
the input string has at least a 1 and “0$” otherwise– isone(00…0$) = 0$– isone(xx…1…$) =1$– isone(0…0) =?
• Monotonicity : Output is never retracted– More information about the input is reflected in
more information about the output• How do we express monotonicity precisely?
78
Montonicity
• Define a partial orderx y– A partial order is reflexive, transitive, and anti-symmetric– y is a refinement of x
• “more precise”
• For streams of bits x y when x is a prefix of y• For programs, a typical order is:– No output (yet) some output
79
Montonicity
• A set equipped with a partial order is a poset• Definition: – D and E are postes– A function f: D E is monotonic if
x, y D: x D y f(x) E f(y) – The semantics of the program ought to be a
monotonic function• More information about the input leads to more
information about the output
80
Montonicity Example• Consider our “isone” function with the prefix
ordering• Notation:– 0k is the stream with k consecutive 0’s– 0 is the infinite stream with only 0’s
• Question (revisited): what is isone(0k )?– By definition, isone(0k$) = 0$ and isone(0k1$) = 1$– But 0k 0k$ and 0k 0 k1$– “isone” must be monotone, so:
• isone( 0k ) isone( 0k$) = 0$• isone( 0k ) isone( 0k1$) = 1$
– Therefore, monotonicity requires that isone(0k ) is a common prefix of 0$ and 1$, namely
81
Motivation• Are there other constraints on “isone”?• Define “isone” to satisfy the equations– isone()=– isone(1s)=1$– isone(0s)=isone(s)– isone($)=0$
• What about 0?• Continuity: finite output depends only on finite input
(no infinite lookahead)
82
Chains• A chain is a countable increasing sequence
<xi> = {xi X | x0 x1 … }• An upper bound of a set if an element “bigger” than
all elements in the set• The least upper bound is the “smallest” among upper
bounds:– xi <xi> for all i N– <xi> y for all upper bounds y of <xi>
and it is unique if it exists
83
Complete Partial Orders
• Not every poset has an upper bound– with n and nn for all n N– {1, 2} does not have an upper bound
• Sometimes chains have no upper bound
0 1 2…
210
The chain 0 12…
does not have an upper bound
84
Complete Partial Orders• It is convenient to work with posets where every
chain (not necessarily every set) has a least upper bound
• A partial order P is complete if every chain in P has a least upper bound also in P
• We say that P is a complete partial order (cpo)• A cpo with a least (“bottom”) element is a pointed
cpo (pcpo)
85
Examples of cpo’s• Any set P with the order
x y if and only if x = y is a cpoIt is discrete or flat
• If we add so that x for all x P, we get a flat pointed cpo• The set N with is a poset with a bottom, but not a complete
one• The set N { } with n is a pointed cpo• The set N with is a cpo without bottom• Let S be a set and P(S) denotes the set of all subsets of S
ordered by set inclusion– P(S) is a pointed cpo
86
The End
