Program Analysis & Synthesis 236347

Lecture 01 - Introduction

Eran Yahav
Who?

Eran Yahav
Taub 734
Tel: 8294318
[email protected]
Monday 13:30-14:30
http://www.cs.tecnion.ac.il/~yahave

Yuri Meshman (TA)
Taub 329
Tel: 8294890
What?

Understand program analysis & synthesis:
- apply these techniques in your research
- understand jargon/papers
- conduct research in this area

We will cover some areas in more depth than others.

What will help us:
- TA: Yuri Meshman
- 3-5 homework assignments
- small lightweight project
- no exam
Your slides have dark background

(image source: http://www.apolloideas.com/blog/archives/201)
Your slides don't have everything you say written on them

- Yes, I know, this is by design
- Slides are a teaching aid, not a replacement for attending lectures
- If you don't attend lectures, or attend and don't listen, you will miss some things
- If you want slides that have all the material written on them nicely, that format is commonly known as a textbook
- See how horrible this slide is? You won't see many slides with so much text as this one in the rest of the course
Software is Everywhere

Software is Everywhere... and Unreliable
December 31, 2008
Zune Bug

The date-conversion loop from the Zune firmware:

```c
while (days > 365) {
    if (IsLeapYear(year)) {
        if (days > 366) {
            days -= 366;
            year += 1;
        }
    } else {
        days -= 365;
        year += 1;
    }
}
```

On December 31, 2008, the last day of a leap year, the loop is reached with days = 366 and year = 2008. IsLeapYear(2008) is true and days > 366 is false, so neither days nor year changes, the condition 366 > 365 stays true, and the loop never terminates.

Suggested solution: wait for tomorrow
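The same loop as a runnable C program, added here as an example; it is not the firmware's or the slides' own code. It assumes, as the Zune firmware did, that days are counted from 1 January 1980 (day 1), adds an iteration cap so the hang is observable instead of fatal, and shows the one-branch fix. The function and variable names are this example's own.

```c
#include <stdio.h>

/* Gregorian leap-year test. */
int is_leap_year(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* The loop from the slide. 'days' is a 1-based count of days since
 * 1 January 1980 (assumption of this example). On a normal input the loop
 * ends with (year, day-of-year) in *year_out / *day_out and returns 0; a
 * cap on the iteration count is added so that the non-terminating case
 * returns -1 instead of hanging the caller. */
int zune_convert_buggy(int days, int *year_out, int *day_out, unsigned max_iters) {
    int year = 1980;
    unsigned iters = 0;
    while (days > 365) {
        if (iters++ >= max_iters) return -1;   /* would spin forever */
        if (is_leap_year(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            }
            /* days == 366 in a leap year: nothing changes, so the loop
             * condition stays true and this body repeats forever. */
        } else {
            days -= 365;
            year += 1;
        }
    }
    *year_out = year;
    *day_out = days;
    return 0;
}

/* Fixed loop: day 366 of a leap year is a valid final state, so leave the
 * loop instead of falling through with nothing changed. */
int zune_convert_fixed(int days, int *year_out, int *day_out) {
    int year = 1980;
    while (days > 365) {
        if (is_leap_year(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            } else {
                break;   /* 31 December of a leap year */
            }
        } else {
            days -= 365;
            year += 1;
        }
    }
    *year_out = year;
    *day_out = days;
    return 0;
}

int main(void) {
    /* 31 December 2008 is day 10593 counted from 1 January 1980. */
    int year = 0, day = 0;
    if (zune_convert_buggy(10593, &year, &day, 1000) < 0)
        printf("buggy loop: no progress after 1000 iterations (hang)\n");
    zune_convert_fixed(10593, &year, &day);
    printf("fixed loop: year %d, day %d\n", year, day);
    return 0;
}
```

Note that the bug is not visible on any other day: day 10592 (30 December 2008) converts correctly with either version, which is why it survived until the first leap year the device was in use.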
February 25, 1991
Patriot Bug - Rounding Error

Time is measured in 1/10 seconds. The binary expansion of 1/10 is non-terminating:

    0.0001100110011001100110011001100...

The 24-bit register holds the chopped value

    0.00011001100110011001100

so each tick carries an error of

    0.0000000000000000000000011001100... (binary), or ~0.000000095 (decimal).

After 100 hours of operation the accumulated error is 0.000000095 × 100 × 3600 × 10 = 0.34 seconds.

A Scud travels at about 1,676 meters per second, and so travels more than half a kilometer in this time.

Suggested solution: reboot every 10 hours
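The arithmetic above carried through in C, as an added example (not the slides' own code and not the Patriot software). It assumes the register keeps 23 bits after the binary point, which is what the slide's bit string shows, and that the per-tick error accumulates linearly at 10 ticks per second; the function names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>

/* Bits after the binary point in the register, as in the slide's bit string
 * 0.00011001100110011001100 (assumption of this example). */
#define FRACTION_BITS 23
#define ONE ((uint32_t)1 << FRACTION_BITS)

/* 1/10 as the register stores it: scaled by 2^23 and chopped, not rounded.
 * 8388608 / 10 = 838860 (the exact value would be 838860.8). */
uint32_t tenth_fixed(void) {
    return ONE / 10u;
}

/* The stored value read back as a real number. */
double tenth_stored(void) {
    return (double)tenth_fixed() / (double)ONE;
}

/* Truncation error per clock tick: 0.1 minus what the register holds. */
double tick_error(void) {
    return 0.1 - tenth_stored();
}

/* Accumulated clock error after 'hours' of uptime at 10 ticks per second:
 * the same per-tick error is added on every tick, so it grows linearly. */
double clock_drift_seconds(double hours) {
    double ticks = hours * 3600.0 * 10.0;
    return tick_error() * ticks;
}

/* Range error against a target moving at 'speed_mps' metres per second. */
double range_error_metres(double hours, double speed_mps) {
    return clock_drift_seconds(hours) * speed_mps;
}

/* Absolute difference, so results can be checked without libm. */
double abs_diff(double a, double b) {
    return a > b ? a - b : b - a;
}

int main(void) {
    printf("stored 1/10 = %.12f, error per tick = %.3e s\n",
           tenth_stored(), tick_error());
    printf("drift after 100 h = %.3f s, range error vs Scud = %.0f m\n",
           clock_drift_seconds(100.0), range_error_metres(100.0, 1676.0));
    printf("drift after 10 h (reboot workaround) = %.3f s\n",
           clock_drift_seconds(10.0));
    return 0;
}
```

The 10-hour reboot keeps the drift near 0.034 seconds, which is why it was proposed as a workaround; it does nothing about the root cause, which is that a non-terminating binary fraction was stored in a fixed-point register and the error was allowed to accumulate.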
August 13, 2003
I just want to say LOVE YOU SAN!!
(W32.Blaster.Worm)
Windows Exploit(s): Buffer Overflow

```c
#include <string.h>

void foo(char *x) {
    char buf[2];
    strcpy(buf, x);   /* no bound on the copy: writes strlen(x) + 1 bytes */
}

int main(int argc, char *argv[]) {
    foo(argv[1]);
}
```

    $ ./a.out abracadabra
    Segmentation fault

Stack frame of foo, listed from higher to lower memory addresses; the stack grows toward lower addresses, so a copy that runs past buf climbs into the slots above it (exact layout varies with compiler and ABI, YMMV):

    previous frame
    return address
    saved FP
    char* x
    buf[2]
    ...
[Animation, the same slide repeated: strcpy fills buf with "ab", then "abra", "abraca", "abracada", "abracadabr". Only the first two bytes fit in buf[2]; the rest overwrite the saved frame pointer and then the return address of foo, which is why the program crashes when foo returns, and why an attacker who controls the string controls where foo returns to (YMMV).]
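An added C example (not the slides' own code) that quantifies the overflow from the slide and puts the vulnerable foo beside a bounded replacement. foo_vulnerable is the slide's foo kept for contrast and is never called with a long input here; BUF_SIZE and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 2   /* the 2-byte buffer from the slide */

/* Number of bytes strcpy(buf, src) writes: the characters plus the NUL. */
size_t strcpy_bytes_written(const char *src) {
    return strlen(src) + 1;
}

/* How many of those bytes land past the end of a buffer of 'cap' bytes.
 * For the slide's input: 12 bytes written into 2, so 10 bytes spill onto
 * the saved frame pointer, the return address and the caller's frame. */
size_t overflow_bytes(const char *src, size_t cap) {
    size_t n = strcpy_bytes_written(src);
    return n > cap ? n - cap : 0;
}

/* The slide's foo(): a stack buffer overflow whenever strlen(x) >= BUF_SIZE.
 * Kept only for contrast; calling it with untrusted input is undefined
 * behaviour, in practice a crash or a hijacked return address. */
void foo_vulnerable(const char *x) {
    char buf[BUF_SIZE];
    strcpy(buf, x);
    (void)buf;
}

/* Length of s, never looking further than 'max' bytes, so the check itself
 * cannot read past a non-terminated input. */
size_t bounded_len(const char *s, size_t max) {
    size_t i = 0;
    while (i < max && s[i] != '\0') i++;
    return i;
}

/* Hardened foo(): reject anything that does not fit together with its NUL,
 * then copy with an explicit length. Returns 0 on success, -1 on rejection. */
int foo_safe(const char *x) {
    char buf[BUF_SIZE];
    size_t len = bounded_len(x, BUF_SIZE);
    if (len >= BUF_SIZE) {
        return -1;               /* too long: not a single byte is written */
    }
    memcpy(buf, x, len + 1);     /* len + 1 <= BUF_SIZE */
    (void)buf;
    return 0;
}

int main(int argc, char *argv[]) {
    const char *input = argc > 1 ? argv[1] : "abracadabra";
    printf("strcpy would write %zu bytes, %zu of them past buf\n",
           strcpy_bytes_written(input), overflow_bytes(input, BUF_SIZE));
    printf("foo_safe: %s\n", foo_safe(input) == 0 ? "copied" : "rejected");
    return 0;
}
```

The fix is not "use strncpy": strncpy(buf, x, BUF_SIZE) silently drops the terminator when the input is exactly BUF_SIZE bytes, and the later reader of buf then runs off the end. Checking the length against the capacity first, and refusing rather than truncating, is what a static checker of this code would want to see.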
(In)correct Usage of APIs

Application trend: an increasing number of libraries and APIs, with non-trivial restrictions on the permitted sequences of operations.

Typestate: temporal safety properties
- What sequences of operations are permitted on an object?
- Encoded as a DFA, e.g. "Don't use a Socket unless it is connected"

Socket typestate DFA with states init, connected, closed and err (transitions as drawn on the slide):
- init --connect()--> connected
- init --getInputStream() / getOutputStream()--> err
- connected --getInputStream() / getOutputStream()--> connected
- connected --close()--> closed
- closed --getInputStream() / getOutputStream()--> err
- closed --close()--> closed
- err --*--> err
Challenges

```java
class SocketHolder { Socket s; }

Socket makeSocket() {
    return new Socket();   // A
}

void open(Socket l) throws IOException {
    l.connect();
}

void talk(Socket s) throws IOException {
    s.getOutputStream().write("hello".getBytes());
}

void main() throws IOException {
    Set<SocketHolder> set = new HashSet<SocketHolder>();
    while (…) {
        SocketHolder h = new SocketHolder();
        h.s = makeSocket();
        set.add(h);
    }
    for (Iterator<SocketHolder> it = set.iterator(); …) {
        Socket g = it.next().s;
        open(g);
        talk(g);
    }
}
```

The sockets allocated at A flow through a field, a collection and an iterator before they are connected and used, so a checker has to track which abstract object each variable refers to (aliasing) and not just the local variable names.
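The Socket DFA above as executable code, added here as an example (not from the slides) and written in C like the rest of this page's examples. It replays an operation trace on one object and reports the first operation that drives the object into err, which is exactly the question a typestate checker answers statically for every trace at once. Transitions the slide does not draw, such as connect() on an already connected socket, are treated as errors here; that is this example's assumption, and the enum and function names are its own.

```c
#include <stdio.h>

/* States of the Socket typestate DFA on the slide. */
typedef enum { ST_INIT, ST_CONNECTED, ST_CLOSED, ST_ERR } State;

/* Operations that appear as edge labels. */
typedef enum { OP_CONNECT, OP_GET_INPUT_STREAM, OP_GET_OUTPUT_STREAM, OP_CLOSE } Op;

/* Transition function. Edges drawn on the slide: init -connect-> connected,
 * init -getI/O-> err, connected -getI/O-> connected, connected -close-> closed,
 * closed -getI/O-> err, closed -close-> closed, err -*-> err. Any other
 * (state, operation) pair goes to err (assumption of this example). */
State typestate_step(State s, Op op) {
    int is_stream = (op == OP_GET_INPUT_STREAM || op == OP_GET_OUTPUT_STREAM);
    switch (s) {
    case ST_INIT:
        return op == OP_CONNECT ? ST_CONNECTED : ST_ERR;
    case ST_CONNECTED:
        if (op == OP_CLOSE) return ST_CLOSED;
        return is_stream ? ST_CONNECTED : ST_ERR;
    case ST_CLOSED:
        return op == OP_CLOSE ? ST_CLOSED : ST_ERR;
    default:
        return ST_ERR;   /* err absorbs every operation ("*") */
    }
}

/* Replay a sequence of operations on one socket object, starting in init.
 * Returns -1 if every operation was permitted, otherwise the index of the
 * first operation that drives the object into err. */
int check_sequence(const Op *ops, int n) {
    State s = ST_INIT;
    for (int i = 0; i < n; i++) {
        s = typestate_step(s, ops[i]);
        if (s == ST_ERR) return i;
    }
    return -1;
}

int main(void) {
    /* Constructed traces: the Challenges program's intended use, a use
     * before connect(), and a use after close(). */
    Op ok[]    = { OP_CONNECT, OP_GET_OUTPUT_STREAM, OP_CLOSE };
    Op early[] = { OP_GET_OUTPUT_STREAM, OP_CONNECT };
    Op late[]  = { OP_CONNECT, OP_CLOSE, OP_GET_INPUT_STREAM };
    printf("ok:    %d\n", check_sequence(ok, 3));      /* -1 */
    printf("early: %d\n", check_sequence(early, 2));   /* 0 */
    printf("late:  %d\n", check_sequence(late, 3));    /* 2 */
    return 0;
}
```

The checker is trivial once the trace of a single object is known. The difficulty in the Challenges program is obtaining that trace without running the code: the socket created at A is reached through h.s, the set and the iterator, so the analysis must decide which operations apply to the same object before it can run this DFA on them.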
But there is hope!

Microsoft's Static Driver Verifier (from MSR) found hundreds of errors in 140 drivers right before the Windows 7 release. Microsoft uses and distributes the tool.
But there is hope!

"Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we're building tools that can do actual proof about the software and how it works in order to guarantee the reliability." -- Bill Gates, 2002
But there is hope!

The Astrée static analyzer has been used to automatically prove the absence of run-time errors in the primary flight control software of the Airbus A340 and A380.
But there is hope!

Companies such as IBM, Coverity, Klocwork and GrammaTech create sophisticated code analysis tools.
Theory + Practice

In this course we will study the core theoretical principles behind these approaches and learn how to apply them to build practical analysis engines.
Approaches to Reliability

The general problem is undecidable. There are two general classes of automated techniques for program analysis; we will cover both.
Approaches to Reliability

[Figure: nested sets. The outer set is all behaviors in the universe; inside it sit the program's actual behaviors. An over-approximation is a superset of the program behaviors, an under-approximation a subset.]
Under-approximations

Standard testing, guided dynamic analysis, symbolic execution, ...

These focus on a subset of behaviors. Which subset? What guarantees can it provide?

We will cover some of the more interesting ones.
Over-approximations, aka "Static Analysis"

Abstract interpretation, dataflow analysis, constraint-based analysis, type and effect systems.

Always err on the safe side: every behavior the program can have is covered, at the price of also covering behaviors it never has.

Many applications: verification, bug finding, code synthesis, program understanding, ...
Static Analysis

Reason statically (at compile time) about the possible runtime behaviors of a program.

"The algorithmic discovery of properties of a program by inspection of its source text" (1) -- Manna, Pnueli

(1) Does not have to literally be the source text; it just means without running it.
Static Analysis

- Formalize software behavior in a mathematical model (semantics)
- Prove properties of the mathematical model, automatically, typically with approximation of the formal semantics
- Develop theory and tools for program correctness and robustness
Static Analysis

[Figure: the analyzer takes a program and a specification as inputs and outputs either "Valid" or an abstract counterexample.]
Verification Challenge I

```c
main(int i) {
    int x = 3, y = 1;
    do {
        y = y + 1;
    } while (--i > 0);
    assert(0 < x + y);
}
```

Determine what states can arise during any execution.

Challenge: the set of states is unbounded.
Abstract Interpretation

Same program: x = 3, y = 1; do { y = y + 1; } while (--i > 0); assert 0 < x + y.

Recipe:
1) Abstraction
2) Transformers
3) Exploration

Determine what states can arise during any execution.

Challenge: the set of states is unbounded. Solution: compute a bounded representation of (a superset of) the program states.
1) Abstraction

Same program: x = 3, y = 1; do { y = y + 1; } while (--i > 0); assert 0 < x + y.

concrete state:         σ  : Var → Z
abstract state (sign):  σ# : Var → {+, 0, -, ?}

    concrete states         abstract state
    x  y  i                 x  y  i
    3  1  7                 +  +  +
    3  2  6
    ...
2) Transformers

Same program: x = 3, y = 1; do { y = y + 1; } while (--i > 0); assert 0 < x + y.

concrete transformer for y = y + 1:

    x  y  i          x  y  i
    3  1  0    -->   3  2  0

abstract transformer for y = y + 1 on the sign domain:

    x  y  i          x  y  i
    +  +  0    -->   +  +  0
    +  -  0    -->   +  ?  0
    +  0  0    -->   +  +  0
    +  ?  0    -->   +  ?  0
3) Exploration

Same program: x = 3, y = 1; do { y = y + 1; } while (--i > 0); assert 0 < x + y.

[Figure: abstract states (x, y, i) annotated at each program point. At entry, before the initialization, the state is (?, ?, ?); after x = 3, y = 1 it is (+, +, ?), and re-applying the loop transformer yields (+, +, ?) again at every point in and after the loop. The exploration has reached a fixed point, and since x and y are both + at the assertion, 0 < x + y holds.]
Incompleteness

```c
main(int i) {
    int x = 3, y = 1;
    do {
        y = y - 2;
        y = y + 3;
    } while (--i > 0);
    assert(0 < x + y);
}
```

[Figure: the same exploration on the sign domain. Before the initialization the state is (?, ?, ?) and after x = 3, y = 1 it is (+, +, ?), but y = y - 2 on a + value yields ? and y = y + 3 cannot recover from ?, so the loop stabilizes at (+, ?, ?). The sign abstraction cannot prove 0 < x + y even though it holds in every concrete execution: the analysis is sound but incomplete.]
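The three steps of the recipe (abstraction, transformers, exploration) on the sign domain, as an added C example that is not the slides' own code. It analyses both loop bodies from the two slides above, Verification Challenge I (y = y + 1) and Incompleteness (y = y - 2; y = y + 3), iterates to a fixed point and then asks whether the abstract state proves 0 < x + y. The treatment of --i as "i minus something positive", the representation of ? as S_TOP with an extra S_BOT for unreachable, and all names are this example's choices.

```c
#include <stdio.h>

/* Sign abstract domain. BOT = no value (unreachable), TOP = the slide's "?". */
typedef enum { S_BOT, S_NEG, S_ZERO, S_POS, S_TOP } Sign;

/* Abstraction of a single concrete value. */
Sign sign_of(long v) {
    return v < 0 ? S_NEG : (v == 0 ? S_ZERO : S_POS);
}

/* Least upper bound: merges the states that reach a program point. */
Sign sign_join(Sign a, Sign b) {
    if (a == S_BOT) return b;
    if (b == S_BOT) return a;
    return a == b ? a : S_TOP;
}

/* Abstract addition; the slide's table for y = y + 1 is the case b == S_POS. */
Sign sign_add(Sign a, Sign b) {
    if (a == S_BOT || b == S_BOT) return S_BOT;
    if (a == S_ZERO) return b;
    if (b == S_ZERO) return a;
    if (a == b) return a;      /* + plus + is +, - plus - is - */
    return S_TOP;              /* + plus -, or anything involving ? */
}

/* Abstract state: one sign per variable of the slide's program. */
typedef struct { Sign x, y, i; } AbsState;

int abs_equal(AbsState a, AbsState b) {
    return a.x == b.x && a.y == b.y && a.i == b.i;
}

AbsState abs_join(AbsState a, AbsState b) {
    AbsState r;
    r.x = sign_join(a.x, b.x);
    r.y = sign_join(a.y, b.y);
    r.i = sign_join(a.i, b.i);
    return r;
}

/* Abstract transformer of one loop body plus the --i of the condition.
 * two_step == 0: body is y = y + 1; two_step != 0: body is y = y - 2; y = y + 3. */
AbsState body_step(AbsState s, int two_step) {
    if (two_step) {
        s.y = sign_add(s.y, S_NEG);   /* y = y - 2: + becomes ? */
        s.y = sign_add(s.y, S_POS);   /* y = y + 3: ? stays ? */
    } else {
        s.y = sign_add(s.y, S_POS);   /* y = y + 1: + stays + */
    }
    s.i = sign_add(s.i, S_NEG);       /* --i */
    return s;
}

/* Exploration: from the state after x = 3, y = 1 (i unknown), re-apply
 * entry ⊔ body(head) at the loop head until nothing changes. The domain is
 * finite, so this terminates. Returns the state at the assert. */
AbsState analyse(int two_step, int *iterations) {
    AbsState entry = { S_POS, S_POS, S_TOP };
    AbsState head = entry;
    int n = 0;
    for (;;) {
        AbsState next = abs_join(entry, body_step(head, two_step));
        n++;
        if (abs_equal(next, head)) break;   /* fixed point reached */
        head = next;
    }
    *iterations = n;
    return body_step(head, two_step);       /* the loop exits after a body */
}

/* Can the abstract state prove assert 0 < x + y? Only if x + y is +. */
int assert_proved(AbsState s) {
    return sign_add(s.x, s.y) == S_POS;
}

static const char *show(Sign s) {
    static const char *names[] = { "_", "-", "0", "+", "?" };
    return names[s];
}

int main(void) {
    int n;
    AbsState a = analyse(0, &n);
    printf("y = y + 1:         x=%s y=%s i=%s (%d rounds), assert %s\n",
           show(a.x), show(a.y), show(a.i), n, assert_proved(a) ? "proved" : "unknown");
    AbsState b = analyse(1, &n);
    printf("y = y - 2; y += 3: x=%s y=%s i=%s (%d rounds), assert %s\n",
           show(b.x), show(b.y), show(b.i), n, assert_proved(b) ? "proved" : "unknown");
    return 0;
}
```

The second run is the incompleteness case: every concrete execution keeps y positive, but the sign domain loses that fact the moment it sees y - 2, and no later transformer can recover it. A sound analysis reports "unknown" here, never "proved"; whether that is acceptable is a question of choosing a richer abstraction, which the next slides turn to.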
Parity Abstraction

Challenge: how to find "the right" abstraction.

```c
while (x != 1) {
    if (x % 2 == 0) {
        x = x / 2;
    } else {
        x = x * 3 + 1;
        assert(x % 2 == 0);
    }
}
```

Tracking only the parity of x (even, odd, unknown) is enough here: in the else branch x is odd, so 3x + 1 is even and the assertion holds. The sign domain of the previous slides says nothing about this property.
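The parity domain on the loop above, added here as an example (not the slides' own code), in C like the other examples on this page. Unlike the sign example, it shows a branch condition refining the abstract state: x % 2 == 0 narrows x to even on the then-path and to odd on the else-path, and that refinement is what makes the assertion provable. The domain encoding and the function names are this example's own.

```c
#include <stdio.h>

/* Parity abstract domain: BOT = unreachable, TOP = parity unknown. */
typedef enum { P_BOT, P_EVEN, P_ODD, P_TOP } Parity;

Parity parity_of(long v) { return (v % 2 == 0) ? P_EVEN : P_ODD; }

/* Join merges control-flow paths; meet refines a state by a condition. */
Parity parity_join(Parity a, Parity b) {
    if (a == P_BOT) return b;
    if (b == P_BOT) return a;
    return a == b ? a : P_TOP;
}
Parity parity_meet(Parity a, Parity b) {
    if (a == P_TOP) return b;
    if (b == P_TOP) return a;
    return a == b ? a : P_BOT;
}

/* Transformers for the two assignments in the loop. */
Parity parity_half(Parity p) {
    /* x / 2 of an even x can have either parity (4/2 = 2, 6/2 = 3). */
    return p == P_BOT ? P_BOT : P_TOP;
}
Parity parity_3x_plus_1(Parity p) {
    if (p == P_EVEN) return P_ODD;    /* 3*even + 1 is odd */
    if (p == P_ODD)  return P_EVEN;   /* 3*odd + 1 is even */
    return p;                          /* BOT stays BOT, TOP stays TOP */
}

/* Analyse
 *   while (x != 1) { if (x % 2 == 0) x = x / 2; else { x = 3x + 1; assert(x % 2 == 0); } }
 * from an entry parity of x. Returns the loop-head parity at the fixed point;
 * *assert_ok is 1 if the assertion holds on every abstract path. */
Parity analyse_parity_loop(Parity entry, int *assert_ok) {
    Parity head = entry;
    *assert_ok = 1;
    for (;;) {
        Parity then_x = parity_half(parity_meet(head, P_EVEN));
        Parity else_x = parity_3x_plus_1(parity_meet(head, P_ODD));
        /* assert(x % 2 == 0) on the else path: must be even or unreachable. */
        if (else_x != P_EVEN && else_x != P_BOT) *assert_ok = 0;
        Parity next = parity_join(entry, parity_join(then_x, else_x));
        if (next == head) return head;     /* fixed point */
        head = next;
    }
}

int main(void) {
    int ok;
    Parity p = analyse_parity_loop(P_TOP, &ok);
    printf("loop-head parity: %s, assertion %s\n",
           p == P_TOP ? "?" : (p == P_EVEN ? "even" : "odd"),
           ok ? "proved" : "not proved");
    return 0;
}
```

At the loop head x is unknown (x / 2 of an even number can be anything), yet the assertion is still proved, because the property only has to hold on the else-path, where the guard has already told us x is odd. That is the sense in which parity is "the right" abstraction for this program: it is just precise enough for the guard to carry the needed fact into the branch.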
Example: Shape (Heap) Analysis

```c
void stack_init(int i) {
    Node* x = NULL;
    do {
        Node* t = malloc(…);
        t->n = x;
        x = t;
    } while (--i > 0);
    Top = x;
}
assert(acyclic(Top))
```

[Animation, the same slide repeated: concrete heap states over the iterations of the loop. Starting from the empty heap (emp), each iteration allocates a node t, links it to the previous head with t->n = x, and makes it the new head with x = t, so after k iterations x (and finally Top) points to a chain of k nodes: x,t -> n -> n -> ... -> null. The concrete state grows without bound with i, which is why an abstraction is needed to prove acyclic(Top) for every i.]
Static Analysis in one slide

1) Abstraction

[Figure: a concrete state, the list x,t -> n -> n -> n, is mapped to an abstract state x,t -> n* in which the single node pointed to by x and t is kept and all the other nodes are merged into one summary node.]

2) Transformers

[Figure: the abstract transformer for t->n = x: given an abstract heap with a fresh node t and the list x -> n*, it produces t -> x -> n*, i.e. the new node is linked in front of the abstract list.]
Static Analysis

(same stack_init program and assert(acyclic(Top)) as above)

[Animation, the same slide repeated: abstract exploration of stack_init. The abstract heap starts as emp; the first iteration gives a node t, then x,t; the second gives x,t -> n; from the third iteration on, the nodes not pointed to by x or t are merged into a single summary node, so the abstract state x,t -> n* (with a possible n edge from the summary node to itself) is reproduced by the next iteration. The exploration stops at this fixed point. Joining the states that reach Top = x gives Top pointing to one node followed by the summary node, and the abstract states carry enough information to show that the list is acyclic for every i.]
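An added C example (not the slides' own code) for the shape-analysis slides above: the stack_init program made compilable, a runtime check of acyclic(Top), and the abstraction function from "Static Analysis in one slide" (keep the node pointed to by a variable, merge the rest into a summary node). It is not a static analysis: it runs the concrete program for increasing i and abstracts each resulting heap, to make visible why the concrete states grow without bound while the abstract states saturate. The Shape struct, the summary_self field and the function names are this example's own encoding.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Node { struct Node *n; } Node;

Node *Top = NULL;

/* The slide's stack_init, made compilable: pushes i nodes onto a list. */
void stack_init(int i) {
    Node *x = NULL;
    do {
        Node *t = malloc(sizeof(Node));
        if (t == NULL) abort();
        t->n = x;
        x = t;
    } while (--i > 0);
    Top = x;
}

void free_list(Node *head) {
    while (head != NULL) {
        Node *next = head->n;
        free(head);
        head = next;
    }
}

/* Runtime check of the property the analysis proves for every i at once
 * (Floyd's tortoise and hare). */
int acyclic(const Node *head) {
    const Node *slow = head, *fast = head;
    while (fast != NULL && fast->n != NULL) {
        slow = slow->n;
        fast = fast->n->n;
        if (slow == fast) return 0;
    }
    return 1;
}

/* Canonical abstraction as on the slides: the node pointed to by a program
 * variable (x and t both point at the head after the loop body) stays an
 * individual node; every other node is merged into one summary node. */
typedef struct {
    int head_node;        /* a node pointed to by x/t exists */
    int summary_node;     /* the summary node (rest of the list) exists */
    int head_to_summary;  /* n edge from the head node into the summary */
    int summary_self;     /* n edge inside the summary (a maybe-edge) */
} Shape;

Shape abstract_shape(const Node *head) {
    size_t len = 0;
    for (const Node *p = head; p != NULL; p = p->n) len++;
    Shape s;
    s.head_node = len >= 1;
    s.summary_node = len >= 2;
    s.head_to_summary = len >= 2;
    s.summary_self = len >= 3;   /* two or more summarized nodes are linked */
    return s;
}

int shape_equal(Shape a, Shape b) {
    return a.head_node == b.head_node && a.summary_node == b.summary_node &&
           a.head_to_summary == b.head_to_summary && a.summary_self == b.summary_self;
}

/* Run the concrete program for i = 1, 2, ..., abstract each final heap, and
 * report the first i from which the abstract shape no longer changes. The
 * concrete heaps keep growing; the abstract ones do not, which is why an
 * abstract exploration of this loop reaches a fixed point. */
int shape_saturation_point(int max_i) {
    Shape prev = { 0, 0, 0, 0 };
    for (int i = 1; i <= max_i; i++) {
        stack_init(i);
        Shape cur = abstract_shape(Top);
        free_list(Top);
        Top = NULL;
        if (i > 1 && shape_equal(prev, cur)) return i - 1;
        prev = cur;
    }
    return -1;
}

int main(void) {
    stack_init(5);
    printf("acyclic(Top) for i = 5: %d\n", acyclic(Top));
    free_list(Top);
    Top = NULL;
    printf("abstract shape stops changing from i = %d on\n", shape_saturation_point(10));
    return 0;
}
```

The abstraction alone does not prove acyclicity: a summary node with a self-edge could, as far as this struct knows, also stand for a cycle. The slides' analysis keeps additional instrumentation (which nodes are reachable from which, whether a node lies on a cycle) in the abstract state precisely so that the fixed point distinguishes "a long list" from "a list with a loop in it".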
Example: Polyhedra (Numerical) Domain
```
proc MC(n:int) returns (r:int)
  var t1:int, t2:int;
begin
  if (n>100) then
    r = n-10;
  else
    t1 = n + 11;
    t2 = MC(t1);
    r = MC(t2);
  endif;
end

var a:int, b:int;
begin
  b = MC(a);
end
```
What is the result of this program?
![Page 92: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/92.jpg)
McCarthy 91 function

```
proc MC (n : int) returns (r : int)
  var t1 : int, t2 : int;
begin
  /* (L6 C5) top */
  if n > 100 then
    /* (L7 C17) [|n-101>=0|] */
    r = n - 10;
    /* (L8 C14) [|-n+r+10=0; n-101>=0|] */
  else
    /* (L9 C6) [|-n+100>=0|] */
    t1 = n + 11;
    /* (L10 C17) [|-n+t1-11=0; -n+100>=0|] */
    t2 = MC(t1);
    /* (L11 C17) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0|] */
    r = MC(t2);
    /* (L12 C16) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0; r-t2+10>=0; r-91>=0|] */
  endif;
  /* (L13 C8) [|-n+r+10>=0; r-91>=0|] */
end

var a : int, b : int;
begin
  /* (L18 C5) top */
  b = MC(a);
  /* (L19 C12) [|-a+b+10>=0; b-91>=0|] */
end
```
if (n>=101) then n-10 else 91
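An added example, not from the slides: the MC procedure in C next to the polyhedron reported after `endif` (`-n+r+10 >= 0` and `r-91 >= 0`), checked for soundness on a range of inputs and for how many results it admits per input, which is the over-approximation the numerical domain pays for being sound. The input range and the counting helper are assumptions made here.

```c
#include <stdbool.h>

/* McCarthy's 91 function, as the proc MC on the slide. */
int mc(int n) {
    if (n > 100) return n - 10;
    return mc(mc(n + 11));
}

/* The polyhedron inferred at the end of MC: -n+r+10 >= 0 and r-91 >= 0. */
bool mc_polyhedron(int n, int r) {
    return -n + r + 10 >= 0 && r - 91 >= 0;
}

/* Soundness on a finite range: every concrete result must lie inside the
 * polyhedron (the analysis guarantees this for all n, we only spot-check). */
bool polyhedron_sound_on(int lo, int hi) {
    for (int n = lo; n <= hi; n++)
        if (!mc_polyhedron(n, mc(n))) return false;
    return true;
}

/* Closed form stated on the slide: if n >= 101 then n-10 else 91. */
int mc_closed_form(int n) { return n >= 101 ? n - 10 : 91; }

/* Precision: how many r in [lo, hi] the polyhedron admits for a given n.
 * The exact result is a single value; every extra value admitted is
 * over-approximation (e.g. r = 95 for n = 50 is admitted but unreachable). */
int admitted_results(int n, int lo, int hi) {
    int count = 0;
    for (int r = lo; r <= hi; r++)
        if (mc_polyhedron(n, r)) count++;
    return count;
}
```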
![Page 93: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/93.jpg)
93
Some things that should trouble you:
• does a result always exist?
• does the recipe always converge?
• is the result always "the best"?
• how do I pick my abstraction?
• how do I come up with abstract transformers?
![Page 94: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/94.jpg)
94
Recap: program analysis
• Reason statically (at compile time) about the possible runtime behaviors of a program
• use sound over-approximation of program behavior
• abstract interpretation
  • abstract domain
  • transformers
  • exploration (fixed-point computation)
• finding the right abstraction?
![Page 95: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/95.jpg)
95
Program Synthesis
Automatically synthesize a program that is correct-by-construction from a (higher-level) specification
(figure: specification → Synthesizer → program)
![Page 96: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/96.jpg)
96
Program Synthesis: Techniques
• Gen/Test
• Theorem Proving
• Games
• SAT/SMT Solvers
• Transformational Synthesis
• Abstract Interpretation
• … (we will not be able to cover all in depth)
![Page 97: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/97.jpg)
97
Synthesis Challenge I

```c
signum(int x) {
    if (x > 0) return 1;
    else if (x < 0) return -1;
    else return 0;
}
```

Challenge: Generate efficient assembly code for "signum"

```asm
# x in d0
add.l  d0, d0   | add d0 to itself
subx.l d1, d1   | subtract (d1+carry) from d1
negx.l d0       | put (0-d0-carry) into d0
addx.l d1, d1   | add (d1+carry) to d1
# signum(x) is now in d1
```
![Page 98: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/98.jpg)
98
Superoptimizer [Massalin, 1987]
• exhaustive search over assembly programs
• order search by increasing program length
• check input/output "equivalence" with original code
  • boolean test: construct boolean formula for functions and compare them; not practical
  • probabilistic test: run many times on some inputs and check if the outputs of both programs are the same
• expensive, only applied to critical pieces of code (e.g., common libraries)
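An added example (not from the slides) that ties the signum challenge on page 97 to the probabilistic test described here: a small C model of the four 68000 instructions, the slide's C signum as the reference, and a sampling-based equivalence check of the kind a superoptimizer runs before trusting a candidate. The instruction model (registers plus the extend flag X only) and the xorshift sampler are assumptions made here.

```c
#include <stdint.h>
#include <stdbool.h>

/* Model of the four 68000 instructions used: only d0, d1 and the extend flag X matter. */
typedef struct { uint32_t d0, d1; int X; } Cpu;

static void add_l(Cpu *c, uint32_t *dst, uint32_t src) {   /* dst += src        */
    uint64_t s = (uint64_t)*dst + src;
    c->X = (int)(s >> 32);                                   /* carry out -> X    */
    *dst = (uint32_t)s;
}
static void addx_l(Cpu *c, uint32_t *dst, uint32_t src) {  /* dst += src + X    */
    uint64_t s = (uint64_t)*dst + src + (uint64_t)c->X;
    c->X = (int)(s >> 32);
    *dst = (uint32_t)s;
}
static void subx_l(Cpu *c, uint32_t *dst, uint32_t src) {  /* dst -= src + X    */
    uint64_t sub = (uint64_t)src + (uint64_t)c->X;
    c->X = sub > *dst;                                       /* borrow out -> X   */
    *dst = (uint32_t)(*dst - sub);
}
static void negx_l(Cpu *c, uint32_t *dst) {                /* dst = 0 - dst - X */
    uint32_t v = *dst;
    *dst = 0;
    subx_l(c, dst, v);
}

/* The slide's candidate: x in d0, signum(x) in d1 after four instructions. */
int32_t signum_asm(int32_t x) {
    Cpu c = { (uint32_t)x, 0, 0 };
    add_l(&c, &c.d0, c.d0);
    subx_l(&c, &c.d1, c.d1);
    negx_l(&c, &c.d0);
    addx_l(&c, &c.d1, c.d1);
    return (int32_t)c.d1;
}

/* The original C signum from the slide. */
int32_t signum_ref(int32_t x) { return x > 0 ? 1 : (x < 0 ? -1 : 0); }

/* Probabilistic test: boundary values plus n xorshift-generated inputs (constructed
 * here). Passing is evidence, not a proof, exactly as the slide warns. */
bool equivalent_on_samples(uint32_t seed, int n) {
    const int32_t edge[] = { 0, 1, -1, INT32_MAX, INT32_MIN, 0x40000000, -0x40000000 };
    for (int i = 0; i < (int)(sizeof edge / sizeof edge[0]); i++)
        if (signum_asm(edge[i]) != signum_ref(edge[i])) return false;
    for (uint32_t s = seed ? seed : 1u; n-- > 0; ) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        if (signum_asm((int32_t)s) != signum_ref((int32_t)s)) return false;
    }
    return true;
}
```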
![Page 99: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/99.jpg)
99
Denali Superoptimizer [Joshi, Nelson, Randall, 2001]
“a refutation-based automatic theorem-prover is in fact a general-purpose goal-directed search engine, which can perform a goal-directed search for anything that can be specified in its declarative input language. Successful proofs correspond to unsuccessful searches, and vice versa.”
(more details later in the course…)
• Turn the search of a program into a search of counter-example in a theorem prover
![Page 100: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/100.jpg)
100

Synthesis of Atomic Sections

(figure: three procedures P1(), P2(), P3(), each drawn as a box of code with some statements wrapped in an atomic section, together with the Safety Specification: S; the code bodies are not recoverable from the transcript)
![Page 101: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/101.jpg)
101

Synthesis of Atomic Sections

(figure: the same three procedures P1(), P2(), P3() with the Safety Specification: S; no atomic sections are marked on this slide, and the code bodies are not recoverable from the transcript)
![Page 102: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/102.jpg)
102

Semantic Optimized Search [Vechev, Yahav, Bacon and Rinetzky, 2007]

(figure: the search space of programs ordered from less atomic to more atomic)
![Page 103: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/103.jpg)
103
```
unsigned int got_lock = 0;
...
1: while(*) {
     ...
2:   if (*) {
3:     lock();
4:     got_lock++;
     }
     ...
5:   if (got_lock != 0) {
6:     unlock();
     }
7:   got_lock--;
     ...
   }

lock()   { lock:   LOCK := 1; }
unlock() { unlock: LOCK := 0; }
```

Specification
P1: do not acquire a lock twice
P2: do not call unlock without holding the lock

P1: always( line=lock implies next( line!=lock w-until line=unlock ))
P2: ( line!=unlock w-until line=lock ) and always( line=unlock implies next( line!=unlock w-until line=lock ))

(slide adapted with permission from Barbara Jobstmann)
Program Repair as a Game [Jobstmann et al. 2005]
![Page 104: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/104.jpg)
104
How to Repair a Reactive System?
1. Add freedom of choice for the system: the space of permitted modifications to the system
2. Source code ➝ transition system (game)
   • non-determinism in the program (demonic)
   • non-determinism in permitted modification (angelic)
3. Specification ➝ monitor
4. Check if we can find system choices s.t. the model is accepted by the monitor
   • product of transition system and monitor
   • search for a winning strategy in the game
(slide adapted with permission from Barbara Jobstmann)
![Page 105: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/105.jpg)
105
```
unsigned int got_lock = 0;
...
1: while(*) {
     ...
2:   if (*) {
3:     lock();
4:     got_lock = 1;
     }
     ...
5:   if (got_lock != 0) {
6:     unlock();
     }
7:   got_lock = 0;
     ...
   }

lock()   { lock:   LOCK := 1; }
unlock() { unlock: LOCK := 0; }
```

Specification
P1: do not acquire a lock twice
P2: do not call unlock without holding the lock

P1: always( line=lock implies next( line!=lock w-until line=unlock ))
P2: ( line!=unlock w-until line=lock ) and always( line=unlock implies next( line!=unlock w-until line=lock ))

(slide adapted with permission from Barbara Jobstmann)
Repaired Program
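As an added example (not Jobstmann et al.'s tool), a C model of the locking program from page 103 and of the repaired program above: each variant is run over every sequence of outcomes of the `if (*)` test up to a bound, with P1 and P2 checked by a monitor inlined at the lock()/unlock() sites. The bounded enumeration of demonic choices stands in for the game search; the variant encoding, the `LOCK` model and the bound are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>

/* A variant is fixed by how lines 4 and 7 update got_lock. */
typedef struct { unsigned (*line4)(unsigned); unsigned (*line7)(unsigned); } Variant;
static unsigned inc(unsigned g)  { return g + 1; }        /* original line 4: got_lock++ */
static unsigned dec(unsigned g)  { return g - 1; }        /* original line 7: got_lock-- (wraps at 0) */
static unsigned one(unsigned g)  { (void)g; return 1; }   /* repaired line 4: got_lock = 1 */
static unsigned zero(unsigned g) { (void)g; return 0; }   /* repaired line 7: got_lock = 0 */
const Variant ORIGINAL = { inc, dec };
const Variant REPAIRED = { one, zero };

typedef enum { OK, P1_DOUBLE_LOCK, P2_UNLOCK_UNHELD } Verdict;

/* Run `iters` loop iterations; bit i of `choices` is the outcome of the
 * `if (*)` test in iteration i. LOCK models the lock's state (LOCK := 1/0)
 * and the monitor for P1/P2 is checked where lock()/unlock() are called. */
Verdict run_trace(const Variant *v, uint32_t choices, int iters) {
    unsigned got_lock = 0;
    int LOCK = 0;
    for (int i = 0; i < iters; i++) {
        if ((choices >> i) & 1) {                 /* line 2: if (*)             */
            if (LOCK) return P1_DOUBLE_LOCK;      /* line 3: lock() while held  */
            LOCK = 1;
            got_lock = v->line4(got_lock);        /* line 4                     */
        }
        if (got_lock != 0) {                      /* line 5                     */
            if (!LOCK) return P2_UNLOCK_UNHELD;   /* line 6: unlock() not held  */
            LOCK = 0;
        }
        got_lock = v->line7(got_lock);            /* line 7                     */
    }
    return OK;
}

/* Demonic nondeterminism, bounded: every choice sequence of length `iters`.
 * Shorter runs (the while(*) exit) are covered, since violations are
 * reported as soon as they occur along a prefix. */
Verdict explore(const Variant *v, int iters) {
    for (uint32_t choices = 0; choices < (1u << iters); choices++) {
        Verdict r = run_trace(v, choices, iters);
        if (r != OK) return r;
    }
    return OK;
}
```

With one iteration neither variant misbehaves; the original needs two skipped branches (got_lock wraps to UINT_MAX, then unlock() runs without the lock) or the sequence take, skip, take, take to acquire the lock twice.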
![Page 106: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/106.jpg)
106
Partial Programs and SKETCH [aLisp: Andre et al 2002, Sketch: Solar-Lezama et al 2006]

• a partial program plays the role that freedom of choice plays in games: it defines a space of programs
• Given a partial program P with control variables C ("holes") and a specification S, the goal is to find an assignment for C such that P[C] satisfies S

```
specification:             double(x) { return x + x; }
partial program (sketch):  double(x) { return ?? * x; }
                                   |
                               Synthesizer
                                   v
result:                    double(x) { return 2 * x; }
```
![Page 107: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/107.jpg)
107
SKETCH: isolate rightmost 0

```
bit[W] isolate0 (bit[W] x) {          // W: word size
    bit[W] ret = 0;
    for (int i = 0; i < W; i++)
        if (!x[i]) { ret[i] = 1; break; }
    return ret;
}

bit[W] isolate0Fast (bit[W] x) implements isolate0 {
    return ~x & (x+1);
}

bit[W] isolate0Sketched (bit[W] x) implements isolate0 {
    return ~(x + ??) & (x + ??);
}
```

(Hacker's Delight, H.S. Warren)
![Page 108: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/108.jpg)
Synthesis as generalized SAT

The sketch synthesis problem: find control values c such that the sketch agrees with the specification on every input x,

∃c. ∀x. spec(x) = sketch(x, c)

Counter-example driven solver:

```
I = ∅
x = random-input()
do
    I = I ∪ {x}
    find c such that ∀i ∈ I. spec(i) = sketch(c, i)
    if cannot find c then exit("non-satisfiable sketch")
    find x such that spec(x) ≠ sketch(x, c)
while x != nil
return c
```
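The counter-example driven loop above, instantiated for the isolate0 sketch from page 107 as an added example (this is not the SKETCH tool's code). Assumptions made here: an 8-bit word size, enumeration of hole values in place of the SAT solver for "find c", exhaustive search over the 256 inputs in place of the verifier for "find x", and a fixed first input instead of random-input().

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint8_t word;                            /* W = 8, constructed for this example */
typedef struct { word h1, h2; } Holes;           /* the two ?? of isolate0Sketched     */

word spec(word x)            { return (word)(~x & (x + 1)); }               /* isolate0Fast     */
word sketch(word x, Holes c) { return (word)(~(x + c.h1) & (x + c.h2)); }   /* isolate0Sketched */

/* "find c such that for all i in I: spec(i) = sketch(c, i)", by enumeration. */
static bool find_c(const word *I, int n, Holes *out) {
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++) {
            Holes c = { (word)a, (word)b };
            int i = 0;
            while (i < n && spec(I[i]) == sketch(I[i], c)) i++;
            if (i == n) { *out = c; return true; }
        }
    return false;
}

/* "find x such that spec(x) != sketch(x, c)": exhaustive over all 8-bit inputs. */
static bool find_counterexample(Holes c, word *x) {
    for (int v = 0; v < 256; v++)
        if (spec((word)v) != sketch((word)v, c)) { *x = (word)v; return true; }
    return false;
}

typedef struct { bool ok; Holes c; int rounds; } Result;

/* The loop from the slide; x0 stands in for random-input(). */
Result cegis_isolate0(word x0) {
    word I[256];                                 /* each round adds a fresh input */
    int n = 0;
    Result r = { false, { 0, 0 }, 0 };
    word x = x0;
    do {
        I[n++] = x;                              /* I = I ∪ {x}                 */
        r.rounds++;
        if (!find_c(I, n, &r.c)) return r;       /* "non-satisfiable sketch"    */
    } while (find_counterexample(r.c, &x));      /* x == nil: no counterexample */
    r.ok = true;
    return r;
}
```

Starting from x0 = 255 the first candidate (0, 0) agrees on that input alone, the verifier answers with x = 0, and the second round settles on ~(x + 0) & (x + 1), the isolate0Fast program.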
![Page 109: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/109.jpg)
109
SMARTEdit [Lau et al, 2000]
synthesize editor macros (programs) from examples
behind the scenes: machine learning techniques
![Page 110: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/110.jpg)
110
![Page 111: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/111.jpg)
111
![Page 112: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/112.jpg)
112
![Page 113: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/113.jpg)
113
Recap: program synthesis
Automatically synthesize a program that is correct-by-construction from a (higher-level) specification
• many techniques
  • games
  • games with abstraction (abstract interpretation)
![Page 114: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/114.jpg)
114
Next: Objectives
![Page 115: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/115.jpg)
115
Objective 1Understand the principles behind automated reasoning techniques and be able to apply them in your research
![Page 116: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/116.jpg)
116
Objective 2Understand how to use these principles to build a practical working analyzer
![Page 117: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/117.jpg)
117
Objective 3Gain familiarity with the state-of-the-art in the research area and be able to conduct research
![Page 118: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/118.jpg)
118
Important Side Objective
Have fun !
![Page 119: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/119.jpg)
119
Coming up (extremely optimistic! more likely, we'll cover half of it)
• Program Semantics: basis for everything
• Dynamic Analysis: using the semantics for cool analyses
• Abstract Interpretation: theory of approximation
• Predicate abstraction: a widely used form of A.I.
• Pointer analysis: how to abstract heaps
• Symbolic execution: merge of static and dynamic
• Program synthesis: discovery of code
• Program analysis frameworks: building an analysis
• More…?
![Page 120: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/120.jpg)
120
Course Project
Implement a program analyzer
There is a default project; we will give you a template to simplify your work.
But, if you have your own idea, we can discuss it.
Please do not copy code from others
![Page 121: Program analysis & Synthesis 236347](https://reader035.vdocument.in/reader035/viewer/2022070501/56816946550346895de0d39a/html5/thumbnails/121.jpg)
121
References
• Patriot bug: http://www.cs.usyd.edu.au/~alum/patriot_bug.html
• Patrick Cousot's NYU lecture notes
• Zune bug: http://www.crunchgear.com/2008/12/31/zune-bug-explained-in-detail/
• Blaster worm: http://www.sans.org/security-resources/malwarefaq/w32_blasterworm.php
• Interesting CACM article: http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
• http://journals.cambridge.org/download.php?file=%2FMSC%2FMSC19_05%2FS0960129509990041a.pdf&code=d5af66869c1881e31339879b90c07d0c