Spring 2014Program Analysis and Verification

Lecture 2: Operational Semantics I

Roman ManevichBen-Gurion University

2

Syllabus

Semantics

NaturalSemantics

Structural semantics

AxiomaticVerification

StaticAnalysis

AutomatingHoare Logic

AbstractInterpretation fundamentals

Lattices

Galois Connections

Fixed-Points

Widening/Narrowing

Domain constructors

InterproceduralAnalysis

AnalysisTechniques

Numerical Domains

CEGAR

Alias analysis

ShapeAnalysis

Crafting your own

Soot

From proofs to abstractions

Systematically developing

transformers

3

http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html

4

Today

• What is semantics and what is it useful for?• Natural operational semantics pages 19-32• Structural operational semantics pages 32-50

5

What is formal semantics?

“Formal semantics is concerned with rigorously specifying the meaning, or behavior, of

programs, pieces of hardware, etc.” / page 1

6

What is formal semantics?

“This theory allows a program to be manipulated like a formula –

that is to say, its properties can be calculated.”

Gérard Huet & Philippe Flajolet homageto Gilles Kahn

7

Why formal semantics?

• Implementation-independent definition of a programming language

• Automatically generating interpreters (and some day maybe full fledged compilers)

• Verification and debugging– if you don’t know what it does, how do you know

its incorrect?

8

Levels of abstractions and applications

Program Semantics

Assembly-level Semantics(Small-step)

Static Analysis(abstract semantics)

9

Semantic description methods• Operational semantics

– Natural semantics (big step) [G. Kahn]– Structural semantics (small step) [G. Plotkin]

• Denotational semantics [D. Scott, C. Strachy]

• Axiomatic semantics [C. A. R. Hoare, R. Floyd]

• Trace semantics

• Collecting semantics

• [Instrumented semantics]

Today

Next lecture

Concepts that will be introduced even later

Not in this course

Used for verification

10

The while language

11

Syntactic categories

n Num numeralsx Var program variablesa Aexp arithmetic expressionsb Bexp boolean expressionsS Stm statements

12

A simple imperative language: While

Concrete syntax:a ::= n | x | a1 + a2 | a1 a2 | a1 – a2

b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2

S ::= x := a | skip | S1; S2

| if b then S1 else S2

| while b do S

13

Exercise: draw a derivation tree

S S;

S

y:=1; while (x=1) do (y:=y*x; x:=x-1)

14

Concrete syntax may be ambiguous

a

y

:=x

S

a

z

:=y

Sa

x

:=z

S

;

S;

S

a

x

:=z

S

a

y

:=x

S;

S ;

S

a

z

:=y

S

z:=x; x:=y; y:=z

z:=x; (x:=y; y:=z) (z:=x; x:=y); y:=z

15

A simple imperative language: While

Abstract syntax:Notation: n[la,rb] – a node labeled with n and two children l and r. The children may be labeled to indicate their role for easier reading

a ::= n | x | + [a1, a2] | [a1, a2] | –[a1, a2]

b ::= true | false| =[a1, a2] | [ a1, a2] | [b] | [b1, b2]

S ::= :=[x, a] | skip | ;[S1, S2] | if[b, S1

then, S2else]

| while[bcondition, Sbody]

n

l r

a b

16

Exercise: draw an AST

:= while

;

y:=1; while (x=1) do (y:=y*x; x:=x-1)

17

Semantic values

18

Semantic categories

Z Integers {0, 1, -1, 2, -2, …}

T Truth values {ff, tt}State Var Z

Example state: =[x5, y7, z0]Lookup: x = 5Update: [x6] = [x6, y7, z0]

19

Example state manipulations

• [x1, y7, z16] y =• [x1, y7, z16] t =• [x1, y7, z16][x5] =• [x1, y7, z16][x5] x =• [x1, y7, z16][x5] y =

20

Semantics of expressions

21

Semantics of arithmetic expressions

• Arithmetic expressions are side-effect free• Semantic function A Aexp : State Z• Defined by induction on the syntax tree

A n = nA x = xA a1 + a2 = A a1 + A a2 A a1 - a2 = A a1 - A a2 A a1 * a2 = A a1 A a2 A (a1) = A a1 --- not needed

A - a = 0 - A a1

• Compositional• Properties can be proved by structural induction

22

Arithmetic expression exercise

Suppose x = 3Evaluate A x+1

23

Semantics of boolean expressions

• Boolean expressions are side-effect free• Semantic function B Bexp : State T• Defined by induction on the syntax tree

B true = ttB false = ffB a1 = a2 =B a1 a2 =B b1 b2 =

B b =

24

Operational semantics

25

Operational semantics

• Concerned with how to execute programs– How statements modify state– Define transition relation between configurations

• Two flavors– Natural semantics: describes how the overall

results of executions are obtained• So-called “big-step” semantics

– Structural operational semantics: describes how the individual steps of a computations take place• So-called “small-step” semantics

26

Big Step (natural)Semantics

By Luke (personally authorized right to use this image), via Mighty Optical Illusions

S, ’

27

Natural operating semantics

• Developed by Gilles Kahn [STACS 1987]• Configurations

S, Statement S is about to execute on state Terminal (final) state

• TransitionsS, ’ Execution of S from will terminate

with the result state ’– Ignores non-terminating computations

28

Natural operating semantics

• defined by rules of the form

• The meaning of compound statements is defined using the meaning immediate constituent statements

S1, 1 1’, … , Sn, n n’ S, ’

if…

premise

conclusion

side condition

29

Natural semantics for While

x := a, [x Aa][assns]

skip, [skipns]

S1, ’, S2, ’ ’’S1; S2, ’’

[compns]

S1, ’ if b then S1 else S2, ’

if B b = tt[ifttns]

S2, ’ if b then S1 else S2, ’

if B b = ff[ifffns]

axioms

30

Natural semantics for While

S, ’, while b do S, ’ ’’while b do S, ’’

if B b = tt[whilettns]

while b do S, if B b = ff[whileffns]

Non-compositional

31

Executing the semantics

32

Example

• Let 0 be the state which assigns zero to all program variables

x:=x+1, 0

skip, 0 0

0[x1]

skip, 0 0, x:=x+1, 0 0[x1] skip; x:=x+1, 0 0[x1]

x:=x+1, 0 0[x1]if x=0 then x:=x+1 else skip, 0 0[x1]

33

Derivation trees

• Using axioms and rules to derive a transition S, ’ gives a derivation tree– Root: S, ’– Leaves: axioms– Internal nodes: conclusions of rules• Immediate children: matching rule premises

34

Derivation tree example 1• Assume 0=[x5, y7, z0]

1=[x5, y7, z5]2=[x7, y7, z5]3=[x7, y5, z5]

(z:=x; x:=y); y:=z, 0 3

(z:=x; x:=y), 0 2 y:=z, 2 3

z:=x, 0 1 x:=y, 1 2

[assns] [assns]

[assns][compns]

[compns]

35

Derivation tree example 1• Assume 0=[x5, y7, z0]

1=[x5, y7, z5]2=[x7, y7, z5]3=[x7, y5, z5]

(z:=x; x:=y); y:=z, 0 3

(z:=x; x:=y), 0 2 y:=z, 2 3

z:=x, 0 1 x:=y, 1 2

[assns] [assns]

[assns][compns]

[compns]

36

Top-down evaluation via derivation trees

• Given a statement S and an input state find an output state ’ such that S, ’

• Start with the root and repeatedly apply rules until the axioms are reached– Inspect different alternatives in order

• In While ’ and the derivation tree is unique

37

Top-down evaluation example

• Factorial program with x = 2• Shorthand: W=while (x=1) do (y:=y*x; x:=x-1)

y:=1; while (x=1) do (y:=y*x; x:=x-1), [y 2][x1]

y:=1, [y 1] W, [y 1] [y 2, x 1]

y:=y*x; x:=x-1, [y 1] [y 2][x1] W, [y 2][x1] [y 2, x 1]

y:=y*x, [y 1] [y 2] x:=x-1, [y 2] [y 2][x1]

[assns]

[compns]

[assns]

[compns]

[whileffns]

[whilettns]

[assns]

38

Properties of natural semantics

39

Program termination

• Given a statement S and input – S terminates on s if there exists a state ’ such that

S, ’– S loops on s if there is no state ’ such that

S, ’• Given a statement S– S always terminates if

for every input state , S terminates on – S always loops if

for every input state , S loops on

40

Semantic equivalence

• S1 and S2 are semantically equivalent if for all and ’ S1, ’ if and only if S2, ’

• Simple examplewhile b do Sis semantically equivalent to:if b then (S; while b do S) else skip– Read proof in pages 26-27

41

Properties of natural semantics

• Equivalence of program constructs– skip; skip is semantically equivalent to skip – ((S1; S2); S3) is semantically equivalent to

(S1; (S2; S3))– (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40)

42

Equivalence of (S1; S2); S3 and S1; (S2; S3)

43

Equivalence of (S1; S2); S3 and S1; (S2; S3)

(S1; S2), 12, S3, 12 ’ (S1; S2); S3, ’

S1, s 1, S2, 1 12

S1, 1, (S2; S3), 12 ’ (S1; S2); S3, ’

S2, 1 12, S3, 12 ’

Assume (S1; S2); S3, ’ then the following unique derivation tree exists:

Using the rule applications above, we can construct the following derivation tree:

And vice versa.

44

Deterministic semantics for While

• Theorem: for all statements S and states 1, 2

if S, 1 and S, 2 then 1= 2

• The proof uses induction on the shape of derivation trees (pages 29-30)– Prove that the property holds for all simple

derivation trees by showing it holds for axioms– Prove that the property holds for all composite

trees: • For each rule assume that the property holds for its

premises (induction hypothesis) and prove it holds for the conclusion of the rule

single node

#nodes>1

45

The semantic function Sns

• The meaning of a statement S is defined as a partial function from State to State

Sns: Stm (State State)

• Examples:Sns skip = Sns x:=1 = [x 1]

Sns while true do skip = undefined

Sns S = ’ if S, ’ undefined else

By Astronaut David R. Scott, Apollo 15 commander. [Public domain], via Wikimedia Commons

Small Step Semantics

S,

first step

46

47

Structural operational semantics

• Developed by Gordon Plotkin• Configurations: has one of two forms:

S, Statement S is about to execute on state Terminal (final) state

• Transitions S, g = S’, ’ Execution of S from is not completed

and remaining computation proceeds from intermediate configuration

g = ’ Execution of S from has terminated and the final state is ’

• S, is stuck if there is no such that S,

first step

48

Structural semantics for While x:=a, [xAa][asssos]

skip, [skipsos]

S1, S1’, ’ S1; S2, S1’; S2, ’

[comp1sos]

if b then S1 else S2, S1, if B b = tt[ifttsos]

if b then S1 else S2, S2, if B b = ff[ifffsos]

S1, ’ S1; S2, S2, ’

[comp2sos]

When does this happen?

49

Structural semantics for While

while b do S, if b then

S; while b do S) else

skip,

[whilesos]

50

Executing structural operational semantics

51

Derivation sequences• A derivation sequence of a statement S starting in state

is either• A finite sequence 0, 1, 2 …, k such that

1. 0 = S, 2. i i+1

3. k is either stuck configuration or a final state

• An infinite sequence 0, 1, 2, … such that1. 0 = S, 2. i i+1

• Notations:– 0 k k 0 derives k in k steps

– 0 * 0 derives in a finite number of steps

• For each step there is a corresponding derivation tree

52

Derivation sequence example

• Assume 0=[x5, y7, z0](z:=x; x:=y); y:=z, 0

x:=y; y:=z, 0[z5] y:=z, (0[z5])[x7] ((0[z5])[x7])[y5]

(z:=x; x:=y); y:=z, 0 x:=y; y:=z); y:=z, 0[z5]

z:=x; x:=y, 0 x:=y, 0[z5]

z:=x, 0 0[z5]

• Derivation tree for first step:

53

Evaluation via derivation sequences

• For any While statement S and state it is always possible to find at least one derivation sequence from S, – Apply axioms and rules forever or until a terminal

or stuck configuration is reached• Proposition: there are no stuck configurations

in While

Next lecture:operational semantics II

55

Natural semantics for While

x := a, [x Aa][assns]

skip, [skipns]

S1, ’, S2, ’ ’’S1; S2, ’’ [compns]

S1, ’ if b then S1 else S2, ’

if B b = tt[ifttns]

S2, ’ if b then S1 else S2, ’

if B b = ff[ifffns]

while b do S, if B b = ff[whileffns]

S, ’, while b do S, ’ ’’while b do S, ’’

if B b = tt[whilettns]

56

Structural semantics for While x := a, [x Aa][asssos]

skip, [skipsos]

S1, S1’, ’ S1; S2, S1’; S2,

[comp1sos]

if b then S1 else S2, S1, if B b = tt[ifttsos]

if b then S1 else S2, S2, if B b = ff[ifffsos]

S1, ’ S1; S2, S2, ’

[comp2sos]

while b do S, if b then S; while b do S) else skip,

[whilesos]