lecture 01 - introduction eran yahav 1. goal understand program analysis & synthesis apply...
Post on 19-Dec-2015
214 views
TRANSCRIPT
![Page 1: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/1.jpg)
PROGRAM ANALYSIS & SYNTHESIS
Lecture 01 - Introduction
Eran Yahav
![Page 2: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/2.jpg)
Goal
Understand program analysis & synthesis apply these techniques in your research understand jargon/papers conduct research in this area
We will cover some areas in more depth than others
What will help us TA: Nimrod Partush lecture summaries 3-5 homework assignments Small lightweight project No exam
![Page 3: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/3.jpg)
December 31, 2008
![Page 4: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/4.jpg)
Zune Bug
1 while (days > 365) {
2 if (IsLeapYear(year)) {
3 if (days > 366) {
4 days -= 366;
5 year += 1;
6 }
7 } else {
8 days -= 365;
9 year += 1;
10 }
11 }
![Page 5: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/5.jpg)
Zune Bug
1 while (366 > 365) {
2 if (IsLeapYear(2008)) {
3 if (366 > 366) {
4 days -= 366;
5 year += 1;
6 }
7 } else {
8 days -= 365;
9 year += 1;
10 }
11 }Suggested solution: wait for tomorrow
![Page 6: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/6.jpg)
February 25, 1991
![Page 7: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/7.jpg)
Patriot Bug - Rounding Error Time measured in 1/10 seconds Binary expansion of 1/10:
0.0001100110011001100110011001100.... 24-bit register
0.00011001100110011001100 error of
0.0000000000000000000000011001100... binary, or ~0.000000095 decimal
After 100 hours of operation error is 0.000000095×100×3600×10=0.34
A Scud travels at about 1,676 meters per second, and so travels more than half a kilometer in this time
Suggested solution: reboot every 10 hours
![Page 8: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/8.jpg)
August 13, 2003
I just want to say LOVE YOU SAN!!
(W32.Blaster.Worm)
![Page 9: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/9.jpg)
Windows Exploit(s) Buffer Overflow
void foo (char *x) {
char buf[2];
strcpy(buf, x);
}
int main (int argc, char *argv[]) {
foo(argv[1]);
}
./a.out abracadabra
Segmentation fault
Stack grows this way
Memory addresses
Previous frame
Return address
Saved FP
char* x
buf[2]
…
ab
ra
ca
da
br
(YMMV)
![Page 10: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/10.jpg)
(In)correct Usage of APIs Application Trend: Increasing number of libraries and
APIs
– Non-trivial restrictions on permitted sequences of operations
Typestate: Temporal safety properties
– What sequence of operations are permitted on an object?
– Encoded as DFA
e.g. “Don’t use a Socket unless it is connected”
init connected closed
err
connect() close()
getInputStream()getOutputStream()
getInputStream()getOutputStream()getInputStream()
getOutputStream()
close()
*
![Page 11: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/11.jpg)
Challengesclass SocketHolder { Socket s; }
Socket makeSocket() { return new Socket(); // A }
open(Socket l) { l.connect(); }talk(Socket s) { s.getOutputStream()).write(“hello”); }
main() { Set<SocketHolder> set = new HashSet<SocketHolder>(); while(…) { SocketHolder h = new SocketHolder(); h.s = makeSocket(); set.add(h) } for (Iterator<SocketHolder> it = set.iterator(); …) { Socket g = it.next().s; open(g); talk(g); }}
![Page 12: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/12.jpg)
Testing is Not Enough
Observe some program behaviors What can you say about other
behaviors?
Concurrency makes things worse
Smart testing is useful requires the techniques that we will see
in the course
![Page 13: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/13.jpg)
Program Analysis & Synthesis*
High-level Language
/ Specification
Low-level language/ Implementation
* informally speaking
analy
sissy
nth
esis
![Page 14: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/14.jpg)
Static Analysis
Reason statically (at compile time) about the possible runtime behaviors of a program
“The algorithmic discovery of properties of a program by inspection of its source text1”-- Manna, Pnueli
1 Does not have to literally be the source text, just means w/o running it
![Page 15: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/15.jpg)
Static Analysis
x = ?if (x > 0) { y = 42;} else { y = 73; foo();} assert (y == 42);
Bad news: problem is generally undecidable
![Page 16: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/16.jpg)
universe
Static Analysis
Central idea: use approximation
Under Approximation
Exact set of configurations/behaviors
Over Approximation
![Page 17: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/17.jpg)
Over Approximation
x = ?if (x > 0) { y = 42;} else { y = 73; foo();} assert (y == 42);
Over approximation: assertion may be violated
![Page 18: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/18.jpg)
Lose precision only when required Understand where precision is lost
Precision
main(…) { printf(“assertion may be violated\n”);}
![Page 19: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/19.jpg)
Static Analysis
Formalize software behavior in a mathematical model (semantics)
Prove properties of the mathematical model Automatically, typically with approximation
of the formal semantics
Develop theory and tools for program correctness and robustness
![Page 20: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/20.jpg)
Static Analysis
Spans a wide range type checking … up to full functional verification
General safety specifications Security properties (e.g., information flow) Concurrency correctness conditions (e.g.,
progress, linearizability) Correct use of libraries (e.g., typestate)
Under-approximations useful for bug-finding, test-case generation,…
![Page 21: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/21.jpg)
Static Analysis: Techniques Abstract Interpretation Dataflow analysis Constraint-based analysis Type and effect systems
(we will not be able to cover all in depth)
![Page 22: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/22.jpg)
Static Analysis for Verification
program
specification
Abstractcounterexample
Analyzer
Valid
![Page 23: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/23.jpg)
Verification Challenge I
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
Determine what states can arise during any execution
Challenge: set of states is unbounded
![Page 24: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/24.jpg)
Abstract Interpretation
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
Recipe1)Abstraction2)Transformers3)Exploration
Challenge: set of states is unbounded Solution: compute a bounded representation of (a superset) of program states
Determine what states can arise during any execution
![Page 25: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/25.jpg)
1) Abstraction
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
concrete state
abstract state (sign)
: Var Z
#: Var{+, 0, -, ?}
x y i
3 1 7 x y i
+ + +
3 2 6
x y i
…
![Page 26: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/26.jpg)
2) Transformers
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
concrete transformer
abstract transformer
x y i
+ + 0
x y i
3 1 0y = y + 1
x y i
3 2 0
x y i
+ + 0
y = y + 1
+ - 0 + ? 0
+ 0 0 + + 0
+ ? 0 + ? 026
![Page 27: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/27.jpg)
3) Exploration
+ + ? + + ?
x y i
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
+ + ?
+ + ?
? ? ?
x y i
+ + ?
+ + ?
+ + ?
+ + ?
+ + ?
+ + ?
![Page 28: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/28.jpg)
Incompleteness
28
main(int i) { int x=3,y=1;
do { y = y - 2; y = y + 3; } while(--i > 0) assert 0 < x + y}
+ ? ?
+ ? ?
x y i
+ ? ?
+ + ?
? ? ?
x y i
+ ? ?
+ ? ?
+ ? ?
![Page 29: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/29.jpg)
29
Parity Abstraction
challenge: how to find “the right” abstraction
while (x !=1 ) do { if (x % 2) == 0 { x := x / 2; } else { x := x * 3 + 1; assert (x %2 ==0); }}
![Page 30: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/30.jpg)
30
Finding “the right” abstraction?
pick an abstract domain suited for your property numerical domains domains for reasoning about the heap …
combination of abstract domains
another approach abstraction refinement
![Page 31: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/31.jpg)
Example: Shape (Heap) Analysis
t
x
n
x
t n
x
t n n
x
t n n
xtt
x
ntt
nt
x
tx
t
xemp
void stack-init(int i) {
Node* x = null;
do {
Node t =
malloc(…)
t->n = x;
x = t;
} while(--i>0)
Top = x;
} assert(acyclic(Top))
t
x
n n
x
t n n
x
t n n n
x
t n n n
x
t n n n
top
![Page 32: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/32.jpg)
Following the Recipe (In a Nutshell)
1) Abstraction
Concrete state Abstract state
x
t n n n
x
tn
2) Transformers
n
x
tn
t n
xn
t->n = x
![Page 33: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/33.jpg)
x
t n n
t
x
n
x
t n
x
t n n
xtt
x
ntt
nt
x
tx
t
xemp
x
t n
n
x
t n
n
n
x
tn
t n
xn
x
t n
n
3) Explorationvoid stack-init (int i)
{
Node* x = null;
do {
Node t =
malloc(…)
t->n = x;
x = t;
} while(--i>0)
Top = x;
}
assert(acyclic(Top))x
t n
Top n
nt
x Top
tx Top x
t n
Top n
![Page 34: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/34.jpg)
Example: Polyhedra (Numerical) Domain
proc MC(n:int) returns (r:int) var t1:int, t2:int; begin if (n>100) then r = n-10; else t1 = n + 11; t2 = MC(t1); r = MC(t2); endif; end
var a:int, b:int; begin b = MC(a); end
What is the result of this program?
![Page 35: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/35.jpg)
McCarthy 91 functionproc MC (n : int) returns (r : int) var t1 : int, t2 : int;begin /* (L6 C5) top */ if n > 100 then /* (L7 C17) [|n-101>=0|] */ r = n - 10; /* (L8 C14) [|-n+r+10=0; n-101>=0|] */ else /* (L9 C6) [|-n+100>=0|] */ t1 = n + 11; /* (L10 C17) [|-n+t1-11=0; -n+100>=0|] */ t2 = MC(t1); /* (L11 C17) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0|] */ r = MC(t2); /* (L12 C16) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0; r-t2+10>=0; r-91>=0|] */ endif; /* (L13 C8) [|-n+r+10>=0; r-91>=0|] */end
var a : int, b : int;begin /* (L18 C5) top */ b = MC(a); /* (L19 C12) [|-a+b+10>=0; b-91>=0|] */end
if (n>=101) then n-10 else 91
![Page 36: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/36.jpg)
36
Some things that should trouble you
does a result always exist? does the recipe always converge? is the result always “the best”? how do I pick my abstraction? how do come up with abstract
transformers?
![Page 37: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/37.jpg)
37Change the abstraction to match the program
Abstraction Refinement
program
specification
Abstractcounterexample
abstraction
AbstractionRefinement
Abstractcounterexample
Verify
Valid
![Page 38: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/38.jpg)
38
Recap: program analysis
Reason statically (at compile time) about the possible runtime behaviors of a program
use sound over-approximation of program behavior
abstract interpretation abstract domain transformers exploration (fixed-point computation)
finding the right abstraction?
![Page 39: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/39.jpg)
Program Synthesis
Automatically synthesize a program that is correct-by-construction from a (higher-level) specification
program
specification
Synthesizer
![Page 40: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/40.jpg)
Program Synthesis: Techniques Gen/Test Theorem Proving Games SAT/SMT Solvers Transformational Synthesis Abstract Interpretation … (we will not be able to cover all in
depth)
![Page 41: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/41.jpg)
Synthesis Challenge I
signum(int x) {
if (x>0) return 1;
else if (x<0) return -1;
else return 0;
}
Challenge: Generate efficient assembly code for “signum”
# x in d0add.l d0, d0 | add d0 to itselfsubx.l d1,d1 | subtract (d1+carry) from d1negx.l d0 | put (0-d0-carry) into d0addx.l d1, d1 | add (d1+carry) to d1# signum(x) is now in d1
![Page 42: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/42.jpg)
42
Superoptimizer [Massalin, 1987]
exhaustive search over assembly programs order search by increasing program length check input/output “equivalence” with original
code boolean test – construct boolean formula for
functions and compare them not practical
probabilistic test – run many times on some inputs and check if the outputs of both programs are the same
expensive, only applied to critical pieces of code (e.g., common libraries)
![Page 43: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/43.jpg)
43
Denali Superoptimizer[Joshi, Nelson, Randall, 2001]
“a refutation-based automatic theorem-prover is in fact a general-purpose goal-directed search engine, which can perform a goal-directed search for anything that can be specified in its declarative input language. Successful proofs correspond to unsuccessful searches, and vice versa.”
(more details later in the course…)
• Turn the search of a program into a search of counter-example in a theorem prover
![Page 44: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/44.jpg)
{ ……………… …… …………………. …………………….…………………………}
P1()
Synthesis of Atomic Sections
44
{ …………………………… ……………………. …}
P2()
ato
mic
ato
mic
{ ………………….. …… ……………………. ……………… ……………………}
P3()
ato
mic
Safety Specification: S
![Page 45: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/45.jpg)
{ ……………… …… …………………. …………………….…………………………}
P1()
{ …………………………… ……………………. …}
P2()
{ ………………….. …… ……………………. ……………… ……………………}
P3()
Safety Specification: S
45
Synthesis of Atomic Sections
![Page 46: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/46.jpg)
lessatomic
moreatomic
46
Semantic Optimized Search[vechev, yahav, bacon and rinetzky, 2007]
![Page 47: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/47.jpg)
47
unsigned int got_lock = 0; ...1: while(*) { ...2: if (*) {3: lock();4: got_lock++; } ...5: if (got_lock != 0){6: unlock(); }7: got_lock--; ... }
lock() {lock: LOCK:=1;}unlock(){unlock: LOCK:=0;}
SpecificationP1: do not acquire a lock twiceP2: do not call unlock without holding the lock
P1: always( line=lock implies next( line!=lock w-until line=unlock ))P2: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock ))
(slide adapted with permission from Barbara Jobstmann)
Program Repair as a Game [Jobstmann et. al. 2005]
![Page 48: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/48.jpg)
48
How to Repair a Reactive System?
1. Add freedom choice for the system, space of permitted
modifications to the system
2. Source code ➝ transition system (game) non-determinism in the program (demonic) non-determinism in permitted modification (angelic)
3. Specification ➝ monitor acceptance4. Check if we can find system choices s.t. model
is accepted by monitor product of trans. system and monitor search for winning strategy in game
(slide adapted with permission from Barbara Jobstmann)
![Page 49: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/49.jpg)
49
unsigned int got_lock = 0; ...1: while(*) { ...2: if (*) {3: lock();4: got_lock = 1; } ...5: if (got_lock != 0){6: unlock(); }7: got_lock = 0; ... }
lock() {lock: LOCK:=1;}unlock(){unlock: LOCK:=0;}
SpecificationP1: do not acquire a lock twiceP2: do not call unlock without holding the lock
P1: always( line=lock implies next( line!=lock w-until line=unlock ))P2: ( line!=unlock w-until line=lock )) and always( line=unlock implies next( line!=unlock w-until line=lock ))
(slide adapted with permission from Barbara Jobstmann)
Repaired Program
![Page 50: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/50.jpg)
50
Partial Programs and SKETCH[aLisp: Andre et al 2002, Sketch: Solar-Lezama et al 2006] partial program freedom in games
defines a space of program Given a partial program P with
control variables C (“holes”), a specification S, the goal is to find an assignment for C such that P[C] S
double(x) { return 2 * x;}
double(x) { return x + x;}
Synthesizer
double(x) { return ?? * x;}
![Page 51: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/51.jpg)
51
SKETCH: isolate rightmost 0bit[W] isolate0 (bit[W] x) { // W: word size
bit[W] ret=0; for (int i = 0; i < W; i++) if (!x[i]) { ret[i] = 1; break; } return ret;}
bit[W] isolate0Fast (bit[W] x) implements isolate0 { return ~x & (x+1);}
bit[W] isolate0Sketched(bit[W] x) implements isolate0 { return ~(x + ??) & (x + ??);}
(Hacker’s Delight, H.S. Warren)
![Page 52: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/52.jpg)
Synthesis as generalized SAT The sketch synthesis problem
c x spec(x) = sketch(x,c)
Counter-example driven solver
I = x = random-input()do I = I {x}
find c such that iI (spec(i)=sketch(c,i)) if cannot find c then exit(“non-satisfiable sketch'') find x such that spec(x) sketch(x,c) while x != nilreturn c
![Page 53: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/53.jpg)
53
SMARTEdit[Lau et al, 2000]
synthesize editor macros (programs) from examples
behind the scenes: machine learning techniques
![Page 54: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/54.jpg)
54
![Page 55: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/55.jpg)
55
![Page 56: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/56.jpg)
56
![Page 57: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/57.jpg)
57
Recap: program synthesis
Automatically synthesize a program that is correct-by-construction from a (higher-level) specification
many techniques games games with abstraction (abstract
interpretation)
![Page 58: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/58.jpg)
58
Coming up (extremely optimistic! more likely, we’ll cover half of it)
principle of program analysis overview of dataflow why dataflow works? abstract interpretation basics a taste of operational semantics numerical domains heap domains shape analysis
approaches to program synthesis program synthesis using games abstraction-guided synthesis games with abstraction synthesis with machine learning techniques a tiny bit on SAT/SMT based synthesis
![Page 59: Lecture 01 - Introduction Eran Yahav 1. Goal Understand program analysis & synthesis apply these techniques in your research understand jargon/papers](https://reader031.vdocuments.pub/reader031/viewer/2022032800/56649d2f5503460f94a06921/html5/thumbnails/59.jpg)
References
Patriot bug: http://www.cs.usyd.edu.au/~alum/patriot_bug.
html Patrick Cousot’s NYU lecture notes
Zune bug:
http://www.crunchgear.com/2008/12/31/zune-bug-explained-in-detail/
Blaster worm: http://www.sans.org/security-resources/malwar
efaq/w32_blasterworm.php Interesting CACM article
http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
http://journals.cambridge.org/download.php?file=%2FMSC%2FMSC19_05%2FS0960129509990041a.pdf&code=d5af66869c1881e31339879b90c07d0c