1 how to transform an abstract analyzer into an abstract verifier
Post on 22-Dec-2015
224 views
TRANSCRIPT
1
How to transform an abstract analyzer into an abstract verifier
2
Type verification in a functional languagewe choose the let-polymorphic type
interpreter type verification à la ML
• same type system
• verification does not require any fixpoint computation
3
Abstract verificationF= abstract semantic evaluation functionS = specification of the property, i.e., abstraction
of the intended concrete semanticspartial correctness: (lfp F) S
sufficient partial correctness condition: F( S)S
4
The language: syntaxtype ide = Id of string
type exp = | Eint of int | Var of ide | Sum of exp * exp | Diff of exp * exp | Ifthenelse of exp * exp * exp | Fun of ide * exp | Rec of ide * exp | Appl of exp * exp | Let of ide * exp * exp | Letrec of ide * exp * exp
5
The abstract domain of parametric polytypes
type evalt = Notype| Vvar of string| Intero | Mkarrow of evalt * evalt
type tscheme = Forall of (string list) * evalt
type eval = tscheme * (evalt * evalt) list
6
Abstract verification of types F( S)S
a program is an expression in the language its specification S is its intended type
rather than taking an element of eval, we take an element of evalt• a further abstraction in which we forget quantifiers and constraints
• not important for closed expressions without global environment
the abstract semantic evaluation function Fis of course the abstract interpreter sem
what is the meaning of F( S)
7
The meaning of F( S)S
in a language with constructs which create a global environment (typically containing functions),
S is an abstract environment associating to each global name its specification
the new expression is evaluated in such an environment• assuming that all the global values satisfy their specification
• using the specification rather than the semantics for the global objects small, modular proofs, which allow us to locate possible bugs
in our language we have closed expressions only F( S) is exactly the same as F for all the syntactic constructs,
apart from recursive function definition, where S(when available, top level) has to be used as first approximation of their abstract value
8
The implementation of F( S)
let new (e:exp) spec =
let r = emptyenv in
match e with
| Rec(i,e1) -> sem e1 (bind(r,i,(Forall([],spec),[])))
| _ -> sem e r)
9
Why checking F( S)S rather than lfp FS
why computing F( S)rather than lfp F
no fixpoint computation more efficient possible even with non-noetherian domains
modular proofs in which the proof of a component uses the specification rather
than the semantics of the other components
10
The implementation of F( S)S
let le (t,spec) = let sigma = unifylist [(spec,t)] in match sigma with
|Fail -> false |Subst(_) -> let t1= (generalize spec (Subst []) emptyenv,[]) in let t2= (generalize (applysubst sigma spec) (Subst []) emptyenv,[]) in abstreq(t1,t2)
let check (e:exp) spec = let r = emptyenv in match new e spec with
|(Forall(_,Notype),_) -> false |(Forall(_,t1),_) -> le(t1,spec)
11
Examples 1# let f x = x in f f;;
- : '_a -> '_a = <fun>
#let ff = Let(Id "f",Fun(Id "x", Var(Id "x")),Appl(Var(Id "f"),Var(Id "f")));;
# sem1 ff [] 0;;
- : evalt * (string * evalt) list = Mkarrow (Vvar "var2", Vvar "var2"), []
# check ff (Mkarrow (Vvar "a", Vvar "a"));;
- :bool = true
# check ff (Mkarrow (Intero, Intero));;
- :bool = true
# check ff (Mkarrow (Intero, Vvar "a"));;
- :bool = false
# check ff (Mkarrow (Mkarrow (Vvar "a", Vvar "a"), Mkarrow (Vvar "a", Vvar "a")));;
- :bool = true
# check ff (Mkarrow (Mkarrow (Vvar "a", Vvar "a"), Mkarrow (Vvar "a", Vvar "b")));;
- :bool = false
12
Examples 2# sem1 monster [] 2;;
- : evalt * (string * evalt) list = Mkarrow(Mkarrow (Vvar "var43", Vvar "var43"), Mkarrow(Mkarrow (Vvar "var43", Vvar "var36"), Mkarrow(Intero, Mkarrow (Vvar "var43", Vvar "var36")))), []
# check monster (Mkarrow(Mkarrow (Vvar ”A", Vvar ”A"), Mkarrow(Mkarrow (Vvar ”A", Vvar ”B"),Mkarrow(Intero, Mkarrow (Vvar ”A", Vvar ”B")))));;
- :bool = true
13
Examples 3# let loop = Rec(Id "loop",Fun(Id "p",Fun(Id "f",Fun(Id "x",Ifthenelse(Appl(Var(Id "p"),Var(Id
"x")),Var(Id "x"), Appl(Appl(Appl(Var(Id "loop"),Var(Id "p")),Var(Id "f")), Appl(Var(Id
"f"),Var(Id "x"))))))));;
# sem1 loop [] 0;; - : evalt * (string * evalt) list =Mkarrow (Mkarrow (Vvar "var15", Intero), Mkarrow (Mkarrow
(Vvar "var15", Vvar "var15"), Mkarrow (Vvar "var15", Vvar "var15"))), []
# check loop (Mkarrow(Mkarrow (Vvar "a", Intero), Mkarrow(Mkarrow (Vvar "a", Vvar "a"), Mkarrow (Vvar "a", Vvar "a"))));;
- :bool = true
# check loop (Mkarrow(Mkarrow (Vvar "b", Intero), Mkarrow(Mkarrow (Vvar "a", Vvar "a"), Mkarrow (Vvar "a", Vvar "a"))));;
- :bool = false
# check loop (Mkarrow(Mkarrow (Intero, Intero), Mkarrow(Mkarrow (Intero, Intero), Mkarrow (Intero, Intero ))));;
- :bool = true