![Page 1: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479
Noam Rinetzky
Lecture 2: Operational Semantics
1
Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik Poll, Mooly Sagiv, Jean Souyris, Eran Tromer, Avishai Wool, Eran Yahav
![Page 2: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/2.jpg)
2
universe
Verification by over-approximation
Under Approximation
Exact set of configurations/behaviors
Over Approximation
![Page 3: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/3.jpg)
3
universe
Program semantics
Exact set of configurations/behaviors
![Page 4: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/4.jpg)
4
Program analysis & verification
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?
![Page 5: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/5.jpg)
5
What does P do?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?
![Page 6: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/6.jpg)
6
What does P mean?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…
syntax semantics
![Page 7: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/7.jpg)
7
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
• Cat-transformer
![Page 8: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/8.jpg)
8
Program semantics & Verification
![Page 9: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/9.jpg)
9
Agenda
• Operational semantics– Natural operational semantics– Structural operational semantics
![Page 10: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/10.jpg)
10
What does P mean?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…
syntax semantics
![Page 11: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/11.jpg)
11
“Standard” semantics
y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
![Page 12: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/12.jpg)
12
“Standard” semantics (“state transformer”)
y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
![Page 13: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/13.jpg)
13
“Standard” semantics (“state transformer”)
y = ?; y=3, x=9x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
![Page 14: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/14.jpg)
14
“Standard” semantics (“state transformer”)
y = ?; y=3, x=9x = y * 2 y=3, x=6if (x % 2 == 0) { y=3, x=6 y = 42; y=42, x=6} else { y = 73; … foo(); …} assert (y == 42); y=42, x=6
…-1,0,1, …
y x…-1,0,1,…
![Page 15: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/15.jpg)
15
“State transformer” semantics
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=3,x=6
![Page 16: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/16.jpg)
16
“State transformer” semantics
initialstates
badstates
reachablestates
y=4,x=1
y=4,x=8y=4,x=8
![Page 17: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/17.jpg)
17
“State transformer” semantics
initialstates
badstates
reachablestates
y=4…,x=…
![Page 18: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/18.jpg)
18
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=4,x=1y=4,x=8
y=3,x=6
y=4,x=8
“State transformer” semanticsMain idea: find (properties of) all reachable states*
y=4…,x=…
![Page 19: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/19.jpg)
19
“Standard” (collecting) semantics(“sets-of states-transformer”)
y = ?; x = ?; {(y,x) | y,x ∈ Nat}x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
![Page 20: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/20.jpg)
20
“Standard” (collecting) semantics(“sets-of states-transformer”)
y = ?; {(y=3, x=9),(y=4,x=1),(y=…, x=…)}
x = y * 2 {(y=3, x=6),(y=4,x=8),(y=…, x=…)}
if (x % 2 == 0) { {(y=3, x=6),(y=4,x=8),(y=…, x=…)}
y = 42; {(y=42, x=6),(y=42,x=8),(y=42, x=…)}
} else { y = 73; { }
foo(); { }
} assert (y == 42); {(y=42, x=6),(y=42,x=8),(y=42, x=…)}
Yes
![Page 21: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/21.jpg)
21
“Set-of-states transformer” semantics
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=4,x=1
y=4,x=1
y=3,x=6
y=4,x=1
![Page 22: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/22.jpg)
22
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
![Page 23: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/23.jpg)
23
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
• Cat-transformer
![Page 24: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/24.jpg)
24
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
![Page 25: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/25.jpg)
25
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
![Page 26: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/26.jpg)
26
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
![Page 27: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/27.jpg)
27
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=E, x=E} else { y = 73; … foo(); …} assert (y%2 == 0) y=E, x=E ?
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
![Page 28: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/28.jpg)
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
28
![Page 29: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/29.jpg)
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
29
![Page 30: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/30.jpg)
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
30
![Page 31: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/31.jpg)
31
How do we say what P mean?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…
syntax semantics
![Page 32: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/32.jpg)
32
Agenda
• Operational semantics– Natural operational semantics– Structural operational semantics
![Page 33: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/33.jpg)
33
Programming Languages
• Syntax • “how do I write a program?”
– BNF– “Parsing”
• Semantics • “What does my program mean?”
– …
![Page 34: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/34.jpg)
34
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
![Page 35: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/35.jpg)
35
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
![Page 36: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/36.jpg)
36
What semantics do we want?
• Captures the aspects of computations we care about– “adequate”
• Hides irrelevant details– “fully abstract”
• Compositional
![Page 37: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/37.jpg)
What semantics do we want?
• Captures the aspects of computations we care about– “adequate”
• Hides irrelevant details– “fully abstract”
• Compositional
![Page 38: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/38.jpg)
38
Formal semantics
“Formal semantics is concerned with rigorously specifying the meaning, or behavior, of
programs, pieces of hardware, etc.”
Semantics with Applications – a Formal Introduction (Page 1)Nielsen & Nielsen
![Page 39: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/39.jpg)
39
Formal semantics
“This theory allows a program to be manipulated like a formula –
that is to say, its properties can be calculated.”
Gérard Huet & Philippe Flajolet homage to Gilles Kahn
![Page 40: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/40.jpg)
40
Why formal semantics?
• Implementation-independent definition of a programming language
• Automatically generating interpreters – and some day maybe full fledged compilers
• Verification and debugging– if you don’t know what it does, how do you know
its incorrect?
![Page 41: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/41.jpg)
41
Why formal semantics?
• Implementation-independent definition of a programming language
• Automatically generating interpreters – and some day maybe full fledged compilers
• Verification and debugging– if you don’t know what it does, how do you know
its incorrect?
![Page 42: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/42.jpg)
42
Levels of abstractions and applications
Program Semantics
Assembly-level Semantics(Small-step)
Static Analysis(abstract semantics)
![Page 43: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/43.jpg)
43
Semantic description methods
• Operational semantics– Natural semantics (big step) [G. Kahn]– Structural semantics (small step) [G. Plotkin]
• Trace semantics• Collecting semantics• [Instrumented semantics]
• Denotational semantics [D. Scott, C. Strachy]
• Axiomatic semantics [C. A. R. Hoare, R. Floyd]
![Page 44: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/44.jpg)
Operational Semantics
![Page 45: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/45.jpg)
45
http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html
![Page 46: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/46.jpg)
46
A simple imperative language: While
Abstract syntax:a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2
S ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S
![Page 47: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/47.jpg)
47
Concrete Syntax vs. Abstract Syntax
a
y
:=x
S
a
z
:=y
Sa
x
:=z
S
;
S;
S
a
x
:=z
S
a
y
:=x
S;
S ;
S
a
z
:=y
S
z:=x; x:=y; y:=z
z:=x; (x:=y; y:=z) (z:=x; x:=y); y:=z
![Page 48: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/48.jpg)
48
Exercise: draw an AST
S S;
S
y:=1; while (x=1) do (y:=y*x; x:=x-1)
![Page 49: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/49.jpg)
49
Syntactic categories
n Num numeralsx Var program variablesa Aexp arithmetic expressionsb Bexp boolean expressionsS Stm statements
![Page 50: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/50.jpg)
50
Semantic categories
Z Integers {0, 1, -1, 2, -2, …}
T Truth values {ff, tt}State Var Z
Example state: s=[x5, y7, z0]Lookup: s x = 5Update: s[x6] = [x6, y7, z0]
![Page 51: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/51.jpg)
51
Example state manipulations
• [x1, y7, z16] y =• [x1, y7, z16] t =• [x1, y7, z16][x5] =• [x1, y7, z16][x5] x =• [x1, y7, z16][x5] y =
![Page 52: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/52.jpg)
52
Semantics of arithmetic expressions
• Arithmetic expressions are side-effect free• Semantic function A Aexp : State Z• Defined by induction on the syntax tree
A n s = nA x s = s xA a1 + a2 s = A a1 s + A a2 s
A a1 - a2 s = A a1 s - A a2 s
A a1 * a2 s = A a1 s A a2 s
A (a1) s = A a1 s --- not needed
A - a s = 0 - A a1 s
• Compositional• Properties can be proved by structural induction
![Page 53: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/53.jpg)
53
Arithmetic expression exercise
Suppose s x = 3Evaluate A x+1 s
![Page 54: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/54.jpg)
54
Semantics of boolean expressions
• Boolean expressions are side-effect free• Semantic function B Bexp : State T• Defined by induction on the syntax tree
B true s = ttB false s = ffB a1 = a2 s =
B a1 a2 s =
B b1 b2 s =
B b s =
![Page 55: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/55.jpg)
55
Operational semantics
• Concerned with how to execute programs– How statements modify state– Define transition relation between configurations
• Two flavors– Natural semantics: describes how the overall
results of executions are obtained• So-called “big-step” semantics
– Structural operational semantics: describes how the individual steps of a computations take place• So-called “small-step” semantics
![Page 56: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/56.jpg)
56
Natural operating semantics (NS)
![Page 57: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/57.jpg)
57
Natural operating semantics (NS)
• aka “Large-step semantics”
S, s s’
all steps
![Page 58: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/58.jpg)
58
Natural operating semantics
• Developed by Gilles Kahn [STACS 1987]• Configurations
S, s Statement S is about to execute on state ss Terminal (final) state
• TransitionsS, s s’ Execution of S from s will terminate
with the result state s’
– Ignores non-terminating computations
![Page 59: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/59.jpg)
59
Natural operating semantics
• defined by rules of the form
• The meaning of compound statements is defined using the meaning immediate constituent statements
S1, s1 s1’, … , Sn, sn sn’ S, s s’
if…
premise
conclusion
side condition
![Page 60: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/60.jpg)
60
Natural semantics for While
x := a, s s[x Aas][assns]
skip, s s[skipns]
S1, s s’, S2, s’ s’’S1; S2, s s’’
[compns]
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
axioms
![Page 61: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/61.jpg)
61
Natural semantics for While
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
while b do S, s s if B b s = ff[whileffns]
Non-compositional
![Page 62: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/62.jpg)
62
Example
• Let s0 be the state which assigns zero to all program variables
x:=x+1, s0
skip, s0 s0
s0[x1]
skip, s0 s0, x:=x+1, s0 s0[x1] skip; x:=x+1, s0 s0[x1]
x:=x+1, s0 s0[x1]if x=0 then x:=x+1 else skip, s0 s0[x1]
![Page 63: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/63.jpg)
63
Derivation trees
• Using axioms and rules to derive a transition S, s s’ gives a derivation tree– Root: S, s s’– Leaves: axioms– Internal nodes: conclusions of rules• Immediate children: matching rule premises
![Page 64: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/64.jpg)
64
Derivation tree example 1• Assume s0=[x5, y7, z0]
s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]
(z:=x; x:=y); y:=z, s0 s3
(z:=x; x:=y), s0 s2 y:=z, s2 s3
z:=x, s0 s1 x:=y, s1 s2
[assns] [assns]
[assns][compns]
[compns]
![Page 65: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/65.jpg)
65
Derivation tree example 1• Assume s0=[x5, y7, z0]
s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]
(z:=x; x:=y); y:=z, s0 s3
(z:=x; x:=y), s0 s2 y:=z, s2 s3
z:=x, s0 s1 x:=y, s1 s2
[assns] [assns]
[assns][compns]
[compns]
![Page 66: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/66.jpg)
66
Top-down evaluation via derivation trees
• Given a statement S and an input state sfind an output state s’ such that S, ss’
• Start with the root and repeatedly apply rules until the axioms are reached– Inspect different alternatives in order
• In While s’ and the derivation tree is unique
![Page 67: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/67.jpg)
67
Top-down evaluation example
• Factorial program with s x = 2• Shorthand: W=while (x=1) do (y:=y*x; x:=x-1)
y:=1; while (x=1) do (y:=y*x; x:=x-1), s s[y 2][x1]
y:=1, s s[y 1] W, s[y 1] s[y 2, x 1]
y:=y*x; x:=x-1, s[y 1] s[y 2][x1] W, s[y 2][x1] s[y 2, x 1]
y:=y*x, s[y 1] s[y 2] x:=x-1, s[y 2] s[y 2][x1]
[assns]
[compns]
[assns]
[compns]
[whileffns]
[whilettns]
[assns]
![Page 68: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/68.jpg)
68
Program termination
• Given a statement S and input s– S terminates on s if there exists a state s’ such that
S, s s’– S loops on s if there is no state s’ such that
S, s s’• Given a statement S– S always terminates if
for every input state s, S terminates on s– S always loops if
for every input state s, S loops on s
![Page 69: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/69.jpg)
69
Semantic equivalence
• S1 and S2 are semantically equivalent if for all s and s’ S1, s s’ if and only if S2, s s’
• Simple examplewhile b do Sis semantically equivalent to:if b then (S; while b do S) else skip– Read proof in pages 26-27
![Page 70: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/70.jpg)
70
Properties of natural semantics
• Equivalence of program constructs– skip; skip is semantically equivalent to skip – ((S1; S2); S3) is semantically equivalent to
(S1; (S2; S3))– (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40)
![Page 71: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/71.jpg)
71
Equivalence of (S1; S2); S3 and S1; (S2; S3)
![Page 72: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/72.jpg)
72
Equivalence of (S1; S2); S3 and S1; (S2; S3)
(S1; S2), s s12, S3, s12 s’ (S1; S2); S3, s s’
S1, s s1, S2, s1 s12
S1, s s1, (S2; S3), s12 s’ (S1; S2); S3, s s’
S2, s1 s12, S3, s12 s’
Assume (S1; S2); S3, s s’ then the following unique derivation tree exists:
Using the rule applications above, we can construct the following derivation tree:
And vice versa.
![Page 73: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/73.jpg)
73
Deterministic semantics for While
• Theorem: for all statements S and states s1, s2
if S, s s1 and S, s s2 then s1=s2
• The proof uses induction on the shape of derivation trees (pages 29-30)– Prove that the property holds for all simple
derivation trees by showing it holds for axioms– Prove that the property holds for all composite
trees: • For each rule assume that the property holds for its
premises (induction hypothesis) and prove it holds for the conclusion of the rule
single node
#nodes>1
![Page 74: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/74.jpg)
74
The semantic function Sns
• The meaning of a statement S is defined as a partial function from State to State
Sns: Stm (State State)
• Examples:Sns skips = s
Sns x:=1s = s [x 1]
Sns while true do skips = undefined
Sns S s = s’ if S, s s’ undefined otherwise
![Page 75: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/75.jpg)
75
Structural operating semantics (SOS)
![Page 76: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/76.jpg)
76
Structural operating semantics (SOS)
• aka “Small-step semantics”
S, s S’, s’
first step
![Page 77: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/77.jpg)
77
Structural operational semantics
• Developed by Gordon Plotkin• Configurations: has one of two forms:
S, s Statement S is about to execute on state ss Terminal (final) state
• Transitions S, s g = S’, s’ Execution of S from s is not completed and
remaining computation proceeds from intermediate configuration
g = s’ Execution of S from s has terminated and the final state is s’
• S, s is stuck if there is no such that S, s
first step
![Page 78: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/78.jpg)
78
Structural semantics for While x:=a, s s[xAas][asssos]
skip, s s[skipsos]
S1, s S1’, s’ S1; S2, s S1’; S2, s’ [comp1
sos]
if b then S1 else S2, s S1, s if B b s = tt[ifttsos]
if b then S1 else S2, s S2, s if B b s = ff[ifffsos]
S1, s s’ S1; S2, s S2, s’ [comp2
sos]
When does this happen?
![Page 79: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/79.jpg)
79
Structural semantics for While
while b do S, s if b then
S; while b do S) else
skip, s
[whilesos]
![Page 80: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/80.jpg)
80
Derivation sequences• A derivation sequence of a statement S starting in state s is either• A finite sequence 0, 1, 2 …, k such that
1. 0 = S, s
2. i i+1
3. k is either stuck configuration or a final state
• An infinite sequence 0, 1, 2, … such that1. 0 = S, s
2. i i+1
• Notations:– 0 k k 0 derives k in k steps
– 0 * 0 derives in a finite number of steps
• For each step there is a corresponding derivation tree
![Page 81: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/81.jpg)
81
Derivation sequence example
• Assume s0=[x5, y7, z0](z:=x; x:=y); y:=z, s0
x:=y; y:=z, s0[z5] y:=z, (s0[z5])[x7] ((s0[z5])[x7])[y5]
(z:=x; x:=y); y:=z, s0 x:=y; y:=z, s0[z5]
z:=x; x:=y, s0 x:=y, s0[z5]
z:=x, s0 s0[z5]
• Derivation tree for first step:
![Page 82: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/82.jpg)
82
Evaluation via derivation sequences
• For any While statement S and state s it is always possible to find at least one derivation sequence from S, s– Apply axioms and rules forever or until a terminal
or stuck configuration is reached• Proposition: there are no stuck configurations
in While
![Page 83: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/83.jpg)
83
Factorial (n!) example
• Input state s such that s x = 3y := 1; while (x=1) do (y := y * x; x := x – 1)
y :=1 ; W, s W, s[y1] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y1] ((y := y * x; x := x – 1); W), s[y1] (x := x – 1; W), s[y3] W , s[y3][x2] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y3][x2] ((y := y * x; x := x – 1); W), s[y3] [x2] (x := x – 1; W) , s[y6] [x2] W, s[y6][x1] if (x =1) then ((y := y * x; x := x – 1); W else skip, s[y6][x1] skip, s[y6][x1] s[y6][x1]
![Page 84: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/84.jpg)
84
Program termination
• Given a statement S and input s– S terminates on s if there exists a finite derivation
sequence starting at S, s– S terminates successfully on s if there exists a
finite derivation sequence starting at S, s leading to a final state
– S loops on s if there exists an infinite derivation sequence starting at S, s
![Page 85: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/85.jpg)
85
Properties of structural operational semantics
• S1 and S2 are semantically equivalent if:– for all s and which is either final or stuck,
S1, s * if and only if S2, s * – for all s, there is an infinite derivation sequence
starting at S1, s if and only if there is an infinite derivation sequence starting at S2, s
• Theorem: While is deterministic:– If S, s * s1 and S, s * s2 then s1=s2
![Page 86: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/86.jpg)
86
Sequential composition
• Lemma: If S1; S2, s k s’’ then
there exists s’ and k=m+n such thatS1, s m s’ and S2, s’ n s’’
• The proof (pages 37-38) uses induction on the length of derivation sequences– Prove that the property holds for all derivation
sequences of length 0– Prove that the property holds for all other derivation
sequences: • Show that the property holds for sequences of length k+1
using the fact it holds on all sequences of length k (induction hypothesis)
![Page 87: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/87.jpg)
87
The semantic function Ssos
• The meaning of a statement S is defined as a partial function from State to State
Ssos: Stm (State State)
• Examples:Ssos skip s = s
Ssos x:=1 s = s [x 1]
Ssos while true do skip s = undefined
Ssos S s = s’ if S, s * s’ undefined else
![Page 88: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/88.jpg)
88
An equivalence result
• For every statement in WhileSns S = Ssos S
• Proof in pages 40-43
![Page 89: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/89.jpg)
Language Extensions
• abort statement (like C’s exit w/o return value)
• Non-determinism• Parallelism• Local Variables• Procedures– Static Scope– Dynamic scope
![Page 90: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/90.jpg)
While + abort
• Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| abort
• Abort terminates the execution– In “skip; S” the statement S executes– In“abort; S” the statement S should never execute
• Natural semantics rules: …?• Structural semantics rules: …?
90
![Page 91: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/91.jpg)
Comparing semanticsStructuralsemantics
Naturalsemantics
Statement
abort
abort; S
skip; S
while true do skip
if x = 0 then abort else y := y / x
91
• The natural semantics cannot distinguish between looping and abnormal termination‒ Unless we add a special error state
• In the structural operational semantics looping is reflected by infinite derivations and abnormal termination is reflected by stuck configuration
Conclusions
![Page 92: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/92.jpg)
92
While + non-determinism
• Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| S1 or S2
• Either S1 is executed or S2 is executed• Example: x:=1 or (x:=2; x:=x+2)– Possible outcomes for x: 1 and 4
![Page 93: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/93.jpg)
While + non-determinism:natural semantics
S1, s s’S1 or S2, s s’
[or1ns]
S2, s s’S1 or S2, s s’
[or2ns]
93
![Page 94: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/94.jpg)
While + non-determinism:structural semantics
?[or1sos]
?[or2sos]
94
![Page 95: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/95.jpg)
95
While + non-determinism
• What about the definitions of the semantic functions?– Sns S1 or S2 s
– Ssos S1 or S2 s
![Page 96: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/96.jpg)
Comparing semanticsStructuralsemantics
Naturalsemantics
Statement
x:=1 or (x:=2; x:=x+2)
(while true do skip) or (x:=2; x:=x+2)
96
• In the natural semantics non-determinism will suppress non-termination (looping) if possible
• In the structural operational semantics non-determinism does not suppress non-terminating statements
Conclusions
![Page 97: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/97.jpg)
While + parallelism
Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| S1 S2
• All the interleaving of S1 and S2 are executed
• Example: x:=1 (x:=2; x:=x+2)– Possible outcomes for x: 1, 3, 4
97
![Page 98: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/98.jpg)
98
While + parallelism:structural semantics
S1, s S1’, s’ S1S2, s S1’S2, s’ [par1
sos]
S1, s s’ S1S2, s S2, s’ [par2
sos]
S2, s S2’, s’ S1S2, s S1S2’, s’ [par3
sos]
S2, s s’ S1S2, s S1, s’ [par4
sos]
![Page 99: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/99.jpg)
99
While + parallelism:natural semantics
Challenge problem:Give a formal proof that this is in fact impossible.
Idea: try to prove on a restricted version of While without loops/conditions
![Page 100: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/100.jpg)
100
Example: derivation sequencesof a parallel statement
x:=1 (x:=2; x:=x+2), s
![Page 101: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/101.jpg)
Conclusion
• In the structural operational semantics we concentrate on small steps so interleaving of computations can be easily expressed
• In the natural semantics immediate constituent is an atomic entity so we cannot express interleaving of computations
101
![Page 102: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/102.jpg)
102
While + memory
Abstract syntaxS ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S| x := malloc(a)| x := [y]|[x] := y
State : Var Z State : Stack HeapStack : Var ZHeap : Z Z
Integers as memory addresses
![Page 103: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/103.jpg)
From states to traces
![Page 104: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/104.jpg)
104
Trace semantics
• Low-level (conceptual) semantics• Add program counter (pc) with states– = State + pc
• The meaning of a program is a relation Stm
• Execution is a finite/infinite sequence of states• A useful concept in defining static analysis as
we will see later
![Page 105: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/105.jpg)
Example
1: y := 1;
while 2: (x=1) do (
3: y := y * x;
4: x := x - 1
)
5:
105
![Page 106: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/106.jpg)
106
Traces1: y := 1;
while 2: (x=1) do (
3: y := y * x;
4: x := x - 1
)
5:
{x2,y3},1 [y:=1] {x2,y1},2 [(x=1)] {x2,y1},3 [y:=y*x] {x2,y2},4 [x:=x-1] {x1,y2},2 [(x=1)] {x1,y2},5
{x3,y3},1 [y:=1] {x3,y1},2 [(x=1)] {x3,y1},3 [y:=y*x] {x3,y3},4 [x:=x-1] {x2,y3},2 [(x=1)] {x2,y3},3 [y:=y*x] {x2,y6},4 [x:=x-1] {x1,y6},2 [(x=1)] {x1,y6},5
…
Set of traces is infinite therefore trace semantics is incomputable in general
![Page 107: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/107.jpg)
Operational semantics summary
• SOS is powerful enough to describe imperative programs– Can define the set of traces– Can represent program counter implicitly– Handle goto statements and other non-trivial control
constructs (e.g., exceptions)• Natural operational semantics is an abstraction• Different semantics may be used to justify different
behaviors• Thinking in concrete semantics is essential for a
analysis writer
107
![Page 108: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik](https://reader036.vdocuments.us/reader036/viewer/2022062805/5697bff01a28abf838cbaa74/html5/thumbnails/108.jpg)
The End