Automated Formal Static Analysis and Retrieval of Source Code - JKU

More documents

Recommendations

Info

2.2. FORWARD SYMBOLIC EXECUTION IN THE THEOREMA SYSTEM 15 Here f is a new (second order) symbol – a name for the function defined by the program. In the case of recursive programs, f may occur in some p i ’s and g i ’s. Each of the n paths of the program has associated a object–level formula p i [x] – the accumulated If–conditions on that path, and the object–level term g i [x] – the symbolic expression of the return value obtained by composing all the assignments (symbolic execution). Note that p i [x] and g i [x] do not contain other free variables than x. The computing idea for the program semantics Σ is as follows: Σ works by forward symbolic execution on all branches of the program, using as state the current substitution for the active variables. Σ produces a conjunction of clauses – conditional definitions for f[x]. Each clause depends on the accumulated [negated] conditions of the If statements leading to a certain Return statement, whose argument (symbolically evaluated) represents the corresponding value of f[x]. Definition 2.2.2. ( ) 1. Σ[P ] = Σ[{¯x → ¯x0 }, P ] { ¯x0 →¯x} ∀¯x 2. Σ[σ, 〈Return[t]〉 ⌣ P ] = (f[ ¯x 0 ] = tσ) 3. Σ[σ, 〈v := t〉 ⌣ P ] = Σ[σ ◦ {v → tσ}, P ] 4. Σ[σ, 〈If[ϕ, P T , P F ]〉 ⌣ P ] = ∧ { ϕσ =⇒ Σ[σ, P T ⌣ P ] ¬ϕσ =⇒ Σ[σ, P F ⌣ P ] When the execution of the program starts, all the input variables become active by instantiating them with corresponding symbolic values. After the program is processed all the input variables become universally quantified (Definition 2.2.2.1). A Return statement (Definition 2.2.2.2) determines the computation of the output state. From this state we are interested in the program function and its computed values (the argument t of the Return statement). The assignment statement (Definition 2.2.2.3) updates the current state. For a conditional (Definition 2.2.2.4), there are two different expressions for the program function to be computed: one when the symbolic formula ϕσ might hold and one in the opposite case. Remarks. 1. The way Σ handles the If statement ensures: covered) and ∀ i≠j p i ∧ p j = F (branches are mutually disjoint). ∨ i=1,n p i = I f (all branches are 2. The program function Σ effectively translates an imperative program into a functional program. From this point on, one could reason about the program using the Scott fixpoint theory ([LSS84], pag. 86), however we prefer a purely logical approach.
16CHAPTER 2. PROGRAM VERIFICATION BY SYMBOLIC EXECUTION IN THEOREMA 2.2.2.3 Partial Correctness We define inductively the meta–level function Γ, generating the verification conditions (at objectlevel) insuring the partial correctness of the programs. The function Γ has three arguments: • σ is the current state of the program; • Φ is an object-level formula representing the accumulated conditions on the path currently analyzed; • P is the program (or the rest of it) which is analyzed. We consider: (i)γ, γ – a variable or a constant and respectively a sequence of variable and/or constants from the theory Υ, (ii) basic functions h (i.e. functions from the object theory), (iii) additional functions g (i.e. functions computed by other programs), (iv) arbitrary functions u. The symbol y is a new constant name standing for the program function. An expression like e τ←w denotes that τ is replaced by w in e, where w is a new variable name. The coherence (safety) conditions are generated for each call of a function h and state that the function h is called upon arguments which satisfy its input specification (h may be also P , case which corresponds to the recursive call) (see definitions 2.2.3.4 and 2.2.3.5). The functional conditions are generated at the end of each branch, insuring that the return value satisfies the output specification O P (see definitions 2.2.3.2 and 2.2.3.3). Definition 2.2.3. ( ) 1. Γ[P ] = Γ[{¯x → ¯x0 }, I f [¯x 0 ], P ] {¯x0 →¯x} ∀¯x 2. Γ[σ, Φ, 〈Return[γ]〉 ⌣ P ] = ( ) Φ ⇒ O f [¯x 0 , γσ] 3. Γ[σ, Φ, 〈Return[t τ←u[γ] ]〉 ⌣ P ] = Γ[σ, Φ, 〈w := u[γ], Return[t τ←w ]〉 ⌣ P ] 4. Γ[σ, Φ, 〈v := γ〉 ⌣ P ] = Γ[σ ◦ {v → γσ}, Φ, P ] 5. Γ[σ, Φ, 〈v := h[γ]〉 ⌣ P ] = ∧ { Φ ⇒ I h [γσ] Γ[σ ◦ {v → h[γσ]}, Φ ∧ I h [γσ], P ] 6. Γ[σ, Φ, 〈v := g[γ]〉 ⌣ P ] = ∧ { Φ ⇒ I g [γσ] Γ[σ ◦ {v → c}, Φ ∧ I g [γσ] ∧ O g [γσ, c], P ] 7. Γ[σ, Φ, 〈v := t τ←u[γ] 〉 ⌣ P ] = Γ[σ, Φ, 〈w := u[γ], v := t τ←w 〉 ⌣ P ]
Page 1: J O H A N N E S K E P L E R U N I V
Page 5: Abstract In this thesis two approac
Page 8 and 9: viii
Page 10 and 11: Chapter 1 Introduction From the han
Page 12 and 13: 3 Contributions of the Thesis The s
Page 14 and 15: Next section starts by describing t
Page 16 and 17: Chapter 2 Program Verification by S
Page 18 and 19: 2.1. BACKGROUND 9 From the practica
Page 20 and 21: 2.1. BACKGROUND 11 A program is see
Page 22 and 23: 2.2. FORWARD SYMBOLIC EXECUTION IN
Page 26 and 27: 2.2. FORWARD SYMBOLIC EXECUTION IN
Page 28 and 29: 2.3. THE SIMPLIFICATION OF THE VERI
Page 30 and 31: 2.4. IMPLEMENTATION AND EXAMPLES 21
Page 36 and 37: Chapter 3 Code Search Integration F
Page 38 and 39: 3.1. BACKGROUND 29 Figure 3.1: Sour
Page 40 and 41: 3.1. BACKGROUND 31 The programming
Page 42 and 43: 3.2. INTEGRATION OF MINDBREEZE CODE
Page 62 and 63: Chapter 4 Conclusions In this thesi
Page 64 and 65: 55 How the database is used. For ea
Page 66 and 67: Bibliography [***] ***. Mindbreeze
Page 68 and 69: BIBLIOGRAPHY 59 [Hoa69] [How73] [KF
Page 70 and 71: BIBLIOGRAPHY 61 [VHBP00] [Wil94] W.
Page 72: Eidesstattliche Erklärung Ich erkl

Automated Formal Static Analysis and Retrieval of Source Code - JKU

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?