handouts/ho09.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 08 Dec 2014 11:14:33 +0000
changeset 347 efad8155513f
parent 346 5a6e8b7d20f7
child 350 54d6fc856950
permissions -rw-r--r--
updated
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}
\usepackage{../graphics}
\usepackage{../grammar}
\usepackage{multicol}

\begin{document}

\section*{Handout 9 (Static Analysis)}

If we want to improve the safety and security of our programs,
we need a more principled approach to programming. Testing is
good, but as Dijkstra famously said:

\begin{quote}\it
``Program testing can be a very effective way to show the
\underline{\smash{presence}} of bugs, but it is hopelessly
inadequate for showing their \underline{\smash{absence}}.''
\end{quote}

\noindent While such a more principled approach has been the
subject of intense study for a long, long time, only in the
past few years have some impressive results been achieved. One
is the complete formalisation and (mathematical) verification
of a microkernel operating system called seL4.

\begin{center}
\url{http://sel4.systems}
\end{center}

\noindent In 2011 this work was included in the MIT Technology
Review's annual list of the world's ten most important emerging
technologies.\footnote{\url{http://www2.technologyreview.com/tr10/?year=2011}}
While this work is impressive, its technical details are far
too extensive to explain here. Therefore let us look at
something much simpler, namely finding out properties about
programs using \emph{static analysis}.

Static analysis is one technique that checks properties of a
program without actually running the program. This should
raise alarm bells with you---because almost all interesting
properties about programs are equivalent to the halting
problem, which we know is undecidable. For example, estimating
the memory consumption of programs is in general undecidable,
just like the halting problem. Static analysis circumvents
this undecidability problem by essentially allowing not only
the answers \emph{yes} and \emph{no}, but also \emph{don't
know}. With this ``trick'' even the halting problem becomes
decidable\ldots{}for example we could always say \emph{don't
know}. Of course this would be silly. The point is that we
should be striving for a method that answers as often as
possible either \emph{yes} or \emph{no}---only in cases where
it is too difficult do we fall back on the
\emph{don't-know}-answer. This might all sound like abstract
nonsense. Therefore let us look at a concrete example.


\subsubsection*{A Simple, Idealised Programming Language}

Our starting point is a small, idealised programming language.
This language contains variables holding integers. We want to
find out what the sign of these integers will be when the
program runs. This seems like a very simple problem, but it
will turn out that even such a simple analysis, if approached
naively, is in general undecidable, just like Turing's halting
problem. I leave it to you to think about why.


Is sign-analysis of variables an interesting problem? Well,
yes---if a compiler can find out that for example a variable
will never be negative and this variable is used as an index
for an array, then the compiler does not need to generate code
for an underflow-test. Remember that some languages are immune
to buffer-overflow attacks because they add bounds checks
everywhere. Omitting the checks that such an analysis proves
unnecessary could potentially drastically speed up the
generated code.

Since we want to 

\begin{multicols}{2}
\begin{plstx}[rhs style=,one per line,left margin=9mm]
: \meta{Exp} ::= \meta{Exp} \texttt{+} \meta{Exp}
               | \meta{Exp} \texttt{*} \meta{Exp}
               | \meta{Exp} \texttt{=} \meta{Exp}
               | \meta{num}
               | \meta{var}\\
\end{plstx}
\columnbreak
\begin{plstx}[rhs style=,one per line]
: \meta{Stmt} ::= \meta{label} \texttt{:}
                | \meta{var} \texttt{:=} \meta{Exp}
                | \texttt{jmp?} \meta{Exp} \meta{label}
                | \texttt{goto} \meta{label}\\
: \meta{Prog} ::= \meta{Stmt} \ldots{} \meta{Stmt}\\
\end{plstx}
\end{multicols}

\begin{lstlisting}[numbers=none,
                   language={},xleftmargin=10mm]
      a := 1
      n := 5
top:  jmp? n = 0 done
      a := a * n
      n := n + -1
      goto top
done:
\end{lstlisting}

\begin{lstlisting}[numbers=none,
                   language={},xleftmargin=10mm]
      n := 6
      m1 := 0
      m2 := 1
loop: jmp? n = 0 done
      tmp := m2
      m2 := m1 + m2
      m1 := tmp
      n := n + -1
      goto loop
done:
\end{lstlisting}
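
The sign analysis that the text has been building towards, worked
through as an added example; this is not code from the handout or
its author. The Python program below parses the idealised language
exactly as written in the two listings and then computes, for every
program point, the set of signs a variable may have, drawn from
$\{-,0,+\}$: the full set is the \emph{don't-know} answer, the empty
set marks a point the analysis found unreachable, and a worklist
iterates to a fixpoint, which must exist because each such set can
only grow. The function names (\texttt{analyse}, \texttt{branch},
\texttt{parse\_prog}) and the refinement of a \texttt{var = Exp}
test on each side of a \texttt{jmp?} are this example's own choices,
not anything the handout defines.

```python
# Added example (not from the handout): sign analysis for its idealised language.
import re
TOP = frozenset("-0+")                  # the "don't know" answer
NEG, ZERO, POS = (frozenset(s) for s in "-0+")
TOKEN = re.compile(r":=|jmp\?|-?\d+|[A-Za-z_]\w*|[+*=]")
# sign of a single-sign sum or product: 0 is neutral, mixed signs under + are unknown
OPS = {'+': lambda a, b: TOP if {a, b} == {'+', '-'} else frozenset(a + b) - ZERO or ZERO,
       '*': lambda a, b: ZERO if '0' in (a, b) else POS if a == b else NEG}

def parse_exp(toks):
    # recursive descent with precedence = < + < *; the AST is nested tuples
    def atom():
        t = toks.pop(0)
        return ('num', int(t)) if t.lstrip('-').isdigit() else ('var', t)
    def level(op, below):
        left = below()
        while toks and toks[0] == op:
            left = (toks.pop(0), left, below())
        return left
    return level('=', lambda: level('+', lambda: level('*', atom)))

def parse_prog(src):
    # statements as tuples plus a map from each label to its statement index
    stmts, labels = [], {}
    for line in src.strip().splitlines():
        lbl, body = re.match(r"(?:(\w+):(?!=))?\s*(.*)", line.strip()).groups()
        if lbl:
            labels[lbl] = len(stmts)
        toks = TOKEN.findall(body)
        if not toks:
            stmts.append(('nop',))
        elif toks[0] == 'goto':
            stmts.append(('goto', toks[1]))
        elif toks[0] == 'jmp?':
            stmts.append(('jmp', parse_exp(toks[1:-1]), toks[-1]))
        else:                                     # var := Exp
            stmts.append(('assign', toks[0], parse_exp(toks[2:])))
    stmts.append(('nop',))                        # fall-through exit
    return stmts, labels

def abs_exp(e, st):
    # evaluate over sign sets; a variable that was never assigned is TOP
    if e[0] == 'num':
        return NEG if e[1] < 0 else ZERO if e[1] == 0 else POS
    if e[0] == 'var':
        return st.get(e[1], TOP)
    l, r = abs_exp(e[1], st), abs_exp(e[2], st)
    if e[0] in OPS:                               # pointwise over all sign pairs
        return frozenset().union(*(OPS[e[0]](a, b) for a in l for b in r))
    if not l or not r:                            # '=' yields 0 (false) or 1 (true)
        return frozenset()
    return ZERO if not (l & r) else POS if l == r == ZERO else frozenset("0+")

def branch(cond, st, taken):
    # state on one side of 'jmp? cond', or None if that side cannot be taken
    v = abs_exp(cond, st)
    if not v or (taken and v == ZERO) or (not taken and '0' not in v):
        return None
    st = dict(st)
    if cond[0] == '=' and cond[1][0] == 'var':    # a 'var = Exp' test refines var
        x, rhs, cur = cond[1][1], abs_exp(cond[2], st), st.get(cond[1][1], TOP)
        st[x] = cur & rhs if taken else cur - ZERO if rhs == ZERO else cur
    return st

def analyse(src):
    # worklist fixpoint: the joined state reaching each label (None = unreachable)
    stmts, labels = parse_prog(src)
    states, work = [{}] + [None] * (len(stmts) - 1), [0]
    def push(i, st):                              # join st into states[i]
        if st is None or i >= len(stmts):
            return
        old = states[i]
        new = st if old is None else {v: old.get(v, TOP) | st.get(v, TOP)
                                      for v in set(old) | set(st)}
        if new != old:                            # grew: re-examine this point
            states[i] = new
            work.append(i)
    while work:
        i = work.pop()
        st, s = states[i], stmts[i]
        if s[0] == 'jmp':
            push(labels[s[2]], branch(s[1], st, True))
            push(i + 1, branch(s[1], st, False))
        else:
            nxt = {**st, s[1]: abs_exp(s[2], st)} if s[0] == 'assign' else st
            push(labels[s[1]] if s[0] == 'goto' else i + 1, nxt)
    return {lbl: states[i] for lbl, i in labels.items()}

FACTORIAL = """      a := 1
      n := 5
top:  jmp? n = 0 done
      a := a * n
      n := n + -1
      goto top
done:"""
if __name__ == "__main__":
    for lbl, st in analyse(FACTORIAL).items():
        print(lbl, {v: "".join(sorted(s, key="-0+".index)) for v, s in (st or {}).items()})
```

Run on the factorial program it reports, at \texttt{done}, that
\texttt{n} is exactly \texttt{0} and that \texttt{a} is \texttt{-+}:
a definite \emph{yes} to ``is \texttt{n} zero?'', a definite
\emph{no} to ``can \texttt{a} be zero?'', and a \emph{don't know}
about the sign of \texttt{a}, because the abstraction cannot see that
the loop exits at \texttt{n = 0} before \texttt{n} ever turns
negative. On the Fibonacci program (with its \texttt{goto} pointing
at the \texttt{loop} label) it finds \texttt{m2} positive and
\texttt{m1} zero-or-positive at \texttt{done}, which is exactly the
kind of never-negative fact that would let a compiler drop an
underflow test on an array index.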

\bigskip

\noindent What would be missing in comparison with real
(low-level machine) code? Well, the numbers we assume to be of
arbitrary precision, which is not the case in real code. There,
basic number formats have a range and might overflow or
underflow it. Our assumption about variables also does not
correspond to actual registers, of which there is only a
limited number on real hardware. Obviously, real code has richer
operations than just addition, multiplication and equality.
But these are not really essential limitations of our simple
examples.

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: