(Optimal) Program Analysis of Sequential and Parallel Programs

Transcription

1 (Optimal) Program Analysis of Sequential and Parallel Programs Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany 3rd Summer School on Verification Technology, Systems, and Applications Luxemburg, September 6-10, 2010

2 Dream of Automatic Analysis program analyzer result main() { x=17; if (x>63) { y=17;x=10;x=x+1;} else { x=42; while (y<99) { y=x+y;x=y+1;} y=11;} x=y+1; printf(x); } G( Φ FΨ) specification of property

3 Fundamental Problem Rice s Theorem (informal version): All non-trivial semantic properties of programs from a Turing-complete programming language are undecidable. Consequence: For Turing-complete programming languages: Automatic analyzers of semantic properties, which are both correct and complete are impossible. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

4 What can we do about it? Give up automatic : interactive approaches: proof calculi, theorem provers, Give up sound :??? Give up complete : approximative approaches: Approximate analyses: data flow analysis, abstract interpretation, type checking, Analyse weaker formalism: model checking, reachability analysis, equivalence- or preorderchecking,

5 What can we do about it? Give up automatic automatic : interactive approaches: proof calculi,, theorem provers,, Give up sound sound : :??? Give up complete : approximative approaches: Approximate analyses: data flow analysis, abstract interpretation, type checking, Analyse weaker formalism: model checking, reachability analysis, equivalence- or preorderchecking,

6 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Apology for not giving proper credit in these lectures! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

7 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Apology for not giving proper credit in these lectures! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

8 From Programs to Flow Graphs 0 main() { x=17; if (x>63) { y=17;x=10;x=x+1;} else { x=x+42; while (y<99) { y=x+y;x=y+1;} y=11;} x=y+1; } x=17 1 y>63 2 y:=17 (y>63) 5 x=x+42 y< x:=10 (y<99) x=y x:=x+1 10 y:=11 x:=y y=x+y Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

9 Dead Code Elimination Goal: find and eliminate assignments that compute values which are never used Fundamental problem: undecidability use approximate algorithm: e.g.: ignore that guards prohibit certain execution paths Technique: 1) perform live variables analyses: variable x is live at program point u iff there is a path from u on which x is used before it is modified 2) eliminate assignments to variables that are not live at the target point Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

10 Live Variables y>63 0 x=17 1 (y>63) y live 2 5 y:=17 x=x x:=10 (y<99) y<99 x=y+1 7 y=x+y 8 y live 4 9 x:=x+1 x dead y:=11 10 x:=y+1 11

11 Live Variables Analysis {y} {x,y} {y} y>63 0 x=17 1 (y>63) 2 y:=17 {x,y} {y} {x,y} {x,y} 5 x=x+42 {y} 3 {x,y} {y} 6 x:=10 (y<99) 4 9 x:=x+1 y:=11 10 x:=y+1 11 y<99 x=y+1 7 {x,y} y=x+y 8 {y}

12 Interpretation of Partial Orders in Approximate Program Analysis x y: x is more precise information than y. y is a correct approximation of x. X for X L, where (L, ) is the partial order: the most precise information consistent with all informations x X. Example: order for live variables analysis: (P(Var), ) with Var = set of variables in the program Remark: often dual interpretation in the literature!

13 Complete Lattice Complete lattice (L, ): a partial order (L, ) for which the least upper bound, X, exists for all X L. In a complete lattice (L, ): X exists for all X L: X = { x L x X } least element exists: = L = greatest element exists: = = L Example: for any set A let P(A) = {X X A } (power set of A). (P(A), ) is a complete lattice. (P(A), ) is a complete lattice.

14 Specifying Live Variables Analysis by a Constraint System Compute (smallest) solution over (L, ) = (P(Var), ) of: A[ fin] init, for fin, the termination node A[ u] f ( A[ v]), for each edge e = ( u, s, v) e where init = Var, f e :P(Var) P(Var), f e (x) = x\kill e gen e, with kill e = variables assigned at e gen e = variables used in an expression evaluated at e

15 Specifying Live Variables Analysis by a Constraint System Remarks: 1. Every solution is correct (whatever this means). 2. The smallest solution is called MFP-solution; it comprises a value MFP[u] L for each program point u. 3. MFP abbreviates maximal fixpoint for traditional reasons. 4. The MFP-solution is the most precise one.

16 Backwards vs. Forward Analyses Live Variables Analysis is a Backwards Analysis, i.e.: analysis info flows from target node to source node of an edge the initial inequality is for the termination node of the flow graph A[ te] init, for te, the termination point A[ u] f ( A[ v]), for each edge e = ( u, s, v) E Dually, there are Forward Analyses i.e..: e analysis info flows from source node to target node of an edge. the initial inequality is for the start node of the flow graph A[ st] init, for st,the start node A[ v] f ( A[ u]), for each edge e = ( u, s, v) E e Examples: reaching definitions, available expressions, constant propagation,... Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

17 Data-Flow Frameworks Correctness generic properties of frameworks can be studied and proved Implementation efficient, generic implementations can be constructed Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

18 Three Questions Do (smallest) solutions always exist? How to compute the (smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

19 Three Questions Do (smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

20 Knaster-Tarski Fixpoint Theorem Definitions: Let (L, ) be a partial order. f : L L is monotonic iff x,y L : x y f(x) f(y). x L is a fixpoint of f iff f(x)=x. Fixpoint Theorem of Knaster-Tarski: Every monotonic function f on a complete lattice L has a least fixpoint lfp(f) and a greatest fixpoint gfp(f). More precisely, lfp(f) = { x L f(x) x } least pre-fixpoint gfp(f) = { x L x f(x) } greatest post-fixpoint

21 Knaster-Tarski Fixpoint Theorem L: pre-fixpoints of f gfp(f) fixpoints of f lfp(f) post-fixpoints of f Picture from: Nielson/Nielson/Hankin, Principles of Program Analysis

22 Smallest Solutions Always Exist Define functional F : L n L n from right hand sides of constraints such that: σ solution of constraint system iff σ pre-fixpoint of F Functional F is monotonic. By Knaster-Tarski Fixpoint Theorem: F has a least fixpoint which equals its least pre-fixpoint. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

23 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

24 Workset-Algorithm W = ; forall ( program points v) { A[ v] = ; W = W { v} ; } A[ fin] = init; while W { v = Extract( W ); forall ( u, s with e = ( u, s, v) edge) { t = fe( A[ v]); if ( t A[ u]) { A[ u] = A[ u] t; W = W { u} ; } } } Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

25 Invariants of the Main Loop a) A[ u] MFP[ u] f.a. prg. points u b1) A[ fin] init b2) v W A[ u] f ( A[ v]) f.a. edges e = ( u, s, v) e If and when workset algorithm terminates: A is a solution of the constraint system by b1)&b2) A[ u] MFP[ u] f.a. u Hence, with a): A[ u] = MFP[ u] f.a. u Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

26 How to Guarantee Termination Lattice (L, ) has finite heights algorithm terminates after at most #prg points (heights(l)+1) iterations of main loop Lattice (L, ) has no infinite ascending chains algorithm terminates Lattice (L, ) has infinite ascending chains: algorithm may not terminate; use widening operators in order to enforce termination Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

27 Widening Operator [Cousot] : L L L is called a widening operator iff 1) x,y L: x y x y 2) for all sequences (l n ) n, the (ascending) chain (w n ) n w 0 = l 0, w i+1 = w i l i+1 for i > 0 stabilizes eventually.

28 Workset-Algorithm with Widening W = ; forall ( program points v) { A[ v] = ; W = W { v} ; } A[ fin] = init; while W { v = Extract( W ); forall ( u, s with e = ( u, s, v) edge) { t = fe( A[ v]); if ( t A[ u]) { A[ u] = A[ u] t; W = W { u} ; } } } Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

29 Invariants of the Main Loop a) A[ u] MFP[ u] f.a. prg. points u b1) A[ fin] init b2) v W A[ u] f ( A[ v]) f.a. edges e = ( u, s, v) With a widening operator we enforce termination but we loose invariant a). e Upon termination, we have: A is a solution of the constraint system by b1)&b2) A[ u] MFP[ u] f.a. u Compute a sound upper approximation (only)! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

30 Example of a Widening Operator: Interval Analysis The goal Find save interval for the values of program variables, e.g. of i in: for (i=0; i<42; i++) if (0<=i and i<42) { } A1 = A+i; M[A1] = i;..., e.g., in order to remove the redundant array range check.

31 Example of a Widening Operator: Interval Analysis The lattice... ({ } { } ) ( ) Z { } Z { } L, = [ l, u] l, u +, l u,... has infinite ascending chains, e.g.: [0,0] [0,1] [0,2]... A widening operator: [ l, u ] [ l, u ] = [ l, u ], where l l if l l u if u u = and u = otherwise + otherwise A chain of maximal length arising with this widening operator: [3,7] [3, + ] [, + ]

32 Analyzing the Program with the Widening Operator Result is far too imprecise! Example taken from: H. Seidl, Vorlesung Programmoptimierung

33 Remedy 1: Loop Separators Apply the widening operator only at a loop separator (a set of program points that cuts each loop). We use the loop separator {1} here. Identify condition at edge from 2 to 3 as redundant!

34 Remedy 2: Narrowing Iterate again from the result obtained by widening --- Iteration from a prefix-point stays above the least fixpoint! --- We get the exact result in this example (but not guaranteed)!

35 Remarks Can use a work-list instead of a work-set Special iteration strategies in special situations Semi-naive iteration Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

36 Recall: Specifying Live Variables Analysis by a Constraint System Compute (smallest) solution over (L, ) = (P(Var), ) of: A[ fin] init, for fin, the termination node A[ u] f ( A[ v]), for each edge e = ( u, s, v) e where init = Var, f e :P(Var) P(Var), f e (x) = x\kill e gen e, with kill e = variables assigned at e gen e = variables used in an expression evaluated at e

37 Recall: Questions Do (smallest) solutions always exist? How to compute the (smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

38 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

39 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

40 Assessing Data Flow Frameworks Execution Semantics Abstraction MOP-solution sound? how precise? MFP-solution sound? precise? Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

41 Live Variables x := 17 {y} y := 17 x := 10 x := x+1 x := 42 y := 11 y := x+y x := y+1 x := y+1 out(x) infinitely many such paths MOP[ v] = { y} = { y}

42 Meet-Over-All-Paths Solution (MOP) Forward Analysis = p Paths[ entry, u] p MOP[ u] : F ( init) Backward Analysis = p Paths[ u, exit ] p MOP[ u] : F ( init) Here: Join-over-all-paths ; MOP traditional name Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

43 Coincidence Theorem Definition: A framework is positively-distributive if f( X)= { f(x) x X} for all X L, f F. Theorem: For any instance of a positively-distributive framework: MOP[u] = MFP[u] for all program points u (if all program points reachable). Remark: A framework is positively-distributive if a) and b) hold: (a) it is distributive: f(x y) = f(x) f(y) f.a. f F, x,y L. (b) it is effective: L does not have infinite ascending chains. Remark: All bitvector frameworks are distributive and effective. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

44 Lattice for Constant Propagation unknown value lattice L : { ρ ρ : Var ( Z { })} { } : ρ ρ ' : ρ = ( ρ, ρ ' x : ρ( x) ρ '( x))

45 x := 17 ( ρ( x), ρ( y), ρ( z)) x := 2 x := 3 y := 3 y := 2 z := x+y (2,3,5) out(x) (3,2,5) MOP[ v] = (,,5) Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

46 x := 17 ( ρ( x), ρ( y), ρ( z)) (,, ) x := 2 x := 3 (2,, ) (3,, ) y := 3 (2,3, ) (,, ) z := x+y (,, ) out(x) y := 2 (3,2, ) M FP[ v] = (,, ) MOP[ v] = (,,5) Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

47 Correctness Theorem Definition: A framework is monotone if for all f F, x,y L: x y f(x) f(y). Theorem: In any monotone framework: MOP[u] MFP[u] for all program points u. Remark: Any "reasonable" framework is monotone. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

48 Assessing Data Flow Frameworks Execution Semantics Abstraction MOP-solution sound MFP-solution sound precise, if distrib. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

49 Where Flow Analysis Looses Precision Execution semantics MOP MFP Widening Potential loss of precision Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

50 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

51 Abstract Interpretation constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Often used as reference semantics: sets of reaching runs: (D, ) = (P(Edges * ), ) or (D, ) = (P(Stmt * ), ) sets of reaching states ( collecting semantics ): (D, ) = (P(Σ * ), ) with Σ = Var Val Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

52 Abstract Interpretation constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Assume a universally-disjunctive abstraction function α : D D #. Correct abstract interpretation: Show α(o(x 1,...,x k )) # o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) # MFP # [u] f.a. u Correct and precise abstract interpretation: Show α(o(x 1,...,x k )) = o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) = MFP # [u] f.a. u Use this as a guideline for designing correct (and precise) analyses! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

53 Abstract Interpretation Constraint system for reaching runs: Operational justification: Let R[u] be components of smallest solution over P(Edges *). Then Prove: { ε} R[ st], for st, the start node { } R[ v] R[ u] e, for each edge e = ( u, s, v) op R[ u] = R [ u] = { r Edges * st r u} for all u def a) R op [u] satisfies all constraints (direct) R[u] R op [u] f.a. u b) w R op [u] w R[u] (by induction on w ) R op [u] R[u] f.a. u

54 Abstract Interpretation Constraint system for reaching runs: { ε} R[ st], for st, the start node { } R[ v] R[ u] e, for each edge e = ( u, s, v) Derive the analysis: Replace {ε} by init ( ) { e } by f e Obtain abstracted constraint system: # R st init st [ ], for, the start node R [ v] f ( R [ u]), for each edge e = ( u, s, v) # # e

55 Abstract Interpretation MOP-Abstraction: Define α MOP : P(Edges *) L by { } α ( ) ( ) MOP R = f init r R where fε = Id, f = f f r s e e s Remark: For all transfer functions f e are monotone, the abstraction is correct: α ΜOP (R[u]) R # [u] f.a. prg. points u If all transfer function f e are universally-distributive, the abstraction is correct and precise: α ΜOP (R[u]) = R # [u] f.a. prg. points u Justifies MOP vs. MFP theorems (cum grano salis).

56 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

57 Challenges for Automatic Analysis Data aspects: infinite number domains dynamic data structures (e.g. lists of unbounded length) pointers... Control aspects: recursion concurrency creation of processes / threads synchronization primitives (locks, monitors, communication stmts...)... infinite/unbounded state spaces Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

58 Classifying Analysis Approaches control aspects data aspects analysis techniques Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

59 (My) Main Interests of Recent Years Data aspects: algebraic invariants over Q, Z, Z m (m = 2 n ) in sequential programs, partly with recursive procedures invariant generation relative to Herbrand interpretation Control aspects: recursion concurrency with process creation / threads synchronization primitives, in particular locks/monitors Technics: fixpoint-based automata-based (linear) algebra syntactic substitution-based techniques...

60 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

61 A Note on Karr s Algorithm Markus Müller-Olm FernUniversität Hagen (on leave from Universität Dortmund) Joint work with Helmut Seidl (TU München) ICALP 2004, Turku, July 12-16, 2004

62 What this Excursion is About x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x 1 +5 x 3 :=x 3 +x 2 x 3 = x 1 2 x 2 = 2x 1-1

63 Affine Programs Basic Statements: affine assignments: x 1 := x 1-2x 3 +7 unknown assignments: x i :=? abstract too complex statements Affine Programs: control flow graph G=(N,E,st), where N E N Stmt N st N finite set of program points set of edges start node Note: non-deterministic instead of guarded branching

64 The Goal: Precise Analysis Given an affine program, determine for each program point all valid affine relations: a 0 + a i x i = 0 More ambitious goal: a i Q 5x 1 +7x 2-42=0 determine all valid polynomial relations (of degree d): p(x 1,,x k ) = 0 p Q[x 1,,x n ] 5x 1 x 22 +7x 33 =0

65 Applications of Affine (and Polynomial) Relations Data-flow analysis: definite equalities: x = y constant detection: x = 42 discovery of symbolic constants: x = 5yz+17 complex common subexpressions: xy+42 = y 2 +5 loop induction variables Program verification strongest valid affine (or polynomial) assertions (cf. Petri Net invariants)

66 Karr s Algorithm [Karr, 1976] Determines valid affine relations in programs. Idea: Perform a data-flow analysis maintaining for each program point a set of affine relations, i.e., a linear equation system. Fact: Set of valid affine relations forms a vector space of dimension at most k+1, where k = #program variables. can be represented by a basis. forms a complete lattice of height k+1.

67 Deficiencies of Karr s Algorithm Basic operations are complex non-invertible assignments union of affine spaces O(n k 4 ) arithmetic operations n size of the program k number of variables Numbers may have exponential length

68 Our Contribution Reformulation of Karr s algorithm: basic operations are simple O(n k 3 ) arithmetic operations numbers stay of polynomial length: O(n k 2 ) Moreover: generalization to polynomial relations of bounded degree show, algorithm finds all affine relations in affine programs Ideas: represent affine spaces by affine bases instead of lin. eq. syst. use semi-naive fixpoint iteration keep a reduced affine basis for each program point during fixpoint iteration

69 Affine Basis

70 Concrete Collecting Semantics Smallest solution over subsets of Q k of: where V[ st] Q k V[ v] f ( V[ u]), for each edge ( u, s, v) x : = t i x : =? s { } f ( X ) = x[ x t( x)] x X i { Q} f ( X ) = x[ x c] x X, c i i First goal: compute affine hull of V[u] for each u.

71 Abstraction Affine hull: { λ λ Q λ } aff ( X ) = x x X,, = 1 i i i i i The affine hull operator is a closure operator: aff ( X ) X, aff ( aff ( X )) = X, X Y aff ( X ) aff ( Y ) Affine subspaces of Q k ordered by set inclusion form a complete lattice: ({ Q k } ) ( D, ) = X aff ( X ) = X,. Affine hull is even a precise abstraction: Lemma : f ( aff ( X )) = aff ( f ( X )). s s

72 Abstract Semantics Smallest solution over (D, ) of: V # [ st] Q V [ v] f ( V [ u]), for each edge ( u, s, v) # # s k # Lemma: V [ u] = aff ( V[ u]) for all program points u.

73 Basic Semi-naive Fixpoint Algorithm forall ( v N) G[ v] = ; G[ st] = {0, e1,..., ek }; W = {( st,0),( st, e1),...,( st, ek )}; while W { ( u, x) = Extract( W ); forall ( s, v with ( u, s, v) E) { t = s x; if ( t aff ( G[ v])) { G[ v] = G[ v] { t} ; W = W { ( v, t) }; } } }

74 Example 0 1 x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x , 0, 1, aff 1, 3, x 3 :=x 3 +x

75 Correctness Theorem: a) Algorithm terminates after at most nk + n iterations of the loop, where n = N and k is the number of variables. # b) For all, we have ( fin[ ]) = [ v N aff G v V v]. Invariants for b) I1: v N : G[ v] V[ v] and ( u, x) W : x V[ u]. { } ( ) I2: (u,s,v) E: aff G[ v] s x ( u, x) W f ( aff ( G[ u]). s

76 Complexity Theorem: # a) The affine hulls V [ u] = aff ( V[ u]) can be computed in time 3 O( n k ), where n = N + E. b) In this computation only arithmetic operations on numbers 2 with O( n k ) bits are u sed. Store diagonal basis for membership tests. Propagate original vectors.

77 Point + Linear Basis

78 Example 0 1 x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x , 0, 1, , x 3 :=x 3 +x , 0 0 2

79 Determining Affine Relations Lemma: a is valid for X a is valid for aff ( X ). suffices to determine the affine relations valid for affine bases; can be done with a linear equation system! Theorem: a) The vector spaces of all affine relations valid at the program 3 points of an affine program can be computed in time O( n k ). b) This computation performs arithmetic operations on integers 2 with O( n k ) bits only.

80 Example a + a x + a x + a x = 0 is valid at x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x 1 +5 a + 2a + 3a + 4a = a + 2a = a = 0 a = a, a = 2 a, a = x x 1 is valid at x 3 :=x 3 +x , 0 0 2

81 Also in the Paper Non-deterministic assignments Bit length estimation Polynomial relations Affine programs + affine equality guards validity of affine relations undecidable Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

82 End of Excursion 1

83 (Optimal) Program Analysis of Sequential and Parallel Programs Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany 3rd Summer School on Verification Technology, Systems, and Applications Luxemburg, September 6-10, 2010

84 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

85 Interprocedural Analysis Main: c:=a+b procedures P: c:=a+b P() Q() call edges R() Q: a:=7 c:=a+b R: a:=7 c:=a+b P() recursion R()

86 Running Example: (Definite) Availability of the single expression a+b The lattice: false a+b not available false true a+b available Initial value: false c:=c+3 true false true c:=a+b true a:=7 false c:=a+b a:=42 false

87 Intra-Procedural-Like Analysis Conservative assumption: procedure destroys all information; information flows from call node to entry point of procedure Main: false true false st M u 1 u 2 c:=a+b P() λ x. false a:=7 P: st P r P true false c:=a+b true The lattice: false true false u 3 false r M P() λ x. false

88 Context-Insensitive Analysis Conservative assumption: Information flows from each call node to entry of procedure and from exit of procedure back to return point Main: false true true st M u 1 u 2 c:=a+b P() a:=7 P: st P r P true false c:=a+b true The lattice: false true false u 3 true r M P()

89 Context-Insensitive Analysis Conservative assumption: Information flows from each call node to entry of procedure and from exit of procedure bac to return point Main: false true st M u 1 c:=a+b P() P: st P true false The lattice: false true false true u 2 a:=7 r P true false false u 3 false r M P()

90 Recall: Abstract Interpretation Recipe constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Assume a universally-disjunctive abstraction function α : D D #. Correct abstract interpretation: Show α(o(x 1,...,x k )) # o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) # MFP # [u] f.a. u Correct and precise abstract interpretation: Show α(o(x 1,...,x k )) = o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) = MFP # [u] f.a. u Use this as a guideline for designing correct (and precise) analyses! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

91 Example Flow Graph Main: e 0 : e 1 : st M u 1 u 2 c:=a+b P() P: e 4 : st P c:=a+b The lattice: false true e 2 : a:=7 r P e 3 : u 3 P() r M

92 Let s Apply Our Abstract Interpretation Recipe: Constraint System for Feasible Paths Operational justification: Same-level runs: S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p r { w Nodes stmain } R( u) = r Edges : uw for all u { } S( v ) S( u) e e = ( u, s, v ) base edge S(v) S( u) S( p) e = ( u, p, v) call edge p p Reaching runs: Main { ε} R( st ) st entry point of Main { } R( v ) R( u) e e = ( u, s, v ) basic edge R( v ) R( u) S( p) e = ( u, p, v ) call edge R( st ) R( u) e = ( u, p, v ) call edge, st entry point of p Main p p

93 Context-Sensitive Analysis Idea: Phase 1: Compute summary information for each procedure as an abstraction of same-level runs Phase 2: Use summary information as transfer functions for procedure calls in an abstraction of reaching runs Classic approaches for summary informations: 1) Functional approach: [Sharir/Pnueli 81, Knoop/Steffen: CC 92] Use (monotonic) functions on data flow informations! 2) Relational approach: [Cousot/Cousot: POPL 77] Use relations (of a representable class) on data flow informations! 3) Call string approach: [Sharir/Pnueli 81], [Khedker/Karkare: CC 08] Analyse relative to finite portion of call stack!

94 Formalization of Functional Approach Abstractions: Abstract same-level runs with α : Edges ( L L) : α Funct { fr r R } Funct ( R) = for R Edges Abstract reaching runs with α : Edges L : α MOP 1. Phase: Compute summary informations, i.e., functions: # # S ( p) S ( rp ) rp return point of p # S ( stp ) id stp entry point of p # # # S ( v) f S ( u) e = ( u, s, v) base edge e MOP { fr init r R } ( R) = ( ) for R Edges # # # S (v) S ( p) S ( u) e = ( u, p, v) call edge 2. Phase: Use summary informations; compute on data flow informations: # R ( stmain ) init stmain entry point of Main # # # R ( v ) f ( R ( u) ) e = ( u, s, v ) basic edge e # # # R ( v ) S ( p) ( R ( u) ) e = ( u, p, v ) call edge # # R ( st ) R ( u) e = ( u, p, v ) call edge, st entry point of p p p

95 Functional Approach Theorem: Correctness: For any monotone framework: α MOP (R[u]) R # [u] f.a. u Completeness: For any universally-distributive framework: α MOP (R[u]) = R # [u] f.a. u Remark: Alternative condition: framework positively-distributive & all prog. point dyn. reachable a) Functional approach is effective, if L is finite... b)... but may lead to chains of length up to L height(l) at each program point (in general). Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

96 Functional Approach for Availability of Single Expression Problem Observations: Just three montone functions on lattice L: λ x. false k (ill) false true λ x. x λ x. true i (gnore) g (enerate) Functional composition of two such functions f,g : L L: h f f = h if if h = i h { g, k} Analogous: precise interprocedural analysis for all (separable) bitvector problems in time linear in program size.

97 Context-Sensitive Analysis, 1. Phase Main: P() g c:=a+b Q() i P: i i g c:=a+b g the lattice: k i g R() g i k Q: k a:=7 k i g c:=a+b g k R: k a:=7 g i g c:=a+b g P() g k R() g

98 Context-Sensitive Analysis, 2. Phase Main: g false P: i true g false the lattice: false P() true Q() false true true true true false true false R() true Q: k k true g R: k g false g false true false true P() true false R() true

99 Functional Approach Theorem: Correctness: For any monotone framework: α MOP (R[u]) R # [u] f.a. u Completeness: For any universally-distributive framework: Remark: α MOP (R[u]) = R # [u] f.a. u Alternative condition: framework positively-distributive & all prog. point dyn. reachable a) Functional approach is effective, if L is finite... b)... but may lead to chains of length up to L height(l) at each program point. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

100 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

101 Precise Interprocedural Analysis through Linear Algebra Markus Müller-Olm FernUniversität Hagen (on leave from Universität Dortmund) Joint work with Helmut Seidl (TU München) POPL 2004, Venice, January 14-16, 2004

102 Finding Invariants... x 1 -x 2 -x 3 -x 2 x 3 = 0 Main: 0 P: 5 x 1 :=x 2 x 3 :=x x 3 :=0 x 1 -x 2 -x 3 = x 1 :=x 1 +x P() x 1 -x 2 -x 3 = 0 8 P() x 1 :=x 1 -x 2 -x 3 x 1 :=x 1 -x 2 4 x 1 = 0 9

103 through Linear Algebra Linear Algebra vectors vector spaces, sub-spaces, bases linear maps, matrices vector spaces of matrices Gaussian elimination... Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

104 Applications definite equalities: x = y constant propagation: x = 42 discovery of symbolic constants: x = 5yz+17 complex common subexpressions: xy+42 = y 2 +5 loop induction variables program verification... Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

105 A Program Abstraction Affine programs: affine assignments: x 1 := x 1-2x 3 +7 unknown assignments: x i :=? abstract too complex statements! non-deterministic instead of guarded branching Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

106 The Challenge Given an affine program (with procedures, parameters, local and global variables,...) over R : (R the field Q or Z p, a modular ring Z m, the ring of integers Z, an effective PIR,...) determine all valid affine relations: a 0 + a i x i = 0 a i R 5x+7y-42=0 determine all valid polynomial relations (of degree d): p(x 1,,x k ) = 0 p R [x 1,,x n ] 5xy 2 +7z 3-42=0 and all this in polynomial time (unit cost measure)!!!

107 Infinity Dimensions push-down arithmetic Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

108 Use a Standard Approach for Interprocedural Generalization of Karr? Functional approach [Sharir/Pnueli, 1981], [Knoop/Steffen, 1992] Idea: summarize each procedure by function on data flow facts Problem: not applicable Call-string approach [Sharir/Pnueli, 1981], [Khedker/Karkare: CC 08] Idea: take just a finite piece of run-time stack into account Problem: not exact Relational approach [Cousot/Cousot, 1977] Idea: summarize each procedure by approximation of I/O relation Problem: not exact Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

109 Towards the Algorithm...

110 Concrete Semantics of an Execution Path Every execution path π induces an affine transformation of the program state: x : = x + x + 1; x : = x + 1 ( v) x3 : x3 1 ( x1 : x1 x2 1 ( v) ) = = + = v1 1 = x3 : = x v v v1 1 = v v3 1

111 Affine Relations An affine relation can be viewed as a vector: 5 = = 1 x 1-3 x corresponds to a 3 0 Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

112 Affine Assignments induce linear wp- Transformations on Affine Relations { x + x + 5 = 0 } x : = 4x + x + 3 { x 3x + 2 = 0} weakest precondition! A linear transformation: = Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

113 WP of Affine Relations Every execution path π induces a linear transformation of affine post-conditions into their weakest pre-conditions: T x : = x + x + 1; x : = x + 1 ( a) ( T ) = x : = x + x + 1 x : = x + 1 ( a) = x : = x + x a a a a 3 T 1 T = a 0 a1 a 2 a 3 Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

114 Observations Only the zero relation is valid at program start: 0 : 0+0x x k = 0 Thus, relation a 0 +a 1 x 1 + +a k x k =0 is valid at program point v iff M a = 0 for all M { π T π reaches v} iff M a = 0 for all M Span { π T π reaches v} iff M a = 0 for all M in a basis of Span { π T π reaches v} Matrices M form a vector space of dimension (k+1) x (k+1) Sub-spaces form a complete lattice of height O(k 2 ).

115 Let s Apply Our Abstract Interpretation Recipe: Constraint System for Feasible Paths Operational justification: Same-level runs: S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p r { ω Nodes stmain ω } R( u) = r Edges : u for all u { } S( v ) S( u) e e = ( u, s, v ) base edge S(v) S( u) S( p) e = ( u, p, v) call edge p p Reaching runs: Main { ε} R( st ) st entry point of Main { } R( v ) R( u) e e = ( u, s, v ) basic edge R( v ) R( u) S( p) e = ( u, p, v ) call edge R( st ) R( u) e = ( u, p, v ) call edge, st entry point of p Main p p

116 Algorithm for Computing Affine Relations 1) Compute a basis B with: Span B = Span { π T π reaches v} for each program point by a precise abstract interpretation: Lattice: Subspaces of IF (k+1) x (k+1) Replace: { ε} { } concatenation { } e by A for affine assignment edge e = ( u, s, v ) 2) Solve the linear equation system: M a = 0 for all M B by I ( I identity matrix) by matrix product (lifted to subspaces) e Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

117 Theorem In an affine program: The following vector spaces of matrices can be computed precisely: α(r(v)) = Span { π T π R(v) } for each prg. point v. The vector spaces { a F k+1 affine relation a is valid at v } can be computed precisely for all prg. points v. The time complexity is linear in the program size and polynomial in the number of variables: O(n k 8 ) (n size of the program, k number of variables) Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

118 An Example Main: 0 P: 0 x 1 :=x x 3 :=0 2 2 P() 3 3 x 1 :=x 1 -x 2 -x 3 x 3 :=x 3 +1 x 1 :=x 1 +x 2 +1 P() x 1 :=x 1 -x stable! =

119 An Example a + a x + a x + a x = 0 is valid at Main: 0 1 x 1 :=x 2 x 3 := a a a1 = a1 0 and = a a a a3 a = 0 a = a = a x 1 :=x 1 -x 2 -x 3 4 P() Span are valid at , Just the affine relations of the form a x a x a x = 0 (a F)

120 Extensions Also in the paper: Local variables, value parameters, return values Computing polynomial relations of bounded degree Affine pre-conditions Formalization as an abstract interpretation In follow-up papers (see webpage): Computing over modular rings (e.g. modulo 2 w ) or PIRs Forward algorithm Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

121 End of Excursion 2 Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

122 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

123 Interprocedural Analysis of Parallel Programs Main: c:=a+b P: c:=a+b P() Q() P() parallel call edge R() Q: a:=7 c:=a+b R: a:=7 c:=a+b P() R() Q()

124 Interleaving- Operator (Shuffle-Operator) Example: a, b, x, y a, b x, y = a, x, b, y, a, x, y, b x, a, b, y, x, a, y, b, x, y, a, b Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

125 Constraint System for Same-Level Runs Operational justification: r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p Same-level runs: [Seidl/Steffen: ESOP 2000] S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p { } S( v ) S( u) e e = ( u, s, v) base edge S(v) S( u) S( p) e = ( u, p, v ) call edge S(v) S( u) ( S( p ) S( p )) e = ( u, p p, v) parallel call edge p p Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

126 Constraint System for a Variant of Reaching Runs Operational justification: r { c Config stq u } R( u, q) = r Edges : c, At ( c) for progam point u and procedure r { c Config stq } P( q) = r Edges : c q Reaching runs: [Seidl/Steffen: ESOP 2000] R( u, q) S( u) u program point in procedure q R( u, q) S( v ) R( u, p) e = ( v, p,_) call edge in proc. q R( u, q) S( v ) ( R( u, p ) P( p )) e = ( v, p p, _) parallel call edge in proc. q, i = 0, 1 i 1 i 0 1 Interleaving potential: P( p) R( u, p) u program point and p procedure Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

127 Interleaving- Operator (Shuffle-Operator) Example: a, b, x, y a, b x, y = a, x, b, y, a, x, y, b x, a, b, y, x, a, y, b, x, y, a, b The only new ingredient: interleaving operator must be abstracted! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

128 Case: Availability of Single Expression [Seidl/Steffen: ESOP 2000] Abstract shuffle operator: # i g k i i g k g g g k k k k k f f : = f f f f # The lattice: k (ill) i (gnore) g (enerate) Main lemma: { i} fj { g, k, i} : fn... fj + 1 fj... f1 = f { g k}, j = 1 Treat other (separable) bitvector problems analogously... j precise interprocedural analyses for all bitvector problems!

129 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Appendix Conclusion Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

130 Precise Fixpoint-Based Analysis of Programs with Thread-Creation and Procedures Markus Müller-Olm Westfälische Wilhelms-Universität Münster Joint work with: Peter Lammich [same place] CONCUR 2007

131 (My) Main Interests of Recent Years Data aspects algebraic invariants over Q, Z, Z m (m = 2 n ) in sequential programs, partly with recursive procedures invariant generation relative to Herbrand interpretation Control aspects recursion concurrency with process creation / threads synchronization primitives, in particular locks/monitors Technics used fixpoint-based automata-based (linear) algebra syntactic substitution-based techniques...

132 Another Program Model Procedures Entry point, e q, of Q P: 0 Q: 4 Recursive procedure calls A 1 call P spawn Q 5 C call Q 2 6 Basic actions B 3 7 D Spawn commands Return point, x q, of Q

133 Spawns are Fundamentally Different P: 0 Q: 4 A C 1 5 call P spawn Q call Q 2 6 B D 3 7 P induces trace language: L = { A n ( B m (C i D j ) n m 0, i j 0 } Cannot characterize L by constraint system with and. [Bouajjani, MO, Touili: CONCUR 2005]

134 Gen/Kill-Problems Class of simple but important DFA problems Assumptions: Lattice (L, ) is distributive Transfer functions have form f e (l)= (l kill e ) gen e with kill,gen L Examples: bitvector problems, e.g. available expressions, live variables, very busy expressions,... Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

135 Data Flow Analysis Goal: Compute, for each program point u: Forward analysis: MOP F [u] = α F (Reach[u]), where α F (X) = { f w (x 0 ) w X } Backward analysis: MOP B [u] = α B (Leave[u]), where α B (X) = { f w ( ) w R X } w { w c emain c atu c } * w { w c emain c atu c } Reach[u] = :{[ ]} ( ) Leave[u] = :{[ ]} _ ( ) at ( c) w : ( uw) c u f = f f, for w = e e w e e 1 n n 1 Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

136 Data Flow Analysis Goal: Compute, for each program point u: Forward analysis: MOP F [u] = α F (Reach[u]), where α F (X) = { f w (x 0 ) w X } Backward analysis: MOP B [u] = α B (Leave[u]), where α B (X) = { f w ( ) w R X } Problem for programs with threads and procedures: We cannot characterize Reach[u] and Leave[u] by a constraint system with operators concatenation and interleaving. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

137 One Way Out [Lammich/MO: CONCUR 2007] Derive alternative characterization of MOP-solution: reason on level of execution paths exploit properties of gen/kill-problems Characterize the path sets occuring as least solutions of constraint systems Perform analysis by abstract interpretation of these constraint systems Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

138 Forward Analysis Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

139 Directly Reaching Paths and Potential Interleaving at u e Main Reaching path: Directly reaching path: Potential interference: a suitable interleaving of the red and blue paths the red path set of edges in the blue paths (note: no order information!) Formalization by augmented operational semantics with markers (see paper)

140 Forward MOP-solution Theorem: For gen/kill problems: MOP F [u] = α F (DReach[u]) α PI (PI[u]), where α PI (X) = { gen e e X }. Remark DReach[u] and PI[u] can be characterized by constraint systems (see paper) α F (DReach[u]) and α PI (PI[u]) can be computed by an abstract interpretation of these constraint systems Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

141 Characterizing Directly Reaching Paths Same level paths: Directly reaching paths: Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

142 Backwards Analysis Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

143 Directly Leaving Paths and Potential Interleaving at u e Main Leaving path: Directly leaving path: Potential interference: a suitable interleaving of orange, black and parts of blue paths a suitable interleaving of orange and black paths the edges in the blue paths Formalization by augmented operational semantics with markers (see paper)

144 Interleaving from Threads created in the Past Theorem: For gen/kill problems: MOP B [u] = α B (DLeave[u]) α PI (PI[u]), where α PI (E) = { gen e e E }. Remark We know no simple characterization of DLeave[u] by a constraint system. Main problem: Threads generated in a procedure instance survive that instance. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

145 Representative Directly Leaving Paths at u 3 5 A representative directly leaving path: Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

146 Interleaving from Threads created in the Future Lemma α B (DLeave[u]) = α B (RDLeave[u]) (for gen/kill problems). Corollary MOP B [u] = α B (RDLeave[u]) α PI (PI[u]) (for gen/kill problems). Remark RDLeave[u] and PI[u] can be characterized by constraint systems (see paper) α B (RDLeave[u]) and α PI (PI[u]) can be computed by an abstract interpretation of these constraint systems Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

147 Also in the Paper Formalization of these ideas constraint systems for path sets validation with respect to operational semantics Parallel calls in combination with threads threads become trees instead of stacks... Analysis of running time: global information in time linear in the program size Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

148 Summary Forward- and backward gen/kill-analysis for programs with threads and procedures More efficient than automata-based approach More general than known fixpoint-based approach Current work: Precise analysis in presence of locks/monitors (see papers at SAS 2008, CAV 2009 for first results) Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

149 End of Excursion 3

150 Appendix Regular Symbolic Analysis of Dynamic Networks of Pushdown Systems

151 DPNs: Dynamic Pushdown-Networks A dynamic pushdown-network (over a finite set of actions Act) consists of: P, a finite set of control symbols Γ, a finite set of stack symbols, a finite set of rules of the following form a pγ p w 1 1 a pγ p w p w (with p,p 1,p 2 P, γ Γ, w 1,w 2 Γ *, a Act). Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

152 DPNs: Dynamic Pushdown-Networks A State of a DPN is a word in (PΓ*) + : p w p w p w p P w k * k k (with i, i Γ, > 0)... an infinite state space The transition relation of a DPN: ( γ a ) p p w : u pγ v u p w v a ( a γ ) p p w p w : u pγ v u p w p w v a Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

153 Example Consider the following DPN with a single rule a pγ pγγ qγ Transitions: pγ qγ pγγ qγ qγ pγγγ qγ qγ qγ pγγγγ qγ qγ qγ qγ pγγγγγ Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

154 Reachability Analysis Given: Model of a system: M Set of system states: Bad Reachability analysis: Can a state from Bad be reached from an initial states of the system? σ,..., σ : Init σ σ Bad? 0 k 0 k Applications: Check safety properties: Bad is a set of states to be avoided More applications by iterated computation of reachability sets for submodels of the system model, e.g. data-flow analysis...

155 Given: Model of a system: M Set of system states: Bad Reachability Analysis Reachability analysis: Can a state from Bad be reached from an initial state of the system? σ,..., σ : Init σ σ Bad? 0 k 0 Def.: - pre*(x) = df { σ σ X: σ * σ } - post*(x) = df { σ σ X: σ * σ} k Equivalent formulations of reachability analysis: pre*(bad) Init post*(init) Bad Computation of pre* or post* is key to reachability analysis

156 Reachability Analysis of Finite State Systems ϕ n ϕ 0 =Init ϕ 1 ϕ 2 ϕ 3 ϕ n-1 Bad ϕ0 = df Init ϕi + 1 = df ϕi post( ϕi ) post( X) = ' X : ' Bad reachable from initial state df { σ σ σ σ } Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

157 Reachability Analysis of Finite State Systems ϕ n-1 =ϕ n ϕ 0 =Init ϕ 1 ϕ 2 ϕ 3 Bad ϕ0 = df Init ϕi + 1 = df ϕi post( ϕi ) post( X) = ' X : ' Bad not reachable from initial state df { σ σ σ σ } Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

158 Problems with Infinite-State Systems State setsφ i can be infinite symbolic representation of (certain) infinite state sets Here: by finite automata Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

159 Example: Representation of an Infinite State Set of a DPN by a Word Automaton An automaton A: p q γ p q γ p q γ γ The regular set of states represented by A: L( A) = * ( qγ qγ pγ ) *... an infinite set of states. Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,

160 Problems with Infinite-State Systems State setsφ i can be infinite symbolic representation of (certain) infinite state sets Here: by finite (word) automata Iterated computation of reachability sets does not terminate in general Methods for acceleration of the computation Here: by computing with finite automata

161 Computing pre* for DPNs with Finite Automata Theorem [Bouajjani, MO, Touili, 2005] For every DPN and every regular state set R, pre*(r) is regular and can be computed in polynomial time. Proof: [Bouajjani/Esparza/Maler, 1997] Generalization of a known technique for single pushdown systems: saturation of an automaton for R. Reachability analysis is effective for regular sets Bad of states! Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10,