A Fixpoint Calculus for Local and Global Program Flows

Transcription

1 A Fixoint Calculu for Local and Global Program Flow Rajeev Alur Univerity of Pennylvania Swarat Chaudhuri Univerity of Pennylvania P. Madhuudan Univerity of Illinoi, Urbana-Chamaign Abtract We define a new fixoint modal logic, the viibly uhdown µ-calculu (VP-µ), a an extenion of the modal µ-calculu. The model of thi logic are execution tree of tructured rogram where the rocedure call and return are made viible. Thi new logic can exre uhdown ecification on the model that it claical counterart cannot, and i motivated by recent work on viibly uhdown language [4]. We how that our logic naturally cature everal intereting rogram ecification in rogram verification and dataflow analyi. Thi include a variety of rogram ecification uch a comuting combination of local and global rogram flow, re/ot condition of rocedure, ecurity roertie involving the context tack, and interrocedural dataflow analyi roertie. The logic can cature flow-enitive and interrocedural analyi, and it ha contruct that allow kiing rocedure call o that local flow in a rocedure can alo be tracked. The logic generalize the emantic of the modal µ-calculu by conidering ummarie intead of node a firt-cla object, with aroriate contruct for concatenating ummarie, and naturally cature the way in which uhdown model are model-checked. The main reult of the aer i that the model-checking roblem for VP-µ i effectively olvable againt uhdown model with no more effort than that required for weaker logic uch a CTL. We alo invetigate the exreive ower of the logic VP-µ: we how that it encomae all roertie exreed by a correonding uhdown temoral logic on linear tructure (CARET [2]) a well a by the claical µ-calculu. Thi make VP-µ the mot exreive known rogram logic for which algorithmic oftware model checking i feaible. In fact, the decidability of mot known rogram logic (µ-calculu, temoral logic LTL and CTL, CARET, etc.) can be undertood by their interretation in the monadic econd-order logic over tree. Thi i not true for the logic VP- µ, making it a new owerful tractable rogram logic. Categorie and Subject Decritor D.2.4 [Software Engineering]: Software/Program Verification Model checking; F.3.1 [Theory of Comutation]: Secifying and Verifying and Reaoning Thi reearch wa artially uorted by ARO URI award DAAD and NSF award CCR Permiion to make digital or hard coie of all or art of thi work for eronal or claroom ue i granted without fee rovided that coie are not made or ditributed for rofit or commercial advantage and that coie bear thi notice and the full citation on the firt age. To coy otherwie, to reublih, to ot on erver or to reditribute to lit, require rior ecific ermiion and/or a fee. POPL 06 January 11 13, 2006, Charleton, South Carolina, USA. Coyright c 2006 ACM /06/ $5.00. about Program; F.4.1 [Theory of Comutation]: Mathematical Logic Temoral logic General Term Algorithm, Theory, Verification Keyword Logic, ecification, verification, µ-calculu, infinitetate, model-checking, game, uhdown ytem 1. Introduction The µ-calculu [20, 16] i a modal logic with fixoint interreted over labeled tranition ytem, or equivalently, over their tree unfolding. It i an extenively tudied ecification formalim with alication to rogram analyi, comuter-aided verification, and databae query language [13, 25]. From a theoretical erective, it tatu a the canonical temoral logic for regular requirement i due to the fact that it exreivene exceed that of all commonly ued temoral logic uch a LTL, CTL, and CTL, and equal that of alternating arity tree automata or the biimulation-cloed fragment of monadic econd-order theory over tree [14, 18]. From a ractical tandoint, iterative comutation of fixoint naturally ugget ymbolic evaluation, and ymbolic model checker uch a SMV check CTL roertie of finite-tate model by comiling them into µ-calculu formula [8, 21]. In thi aer, we focu on the role of µ-calculu to ecify roertie of labeled tranition ytem correonding to uhdown automata, or equivalently, Boolean rogram [5] or recurive tate machine (RSM) [3, 7]. Such uhdown model can cature the control flow in tyical equential imerative rogramming language with recurive rocedure call, and are central to interrocedural dataflow analyi [22] and oftware model checking [6, 17]. While algorithmic verification of µ-calculu roertie of uch model i oible [26, 10], claical µ-calculu cannot exre uhdown ecification that require inection of the tack or matching of call and return. Even though the general roblem of checking uhdown roertie of uhdown automata i undecidable, algorithmic olution have been rooed for checking many different kind of non-regular roertie [19, 12, 15, 11, 2, 4]. Thee include acce control requirement uch a a module A hould be invoked only if the module B belong to the call-tack, bound on tack ize uch a after any oint where hold, the number of interrut-handler in the call-tack hould never exceed 5 and the claical Hoare-tyle correctne requirement of rogram module with re- and ot-condition, uch a if hold when a module i invoked, the module mut return, and q mut hold on return. In the rogram analyi literature, it ha been argued that data flow analyi, uch a the comutation of live variable and very buy exreion, can be viewed a evaluating µ-calculu formula over abtraction of rogram [24, 23]. Thi correondence doe not hold when we need to account for local data flow ath. For intance, for an exreion e that involve a variable local to a rocedure P, the et of control oint within P at which e i very

2 buy (that i, e i guaranteed to be ued before any of it variable get modified), cannot be ecified uing a µ-calculu formula even though interrocedural dataflow analyi can comute thi information. The goal of thi aer i to identify a fixoint calculu that can exre uch uhdown requirement and yet ha a decidable model checking roblem with reect to uhdown model. Our earch for uch a calculu wa guided by the recently rooed framework of viibly uhdown language for linear-time roertie [4]. In thi variation of uhdown automata over word, the inut ymbol determine when the uhdown automaton can uh or o, and thu the tack deth at every oition. The reulting cla of language i cloed under union, interection, and comlementation, and roblem uch a incluion that are undecidable for context-free language are decidable for viibly uhdown automata. Thi imlie that checking uhdown roertie of uhdown model i feaible a long a the call and return are made viible allowing the tack of the roerty and the model to ynchronize. Thi viibility requirement eem only natural while writing requirement about re/ot condition or for interrocedural flow roertie. The linear-time temoral logic CARET i baed on the ame rincile: it formula are interreted over equence tagged with call and return, and it yntax include for each temoral modality, beide it claical global verion, a local verion that jum from a call-tate to the matching return-tate, and thu, can exre non-regular roertie, without cauing undecidability. In order to develo a viibly uhdown branching-time logic, we conider tructured tree a model. In a tructured tree, node are labeled with atomic rooition a in Krike model, and edge are tagged a call, return, or local. To aociate a tructured tree with a rogram (or it abtraction), we mut chooe the et of obervable atomic tate roertie, tag edge correonding to call and return from rogram block aroriately, and then take the tree unfolding of thi abtract rogram model. The abtract model can be an abtraction of the rogram at any level of abtraction: from the keletal control-flow grah to boolean redicate abtraction of rogram. We define the viibly uhdown µ-calculu (VP-µ) over tructured tree. The variable of the calculu evaluate not over et of tate, but rather over et of ubtree that cature ummarie of comutation in the current rogram block. The fixoint oerator in the logic then comute fixoint of ummarie. For a given tate of a tructured tree, conider the ubtree rooted at uch that the leave correond to exit from the current block: different ath in the ubtree correond to different comutation of the rogram, and the firt unmatched return edge along a ath lead to a leaf (ome ath may be infinite correonding to cycle that never return in the abtracted rogram). In order to be able to relate ath in thi ubtree to the tree rooted at the leave, we allow marking of the leave: a 1-ary ummary i ecified by the root and a ubet U of the leave of the ubtree rooted at. Each formula of the logic i evaluated over uch a ummary. The central contruct of the logic correond to concatenation of call tree: the formula call ϕ{ψ} hold at a ummary, U if the tate ha a call-edge to a tate t, and there exit a ummary t, V atifying ϕ and for each leaf v that belong to V, the ubtree v, U atifie ψ. Our logic i bet exlained uing the ecification of local reachability: let u identify the et of all ummarie, U uch that there i a local ath from to ome node in U (i.e. all call from the initial rocedure mut have returned before reaching U). In our logic, thi i written a the formula ϕ = µx. ret R 1 loc X call X{X}. The above mean that X i the mallet et of ummarie of the form,u uch that (1) there i a ret-labeled edge from to ome node in U, (2) there i a loc-labeled edge from to t and there i a ummary t, U in X, or (3) there i a call-labeled edge from to t and a ummary t, V in X uch that from each v V, v, U i a ummary in X. Notice that the above formula identifie the ummarie in the natural way it will be comuted on a uhdown ytem: comute the local ummarie of each rocedure, and udate the reachability relation uing the call-to-return ummarie found in the rocedure called. Uing the above formula, we can tate local reachability of a tate atifying a: µy.( loc Y call ϕ{y }) which intuitively tate that Y i the et of ummarie (, U) where there i a local ath from to U that goe through a tate atifying. The initial ummary (involving the initial tate of the rogram) atifie the formula only if a -labeled tate i reachable in the to-mot context, which cannot be tated in the tandard µ-calculu. Thi examle alo illutrate how local flow in the context of dataflow analyi can be catured uing our logic. In general, we allow marking of the leave with k color: a k-colored ummary rooted at a node conit of k ubet of the leave of the ubtree rooted at thi node. The k-ary concatenation formula call ϕ{ψ 1,... ψ k } ay that the called rocedure hould atify ϕ, and the ubtree at the return node labeled with color i hould atify the requirement ψ i. While the concatenation oeration i a owerful recurive contruct that allow the logic to exre uhdown roertie, multile color allow exreion of branching-time roertie that can roagate between the called and the calling context. The main reult of thi aer i that the logic VP-µ can be model-checked effectively. Given a model of a rogram a a recurive tate machine [3, 7], or equivalently a uhdown ytem, and a VP-µ formula ϕ, we how that we can model-check whether the tree unfolding of the model atifie ϕ in exonential time (the rocedure i exonential in both the formula and the model). For a fixed formula ϕ, however, the model-checking roblem i only olynomial in the number of tate in the model and exonential in the number of control location where a rocedure in the model may return. The model-checking algorithm work by comuting fix-oint of the ummary et inductively, and illutrate how the emantic of the logic naturally ugget a model-checking algorithm. The comlexity of model-checking VP-µ i EXPTIMEcomlete, which matche the comlexity of model-checking the tandard µ-calculu on uhdown ytem (in fact, model-checking alternating reachability roertie i already EXPTIME hard [26]). Finally, we tudy ome exreivene iue for the logic VP- µ. We firt how that VP-µ cature the temoral logic CARET, which i a linear-time temoral logic over viibly uhdown word that can cature everal intereting uhdown ecification roertie. Thi how that our branching-time logic cature the relevant counterart logic over linear model, much the ame way a the tandard µ-calculu cature the temoral logic LTL. Thi make VP-µ the mot exreive known ecification logic of rogram with a decidable model checking roblem with reect to Boolean rogram. We alo how that the notion of k-color in the logic i imortant by roving a hierarchy theorem: formula of VP-µ that ue k color are trictly weaker than formula that ue (k + 1) color. Finally, we how that the atifiability roblem for VP-µ i undecidable. Note that thi i not an iue a we are really only intereted in the model-checking roblem; in fact the reult erve to illutrate how owerful the logic VP-µ i. The aer i organized a follow. Section 2 introduce tructured tree and ummarie and Section 3 define the logic VP-µ. In Section 4 we reent variou roertie that can be exreed uing VP-µ, including reachability, local reachability, exreion for variou temoral modalitie like eventually and until, ecurity roertie that involve inection of tack, tack overflow roertie, roertie decribing re and ot-condition for rocedure, roertie of acce control and ome data-flow analyi roertie

3 uch a very buy exreion. Section 5 how how recurive tate machine model of rogram can be model-checked againt VP-µ formula, Section 6 contain reult on exreivene and undecidability of atifiability, and we conclude with ome dicuion in Section Structured tree Let AP be a finite et of atomic rooition, and I = {call,ret,loc} a fixed et of tag. We are intereted in tree whoe node and edge are reectively labeled by rooition and tag, and model abtract tate and tatement in equential, tructured, oibly recurive rogram. Formally, an (AP, I)-labeled tree i a tule S = (S, 0, E, λ, η), where (S, 0, E) i a tree with node et S, root node 0 and edge relation E, the node-labeling function λ : S 2 AP label node with et of rooition they atify, and the tranition-labeling function η : E I tag tranition a rocedure call (labeled by call), rocedure return (ret), or local a tatement within rocedure (loc). For a I, we write a horthand for (, ) E and η((, )) = a. A finite ath in an (AP, I)-labeled tree i a equence π = n over S uch that ( i, i+1) E for all 1 i < n. We will extend η to ath in S a follow. Let e i rereent the tranition ( i, i+1) in the above ath π. Then η(π) i the word η(e 1)η(e 2)... η(e n 1) over the alhabet I. Such a labeling let u mark certain ath in S a matched. A ath π in S i called matched if and only if w = η(π) i of the form w := loc call w ret ww. Given node and in S, we call a matching return of if and only if there i a matched ath π = n uch that ret n. Intuitively, model the firt tate that the underlying rogram reache on oing the context of off it tack frame. The et of matching return of i written a MR(). Then: DEFINITION 1. A tructured tree over AP i an (AP, I)-labeled tree with root 0 that atifie MR( 0) =. (a) 2 1 (b) q q 7 5 q q q color 2 q color 1 12 Legend: ret call loc Figure 1. (a) A tructured tree (b) A 2-colored ummary Intuitively, ath from the root in tructured tree do not have exce return that do not match any call a tructured tree model the branching behavior of a rogram from a tate to, at mot, the end of the rocedural context where lie. Alo oberve that the maximal ubtree rooted at an arbitrary node in a tructured tree i not, in general, tructured. Fig. 1-a how a tructured tree, with node 1,..., 15 and tranition labeled call, ret and loc. Some of the node are labeled by rooition and q. Note articularly the matching return relation; for intance, the node 10, 11, 12, and 15 are matching return for the node 2. Alo, MR( 1) = Summarie We are intereted in ubtree of tructured tree wholly contained within rocedural context; uch a ubtree model the branching behavior of a rogram from a tate to each return oint of it context. Each uch ubtree rooted at ha a ummary comriing (1) the node, and (2) the et of all node that are reached on return from it context, i.e., MR(). Alo, in order to demand different temoral requirement at different return for a context, we introduce a coloring of node in MR() intuitively, a return get color i if it i to atify the i-th requirement. Note that uch colored ummarie are defined for all and that, in articular, we do not require to be an entry node of a rocedure. Set of uch ummarie define the emantic of formula in VP-µ. Formally, for a non-negative integer k, a k-colored ummary i a tule, U 1, U 2,..., U k, where S and U 1, U 2,..., U k MR(). For examle, in Fig. 1-a, 1 i a valid 0-colored ummary, and 2, { 11, 12}, { 10, 12} and 3, { 6}, are valid 2-colored ummarie. The et of all ummarie in S, each k-colored for ome k, i denoted by S. Oberve how each ummary decribe a ubtree along with a coloring of ome of it leave. For intance, the ummary = 2, { 11, 12}, { 10, 12} mark the ubtree in Fig. 1-b. Such a tree may be contructed by taking the ubtree of S rooted at node 2, and choing off the ubtree rooted at MR( 2). Note that becaue of unmatched infinite ath from the root, uch a tree may in general be infinite. Now, node 11 and 12 are aigned the color 1, and node 10 and 12 are colored 2. The node 15 i not colored. Alo, note that in the linear-time etting, a air (, ), where MR(), would uffice a a ummary, and that thi i the way in which traditional ummarization-baed deciion rocedure have defined ummarie. On the other hand, for branching-time reaoning, uch a imle definition i not enough. 3. A fixoint calculu of call and return 3.1 Syntax In addition to being interreted over ummarie, the logic VP-µ differ from claical calculi like the modal µ-calculu [20] in a crucial way: it yntax and emantic exlicitly recognize the rocedural tructure of rogram via modalitie call, ret and loc. A ditinction i made between call-edge, along which a rogram uhe frame on it tack, ret-edge, which require a o from the tack, and loc-edge, which change the rogram counter and local and global tore without modifying the tack. Alo, in order to enforce different return condition at differently colored return in a ummary, it can a formula a arameter to call modalitie. Formally, let AP be a finite et of atomic rooition, Var be a finite et of variable, and {R 1, R 2,...} be a et of marker. Then, for AP and X Var, formula ϕ of VP-µ are defined by: ϕ := X ϕ ϕ ϕ ϕ µx.φ νx.φ call ϕ{ψ 1, ψ 2,..., ψ k } [call] ϕ{ψ 1, ψ 2,..., ψ k } loc ϕ [loc] ϕ ret R i [ret] R i, where k 0 and i 1. Let u define the yntactic horthand tt = and ff = for ome AP. Alo, let the arity of a VP-µ formula ϕ be the maximum k uch that ϕ ha a ubformula of the form call ϕ {ψ 1,..., ψ k } or [call]ϕ {ψ 1,..., ψ k }. Intuitively, the marker R i in a formula are bound by call and [call] modalitie, and variable X are bound by fixoint quantifier µx and νx. We require our call-formula to bind all the marker in their coe. Formally, let the maximum marker index ind(ϕ) of a formula ϕ be defined inductively a: ind(ϕ 1 ϕ 2) = ind(ϕ 1 ϕ 2) = max{ind(ϕ 1),ind(ϕ 2)}; ind( loc ϕ) = ind([loc]ϕ) = ind(µx.ϕ) = ind(νx.ϕ) = ind(ϕ); and

4 (a) (c) P 1 foo P 2 color 1 1 color 2 2 (b) P 1 P 2 color 1 r 1 r2 r 3 color 2 Figure 2. (a) Local modalitie (b) Call modalitie (c) Matching context. ind( ret R i) = ind([ret]r i) = i. For each AP and X Var, let u define ind() = ind(x) = 0. Finally, let u have ind( call ϕ{ψ 1,..., ψ k }) = ind([call]ϕ{ψ 1,..., ψ k }) = max{ind(ψ 1),...,ind(ψ k )}. We will only be intereted in formula where for every ubformula χ of the form call χ {ψ 1,..., ψ k } or [call]χ {ψ 1,..., ψ k }, we have ind(χ ) k. Such a formula ϕ i aid to be marker-cloed if ind(ϕ) = 0. The et Free(ϕ) of free variable in a VP-µ formula ϕ i defined a: Free(ϕ 1 ϕ 2) = Free(ϕ 1 ϕ 2) = Free(ϕ 1) Free(ϕ 2); Free( loc ϕ) = Free([loc]ϕ) = Free(ϕ); and Free( ret R i) = Free([ret]R i) =. We have Free( call ϕ{ψ 1,..., ψ k }) = Free([call]ϕ{ψ 1,..., ψ k }) = Free(ϕ) Free(ψ 1)... Free(ψ k ); for each AP and X Var, Free() = and Free(X) = {X}. Finally, we have Free(µX.ϕ) = Free(νX.ϕ) = Free(ϕ) \ {X}. A formula ϕ i aid to be variable-cloed if it ha Free(ϕ) =. We call ϕ cloed if it i marker-cloed and variablecloed. 3.2 Semantic Like in the modal µ-calculu, formula in VP-µ encode et, in thi cae et of ummarie. Alo like in the µ-calculu, modalitie and boolean and fixed-oint oerator allow u to encode comutation on thee et. To undertand the emantic of local ( loc and [loc]) modalitie in VP-µ, conider the 2-colored ummary = 3, { 6}, { 8} in the tree S in Fig. 1-a. We oberve that when control move from node 3 to 5 along a local edge, the current context tay the ame, but the et of return that can end it and are reachable from the current control oint get retricted (MR( 5) MR( 3)). The temoral requirement that we demand on return from the current context tay the ame modulo thi retriction. Conequently, the 2- colored ummary = 5,, { 8} decribe rogram flow from thi oint to the end of the current context and the requirement to be atified at the latter. We ue modalitie loc and [loc] to reaon about uch local ucceion. For intance, in thi cae, ummary will be aid to atify the formula loc q. An intereting viual inight about the tructure of the tree S for come from Fig. 2-a. Note that the tree S for hang from the former by a local edge; additionally, (1) every leaf of S i a leaf of S, and (2) uch a leaf get the ame color in and. Succeion along call edge i more comlex, becaue along uch an edge, a frame i uhed on a rogram tack and a new calling context get defined. In Fig. 1-a, take the ummary = 2, { 11}, { 12}, and uoe we want to aert a 3- arameter call formula call ϕ {q,,tt} at 2. Thi require u to conider a 3-colored ummary of the context tarting at 3, where matching return of 3 atifying q, and tt are reectively marked by color 1, 2 and 3. Clearly, thi ummary i = 3, { 6}, { 8}, { 6, 8}. Our formula require that atifie ϕ. In general, we could have formula of the form ϕ = call ϕ {ψ 1, ψ 2,..., ψ k }, where ψ i are arbitrary VP-µ formula. To ee what thi mean, look at the ummarie r 1 = 6,, { 12} and r 2 = 8, { 11},, which cature flow (under the aumed coloring of MR( 2)) from 6 and 8 to the end of the context they are in. To ee if ϕ i atified, we will need to conider a ummary rooted at 3 where the color i i aigned to node 6 and 8 reciely when r 1 and r 2 reectively atify ψ i. Now, we require to atify ϕ. So far a the tructure of thee tree go, we find that the above require a lit of the tree S for ummary in the way hown in Fig. 2-b. The root of thi tree mut have a call-edge to the root of the tree for, which mut atify ϕ. At each leaf of S colored i, we mut be able to concatenate a ummary tree S atifying ψ i uch that (1) every leaf in S i a leaf of S, and (2) each uch leaf get the ame et of color in S and S. A for the return modalitie, we ue them to aert that we return at a oint colored i. Becaue the binding of thee color to temoral requirement wa fixed at a context that called the current context, the ret-modalitie let u relate a ath in the latter with the continuation of a ath in the former. For intance, in Fig. 2- c, where the rectangle abtract the art of a rogram unfolding within the body of a rocedure foo, the marking of return oint 1 and 2 by color 1 and 2 i viible inide foo a well a at the call ite of foo. Thi let u match ath P 1 and P 2 inide foo reectively with ath P 1 and P 2 in the calling rocedure. Thi let VP-µ cature the uhdown tructure of branching-time run of a rocedural rogram. Let u now decribe the emantic of VP-µ formally. A VP-µ formula ϕ i interreted in an environment that interret variable in Free(ϕ) a et of ummarie in a tructured tree S. Formally, an environment i a ma E : Free(ϕ) 2 S. Let u write [ϕ] S E to denote the et of ummarie in S atifying ϕ in environment E (uually S will be undertood from the context, and we will imly write [ϕ] E ). For a ummary =, U 1, U 2,..., U k, where S and U i MR() for all i, atifie ϕ, i.e., [ϕ] E, if and only if one of the following hold: ϕ = AP and λ() ϕ = for ome AP, and / λ() ϕ = X, and E(X) ϕ = ϕ 1 ϕ 2 uch that [ϕ 1] E or [ϕ 2] E ϕ = ϕ 1 ϕ 2 uch that [ϕ 1] E and [ϕ 2 ] E ϕ = call ϕ {ψ 1, ψ 2,..., ψ m}, and there i a t S uch that (1) call t, and (2) the ummary t = t, V 1, V 2,..., V m, where for all 1 i m, V i = MR(t) { :, U 1 MR( ),..., U k MR( ) [ψ i ] E}, i uch that t [ϕ ] E ϕ = [call] ϕ {ψ 1, ψ 2,..., ψ m}, and for all t S uch that call t, the ummary t = t, V 1, V 2,..., V m, where for all 1 i m, V i = MR(t) { :, U 1 MR( ),..., U k MR( ) [ψ i ] E}, i uch that t [ϕ ] E ϕ = loc ϕ, and there i a t S uch that loc t and the ummary t = t, V 1, V 2,..., V k, where V i = MR(t) U i, i uch that t [ϕ ] E ϕ = [loc] ϕ, and for all t S uch that loc t, the ummary t = t,v 1, V 2,..., V k, where V i = MR(t) U i, i uch that t [ϕ ] E

5 ϕ = ret R i, and there i a t S uch that ret t and t U i ϕ = [ret] R i, and for all t S uch that ret t, we have t U i ϕ = µx.ϕ, and S for all S S atifying [ϕ ] E[X:=S] S ϕ = νx.ϕ, and there i ome S S uch that (1) S [ϕ ] E[X:=S] and (2) S. Here E[X := S] i the environment E uch that (1) E (X) = S, and (2) E (Y ) = E(Y ) for all variable Y X. We ay a node atifie a formula ϕ if the 0-colored ummary atifie ϕ. A tructured tree S rooted at 0 i aid atify ϕ if 0 atifie ϕ (we denote thi by S = ϕ). A few obervation are in order. Firt, while VP-µ doe not allow formula of form ϕ, it i cloed under negation o long a we tick to cloed formula. Given a cloed VP-µ formula ϕ, conider the formula Neg(ϕ), defined inductively in the following way: Neg() =, Neg( ) =, Neg(X) = X Neg(ϕ 1 ϕ 2) = Neg(ϕ 1) Neg(ϕ 2), and Neg(ϕ 1 ϕ 2) = Neg(ϕ 1) Neg(ϕ 2) If ϕ = call ϕ {ψ 1, ψ 2,..., ψ k }, then Neg(ϕ) = [call] Neg(ϕ ){Neg(ψ 1),Neg(ψ 2),...,Neg(ψ k )} If ϕ = [call] ϕ {ψ 1, ψ 2,..., ψ k }, then Neg(ϕ) = call Neg(ϕ ){Neg(ψ 1),Neg(ψ 2),...,Neg(ψ k )} Neg( loc ϕ ) = [loc]neg(ϕ ), and Neg([loc]ϕ ) = loc Neg(ϕ ) Neg( ret R i) = [ret]r i, and Neg([ret]R i) = ret R i Neg(µX.ϕ) = νx.neg(ϕ), and Neg(νX.ϕ) = µx.neg(ϕ) Performing induction on the tructure of ϕ, we obtain: THEOREM 1. For all cloed VP-µ formula ϕ, [ϕ] = S \ [Neg(ϕ)]. Second, note that the emantic of cloed VP-µ formula i indeendent of the environment; cutomarily, we will evaluate uch formula in the unique emty environment : S. More imortantly, the emantic of uch a formula ϕ doe not deend on current color aignment; in other word, for all =, U 1, U 2,..., U k, [ϕ] iff [ϕ]. Conequently, when ϕ i cloed, we can infer that node atifie ϕ from ummary atifie ϕ. Third, every VP-µ formula ϕ(x) with a free variable X can be viewed a a ma ϕ(x) : 2 S 2 S defined a follow: for all environment E and all ummary et S S, ϕ(x)(s) = [ϕ(x)] E[X:=S]. It i not hard to verify that thi ma i monotonic, and that therefore, by the Tarki-Knater theorem, it leat and greatet fixed oint exit. The formula µx.ϕ(x) and νx.ϕ(x) reectively evaluate to thee two et. From Tarki- Knater, we alo know that for a VP-µ formula ϕ with one free variable X, the et [µx.ϕ] lie in the equence of ummary et, ϕ( ), ϕ(ϕ( )),..., and that [νx.ϕ] i a member of the equence S,ϕ(S), ϕ(ϕ(s)),... Fourth, a VP-µ formula ϕ may alo be viewed a a ma ϕ : (U 1, U 2,..., U k ) S, where S i the et of all node uch that U 1, U 2,..., U k MR() and the ummary, U 1, U 2,..., U k atifie ϕ. Naturally, S = if no uch exit. Now, while a VP- µ formula can demand that the color of a return from the current context i i, it cannot aert that the color of a return mut not be i (i.e., there i no formula of the form, ay, ret R i). It follow that the outut of the above ma will tay the ame if we grow any of the et U i of matching return rovided a inut. Formally, let =, U 1,..., U k and =, U 1,... U k be two ummarie uch that U i U i for all i. Then for every environment E and every VP-µ formula ϕ, [ϕ] E if [ϕ] E. Such monotonicity over marking ha an intereting ramification. Let u uoe that in the emantic claue for formula of the form call ϕ {ψ 1, ψ 2,..., ψ k } and [call]ϕ {ψ 1, ψ 2,..., ψ k }, we allow t = t, V 1,..., V k to be any k-colored ummary uch that (1) t [ϕ ] E, and (2) for all i and all V i,, U 1 MR( ), U 2 MR( ),..., U k MR( ) [ψ i] E. Intuitively, from uch a ummary, one can grow the et U i to get the maximal t that we ued in thee two claue. From the above dicuion, VP-µ and thi modified logic have equivalent emantic. Finally, let u ee what would haen if we did allow formula of form ret R i (at a ummary,u 1,..., U k, the above hold iff there i an edge ret t uch that t / U i). It turn out that formula involving the above need not be monotonic, and hence their fixoint may not exit. To ee why, conider the formula ϕ = call ( ret R 1 ret ( R 1)){X}) and a tructured tree where the root lead to two ret-children 1 and 2, both of which are leave. Let S 1 = { 1, }, and S 2 = { 1,, 2, }. Viewing ϕ a a ma ϕ : 2 S 2 S, we ee that ϕ(s 1) i not a ubet of ϕ(s 2). 3.3 Biimulation cloure Biimulation i a fundamental relation in the analyi of labeled tranition ytem. The equivalence induced by a variety of branching-time logic, including the µ-calculu, coincide with biimulation. In thi ection, we tudy the equivalence induced by VP-µ, that i, we want to undertand when two node atify the ame et of VP-µ formula. Conider two tructured tree S 1 = (S 1,in 1, E 1, λ 1, η 1) and S 2 = (S 2,in 2, E 2, λ 2, η 2). Let S be S 1 S 2 (we can aume that the et S 1 and S 2 are dijoint), S be the et of all ummarie in S 1 and S 2, and η denote the labeling of S a given by η 1 and η 2. The biimulation relation S S i the greatet relation uch that whenever t hold, (1) η() = η(t), (2) for every edge a a, there i an edge t t uch that t, and (3) for a every edge t t a, there i an edge uch that t. We write S 1 S 2 if in 1 in 2. VP-µ i interreted over ummarie, o we need to lift the biimulation relation to ummarie. A ummary, U 1,... U k S i aid to be biimulation-cloed if for every air u, v MR() of matching return of, if u v, then for each 1 i k, u U i reciely when v U i. Thu, in a biimulation-cloed ummary, the marking doe not ditinguih among biimilar node, and thu, return formula (formula of the form ret R i and [ret]r i) do not dintinguih among biimilar node. Two biimulation-cloed ummarie =, U 1,..., U k and t = t, V 1,..., V k in S and having the ame number of color are aid to be biimilar, written t, iff t, and for each 1 i k, for all u MR() and v MR(t), if u v, then u U i reciely when v V i. Thu, root of biimilar ummarie are biimilar and the correonding marking are union of the ame equivalence clae of the artitioning of the matching return induced by biimilarity. Note that every 0-ary ummary i biimulation-cloed, and biimilarity of 0- ary ummarie coincide with biimilarity of their root. Conider tree S and T in Fig. 3. We have named the node 1, 2, t 1, t 2 etc. and labeled ome of them with rooition. Note that 2 4, hence the ummary 1, { 2}, { 4} in S i not biimulation-cloed. Now conider the biimulation-cloed ummarie 1, { 2, 4}, { 3} and t 1, {t 2}, {t 3}. By our definition they are biimilar. However, the (biimulation-cloed) ummarie 1, { 2, 4}, { 3} and t 1, {t 3}, {t 2} are not. We now want to rove that biimilar ummarie atify the ame VP-µ formula. For an inductive roof, we need to conider the environment alo. We aume that the environment E ma VP-µ

6 S Legend: ret loc T Figure 3. Biimilarity. variable to ubet of S (the union of the et of ummarie of the dijoint tructure). Such an environment i aid to be biimulationcloed if for every variable X, and for every air of biimilar ummarie t, E(X) reciely when t E(X). LEMMA 1. If E i a biimulation-cloed environment and ϕ i a VP-µ formula, [ϕ] E i biimulation-cloed. Proof: The roof i by induction on the tructure of the formula ϕ. Conider two biimulation-cloed biimilar ummarie =, U 1,... U k and t = t,v 1,... V k, and a biimulation-cloed environment E. We want to how that [ϕ] E reciely when t [ϕ] E. If ϕ i a rooition or negated rooition, the claim follow from biimilarity of node and t. When ϕ i a variable, the claim follow from biimulation cloure of E. We conider a few intereting cae. Suoe ϕ = ret R i. atifie ϕ reciely when ha a return-edge to ome node in U i. Since and t are biimilar, thi can haen reciely when t ha a return edge to a node t biimilar to, and from definition of biimilar ummarie, t mut be in V i, and thu t mut atify ϕ. Suoe ϕ = call ϕ {ψ 1,... ψ m}. Suoe atifie ϕ. Then there i a call-ucceor of uch that, U 1,... U m atifie ϕ, where U i = {u MR( ) u, U 1 MR(u),... U k MR(u) [ψ i ] E}. Since and t are biimilar, there exit a callucceor t of t uch that t. For each 1 i m, let V i = {v MR(t ) u U i. u v}. Verify that the ummarie, U 1,... U m and t, V 1,... V m are biimilar. By induction hyothei, t, V 1,... V m atifie ϕ. Alo, for each v V i, for 1 i m, the ummary v, V 1 MR(v),... V k MR(v) i biimilar to u, U 1 MR(u),... U k MR(u), for ome u U i, and hence, by induction hyothei, atifie ψ i. Thi etablihe that t atifie ϕ. Cae ϕ = µx.ϕ. Let X 0 =. For i 0, let X i+1 = [ϕ ] E[X:=Xi ]. Then [ϕ] E = i 0 X i. Since E i biimulation cloed, and X 0 i biimulation-cloed, by induction, for i 0, each X i i biimulation-cloed, and o i [ϕ] E. A a corollary, we get that if S 1 S 2, then for every cloed VP-µ formula ϕ, S 1 = ϕ reciely when S 2 = ϕ. The roof alo how that to decide whether a tructured tree atifie a cloed VP- µ formula, during the fixoint evaluation, one can retrict attention only to biimulation-cloed ummarie. In other word, we can redefine the emantic of VP-µ o that the et S of ummarie contain only biimulation-cloed ummarie. It alo ugget that to evaluate a cloed VP-µ formula over a tructured tree, one can reduce the tructured tree by collaing biimilar node a in the cae of claical model checking. If the two tructured tree S 1 and S 2 are not biimilar, then there exit a µ-calculu formula (in fact, of the much imler Henney- Milner modal logic, which doe not involve any fixoint) that i atified at the root of only one of the two tree. Thi doe not immediately yield a VP-µ formula that ditinguihe the two tree becaue VP-µ formula cannot aert requirement acro t 2 t 1 t 4 t 3 return-edge in a direct way. However, a more comlex encoding i oible. We defer the detail to the full aer. Thu, two tructured tree atify the ame et of cloed VP-µ formula reciely when they are biimilar. Let u conider two arbitrary node and t (in the ame tructured tree, or in two different tructured tree). When do thee two node atify the ame et of cloed VP-µ formula? From the argument o far, biimilarity i ufficient. However, the atifaction of a cloed VP-µ formula at a node deend olely on the ubtree rooted at and truncated at the matching return of. In fact, the full ubtree rooted at may not be tructured a it can contain exce return. For a tructured tree S, and a node, let S denote the tructured tree rooted at obtained by deleting all the return-edge leading to the node in MR(). For intance, in Fig. 3, S 1 comrie node 1 and 5 and the loc-edge connecting them. It i eay to check that if ϕ i a cloed VP-µ formula then atifie ϕ in the original tructured tree reciely when S atifie ϕ. If and t are not bimilar, and the non-biimilarity can be etablihed within the tructured ubtree S and S t rooted at thee node, then ome cloed VP-µ formula can ditinguih them. THEOREM 2. Two node and t atify the ame et of cloed VP- µ formula reciely when S S t. 4. Secifying requirement In thi ection, we exlore how to ue VP-µ a a ecification language. On one hand, we will ee how VP-µ and claical temoral logic differ fundamentally in tyle of exreion; on the other, we will exre roertie not exreible in logic like the µ-calculu. The C rogram in Fig. 4 will be ued to illutrate ome of our ecification. Alo, becaue fixoint formula are tyically hard to read, we will define ome yntactic ugar for VP-µ uing CTLlike temoral oerator. Reachability Let u exre in VP-µ the reachability roerty Reach that ay: a node t atifying rooition can be reached from the current node before the current context end. A a rogram tart with an emty tack frame, we may omit the retriction about the current context if model the initial rogram tate. Now conider a nontrivial witne π for Reach that tart with an edge call. There are two oibilitie: (1) a node atifying i reached in the new context or a context called tranitively from it, and (2) a matching return of i reached, and at, Reach i once again atified. To deal with cae (2), we mark a matching return that lead to by color 1. Let X tore the et of ummarie of form, where atifie Reach. Then we want the ummary,mr() to atify call ϕ {X}, where ϕ tate that can reach one of it matching return of color 1. In cae (1), there i no return requirement (we do not need the original call to return), and we imly aert call X{}. Before we get to ϕ, note that the formula loc X cature the cae when π tart with a local tranition. Combining the two cae and uing CTL-tyle notation, the formula we want i EF = µx.( loc X call X{} call ϕ {X}). Now oberve that ϕ alo exree reachability, excet (1) it target need to atify ret R 1, and (2) thi target need to lie in the ame rocedural context a. In other word, we want to exre what we call local reachability of ret R 1. It i eay to verify that ϕ = µy.( ret R 1 loc Y call Y {Y }). We cannot merely ubtitute for ret R 1 in ϕ to exre local reachability of. However, a formula EF l for thi roerty i

7 eaily obtained by retricting the formula EF : EF l = µx.( loc X call ϕ {X}). For examle, conider the tructured tree in Fig. 4 that model the unfolding of the C rogram in the ame figure. The tranition in the tree are labeled by line number, and ome of the node are labeled by rooition. Suoe we have a rooition free(x) that i true immediately after a line where x i freed, EF l free(x) hold at the entry oint of rocedure foo (node 1). Generalizing, we will allow to be any VP-µ formula that kee EF and EF l cloed. It i eay to verify that the formula AF, which tate that along all ath from the current node, a node atifying i reached before the current context terminate, i given by AF = µx.( ([loc]x [call]ϕ {X})), where ϕ demand that a matching return colored 1 be reached along all local ath: ϕ = µy.( ([ret]r 1 [loc]y [call]y {Y })). A in the reviou cae, we can define a correonding oerator AF l that aert local reachability along all ath. For intance, in Fig. 4, AF l free(x) doe not hold at node 1. Note that the highlight of thi aroach to ecification i the way we lit a rogram unfolding along rocedure boundarie, ecify thee iece modularly, and lug the ummary ecification o obtained into their call ite. Thi interrocedural reaoning ditinguihe it from logic uch a the µ-calculu that would reaon only about global run of the rogram. Alo, there i a ignificant difference in the way fixoint are comuted in VP-µ and the µ-calculu. Conider the fixoint comutation for the µ-calculu formula µx.( X) that exree reachability of a node atifying. The emantic of thi formula i given by a et S X of node which i comuted iteratively. At the end of the i-th te, S X comrie node that have a ath with at mot (i 1) tranition to a node atifying. Contrat thi with the evaluation of the outer fixoint in the VP-µ formula EF. Aume that ϕ (intuitively, the et of jum from call to return ) ha already been evaluated, and conider the et S X of ummarie for EF. At the end of the i-th hae, thi et contain all = uch that ha a ath coniting of (i 1) call and loc-tranition to a node atifying. However, becaue of the ubformula call ϕ {X}, it alo include all where reache via a ath of at mot (i 1) local and jum tranition. Note how return edge are conidered only a art of ummarie lugged into the comutation. Invariance and until Now conider the invariance roerty on ome ath from the current node, roerty hold everywhere till the end of the current context. A VP-µ formula EG for thi i obtained from the identity EG = Neg(AF Neg()). The formula AG, which aert that hold on each oint on each run from the current node, can be written imilarly. Other claic branching-time temoral roertie like the exitential weak until (written a E( 1 W 2)) and the exitential until (E( 1 U 2)) are alo exreible. The former hold if there i a ath π from the current node uch that 1 hold at every oint on π till it reache the end of the current context or a node atifying 2 (if π doen t reach either, 1 mut hold all along on it). The latter, in addition, require 2 to hold at ome oint on π. The for-all-ath analog of thee roertie (A( 1 U 2) and A( 1 W 2)) aren t hard to write either. Neither i it difficult to exre local or ame-context verion of thee roertie. Conider the maximal ubequence π of a rogram ath π from uch that each node of π belong to the 1 int a, *g; 2 void foo () 3 { 4 int *x, b=1; 5 x = ALLOC(int); 6 g = x; 7 bar (); 8 free (x); 9 b = a*a + b*b; 10 return; 11 } 12 void bar () 13 { 14 int y; 15 a++; 16 if (y==0) 17 free(g); 18 ele 19 foo (); 20 return; 21 } 8 free(x) c foo mod 17 g(e) free(g) ue e mod l (e) Figure 4. A C examle mod l (e) c bar ame rocedural context a. A VP-µ formula EG l for exitential local invariance demand that hold on ome uch π, while AG l aert the ame for all π. Similarly, we can define exitential and univeral local until roertie, and correonding VP-µ formula E( 1 U l 2) and A( 1 U l 2). For intance, in Fig. 4, E( free(g) U l free(x)) hold at node 1 (wherea E( free(g) U free(x)) doe not). Weak verion of thee formula are alo written with eae. For intance, it i eay to verify that we can write generic exitential, local, weak until roertie a E( 1 W l 2) = νx.(( 1 2) ( 2 loc X call ϕ {X})), where ϕ aert local reachability of ret R 1 a before. Interrocedural dataflow analyi It i well-known that many claic dataflow analyi roblem can be reduced to temoral logic model-checking over rogram abtraction [24, 23]. For examle, conider the roblem of finding very buy exreion in a rogram that arie in comiler otimization. An exreion e i aid to be very buy at a rogram oint if every ath from mut evaluate e before any variable in e i redefined. Let u firt aume that all variable are in coe all the time along every ath from. Now label every node in the rogram unfolding right after a tatement evaluating e by a rooition ue(e), and every node reached via redefinition of a variable in e by mod(e) (ee Fig. 4). Becaue of loo in the flow grah, we would not exect every ath from to eventually atify ue(e); however, we can demand that each oint in uch a loo will have a ath to a loo exit from where a ue of e would be reachable. Then a VP-µ formula that demand that e i very buy at i A((EF ue(e) mod(e)) W ue(e)). Note that thi roerty ue the ower of VP-µ to reaon about branching time. However, comlication arie if we are conidering interrocedural ath and e ha local a well a global variable. Suoe in Fig 4, the global variableaand the local variablebare two obervable, and we want to check if the exreion e = (a 2 +b 2 ), ued 5

8 in line 9, i very buy at line 6. We would, a before, track change to a and b between line 6 and 9. But we mut note that a oon a an interrocedural ath π between thee two oint leave the current context, the obervable b fall out of coe. Thi ath may ubequently come back to rocedure foo becaue of recurion, and a new intance of b may be created. However, modification of thi new intance ofbhould not caue e not to be very buy in the current context. In other word, we hould only be concerned with the local ue ofb. For the ame reaon, ue of e in a different context hould not be of interet of u. On the other hand, the global variable a need to be tracked through every context along a ath before a local ue of e on it. Local temoral roertie come of ue in covering uch cae. Let u define two rooition mod g(e) and mod l (e) that are true at oint where, reectively, a global or a local variable in e i modified. The VP-µ roerty we aert at i νx.(((ef l ue(e)) mod g(e) mod l (e)) ue(e)) (ue(e) ([loc]x [call]ψ{x,tt})), where the formula ψ track global variable likeain new context: ψ = µy.( mod g(e) (([ret]r 1 ret R 2) ([call]y {Y,tt} [loc]y ))). Note the ue of the formula ret R 2 to enure that [ret]r 1 i not vacuouly true. Puhdown ecification The domain where VP-µ tand out mot clearly from reviouly tudied fixoint calculi i that of uhdown ecification, i.e., ecification involving the rogram tack. We have already introduced a cla of uch ecification exreible in VP-µ: that of local temoral roertie. For intance, the formula EF l need to track the rogram tack to know whether a reachable node atifying i indeed in the initial calling context. Some uch ecification have reviouly been dicued in context of the temoral logic CARET. On the other hand, it i well-known that the modal µ-calculu i a regular ecification language (i.e., it i equivalent in exreivene to a cla of finitetate tree automata), and cannot reaon about the tack in thi way. We have already een an alication of thee richer ecification in rogram analyi. In the ret of thi ection, we will ee more of them. Neted formula and tack inection Interetingly, we can exre certain roertie of the tack jut by neting VP-µ formula for (non-local) reachability and invariance. To undertand why, recall that VP-µ formula for reachability and invariance only reaon about node aearing before the end of the context where they were aerted. Now let u try to exre a tack inection roerty uch a if rocedure foo i called, rocedure bar mut not be on the call tack. Secification like thi have reviouly been ued in reearch on oftware ecurity [19, 15], and are not exreible by regular ecification like the µ-calculu. While the temoral logic CARET can exre uch roertie, it require a at-time oerator called caller to do o. To exre thi roerty in VP-µ, we define rooition c foo and c bar that reectively hold at every call ite forfoo andbar. Now, auming control tart infoo, conider the formula ϕ = EF(c bar call (EF c foo){}). Thi formula demand a rogram ath where, firt, bar i called (there i no return requirement), and then, before that context i oed off the tack, a call ite for foo i reached. It follow that the roerty we are eeking i Neg(ϕ). Other tack inection roertie exreible in VP-µ include when rocedure foo i called, all rocedure on the tack mut have the neceary rivilege. Combining reaoning about the rogram tack with reaoning about the global evolution of the rogram, VP-µ can even ecify dynamic ecurity contraint where rivilege of rocedure change dynamically deending on the rivilege ued o far. Stack overflow One of the hazard of uing recurive call in a C-like language i that tack overflow, caued by unbounded recurion, i a eriou ecurity vulnerability. VP-µ can ecify requirement that afeguard againt uch error. Once again, neted modalitie come handy. Suoe we aert AG( call ff {}) throughout every context reached through k call in ucceion without intervening return (thi can be ket track of uing a k-length chain of call modalitie). Thi will diallow further call, bounding the tack to height k. Other ecification for tack boundedne include: every call in every rogram execution eventually return. Thi roerty require the rogram tack to be emty infinitely often. Though thi requirement doe not ay how large the tack may get even if a call return, it may till overflow the tack at ome oint. Further, in certain cae, a call may not return becaue of cycle introduced by abtraction. However, it doe rule out infinite recurive loo in many cae; for intance, the rogram in Fig. 4 will fail thi roerty becaue of a real recurive cycle. We cature it by aerting AG Termin at the initial rogram oint, where Termin = [call](af l ( ret R 1)){tt}. Precondition and otcondition For a rogram tate, let u conider the et Jm() of node to which a call from may return. Then the requirement: roerty hold at ome node in Jm() i catured by the VP-µ formula jum = call (EF l ret R 1){}. The dual formula [jum], which require to hold at all uch jum target, i alo eaily contructed. An immediate alication of thi i to encode the artial and total correctne requirement oular in formalim like Hoare logic and JML [9]. A artial correctne requirement for a rocedure A aert that if recondition Pre i atified whenai called, then if A terminate, otcondition Pot hold uon return. Total correctne, additionally, require A to terminate. Thee requirement cannot be exreed uing regular ecification. In VP-µ, let u ay that at every call ite to rocedure A, rooition c A hold. Then a formula for artial correctne, aerted at the initial rogram tate, i AG((Pre c A) [jum]pot). Total correctne i exreed a AG((Pre c A) (Termin [jum]pot)). Acce control The ability of VP-µ to handle local and global variable imultaneouly i ueful in other domain, e.g., acce control. Conider a rocedure A that can be called with a high or low rivilege, and uoe we have a rule that A can acce a databae (rooition acce i true when it doe) only if it i called with a high rivilege (riv hold when it i). It i temting to write a roerty ϕ = riv AG ( acce) to exre thi requirement. However, a context where A ha low rivilege may lead to another where A ha high rivilege via a recurive invocation, and ϕ will not letaacce the databae even in thi new context. The formula we are looking for i really ϕ = riv AG l ( acce), aerted at every call ite fora. Multile return condition A we hall ee in Section 6.2, the theoretical exreivene of VP-µ deend on the fact that we can a multile return condition a arameter to VP-µ call

9 formula. We can alo ue thee arameter to remember event that haen within the coe of a call and take action accordingly on return. To ee how, we go back to Figure 4; now we intereted in the roertie of the ointer variable x and g. Suoe control tart at foo and move on tobar; alo, let u ignore the recurion in line 19 and aume the call to bar in line 7 return. Before thi call, x and g oint to the ame memory location. Now conider two cenario once thi call return: (1) the globalgwa freed in the new context before the return, o that x now oint to a freed location, (2) g wa not freed, o that x till oint to allocated memory. Suoe our requirement for the next rogram oint in the two cae are: (1) x mut not be freed in foo, (2) x hould be freed to avoid memory leak. We exre thee requirement by aerting the VP-µ formula ϕ at the rogram oint callingbar: ϕ = call ψ {[loc] free(x),[loc]free(x)}, where ψ i a fixed-oint roerty that tate that: each ath in the new context mut (1) ee free(g) at ome oint and then reach ret R 1, or (2) atify free(g) until ret R 2 hold. We omit the detail for want of ace. 5. Model-checking In thi ection, we introduce the roblem of model-checking VP- µ over unfolding of recurive tate machine. Our rimary reult i an iterative, ymbolic deciion rocedure to olve thi roblem. Aealingly, thi algorithm follow directly from the oerational emantic of VP-µ and ha the ame comlexity a the bet algorithm for model-checking µ-calculu over imilar abtraction. We alo how a matching lower bound. 5.1 Recurive tate machine Recurive tate machine (RSM) are rogram abtraction that model interrocedural control flow in recurive rogram [3]. While exreively equivalent to uhdown ytem, RSM are more viual and tightly couled to rogram control flow. For thi reaon, we will ue them a our ytem model. Syntax. A recurive tate machine (RSM) M over a et of rooition AP i a tule ( M 1, M 2,..., M m,tart), where each M i i a rocedure of the form (L i, B i, Y i,en i,ex i, δ i, κ i). The meaning of the comonent of M i i ummarized in the following: L i i a finite et of control location, and B i i a finite et of boxe. Y i : B i {1, 2,..., m} i a ma that aign a rocedure to every box. En i L i i a non-emty et of entry location, and Ex i L i i a non-emty et of exit location. Let Call i = {(b, en) : b B i, en En Yi (b)} denote the et of call in M i, and let Retn i = {(b, ex) : b B i, ex Ex Yi (b)} denote the et of return in M i. Then δ i (L i Retn i) (L i Call i) define the et of RSM edge. κ i i a labeling function κ i : (L i Call i Retn i) 2 AP that aociate a et of rooition to each control location, call and return. A control location tart S i Li in one of the comonent i choen a the initial location. We aume that for every ditinct i and j, L i, Call i, Retn i, N j, Call j, and Retn j are airwie dijoint. We refer to arbitrary call, return and control location in M a vertice. The et all vertice i given by V = S i (Li Call i Retn i), and the et of vertice in rocedure j i denoted by V j. We alo write B = S i Bi to denote the collection of all boxe in M. Finally, the extenion of all function δ i, κ i and Y i foo bar err 5 g err g 0 g g g 7 g 0 19 g g 1 g 1 bar g 1 17 g 8 g g g 1 g g g foo g 1 g 20 1 Figure 5. A recurive tate machine. are denoted reectively by δ : V V, κ : V 2 AP, and Y : B {1, 2,..., m}. Fig. 5 deict an RSM extracted from the C rogram in Fig. 4. Here we are intereted in the behavior of the ointer variable g, and variable and tatement not relevant to thi behavior are abtracted out. We ue two rooition g 0 and g 1 that are true reectively when g oint to free and allocated memory. The rocedure and vertice in thi RSM correond to rocedure and control tate in Fig. 4; tranition correond to line of C code and are labeled by line number. Each rocedure ha two entry and exit oint correonding to the two oible abtract value ofg. Pointer aignment and call to free and ALLOC change the value of thee rooition in the natural way. Note in articular that we cannot tell without a global ide-effect analyi whether x and g oint to the ame location before line 8. We model thi uncertainty uing nondeterminim. Semantic. The emantic of an RSM M are defined by an infinite grah C(M) = (C, c 0, E C, λ C, η C), known a it configuration grah. Here, C i a et of configuration, c 0 i the initial configuration, E C C C i a tranition relation, and function λ C : C 2 AP and η C : E C {call,ret,loc} reectively label configuration and tranition. Stealing notation for tructured tree, we write c c if (c, c ) E C and η C((c, c )) = a. The et C of configuration in C(M) comrie all element (γ, u) B V uch that either γ = ǫ and u V, or γ = b 1... b n (with n 1) and (1) u V Y (bn), and (2) for all i {1,..., n 1}, b i+1 B Y (bi ). The initial configuration i c 0 = (ǫ,tart). The configurationlabeling function λ G i defined a: λ G((γ, u)) = κ(u), for all (γ, u) B V. Now we can define the tranition relation E G and the tranition-labeling function η G in G. For c = (γ, u), c = (γ, u ) and a {call,ret,loc}, we have a tranition c a c if and only if one of the following hold: Local move: u (L i Retn i) \ Ex i, (u, u ) δ i, γ = γ, and a = loc; Procedure call: u = (b,en) Call i, u = en, γ = γ.b, and a = call; Return from a call: u Ex i, γ = γ.b, u = (b, u), and a = ret Configuration tree We will evaluate VP-µ formula on configuration tree of RSM, which are unfolding of configuration grah of RSM. Conider an RSM M with configuration grah C(M) = (C, c 0, E C, λ C, η C). The configuration tree of M i a tructured tree Conf (M) = (S, 0, E, λ, η), whoe et of node S C + and et of tranition E S S are the leat et contructed by the following rule: 1. c 0 S.