Software Verification

Similar documents
Abstractions and Decision Procedures for Effective Software Model Checking

The algorithmic analysis of hybrid system

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Automatic Generation of Polynomial Invariants for System Verification

Static Program Analysis using Abstract Interpretation

Model Checking & Program Analysis

Model Checking: An Introduction

Automata-Theoretic Model Checking of Reactive Systems

MACHINE COMPUTING. the limitations

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Flat counter automata almost everywhere!

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Program verification using Hoare Logic¹

Static Program Analysis

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

The State Explosion Problem

Computer-Aided Program Design

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

COEN6551: Formal Hardware Verification

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

IC3 and Beyond: Incremental, Inductive Verification

Program Analysis Part I : Sequential Programs

Alan Bundy. Automated Reasoning LTL Model Checking

Automatic Verification of Parameterized Data Structures

Program verification

Hoare Logic and Model Checking

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Constraint Solving for Program Verification: Theory and Practice by Example

Safety and Liveness Properties

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Algorithmic verification

Reasoning About Imperative Programs. COS 441 Slides 10b

Learning to Verify Branching Time Properties

Timed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang

Discrete Fixpoint Approximation Methods in Program Static Analysis

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Logic Model Checking

Theory of Computation. Theory of Computation

Theoretical Foundations of the UML

Deductive Verification

Chapter 4: Computation tree logic

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

1 Definition of a Turing machine

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

SAT-Based Verification with IC3: Foundations and Demands

Software Verification with Abstraction-Based Methods

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

CS477 Formal Software Dev Methods

Static Program Analysis

Topics in Model-Based Reasoning

BASIC CONCEPTS OF ABSTRACT INTERPRETATION

Constraint Solving for Program Verification: Theory and Practice by Example

Automatic determination of numerical properties of software and systems

Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University

Introduction to Axiomatic Semantics

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

Advanced topic: Space complexity

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Automata-based Verification - III

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Warm-Up Problem. Please fill out your Teaching Evaluation Survey! Please comment on the warm-up problems if you haven t filled in your survey yet.

Principles of Program Analysis: A Sampler of Approaches

Incremental Proof-Based Verification of Compiler Optimizations

Reversal-Bounded Counter Machines

Model Checking. Boris Feigin March 9, University College London

Temporal Logic of Actions

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving

An introduction to Uppaal and Timed Automata MVP5 1

Mechanics of Static Analysis

Automata, Logic and Games: Theory and Application

3-Valued Abstraction-Refinement

- Introduction to propositional, predicate and higher order logics

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

A Certified Denotational Abstract Interpreter (Proof Pearl)

Abstract Interpretation and Static Analysis

Design of Embedded Systems: Models, Validation and Synthesis (EE 249) Lecture 9

Finite-State Model Checking

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Automata-theoretic analysis of hybrid systems

Course Runtime Verification

Chapter 5. Finite Automata

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

An Efficient State Space Generation for the Analysis of Real-Time Systems

Undecidable Problems. Z. Sawa (TU Ostrava) Introd. to Theoretical Computer Science May 12, / 65

«ATutorialon Abstract Interpretation»

Computer Science and State Machines

Linear-time Temporal Logic

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

CS256/Winter 2009 Lecture #6. Zohar Manna

Time(d) Petri Net. Serge Haddad. Petri Nets 2016, June 20th LSV ENS Cachan, Université Paris-Saclay & CNRS & INRIA

Revisiting Synthesis of GR(1) Specifications

Transcription:

Software Verification Grégoire Sutre LaBRI, University of Bordeaux, CNRS, France Summer School on Verification Technology, Systems & Applications September 2008 Grégoire Sutre Software Verification VTSA 08 1 / 286

Part I Introduction Grégoire Sutre Software Verification Introduction VTSA 08 2 / 286

Outline Introduction 1 Software Verification: Why? 2 Software Verification: How? Grégoire Sutre Software Verification Introduction VTSA 08 3 / 286

Outline Introduction 1 Software Verification: Why? 2 Software Verification: How? Grégoire Sutre Software Verification Introduction VTSA 08 4 / 286

Ubiquity of Software in Modern Life Once upon a time, lecturers used hand-written transparencies with an overhead projector. pens transparencies scissors sticky tape lamp lenses mirror screen Nowadays softwares are used to design the slides and to project them Similar evolution in many, many areas Grégoire Sutre Software Verification Introduction VTSA 08 5 / 286

Ubiquity of Software in Modern Life Once upon a time, lecturers used hand-written transparencies with an overhead projector. pens transparencies scissors sticky tape lamp lenses mirror screen Nowadays softwares are used to design the slides and to project them Similar evolution in many, many areas Grégoire Sutre Software Verification Introduction VTSA 08 5 / 286

Why? Some advantages of software over dedicated hardware components Reduce time to market Less time to write the slides (really?) Ability to re-organize the presentation Reduce costs No pen, no transparencies Re-usability of slides, ability to make minor modifications for free Increase functionality Automatic generation of some slides (table of contents) Nicer overlays (sticky tape is not required anymore!) Ability to display videos But software is not without risk... Grégoire Sutre Software Verification Introduction VTSA 08 6 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

Bugs are Frequent in Software Grégoire Sutre Software Verification Introduction VTSA 08 7 / 286

A Critical Software Bug: Ariane 5.01 «On 4 June 1996, the maiden flight of the Ariane 5 launcher ended in a failure. Only about 40 seconds after initiation of the flight sequence, at an altitude of about 3700 m, the launcher veered off its flight path, broke up and exploded.» «The failure of the Ariane 5.01 was caused by the complete loss of guidance and attitude information 37 seconds after start of the main engine ignition sequence (30 seconds after lift-off). This loss of information was due to specification and design errors in the software of the inertial reference system.» Grégoire Sutre Software Verification Introduction VTSA 08 8 / 286

A Critical Software Bug: Ariane 5.01 «On 4 June 1996, the maiden flight of the Ariane 5 launcher ended in a failure. Only about 40 seconds after initiation of the flight sequence, at an altitude of about 3700 m, the launcher veered off its flight path, broke up and exploded.» «The failure of the Ariane 5.01 was caused by the complete loss of guidance and attitude information 37 seconds after start of the main engine ignition sequence (30 seconds after lift-off). This loss of information was due to specification and design errors in the software of the inertial reference system.» Grégoire Sutre Software Verification Introduction VTSA 08 8 / 286

Software in Embedded Systems Embedded systems in: cell phones, satellites, airplanes, cars, wireless routers, MP3 players, refrigerators,... Examples of Critical Systems attitude and orbit control systems in satellites X-by-wire control systems in airplanes and in cars (soon) Increasing importance of software in embedded systems custom hardware replaced by processor + custom software software is a dominant factor in design time and cost (70 %) Critical embedded systems require exhaustive validation Grégoire Sutre Software Verification Introduction VTSA 08 9 / 286

Software Complexity Grows Exponentially As computational power grows... Moore s law: «the number of transistors on a chip doubles every two years»... software complexity grows... Wirth s Law: «software gets slower faster than hardware gets faster»... and so does the number of bugs! Watts S. Humphrey: «5 10 bugs per 1000 lines of code after product test» Growing need for automatic validation techniques Grégoire Sutre Software Verification Introduction VTSA 08 10 / 286

Software Complexity Grows Exponentially As computational power grows... Moore s law: «the number of transistors on a chip doubles every two years»... software complexity grows... Wirth s Law: «software gets slower faster than hardware gets faster»... and so does the number of bugs! Watts S. Humphrey: «5 10 bugs per 1000 lines of code after product test» Growing need for automatic validation techniques Grégoire Sutre Software Verification Introduction VTSA 08 10 / 286

Software Complexity Grows Exponentially As computational power grows... Moore s law: «the number of transistors on a chip doubles every two years»... software complexity grows... Wirth s Law: «software gets slower faster than hardware gets faster»... and so does the number of bugs! Watts S. Humphrey: «5 10 bugs per 1000 lines of code after product test» Growing need for automatic validation techniques Grégoire Sutre Software Verification Introduction VTSA 08 10 / 286

Software Complexity Grows Exponentially As computational power grows... Moore s law: «the number of transistors on a chip doubles every two years»... software complexity grows... Wirth s Law: «software gets slower faster than hardware gets faster»... and so does the number of bugs! Watts S. Humphrey: «5 10 bugs per 1000 lines of code after product test» Growing need for automatic validation techniques Grégoire Sutre Software Verification Introduction VTSA 08 10 / 286

Outline Introduction 1 Software Verification: Why? 2 Software Verification: How? Grégoire Sutre Software Verification Introduction VTSA 08 11 / 286

Software Testing Running the executable (obtained by compilation) on multiple inputs usually on the target platform Testing is a widespread validation approach in the software industry can be (partially) automated can detect a lot of bugs But Costly and time-consuming Not exhaustive Grégoire Sutre Software Verification Introduction VTSA 08 12 / 286

Software Testing Running the executable (obtained by compilation) on multiple inputs usually on the target platform Testing is a widespread validation approach in the software industry can be (partially) automated can detect a lot of bugs But Costly and time-consuming Not exhaustive Grégoire Sutre Software Verification Introduction VTSA 08 12 / 286

Dream of Software Model-Checking x = 1; if (y <= 10) { y = 10; } else { while (x < y) { x = 2 * x; y = y - 1; } } x = y + 1; Program Model Checker Results Requirements Grégoire Sutre Software Verification Introduction VTSA 08 13 / 286

Fundamental Limit: Undecidability Rice s Theorem Any non-trivial semantic property of programs is undecidable. Classical Example: Termination There exists no algorithm which can solve the halting problem: given a description of a program as input, decide whether the program terminates or loops forever. Grégoire Sutre Software Verification Introduction VTSA 08 14 / 286

Practical Limit: Combinatorial Explosion Implicit in Rice s Theorem is an idealized program model, where programs have access to unbounded memory. In reality programs are run on a computer with bounded memory. Model-checking becomes decidable for finite-state systems. But even with bounded memory, complexity in practice is too high for finite-state model-checking: 1 megabyte (1 000 000 bytes) of memory 10 2 400 000 states 1000 variables 64 bits 10 19 200 states optimistic limit for finite-state model checkers: 10 100 states Grégoire Sutre Software Verification Introduction VTSA 08 15 / 286

More Realistic Objectives for Software Verification Incomplete Methods Approximate Algorithms Always terminate Indefinite answer (yes / no /?) Exact Semi-Algorithms Definite answer (yes / no) May not terminate Topics of the lecture Static Analysis Abstraction Refinement Grégoire Sutre Software Verification Introduction VTSA 08 16 / 286

More Realistic Objectives for Software Verification Incomplete Methods Approximate Algorithms Always terminate Indefinite answer (yes / no /?) Exact Semi-Algorithms Definite answer (yes / no) May not terminate Topics of the lecture Static Analysis Abstraction Refinement Grégoire Sutre Software Verification Introduction VTSA 08 16 / 286

Static Analysis Tentative Definition Compile-time techniques to gather run-time information about programs without actually running them Example Detection of variables that are used before initialization Always terminates Applies to large programs Simple analyses (original goal was compilation) Indefinite answer (yes / no /?) In the Lecture Data Flow Analysis Abstract Interpretation Grégoire Sutre Software Verification Introduction VTSA 08 17 / 286

Static Analysis Tentative Definition Compile-time techniques to gather run-time information about programs without actually running them Example Detection of variables that are used before initialization Always terminates Applies to large programs Simple analyses (original goal was compilation) Indefinite answer (yes / no /?) In the Lecture Data Flow Analysis Abstract Interpretation Grégoire Sutre Software Verification Introduction VTSA 08 17 / 286

Abstraction Refinement Tentative Definition Analysis-time techniques to verify programs by model-checking and refinement of finite-state approximate models Example Verification of safety and fairness of a mutual exclusion algorithm Complex analyses (properties expressed in temporal logics) Definite answer (yes / no) May not terminate Modeling of the program into a finite-state transition system In the Lecture Abstract Model Refinement for Safety Properties Grégoire Sutre Software Verification Introduction VTSA 08 18 / 286

Abstraction Refinement Tentative Definition Analysis-time techniques to verify programs by model-checking and refinement of finite-state approximate models Example Verification of safety and fairness of a mutual exclusion algorithm Complex analyses (properties expressed in temporal logics) Definite answer (yes / no) May not terminate Modeling of the program into a finite-state transition system In the Lecture Abstract Model Refinement for Safety Properties Grégoire Sutre Software Verification Introduction VTSA 08 18 / 286

Common Ingredient: Property-Preserving Abstraction Abstraction Process Interpret programs according to a simplified, abstract semantics. Property-Preserving Abstraction Formally relate the abstract semantics with the standard semantics, so as to preserve relevant properties. Preservation of Properties Program interpretation with this abstract semantics therefore gives correct information about properties of real runs. Grégoire Sutre Software Verification Introduction VTSA 08 19 / 286

Abstract Interpretation Example: Sign Analysis Objective of Sign Analysis Discover for each program point the sign of possible run-time values that numerical variables can have at that point. The abstract semantics tracks the following information, for each variable x: x < 0 x 0 x = 0 x 0 x > 0 Grégoire Sutre Software Verification Introduction VTSA 08 20 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; x > 0 2 if (y 10) { 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; x > 0 2 if (y 10) { x > 0 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); x > 0 x > 0 x > 0 y > 0 Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; x > 0 2 if (y 10) { x > 0 3 y = 10; x > 0 y > 0 4 } 5 else { x > 0 y > 0 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { x > 0 x > 0 x > 0 y > 0 x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { x > 0 x > 0 x > 0 y > 0 x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; x > 0 y > 0 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { x > 0 x > 0 x > 0 y > 0 x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; x > 0 y > 0 8 y = y - 1; x > 0 y 0 9 } 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } x > 0 x > 0 x > 0 y > 0 5 else { x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } x > 0 y > 0 x > 0 y 0 x > 0 y 0 x < y 10 } 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } x > 0 x > 0 x > 0 y > 0 5 else { x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } 10 } x > 0 y > 0 x > 0 y 0 x > 0 y 0 x > 0 y 0 x < y 11 x = y + 1; 12 assert(x > 0); Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } x > 0 x > 0 x > 0 y > 0 5 else { x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); x > 0 y > 0 x > 0 y 0 x > 0 y 0 x > 0 y 0 x < y x > 0 y 0 (x > 0 y > 0) (x > 0 y 0) Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } x > 0 x > 0 x > 0 y > 0 5 else { x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); x > 0 y > 0 x > 0 y 0 x > 0 y 0 x > 0 y 0 x < y x > 0 y 0 (x > 0 y > 0) (x > 0 y 0) x > 0 y 0 Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Abstract Interpretation Example: Sign Analysis 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } x > 0 x > 0 x > 0 y > 0 5 else { x > 0 y > 0 6 while (x < y) { x > 0 y > 0 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 assert(x > 0); x > 0 y > 0 x > 0 y 0 x > 0 y 0 x > 0 y 0 x < y x > 0 y 0 (x > 0 y > 0) (x > 0 y 0) x > 0 y 0 Grégoire Sutre Software Verification Introduction VTSA 08 21 / 286

Credits: Pioneers (1970 s) Iterative Data Flow Analysis Gary Kildall John Kam & Jeffrey Ullman Michael Karr... Abstract Interpretation Patrick Cousot & Radhia Cousot Nicolas Halbwachs... And many, many more... Apologies! Grégoire Sutre Software Verification Introduction VTSA 08 22 / 286

Outline of the Lecture Control Flow Automata Data Flow Analysis Abstract Interpretation Abstract Model Refinement Grégoire Sutre Software Verification Introduction VTSA 08 23 / 286

Outline of the Lecture Control Flow Automata Data Flow Analysis Static Analysis Abstract Interpretation Abstract Model Refinement Grégoire Sutre Software Verification Introduction VTSA 08 23 / 286

Outline of the Lecture Control Flow Automata Data Flow Analysis Static Analysis Abstract Interpretation Abstraction Refinement Abstract Model Refinement Grégoire Sutre Software Verification Introduction VTSA 08 23 / 286

Part II Control Flow Automata Grégoire Sutre Software Verification Control Flow Automata VTSA 08 24 / 286

Outline Control Flow Automata 3 Syntax and Semantics 4 Verification of Control Flow Automata Grégoire Sutre Software Verification Control Flow Automata VTSA 08 25 / 286

Outline Control Flow Automata 3 Syntax and Semantics 4 Verification of Control Flow Automata Grégoire Sutre Software Verification Control Flow Automata VTSA 08 26 / 286

Short Introduction to Control Flow Automata Requirement for verification: formal semantics of programs Formal Semantics Formalization as a mathematical model of the meaning of programs Denotational Operational Axiomatic Operational Semantics Labeled transition system describing the possible computational steps First Step Towards an Operational Semantics Program text Graph-based representation Grégoire Sutre Software Verification Control Flow Automata VTSA 08 27 / 286

Short Introduction to Control Flow Automata Requirement for verification: formal semantics of programs Formal Semantics Formalization as a mathematical model of the meaning of programs Denotational Operational Axiomatic Operational Semantics Labeled transition system describing the possible computational steps First Step Towards an Operational Semantics Program text Graph-based representation Grégoire Sutre Software Verification Control Flow Automata VTSA 08 27 / 286

Short Introduction to Control Flow Automata Requirement for verification: formal semantics of programs Formal Semantics Formalization as a mathematical model of the meaning of programs Denotational Operational Axiomatic Operational Semantics Labeled transition system describing the possible computational steps First Step Towards an Operational Semantics Program text Graph-based representation Grégoire Sutre Software Verification Control Flow Automata VTSA 08 27 / 286

Short Introduction to Control Flow Automata Requirement for verification: formal semantics of programs Formal Semantics Formalization as a mathematical model of the meaning of programs Denotational Operational Axiomatic Operational Semantics Labeled transition system describing the possible computational steps First Step Towards an Operational Semantics Program text Graph-based representation Control flow automaton Grégoire Sutre Software Verification Control Flow Automata VTSA 08 27 / 286

Control Flow Graph Start 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; true y := 10 x := 1 false y 10 false x<y x := y+1 true x := 2*x; y := y-1 12 Exit Grégoire Sutre Software Verification Control Flow Automata VTSA 08 28 / 286

Control Flow Automaton q 1 1 x = 1; 2 if (y 10) { 3 y = 10; 4 } 5 else { 6 while (x < y) { 7 x = 2 * x; 8 y = y - 1; 9 } 10 } 11 x = y + 1; 12 q 2 q 3 q 6 x y y := 10 q 11 q 12 x := 1 y 10 y>10 x := y+1 x<y q 7 x := 2*x y := y-1 q 8 Grégoire Sutre Software Verification Control Flow Automata VTSA 08 29 / 286

Labeled Directed Graphs Definition A labeled directed graph is a triple G = V, Σ, where: V is a finite set of vertices, Σ is a finite set of labels, V Σ V is a finite set of edges. Notation for edges: v σ v instead of (v, σ, v ) σ A path in G is a finite sequence v 0 0 v 0,..., v k that v i = v i+1 for each 0 i < k. σ Notation for paths: v 0 0 v1 v k σ k v k σ k v k of edges such Grégoire Sutre Software Verification Control Flow Automata VTSA 08 30 / 286

Labeled Directed Graphs Definition A labeled directed graph is a triple G = V, Σ, where: V is a finite set of vertices, Σ is a finite set of labels, V Σ V is a finite set of edges. Notation for edges: v σ v instead of (v, σ, v ) σ A path in G is a finite sequence v 0 0 v 0,..., v k that v i = v i+1 for each 0 i < k. σ Notation for paths: v 0 0 v1 v k σ k v k σ k v k of edges such Grégoire Sutre Software Verification Control Flow Automata VTSA 08 30 / 286

Labeled Directed Graphs Definition A labeled directed graph is a triple G = V, Σ, where: V is a finite set of vertices, Σ is a finite set of labels, V Σ V is a finite set of edges. Notation for edges: v σ v instead of (v, σ, v ) σ A path in G is a finite sequence v 0 0 v 0,..., v k that v i = v i+1 for each 0 i < k. σ Notation for paths: v 0 0 v1 v k σ k v k σ k v k of edges such Grégoire Sutre Software Verification Control Flow Automata VTSA 08 30 / 286

Control Flow Automata: Syntax Definition A control flow automaton is a quintuple Q, q in, q out, X, where: Q is a finite set of locations, q in Q is an initial location and q out Q is an exit location, X is a finite set of variables, Q Op Q is a finite set of transitions. Op is the set of operations defined by: cst ::= c Q var ::= x X expr ::= cst var expr expr, with {+, -, *} guard ::= expr expr, with {<,, =,,, >} Op ::= guard var := expr Grégoire Sutre Software Verification Control Flow Automata VTSA 08 31 / 286

Control Flow Automata: Syntax Definition A control flow automaton is a quintuple Q, q in, q out, X, where: Q is a finite set of locations, q in Q is an initial location and q out Q is an exit location, X is a finite set of variables, Q Op Q is a finite set of transitions. Op is the set of operations defined by: cst ::= c Q var ::= x X expr ::= cst var expr expr, with {+, -, *} guard ::= expr expr, with {<,, =,,, >} Op ::= guard var := expr Grégoire Sutre Software Verification Control Flow Automata VTSA 08 31 / 286

Control Flow Automata: Syntax q 1 x := 1 { } q1, q Q = 2, q 3, q 6, q 7, q 8, q 11, q 12 q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 q in = q 1 q out = q 12 X = {x, y} (q 1, x := 1, q 2 ), (q 2, y 10, q 3 ), = (q 2, y>10, q 6 ), (q 3,y := 10, q 11 ),... Grégoire Sutre Software Verification Control Flow Automata VTSA 08 32 / 286

Programs as Control Flow Automata Control flow automata can model: flow of control (program points), numerical variables and numerical operations, non-determinism (uninitialized variables, boolean inputs). Control flow automata cannot model: pointers recursion threads... But they are complex enough for verification...... and for learning! Grégoire Sutre Software Verification Control Flow Automata VTSA 08 33 / 286

Programs as Control Flow Automata Control flow automata can model: flow of control (program points), numerical variables and numerical operations, non-determinism (uninitialized variables, boolean inputs). Control flow automata cannot model: pointers recursion threads... But they are complex enough for verification...... and for learning! Grégoire Sutre Software Verification Control Flow Automata VTSA 08 33 / 286

Programs as Control Flow Automata Control flow automata can model: flow of control (program points), numerical variables and numerical operations, non-determinism (uninitialized variables, boolean inputs). Control flow automata cannot model: pointers recursion threads... Forget about these... But they are complex enough for verification...... and for learning! Grégoire Sutre Software Verification Control Flow Automata VTSA 08 33 / 286

Verification of Safety Properties Goal Check that nothing bad can happen. Bad behaviors specified e.g. as assertion violations in the original program An assertion violation can be modeled as a location: assert(x > 0) = if (x > 0) then { BAD: } Goal (refined) Check that there is no run that visits a location q contained in a given set Q BAD Q of bad locations. Grégoire Sutre Software Verification Control Flow Automata VTSA 08 34 / 286

Verification of Safety Properties Goal Check that nothing bad can happen. Bad behaviors specified e.g. as assertion violations in the original program An assertion violation can be modeled as a location: assert(x > 0) = if (x > 0) then { BAD: } Goal (refined) Check that there is no run that visits a location q contained in a given set Q BAD Q of bad locations. Grégoire Sutre Software Verification Control Flow Automata VTSA 08 34 / 286

Verification of Safety Properties Goal Check that nothing bad can happen. Bad behaviors specified e.g. as assertion violations in the original program An assertion violation can be modeled as a location: assert(x > 0) = if (x > 0) then { BAD: } Goal (refined) Check that there is no run that visits a location q contained in a given set Q BAD Q of bad locations. Grégoire Sutre Software Verification Control Flow Automata VTSA 08 34 / 286

Runs: Examples q 1 q 2 q 3 q 6 x y y := 10 q 11 q 12 x := 1 y 10 y>10 x := y+1 x<y q 7 x := 2*x y := y-1 q 8 (q 1, 0, 0) x := 1 (q 2, 1, 0) y 10 (q 3, 1, 0) y := 10 (q 11, 1, 10) x := y+1 (q 12, 11, 10) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 35 / 286

Runs: Examples q 1 q 2 q 3 q 6 x y y := 10 q 11 q 12 x := 1 y 10 y>10 x := y+1 x<y q 7 x := 2*x y := y-1 q 8 (q 1, 159, 27) x := 1 (q 2, 1, 27) y>10 (q 6, 1, 27) x<y (q 7, 1, 27) x := 2*x (q 8, 2, 27) y := y-1 (q 6, 2, 26) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 35 / 286

Labeled Transition Systems Definition A labeled transition system is a quintuple C, Init, Out, Σ, where : C is a set of configurations Init C and Out C are sets of initial and exit configurations Σ is a finite set of actions C Σ C is a set of transitions Post (c, σ) = { } c C c σ c Post (U, σ) = c U Post (c, σ) Post (c) = σ Σ Post (c, σ) Post (U) = c U Post (c) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 36 / 286

Labeled Transition Systems Definition A labeled transition system is a quintuple C, Init, Out, Σ, where : C is a set of configurations Init C and Out C are sets of initial and exit configurations Σ is a finite set of actions C Σ C is a set of transitions Post (c, σ) = { } c C c σ c Post (U, σ) = c U Post (c, σ) Post (c) = σ Σ Post (c, σ) Post (U) = c U Post (c) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 36 / 286

Labeled Transition Systems Definition A labeled transition system is a quintuple C, Init, Out, Σ, where : C is a set of configurations Init C and Out C are sets of initial and exit configurations Σ is a finite set of actions C Σ C is a set of transitions Pre (c, σ) = { } c C c σ c Pre (c, σ) Pre (U, σ) = c U Pre (c, σ) Pre (c) = σ Σ Pre (U) = c U Pre (c) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 36 / 286

Semantics of Expressions and Guards Consider a finite set X of variables. A valuation is a function v : X R. Expressions: e v Guards: v = g c v = c [c Q] x v = v(x) [x X] e 1 + e 2 v = e 1 v + e 2 v e 1 - e 2 v = e 1 v e 2 v e 1 * e 2 v = e 1 v e 2 v v = e 1 < e 2 if e 1 v < e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 = e 2 if e 1 v = e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 > e 2 if e 1 v > e 2 v Grégoire Sutre Software Verification Control Flow Automata VTSA 08 37 / 286

Semantics of Expressions and Guards Consider a finite set X of variables. A valuation is a function v : X R. Expressions: e v Guards: v = g c v = c [c Q] x v = v(x) [x X] e 1 + e 2 v = e 1 v + e 2 v e 1 - e 2 v = e 1 v e 2 v e 1 * e 2 v = e 1 v e 2 v v = e 1 < e 2 if e 1 v < e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 = e 2 if e 1 v = e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 e 2 if e 1 v e 2 v v = e 1 > e 2 if e 1 v > e 2 v Grégoire Sutre Software Verification Control Flow Automata VTSA 08 37 / 286

Semantics of Operations The semantics op of an operation op is defined as a binary relation between valuations before op and valuations after op: op (X R) (X R) Examples with X = {x, y} x*y 10 = {(v, v) v(x) v(y) 10} x := 3*x = {(v, v ) v (x) = 3 v(x) v (y) = v(y)} Operations: op (v, v ) g if v = g and v = v (v, v ) x := e if { v (x) = e v v (y) = v (y) for all y x Grégoire Sutre Software Verification Control Flow Automata VTSA 08 38 / 286

Semantics of Operations The semantics op of an operation op is defined as a binary relation between valuations before op and valuations after op: op (X R) (X R) Examples with X = {x, y} x*y 10 = {(v, v) v(x) v(y) 10} x := 3*x = {(v, v ) v (x) = 3 v(x) v (y) = v(y)} Operations: op (v, v ) g if v = g and v = v (v, v ) x := e if { v (x) = e v v (y) = v (y) for all y x Grégoire Sutre Software Verification Control Flow Automata VTSA 08 38 / 286

Semantics of Operations The semantics op of an operation op is defined as a binary relation between valuations before op and valuations after op: op (X R) (X R) Examples with X = {x, y} x*y 10 = {(v, v) v(x) v(y) 10} x := 3*x = {(v, v ) v (x) = 3 v(x) v (y) = v(y)} Operations: op (v, v ) g if v = g and v = v (v, v ) x := e if { v (x) = e v v (y) = v (y) for all y x Grégoire Sutre Software Verification Control Flow Automata VTSA 08 38 / 286

Operational Semantics of Control Flow Automata Definition The interpretation of a control flow automaton Q, q in, q out, X, is the labeled transition system C, Init, Out, Op, defined by: C = Q (X R) Init = {q in } (X R) and Out = {q out } (X R) (q, v) op (q, v ) if q op q and (v, v ) op Two kinds of labeled directed graphs Control Flow Automata Use: program source codes Syntactic objects Finite Interpretations (LTS) Use: program behaviors Semantic objects Uncountably infinite Grégoire Sutre Software Verification Control Flow Automata VTSA 08 39 / 286

Operational Semantics of Control Flow Automata Definition The interpretation of a control flow automaton Q, q in, q out, X, is the labeled transition system C, Init, Out, Op, defined by: C = Q (X R) Init = {q in } (X R) and Out = {q out } (X R) (q, v) op (q, v ) if q op q and (v, v ) op Two kinds of labeled directed graphs Control Flow Automata Use: program source codes Syntactic objects Finite Interpretations (LTS) Use: program behaviors Semantic objects Uncountably infinite Grégoire Sutre Software Verification Control Flow Automata VTSA 08 39 / 286

Control Paths, Execution Paths and Runs A control path is a path in the control flow automaton: op q 0 0 q1 q k 1 op k 1 q k An execution path is a path in the labeled transition system: (q 0, v 0 ) op 0 (q 1, v 1 ) (q k 1, v k 1 ) op k 1 (q k, v k ) A run is an execution path that starts with an initial configuration: (q in, v in ) op 0 (q 1, v 1 ) (q k 1, v k 1 ) op k 1 (q k, v k ) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 40 / 286

Control Paths, Execution Paths and Runs A control path is a path in the control flow automaton: op q 0 0 q1 q k 1 op k 1 q k An execution path is a path in the labeled transition system: (q 0, v 0 ) op 0 (q 1, v 1 ) (q k 1, v k 1 ) op k 1 (q k, v k ) A run is an execution path that starts with an initial configuration: (q in, v in ) op 0 (q 1, v 1 ) (q k 1, v k 1 ) op k 1 (q k, v k ) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 40 / 286

Execution Path: Example q 1 q 2 q 3 q 6 x y y := 10 q 11 q 12 x := 1 y 10 y>10 x := y+1 y := y-1 x<y q 7 x := 2*x q 8 (q 1, 159, 27) x := 1 (q 2, 1, 27) y>10 (q 6, 1, 27) x<y (q 7, 1, 27) x := 2*x (q 8, 2, 27) y := y-1 (q 6, 2, 26) Grégoire Sutre Software Verification Control Flow Automata VTSA 08 41 / 286

Control Path: Example q 1 q 2 q 3 q 6 x y y := 10 q 11 q 12 x := 1 y 10 y>10 x := y+1 x<y q 7 x := 2*x y := y-1 q 8 q 1 q 2 q 6 q 7 q 8 q 6 x := 1 y>10 x<y x := 2*x y := y-1 Grégoire Sutre Software Verification Control Flow Automata VTSA 08 42 / 286

Outline Control Flow Automata 3 Syntax and Semantics 4 Verification of Control Flow Automata Grégoire Sutre Software Verification Control Flow Automata VTSA 08 43 / 286

Forward Reachability Set Post Set of all configurations that are reachable from an initial configuration Post = ρ :run {(q, v) (q, v) occurs on ρ} = i N Post i (Init) = q in op 0 op k 1 q {q} ( op k 1 op 0 ) [(X R)] Grégoire Sutre Software Verification Control Flow Automata VTSA 08 44 / 286

Forward Reachability Set Post on Running Example q 1 q 2 q 3 q 6 q 11 x := 1 y 10 y>10 y := 10 x := y+1 x y x<y q 7 x := 2*x y := y-1 q 8 q 1 : R R q 2 : {1} R q 3 : {1} ], 10] q 6 : {1} ]10, + [ {2} ]9, + [ {4} ]8, + [... q 12 Grégoire Sutre Software Verification Control Flow Automata VTSA 08 45 / 286

Forward Reachability Set Post on Running Example q 1 q 2 q 3 q 6 q 11 q 12 x := 1 y 10 y>10 y := 10 x := y+1 x y x<y q 7 x := 2*x y := y-1 q 8 q 6 : i N q 1 : R R q 2 : {1} R q 3 : {1} ], 10] q 6 : {1} ]10, + [ {2} ]9, + [ {4} ]8, + [... { x = 2 i y + i > 10 i 1 = 2 i 1 < y + 1 Grégoire Sutre Software Verification Control Flow Automata VTSA 08 45 / 286

Backward Reachability Set Pre Set of all configurations that can reach an exit configuration Pre = i N Pre i (Out) = = {q} q op 0 op k 1 q out {q} q op 0 op k 1 q out ( op 0 1 op k 1 1) [(X R)] ( ( op k 1 op 0 ) 1) [(X R)] Grégoire Sutre Software Verification Control Flow Automata VTSA 08 46 / 286

Verification of Control Flow Automata Goal (Repetition) Check that there is no run that visits a location q contained in a given set Q BAD Q of bad locations. Define the set Bad of bad configurations by: Bad = Q BAD (X R). Goal (Equivalent Formulation) Undecidability Check that Post is disjoint from Bad The location reachability and configuration reachability problems are both undecidable for control flow automata. Proof by reduction to location reachability in two-counters machines. Grégoire Sutre Software Verification Control Flow Automata VTSA 08 47 / 286

Two-Counters Machines as Control Flow Automata Two-Counters (Minsky) Machines Finite-state automaton extended with: two counters over nonnegative integers test for zero, increment and guarded decrement Reachability is undecidable for this class. Any two-counters machine can (effectively) be represented as a control flow automaton in this restricted class: two variables: X = {c 1, c 2 } allowed guards: x = 0 and x 0 for each x X allowed assignments: x := x+1 and x := x-1 for each x X Grégoire Sutre Software Verification Control Flow Automata VTSA 08 48 / 286

Two-Counters Machines as Control Flow Automata Two-Counters (Minsky) Machines Finite-state automaton extended with: two counters over nonnegative integers test for zero, increment and guarded decrement Reachability is undecidable for this class. Any two-counters machine can (effectively) be represented as a control flow automaton in this restricted class: two variables: X = {c 1, c 2 } allowed guards: x = 0 and x 0 for each x X allowed assignments: x := x+1 and x := x-1 for each x X Grégoire Sutre Software Verification Control Flow Automata VTSA 08 48 / 286

Tentative Solution: Approximation Techniques Definition An invariant is any set Inv C such that Post Inv. Idea: 1 Compute an invariant Inv (easier to compute than Post ) 2 If Inv is disjoint from Bad then Post is also disjoint from Bad Rest of the lecture: Computation of precise enough invariants Grégoire Sutre Software Verification Control Flow Automata VTSA 08 49 / 286

Tentative Solution: Approximation Techniques Definition An invariant is any set Inv C such that Post Inv. Idea: 1 Compute an invariant Inv (easier to compute than Post ) 2 If Inv is disjoint from Bad then Post is also disjoint from Bad Rest of the lecture: Computation of precise enough invariants Grégoire Sutre Software Verification Control Flow Automata VTSA 08 49 / 286

Summary Computational model for programs: control flow automata syntax semantics Undecidability in general of model-checking for control flow automata Tentative solution: computation of invariants Grégoire Sutre Software Verification Control Flow Automata VTSA 08 50 / 286

Part III Data Flow Analysis Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 51 / 286

Outline Data Flow Analysis 5 Classical Data Flow Analyses 6 Basic Lattice Theory 7 Monotone Data Flow Analysis Frameworks Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 52 / 286

Outline Data Flow Analysis 5 Classical Data Flow Analyses 6 Basic Lattice Theory 7 Monotone Data Flow Analysis Frameworks Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 53 / 286

Short Introduction to Data Flow Analysis Tentative Definition Compile-time techniques to gather run-time information about data in programs without actually running them Applications Code optimization Avoid redundant computations (e.g. reuse available results) Avoid superfluous computations (e.g. eliminate dead code) Code validation Invariant generation Conservative approximations Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 54 / 286

Live Variables Analysis: Definition Definition A variable x is live at location q if there exists a control path starting from q where x is used before it is modified. q q x := 1 y := x+3 x := 1 y := y+3 x y x := 0 x 0 x := 0 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 55 / 286

Live Variables Analysis: Definition Definition A variable x is live at location q if there exists a control path starting from q where x is used before it is modified. q q x := 1 y := x+3 x := 1 y := y+3 x y x := 0 x 0 x := 0 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 55 / 286

Live Variables Analysis: Definition Definition A variable x is live at location q if there exists a control path starting from q where x is used before it is modified. q q x := 1 y := x+3 x := 1 y := y+3 x y x := 0 x 0 x := 0 x live, y live Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 55 / 286

Live Variables Analysis: Definition Definition A variable x is live at location q if there exists a control path starting from q where x is used before it is modified. q q x := 1 y := x+3 x := 1 y := y+3 x y x := 0 x 0 x := 0 x live, y live Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 55 / 286

Live Variables Analysis: Definition Definition A variable x is live at location q if there exists a control path starting from q where x is used before it is modified. q q x := 1 y := x+3 x := 1 y := y+3 x y x := 0 x 0 x := 0 x live, y live x not live, y live Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 55 / 286

Live Variables Analysis: Running Example q 1 x := 1 q 2 y 10 y>10 q 3 q 6 x y y := 10 x<y q 7 y := y-1 x := y+1 q 11 x := 2*x q 8 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 q 2 y 10 y>10 q 3 q 6 x y y := 10 x<y q 7 y := y-1 x := y+1 q 11 x := 2*x q 8 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 x y Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 q 1 q 2 q 3 x y q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Running Example q 1 x := 1 0 : Initialization 1 : Local information 2 : Propagation ( ) q 2 y 10 y>10 q 3 q 6 x y y := 10 x := y+1 q 11 q 12 x<y q 7 x := 2*x y := y-1 q 8 x y q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 56 / 286

Live Variables Analysis: Formulation Control Flow Automaton: Q, q in, q out, X, System of equations: variables L q for q Q, with L q X ( ) L q = Gen op Lq \ Kill op L(q out ) = q q op Gen op = { Var(g) Var(e) if op = g if op = x := e Kill op = { {x} if op = g if op = x := e f op (X) = Gen op (X \ Kill op ) Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 57 / 286

Live Variables Analysis: Formulation Control Flow Automaton: Q, q in, q out, X, System of equations: variables L q for q Q, with L q X ( L q = Lq ) L(q out ) = q q op f op Gen op = { Var(g) Var(e) if op = g if op = x := e Kill op = { {x} if op = g if op = x := e f op (X) = Gen op (X \ Kill op ) Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 57 / 286

Live Variables Analysis: Applications Code Optimization Dead code elimination x := e q 1 q 2 If x is not live at location q 2 then we may remove the assignment x := e on the edge from q 1 to q 2. This is sound since the analysis is conservative Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 58 / 286

Available Expressions Analysis: Definition Definition A expression e is available at location q if every control path from q in to q contains an evaluation of e which is not followed by an assignment of any variable x occurring in e. y := x-1 z := x*y x := x-1 z := x*y x*y 0 y := x-1 x*y 0 z := x-1 q q Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 59 / 286

Available Expressions Analysis: Definition Definition A expression e is available at location q if every control path from q in to q contains an evaluation of e which is not followed by an assignment of any variable x occurring in e. y := x-1 z := x*y x := x-1 z := x*y x*y 0 y := x-1 x*y 0 z := x-1 q q Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 59 / 286

Available Expressions Analysis: Definition Definition A expression e is available at location q if every control path from q in to q contains an evaluation of e which is not followed by an assignment of any variable x occurring in e. y := x-1 z := x*y x := x-1 z := x*y x*y 0 y := x-1 x*y 0 z := x-1 q q x-1 available, x*y not available Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 59 / 286

Available Expressions Analysis: Definition Definition A expression e is available at location q if every control path from q in to q contains an evaluation of e which is not followed by an assignment of any variable x occurring in e. y := x-1 z := x*y x := x-1 z := x*y x*y 0 y := x-1 x*y 0 z := x-1 q q x-1 available, x*y not available Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 59 / 286

Available Expressions Analysis: Definition Definition A expression e is available at location q if every control path from q in to q contains an evaluation of e which is not followed by an assignment of any variable x occurring in e. y := x-1 z := x*y x := x-1 z := x*y x*y 0 y := x-1 x*y 0 z := x-1 q q x-1 available, x*y not available x-1 not available, x*y available Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 59 / 286

Available Expressions Analysis: Other Example q 1 a := c*d b+1 10 q 2 b+1>10 q 3 q 6 a b c := 5 a<b q 7 a := b+1 a := 2*a q 11 b := 2*a q 8 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d b+1 10 q 2 b+1>10 q 3 q 6 a b c := 5 a<b q 7 a := b+1 a := 2*a q 11 b := 2*a q 8 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 c*d b+1 2*a q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 c*d b+1 2*a q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 c*d b+1 2*a q 1 q 2 q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

Available Expressions Analysis: Other Example q 1 a := c*d 0 : Initialization 1 : Local information 2 : Propagation ( ) b+1 10 q 2 q 3 q 6 a b c := 5 a := 2*a q 11 q 12 b+1>10 a<b q 7 b := 2*a a := b+1 q 8 q 1 q 2 c*d b+1 2*a q 3 q 6 q 7 q 8 q 11 q 12 Grégoire Sutre Software Verification Data Flow Analysis VTSA 08 60 / 286

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback