Model Checking
Lecture 5
Slide transcript, posted 19-Dec-2015

Outline
1. Specifications: logic vs. automata, linear vs. branching, safety vs. liveness
2. Graph algorithms for model checking
3. Symbolic algorithms for model checking
4. Pushdown systems

From Finite to Infinite-State Systems
• So far: algorithms for systems with finite state spaces
• Sources of infinite state
  – Control: recursion
  – Data: unbounded numeric variables, lists
  – Time: systems with real-time clocks
  – Parameters: arbitrary number of participating processes

Decidability vs Expressiveness
• Unbounded state Undecidable
• Is the unbounded system able to encode a Turing machine?
  – Single-counter machines: NO
  – Two-counter machines: YES
  – Single-stack machines: NO
  – Two-stack machines: YES

State representation
• Explicit representation infeasible
• Symbolic representation is the key
  – For the transition system
  – For the reachable states

Pushdown systems
(G L g0 l0 )
g h G: finite set of control states
l m L: finite set of stack symbols
g0: initial control state
l0: initial stack symbol
set of transitions
Three kinds of transitions
(g l) (h m) (step)
(g l) (h m n) (call)
(g l) (h ) (return)
Configuration g l
[Figure: a configuration and the effect of the three kinds of transitions on it]

Modeling sequential programs
• An element in G is a valuation to global variables
• An element in L is a valuation to local variables and
  – current instruction address for the frame at the top of the stack
  – return instruction address for the other frames
Example
bool a = F;
void main() {
  L1: a = T;
  L2: flip(a);
  L3: }
void flip(bool x) {
  L4: a = x;
  L5: }
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)

Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls L such that (g0 l0) (g ls)?

Naïve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
• R is unbounded, so the algorithm won't terminate
• Two solutions
  – Summary-based (a.k.a. interprocedural dataflow analysis)
  – Automata-based

Problem with the naïve algorithm

Algorithm I
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (h' m')
E(g l h' m')
Call rule
E(g l h m) (h m) (h' n'm')
E+(g l h' n'm') E(h' n' h' n')
Return rule
E(g l h m) (h m) (h' )
E-(g l h')
Summary rule
E+(g l h nm) E-(h n h')
E(g l h' m)

int g = 0;
main() {
  L0: incr();
  L1: g = 0;
  L2: incr();
  L3: }
incr() {
  L4: g = g+1;
  L5: }
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)
E(0 L0 1 L3)
E-(0 L0 1)

int g = 0;
main() {
  L0: if () {
  L1:   foo(0);
      } else {
  L2:   foo(1);
      }
  L3: assert(g > 0);
  L4: }
foo(r) {
  L5: if (r == 0) {
  L6:   foo(r);
      } else {
  L7:   g = g + 1;
      }
  L8: }
E(0 L0 0 L0)
E+(0 L0 0 L50L3)
E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)
E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)
E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)

Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls such that (g0 l0) (g ls)?
Algorithm I: Summary-based
Yes, if E(g' l' g l) for some g', l' and l
No, otherwise
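
The four rules of Algorithm I, run to a fixpoint on the two example programs above. This is an added Python example, not code from the lecture. It assumes g ranges over {0, 1, 2} so that G stays finite, treats the `if ()` in main as a nondeterministic choice, and uses a hypothetical ERR label for a failed assert; all function names are illustrative.

```python
def summarize(rules, g0, l0):
    """Saturate E, E+ and E- with the step, call, return and summary rules.

    rules maps (g, l) to a list of (h, w). w is the tuple of stack symbols
    that replaces l: () = return, (m,) = step, (n, m) = call, where n is the
    callee's frame and m is the caller's frame to resume in.
    """
    E, Ep, Em = {(g0, l0, g0, l0)}, set(), set()
    while True:
        nE, nEp, nEm = set(E), set(Ep), set(Em)
        for (g, l, h, m) in E:
            for (h2, w) in rules.get((h, m), ()):
                if len(w) == 1:                      # step rule
                    nE.add((g, l, h2, w[0]))
                elif len(w) == 2:                    # call rule
                    nEp.add((g, l, h2, w[0], w[1]))
                    nE.add((h2, w[0], h2, w[0]))     # callee gets its own entry
                else:                                # return rule
                    nEm.add((g, l, h2))
        for (g, l, h, n, m) in Ep:                   # summary rule
            for (h1, n1, h2) in Em:
                if (h1, n1) == (h, n):
                    nE.add((g, l, h2, m))
        if (nE, nEp, nEm) == (E, Ep, Em):            # fixpoint: all sets finite
            return E, Ep, Em
        E, Ep, Em = nE, nEp, nEm


def reachable_control_states(E):
    """g is reachable iff E(g', l', g, l) holds for some g', l' and l."""
    return {h for (_, _, h, _) in E}


def assertion_can_fail(E):
    """True iff some edge ends at the hypothetical ERR label."""
    return any(m == "ERR" for (_, _, _, m) in E)


def incr_program(domain=(0, 1, 2)):
    """Pushdown rules for the main()/incr() program (g bounded: assumption)."""
    rules = {}
    for g in domain:
        rules[(g, "L0")] = [(g, ("L4", "L1"))]        # L0: incr()
        rules[(g, "L1")] = [(0, ("L2",))]             # L1: g = 0
        rules[(g, "L2")] = [(g, ("L4", "L3"))]        # L2: incr()
        rules[(g, "L3")] = [(g, ())]                  # L3: main returns
        if g + 1 in domain:
            rules[(g, "L4")] = [(g + 1, ("L5",))]     # L4: g = g+1
        rules[(g, "L5")] = [(g, ())]                  # L5: incr returns
    return rules


def foo_program(domain=(0, 1, 2)):
    """Pushdown rules for the main()/foo(r) program; a frame of foo is the
    pair (label, r), written L50, L51, ... on the slide."""
    rules = {}
    for g in domain:
        rules[(g, "L0")] = [(g, ("L1",)), (g, ("L2",))]   # if (): either branch
        rules[(g, "L1")] = [(g, (("L5", 0), "L3"))]       # foo(0)
        rules[(g, "L2")] = [(g, (("L5", 1), "L3"))]       # foo(1)
        # assert(g > 0): continue to L4, or go to ERR when it fails
        rules[(g, "L3")] = [(g, ("L4",))] if g > 0 else [(g, ("ERR",))]
        rules[(g, "L4")] = [(g, ())]
        for r in (0, 1):
            branch = "L6" if r == 0 else "L7"
            rules[(g, ("L5", r))] = [(g, ((branch, r),))]
            rules[(g, ("L6", r))] = [(g, (("L5", r), ("L8", r)))]  # foo(r)
            if g + 1 in domain:
                rules[(g, ("L7", r))] = [(g + 1, (("L8", r),))]    # g = g + 1
            rules[(g, ("L8", r))] = [(g, ())]
    return rules


if __name__ == "__main__":
    E, Ep, Em = summarize(incr_program(), 0, "L0")
    print(sorted(E), sorted(Ep), sorted(Em), sep="\n")
    E2, _, _ = summarize(foo_program(), 0, "L0")
    print("assert(g > 0) can fail:", assertion_can_fail(E2))
```

The second program recurses forever through foo(0), so the naïve algorithm would keep growing the stack; the summary edges still reach a fixpoint because E, E+ and E- range over finite sets.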

Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
Key idea: Use a finite automaton to symbolically represent R

Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)
- Q ( G) is the set of states
- L is the alphabet
- T is the transition relation
- G is the set of initial states
- F is the set of final states
[Figure: example automaton over states g, h, s1, s2 with edges labeled l and m]
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular

Pushdown system
(G L g0 l0 )
- G = g0 g1 g2
- L = l0 l1 l2
- (g0 l0) (g1 l1l0)
  (g1 l1) (g2 l2l0)
  (g2 l2) (g0 l1)
  (g0 l1) (g0 )
[Figure, built up over several slides: representation automaton with states g0, g1, g2, s0, s11, s22 and edges labeled l0, l1, l2]
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
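
Algorithm II on the pushdown system above, as an added Python example that is not part of the lecture. It builds the representation automaton by post* saturation (the page shows only the resulting automaton, so the choice of procedure is an assumption) and cross-checks it against a height-bounded run of the naïve algorithm; state names such as s_g1_l1 and all function names are illustrative.

```python
from itertools import product

# (g, l) -> list of (h, w); w = () return, (m,) step, (n, m) call (n on top)
RULES = {
    ("g0", "l0"): [("g1", ("l1", "l0"))],
    ("g1", "l1"): [("g2", ("l2", "l0"))],
    ("g2", "l2"): [("g0", ("l1",))],
    ("g0", "l1"): [("g0", ())],
}
# Automaton for the single initial configuration (g0 l0): g0 --l0--> s0
INITIAL_EDGES = {("g0", "l0", "s0")}
FINALS = {"s0"}


def eps_closure(T, states):
    """States reachable through epsilon edges (label None)."""
    closure = set(states)
    while True:
        more = {d for (s, a, d) in T if s in closure and a is None} - closure
        if not more:
            return closure
        closure |= more


def post_star(rules, initial_edges):
    """Add edges until the automaton accepts every reachable configuration."""
    T = set(initial_edges)
    while True:
        new = set(T)
        for (p, gamma), rhs_list in rules.items():
            starts = eps_closure(T, {p})
            # every q with p --gamma--> q: configurations (p, gamma rest)
            targets = {d for (s, a, d) in T if s in starts and a == gamma}
            for (p2, w) in rhs_list:
                for q in targets:
                    if len(w) == 0:                    # return: pop gamma
                        new.add((p2, None, q))
                    elif len(w) == 1:                  # step: replace gamma
                        new.add((p2, w[0], q))
                    else:                              # call: push two symbols
                        mid = "s_%s_%s" % (p2, w[0])   # one extra state per call
                        new.add((p2, w[0], mid))
                        new.add((mid, w[1], q))
        if new == T:       # finitely many states and labels, so this is reached
            return T
        T = new


def accepts(T, finals, g, word):
    """Is configuration (g, word) in the represented set? word is top-first."""
    current = eps_closure(T, {g})
    for sym in word:
        step = {d for (s, a, d) in T if s in current and a == sym}
        current = eps_closure(T, step)
    return bool(current & finals)


def accepted_up_to(T, finals, k, controls=("g0", "g1", "g2"),
                   alphabet=("l0", "l1", "l2")):
    """All accepted configurations whose stack has at most k symbols."""
    return {(g, w) for g in controls for n in range(k + 1)
            for w in product(alphabet, repeat=n) if accepts(T, finals, g, w)}


def explore_bounded(rules, g0, stack, max_height):
    """Naïve algorithm, made terminating by discarding taller stacks."""
    seen, frontier = {(g0, stack)}, [(g0, stack)]
    while frontier:
        g, s = frontier.pop()
        if not s:
            continue                                   # empty stack: stuck
        for (h, w) in rules.get((g, s[0]), ()):
            nxt = (h, w + s[1:])
            if len(nxt[1]) <= max_height and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


if __name__ == "__main__":
    T = post_star(RULES, INITIAL_EDGES)
    for edge in sorted(T, key=str):
        print(edge)
    print(sorted(accepted_up_to(T, FINALS, 4)))
```

The self-loop on s_g1_l1 labeled l0 is what turns the unbounded set R into a finite object: it produces the l0+ suffixes in the set of configurations listed above.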
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Outline
1 Specifications logic vs automata linear vs branching safety vs liveness
2 Graph algorithms for model checking
3 Symbolic algorithms for model checking
4 Pushdown systems
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
Decidability vs Expressiveness
bull Unbounded state Undecidablebull Is the unbounded system able to
encode a Turing machinendash Single-counter machines NOndash Two-counter machines YESndash Single-stack machines NOndash Two-stack machines YES
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
Decidability vs Expressiveness
bull Unbounded state Undecidablebull Is the unbounded system able to
encode a Turing machinendash Single-counter machines NOndash Two-counter machines YESndash Single-stack machines NOndash Two-stack machines YES
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
Decidability vs Expressiveness
bull Unbounded state Undecidablebull Is the unbounded system able to
encode a Turing machinendash Single-counter machines NOndash Two-counter machines YESndash Single-stack machines NOndash Two-stack machines YES
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Decidability vs Expressiveness
bull Unbounded state Undecidablebull Is the unbounded system able to
encode a Turing machinendash Single-counter machines NOndash Two-counter machines YESndash Single-stack machines NOndash Two-stack machines YES
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
From Finite to Inifinite-State Systems
bull So far algorithms for systems with finite state spaces
bull Sources of infinite-statendash Control recursionndash Data unbounded numeric variables
lists ndash Time Systems with real-time clocksndash Parameters arbitrary number of
participating processes
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naïve algorithm
Add (g0, l0) to R

(g, ls) ∈ R    (g, ls) → (g', ls')
----------------------------------
Add (g', ls') to R

Problem with the naïve algorithm
• R is unbounded, so the algorithm won't terminate
• Two solutions
  – Summary-based (aka interprocedural dataflow analysis)
  – Automata-based

Algorithm I
E(g, l, h, m) (step edges)
E+(g, l, h, n m) (call edges)
E-(g, l, h) (pop edges)
Initially:
E(g0, l0, g0, l0)
E+ is empty
E- is empty

Step rule
E(g, l, h, m)    (h, m) → (h', m')
----------------------------------
E(g, l, h', m')

Call rule
E(g, l, h, m)    (h, m) → (h', n' m')
-------------------------------------
E+(g, l, h', n' m')    E(h', n', h', n')

Return rule
E(g, l, h, m)    (h, m) → (h', ε)
---------------------------------
E-(g, l, h')

Summary rule
E+(g, l, h, n m)    E-(h, n, h')
--------------------------------
E(g, l, h', m)

int g = 0;
main() {
  L0: incr();
  L1: g = 0;
  L2: incr();
  L3: }
incr() {
  L4: g = g+1;
  L5: }
E(0, L0, 0, L0)
E+(0, L0, 0, L4 L1)
E(0, L4, 0, L4)
E(0, L4, 1, L5)
E-(0, L4, 1)
E(0, L0, 1, L1)
E(0, L0, 0, L2)
E+(0, L0, 0, L4 L3)
E(0, L0, 1, L3)
E-(0, L0, 1)

int g = 0;
main() {
  L0: if ()
  L1:   foo(0);
      else
  L2:   foo(1);
  L3: assert(g > 0);
  L4: }
foo(r) {
  L5: if (r = 0)
  L6:   foo(r);
      else
  L7:   g = g + 1;
  L8: }
E(0, L0, 0, L0)
E+(0, L0, 0, L50 L3)
E(0, L50, 0, L50)
E(0, L50, 0, L60)
E(0, L0, 0, L1)
E(0, L0, 0, L2)
E+(0, L0, 0, L51 L3)
E(0, L51, 0, L51)
E(0, L51, 0, L71)
E(0, L51, 1, L81)
E-(0, L51, 1)
E(0, L0, 1, L3)
E(0, L0, 1, L4)
E-(0, L0, 1)
E+(0, L50, 0, L50 L80)

Reachability problem
Given pushdown system (G, L, g0, l0, →) and control state g, does there exist a stack ls such that (g0, l0) →* (g, ls)?
Algorithm I: Summary-based
Yes if E(g', l', g, l) for some g', l' and l
No otherwise

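An added example, not part of the original slides: the step, call, return and summary rules of Algorithm I implemented as a worklist saturation and run on the foo/assert program above, where the recursion in foo(0) makes the explicit stack unbounded. The rule encoding, the restriction of g to {0, 1} and all function names are assumptions made here.

```python
from collections import defaultdict


def summarize(rules, g0, l0):
    """Saturate E, E+ and E- with the step/call/return/summary rules.

    rules maps (g, l) to a list of (h, pushed) pairs, where pushed is
    (m,) for a step, (n, m) for a call (n = callee frame on top,
    m = frame to resume in the caller) and () for a return.
    """
    E = {(g0, l0, g0, l0)}      # path edges (entry g, entry l, h, m)
    Ep, Em = set(), set()        # call edges E+ and pop edges E-
    work = [(g0, l0, g0, l0)]

    def add_edge(edge):
        if edge not in E:
            E.add(edge)
            work.append(edge)

    while work:
        g, l, h, m = work.pop()
        for h2, pushed in rules.get((h, m), ()):
            if len(pushed) == 1:                       # step rule
                add_edge((g, l, h2, pushed[0]))
            elif len(pushed) == 2:                     # call rule
                n2, m2 = pushed
                Ep.add((g, l, h2, n2, m2))
                add_edge((h2, n2, h2, n2))
                # summary rule against pop edges already known for the callee
                for eg, el, h3 in list(Em):
                    if (eg, el) == (h2, n2):
                        add_edge((g, l, h3, m2))
            elif (g, l, h2) not in Em:                 # return rule
                Em.add((g, l, h2))
                # summary rule against every call edge into entry (g, l)
                for cg, cl, eh, en, rm in list(Ep):
                    if (eh, en) == (g, l):
                        add_edge((cg, cl, h2, rm))
    return E, Ep, Em


def foo_program():
    """Constructed encoding of the slide's main/foo program.

    Control state = value of g (assumed to range over {0, 1});
    stack symbol = label plus, inside foo, the value of r ("L50" = L5, r=0).
    """
    rules = defaultdict(list)
    for g in (0, 1):
        rules[(g, "L0")] += [(g, ("L1",)), (g, ("L2",))]  # both branches
        rules[(g, "L1")].append((g, ("L50", "L3")))        # foo(0)
        rules[(g, "L2")].append((g, ("L51", "L3")))        # foo(1)
        rules[(g, "L4")].append((g, ()))                   # main returns
        rules[(g, "L50")].append((g, ("L60",)))            # r is 0
        rules[(g, "L51")].append((g, ("L71",)))            # r is not 0
        rules[(g, "L60")].append((g, ("L50", "L80")))      # recursive foo(r)
        rules[(g, "L80")].append((g, ()))                  # foo returns
        rules[(g, "L81")].append((g, ()))
    rules[(0, "L71")].append((1, ("L81",)))   # g = g + 1 (only g = 0 arises)
    rules[(1, "L3")].append((1, ("L4",)))     # assert(g > 0) passes
    return rules


def reachable_control_states(E):
    """Control states g for which some E(g', l', g, l) exists."""
    return {h for (_, _, h, _) in E}


def assertion_can_fail(E):
    """True if L3 is reachable with g == 0, i.e. assert(g > 0) can fail."""
    return any(h == 0 and m == "L3" for (_, _, h, m) in E)


if __name__ == "__main__":
    E, Ep, Em = summarize(foo_program(), 0, "L0")
    for name, edges in (("E", E), ("E+", Ep), ("E-", Em)):
        print(name, sorted(edges))
    print("assert(g > 0) can fail:", assertion_can_fail(E))
```
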
Algorithm II
Add (g0, l0) to R

(g, ls) ∈ R    (g, ls) → (g', ls')
----------------------------------
Add (g', ls') to R

Key idea: Use a finite automaton to symbolically represent R

Symbolic representation
Pushdown system (G, L, g0, l0, →)
Representation automaton (Q, L, T, G, F)
- Q (⊇ G) is the set of states
- L is the alphabet
- T is the transition relation
- G is the set of initial states
- F is the set of final states
[Figure: example automaton over the states g, h, s1 and s2 with edges labeled l, l, m and m]
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular

Pushdown system
(G, L, g0, l0, →)
- G = {g0, g1, g2}
- L = {l0, l1, l2}
- (g0, l0) → (g1, l1 l0)
  (g1, l1) → (g2, l2 l0)
  (g2, l2) → (g0, l1)
  (g0, l1) → (g0, ε)
[Figure, built up over several slides: representation automaton over the states g0, g1, g2, s0, s11 and s22 with edges labeled l0, l1 and l2, starting from the single edge from g0 to s0 labeled l0]
(g0, l0 | l0 l0+ | l1 l0 l0+) (g1, l1 l0+) (g2, l2 l0 l0+)

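An added example, not from the original slides: a forward saturation (post*) that builds a representation automaton for the example pushdown system above, starting from the automaton that accepts only (g0, l0), and then tests configurations for membership. The slides do not spell out their saturation rules, so the ε-transition variant used here, the intermediate state names and the function names are assumptions.

```python
from itertools import product

# Constructed encoding of the slide's example pushdown system.
# A rule ((p, a), (q, pushed)) rewrites stack top a in control state p;
# pushed is () for a return, (b,) for a step, (b, c) for a call (b on top).
RULES = [
    (("g0", "l0"), ("g1", ("l1", "l0"))),
    (("g1", "l1"), ("g2", ("l2", "l0"))),
    (("g2", "l2"), ("g0", ("l1",))),
    (("g0", "l1"), ("g0", ())),
]
ALPHABET = ("l0", "l1", "l2")
INITIAL = {("g0", "l0", "s0")}   # automaton transitions (state, label, state)
FINALS = {"s0"}
EPS = None                        # label of an epsilon transition


def eps_closure(trans, states):
    """All states reachable from `states` through epsilon transitions."""
    seen, todo = set(states), list(states)
    while todo:
        q = todo.pop()
        for s, a, t in trans:
            if s == q and a is EPS and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def read(trans, states, symbol):
    """States reached from `states` by epsilon moves followed by `symbol`."""
    src = eps_closure(trans, states)
    return {t for s, a, t in trans if s in src and a == symbol}


def post_star(rules, initial):
    """Add transitions until the automaton is closed under the PDS rules."""
    trans = set(initial)
    changed = True
    while changed:
        changed = False
        for (p, a), (p2, pushed) in rules:
            for q in read(trans, {p}, a):
                if len(pushed) == 0:        # return: p2 continues from q
                    new = {(p2, EPS, q)}
                elif len(pushed) == 1:      # step: replace the top symbol
                    new = {(p2, pushed[0], q)}
                else:                       # call: one extra state per (p2, top)
                    mid = f"s_{p2}_{pushed[0]}"
                    new = {(p2, pushed[0], mid), (mid, pushed[1], q)}
                if not new <= trans:
                    trans |= new
                    changed = True
    return trans


def accepts(trans, finals, control, stack):
    """True if configuration (control, stack) is in the represented set.

    `stack` lists the stack symbols from top to bottom.
    """
    current = {control}
    for symbol in stack:
        current = read(trans, current, symbol)
    return bool(eps_closure(trans, current) & finals)


def stacks_up_to(trans, finals, control, alphabet, max_len):
    """Every accepted stack of length <= max_len, shortest first."""
    return [w for n in range(max_len + 1)
            for w in product(alphabet, repeat=n)
            if accepts(trans, finals, control, w)]


if __name__ == "__main__":
    automaton = post_star(RULES, INITIAL)
    for g in ("g0", "g1", "g2"):
        print(g, stacks_up_to(automaton, FINALS, g, ALPHABET, 4))
```
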
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
State representation
bull Explicit representation infeasiblebull Symbolic representation is the key
ndash For the transition systemndash For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm

Algorithm I
$E(g, l, h, m)$ (step edges)
$E^+(g, l, h, n\,m)$ (call edges)
$E^-(g, l, h)$ (pop edges)
Initially
$E(g_0, l_0, g_0, l_0)$
$E^+$ is empty
$E^-$ is empty

Step rule
$$\frac{E(g, l, h, m) \qquad (h, m) \to (h', m')}{E(g, l, h', m')}$$
Call rule
$$\frac{E(g, l, h, m) \qquad (h, m) \to (h', n'm')}{E^+(g, l, h', n'm') \qquad E(h', n', h', n')}$$
Return rule
$$\frac{E(g, l, h, m) \qquad (h, m) \to (h', )}{E^-(g, l, h')}$$
Summary rule
$$\frac{E^+(g, l, h, n\,m) \qquad E^-(h, n, h')}{E(g, l, h', m)}$$

    int g = 0;

    main() {
    L0:  incr();
    L1:  g = 0;
    L2:  incr();
    L3:  }

    incr() {
    L4:  g = g+1;
    L5:  }

$E(0, L0, 0, L0)$
$E^+(0, L0, 0, L4\,L1)$
$E(0, L4, 0, L4)$
$E(0, L4, 1, L5)$
$E^-(0, L4, 1)$
$E(0, L0, 1, L1)$
$E(0, L0, 0, L2)$
$E^+(0, L0, 0, L4\,L3)$
$E(0, L0, 1, L3)$
$E^-(0, L0, 1)$
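
    int g = 0;

    main() {
    L0:  if (*) {
    L1:    foo(0);
         } else {
    L2:    foo(1);
         }
    L3:  assert(g > 0);
    L4:  }

    foo(r) {
    L5:  if (r == 0) {
    L6:    foo(r);
         } else {
    L7:    g = g + 1;
         }
    L8:  }

In the facts below, a stack symbol such as L50 is the label L5 paired with the value 0 of r.

$E(0, L0, 0, L0)$
$E^+(0, L0, 0, L50\,L3)$
$E(0, L50, 0, L50)$
$E(0, L50, 0, L60)$
$E(0, L0, 0, L1)$
$E(0, L0, 0, L2)$
$E^+(0, L0, 0, L51\,L3)$
$E(0, L51, 0, L51)$
$E(0, L51, 0, L71)$
$E(0, L51, 1, L81)$
$E^-(0, L51, 1)$
$E(0, L0, 1, L3)$
$E(0, L0, 1, L4)$
$E^-(0, L0, 1)$
$E^+(0, L50, 0, L50\,L80)$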

Reachability problem
Given pushdown system $(G, L, g_0, l_0, )$ and control state $g$, does there exist a stack $ls$ such that $(g, ls)$ is reachable from $(g_0, l_0)$?
Algorithm I: Summary-based
Yes, if $E(g', l', g, l)$ for some $g'$, $l'$ and $l$
No, otherwise
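
The Step, Call, Return and Summary rules above, run to a fixpoint on the two example programs; this is an added example, not code from the lecture. The finite domain {0, 1, 2} for g and the encoding of foo's stack symbols as (label, r) pairs are assumptions made here.

```python
"""Summary-based reachability (Algorithm I) for pushdown systems.

A rule maps (h, m) to a list of (h2, pushed); pushed is a tuple holding
0 symbols (return), 1 symbol (step) or 2 symbols (call: callee entry
symbol first, then the caller's return site).
"""


def saturate(rules, g0, l0):
    """Apply the Step, Call, Return and Summary rules until nothing new appears."""
    E = {(g0, l0, g0, l0)}        # E(g, l, h, m): entry (g, l) reaches (h, m)
    E_call, E_pop = set(), set()  # the slides' E+ and E-
    while True:
        new_E, new_call, new_pop = set(), set(), set()
        for (g, l, h, m) in E:
            for h2, pushed in rules.get((h, m), ()):
                if len(pushed) == 1:        # Step rule
                    new_E.add((g, l, h2, pushed[0]))
                elif len(pushed) == 2:      # Call rule
                    n, ret = pushed
                    new_call.add((g, l, h2, n, ret))
                    new_E.add((h2, n, h2, n))
                else:                       # Return rule
                    new_pop.add((g, l, h2))
        for (g, l, h, n, ret) in E_call | new_call:      # Summary rule
            for (h_in, n_in, h_out) in E_pop | new_pop:
                if (h_in, n_in) == (h, n):
                    new_E.add((g, l, h_out, ret))
        if new_E <= E and new_call <= E_call and new_pop <= E_pop:
            return E, E_call, E_pop
        E |= new_E
        E_call |= new_call
        E_pop |= new_pop


def incr_program(values=(0, 1, 2)):
    """First example: control state = value of g (assumed finite domain)."""
    rules = {}
    for g in values:
        rules[(g, "L0")] = [(g, ("L4", "L1"))]      # L0: incr(), return to L1
        rules[(g, "L1")] = [(0, ("L2",))]           # L1: g = 0
        rules[(g, "L2")] = [(g, ("L4", "L3"))]      # L2: incr(), return to L3
        rules[(g, "L3")] = [(g, ())]                # L3: end of main
        if g + 1 in values:
            rules[(g, "L4")] = [(g + 1, ("L5",))]   # L4: g = g+1
        rules[(g, "L5")] = [(g, ())]                # L5: end of incr
    return rules


def foo_program(values=(0, 1, 2)):
    """Second example: foo's stack symbols are (label, r) pairs (assumed encoding)."""
    rules = {}
    for g in values:
        rules[(g, "L0")] = [(g, ("L1",)), (g, ("L2",))]   # nondeterministic if
        rules[(g, "L1")] = [(g, (("L5", 0), "L3"))]       # foo(0)
        rules[(g, "L2")] = [(g, (("L5", 1), "L3"))]       # foo(1)
        rules[(g, "L3")] = [(g, ("L4",))]                 # assert(g > 0)
        rules[(g, "L4")] = [(g, ())]                      # end of main
        for r in (0, 1):
            branch = "L6" if r == 0 else "L7"
            rules[(g, ("L5", r))] = [(g, ((branch, r),))]
            rules[(g, ("L6", r))] = [(g, (("L5", r), ("L8", r)))]  # foo(r)
            if g + 1 in values:
                rules[(g, ("L7", r))] = [(g + 1, (("L8", r),))]    # g = g + 1
            rules[(g, ("L8", r))] = [(g, ())]             # end of foo
    return rules


def values_at(E, label):
    """Control states (values of g) with which `label` can be on top of the stack."""
    return {h for (_, _, h, m) in E if m == label}


if __name__ == "__main__":
    E, _, _ = saturate(foo_program(), 0, "L0")
    # The assertion at L3 holds iff every value of g reaching L3 is positive.
    print("g at L3:", values_at(E, "L3"))
```

The recursive call foo(0) never produces a pop edge, so the saturation terminates without unrolling the recursion, and only g = 1 reaches the assertion at L3.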

Algorithm II
Add $(g_0, l_0)$ to $R$
If $(g, ls) \in R$ and $(g, ls) \to (g', ls')$, add $(g', ls')$ to $R$
Key idea: use a finite automaton to symbolically represent $R$

Symbolic representation
Pushdown system $(G, L, g_0, l_0, )$
Representation automaton $(Q, L, T, G, F)$
- $Q$ ($\supseteq G$) is the set of states
- $L$ is the alphabet
- $T$ is the transition relation
- $G$ is the set of initial states
- $F$ is the set of final states
[Figure: representation automaton with states g, h, s1, s2 and edges labelled l, l, m, m]
Represents the set of configurations $(h, m)$, $(g, l\,m\,l)$
A set $C$ of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular

Pushdown system
$(G, L, g_0, l_0, )$
- $G = \{g_0, g_1, g_2\}$
- $L = \{l_0, l_1, l_2\}$
- $(g_0, l_0) \to (g_1, l_1 l_0)$, $(g_1, l_1) \to (g_2, l_2 l_0)$, $(g_2, l_2) \to (g_0, l_1)$, $(g_0, l_1) \to (g_0, )$
[Figure, built up over several slides: representation automaton with states g0, g1, g2, s0, s11, s22 and edges labelled l0, l1, l2]
Resulting set of configurations: $(g_0, w)$ with $w$ in $l_0$, $l_0 l_0^+$ or $l_1 l_0 l_0^+$; $(g_1, l_1 l_0^+)$; $(g_2, l_2 l_0 l_0^+)$
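
An added example (not from the lecture) of Algorithm II on the pushdown system above: it saturates the representation automaton for the single configuration (g0, l0) and checks the result against a bounded run of the naïve algorithm. The slides show only the resulting automaton, so the saturation steps used here are the standard post* construction, and the state names s_g1_l1 and s_g2_l2 (assumed to correspond to the figure's s11 and s22) are chosen here.

```python
"""Automaton-based reachability (Algorithm II) on the slides' example system."""
from itertools import product

EPS = None  # label of an epsilon edge, produced by return transitions

# The slides' pushdown system: (state, top symbol) -> [(new state, pushed symbols)]
RULES = {
    ("g0", "l0"): [("g1", ("l1", "l0"))],
    ("g1", "l1"): [("g2", ("l2", "l0"))],
    ("g2", "l2"): [("g0", ("l1",))],
    ("g0", "l1"): [("g0", ())],
}
INIT = {("g0", "l0", "s0")}   # automaton accepting exactly the configuration (g0, l0)
FINALS = {"s0"}


def reads(trans, p, sym):
    """States reached from control state p by reading sym, allowing one leading
    epsilon edge. Epsilon edges only leave control states, and no edge enters a
    control state, so a single epsilon step is enough."""
    starts = {p} | {q for (s, a, q) in trans if s == p and a is EPS}
    return {q for (s, a, q) in trans if s in starts and a == sym}


def post_star(rules, trans):
    """Saturate the automaton until it accepts every reachable configuration.
    Requires that the initial automaton has no edge into a control state."""
    trans = set(trans)
    while True:
        new = set()
        for (p, sym), targets in rules.items():
            for q in reads(trans, p, sym):
                for p2, pushed in targets:
                    if len(pushed) == 0:        # return: skip the popped symbol
                        new.add((p2, EPS, q))
                    elif len(pushed) == 1:      # step: replace the top symbol
                        new.add((p2, pushed[0], q))
                    else:                       # call: go through a fresh mid state
                        mid = "s_%s_%s" % (p2, pushed[0])
                        new.add((p2, pushed[0], mid))
                        new.add((mid, pushed[1], q))
        if new <= trans:
            return trans
        trans |= new


def accepts(trans, finals, state, stack):
    """Is configuration (state, stack) in the set the automaton represents?"""
    current = {state} | {q for (s, a, q) in trans if s == state and a is EPS}
    for sym in stack:
        current = {q for (s, a, q) in trans if s in current and a == sym}
    return bool(current & finals)


def accepted_up_to(trans, finals, states, symbols, max_len):
    """All represented configurations whose stack has at most max_len symbols."""
    return {(p, w) for p in states for n in range(max_len + 1)
            for w in product(symbols, repeat=n) if accepts(trans, finals, p, w)}


def naive_bounded(rules, start, bound):
    """The naive algorithm, made terminating by discarding stacks longer than bound."""
    seen, todo = {start}, [start]
    while todo:
        p, stack = todo.pop()
        if not stack:
            continue
        for p2, pushed in rules.get((p, stack[0]), ()):
            nxt = (p2, tuple(pushed) + stack[1:])
            if len(nxt[1]) <= bound and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


if __name__ == "__main__":
    T = post_star(RULES, INIT)
    for edge in sorted(T, key=str):
        print(edge)
    print(accepts(T, FINALS, "g0", ("l1", "l0", "l0")))
```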
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
- Slide 1
- Slide 2
- From Finite to Inifinite-State Systems
- Slide 4
- Decidability vs Expressiveness
- Slide 6
- State representation
- Pushdown systems
- Slide 9
- Modeling sequential programs
- Example
- Reachability problem
- Naiumlve algorithm
- Problem with the naiumlve algorithm
- Algorithm I
- Step rule
- Call rule
- Return rule
- Summary rule
- Slide 20
- Slide 21
- Slide 22
- Algorithm II
- Symbolic representation
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
-
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls such that (g0 l0) ->* (g ls)?
Algorithm I: Summary-based
Yes if E(g' l' g l) for some g' l' and l
No otherwise
Algorithm II
Add (g0 l0) to R
If (g ls) is in R and (g ls) -> (g' ls'), add (g' ls') to R
Key idea: Use a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)
- Q (containing G) is the set of states
- L is the alphabet
- T is the transition relation
- G is the set of initial states
- F is the set of final states
[Figure: example automaton with states g, h, s1 and s2 and edges labelled l and m.]
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular
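As an added illustration (not code from the lecture), the following Python sketch realises the key idea with a post*-style saturation: it runs on the example pushdown system from the slides and compares the saturated automaton with the configuration set the slides give. The function names, the constructed start automaton and the bracketed state names (standing in for s11 and s22) are assumptions of this example.

```python
import re
from itertools import product

# Transitions of the slides' example as (g, l, h, word), meaning
# (g l) -> (h word): word has 2 symbols for a call, 1 for a step, 0 for a return.
RULES = [
    ("g0", "l0", "g1", ("l1", "l0")),
    ("g1", "l1", "g2", ("l2", "l0")),
    ("g2", "l2", "g0", ("l1",)),
    ("g0", "l1", "g0", ()),
]
# Constructed start automaton: accepts only the initial configuration (g0 l0).
INIT_EDGES = {("g0", "l0", "s0")}
FINALS = {"s0"}

def post_star(rules, edges):
    """Add edges until the automaton accepts every reachable configuration.
    Returns (edges, eps); eps holds empty-word edges made by return rules."""
    edges, eps = set(edges), set()
    while True:
        new = set()
        for (g, l, h, word), (q, sym, q2) in product(rules, edges):
            if (q, sym) != (g, l):
                continue  # rule does not apply to this edge
            if len(word) == 2:  # call: route through a state for (h, word[0])
                mid = f"s[{h},{word[0]}]"
                new |= {(h, word[0], mid), (mid, word[1], q2)}
            elif len(word) == 1:  # step: replace the top symbol
                new.add((h, word[0], q2))
            else:  # return: h reaches q2 without reading a symbol
                eps.add((h, q2))
        # Fold empty-word edges into ordinary ones so rules can match them.
        for (h, q), (q1, sym, q2) in product(eps, edges | new):
            if q1 == q:
                new.add((h, sym, q2))
        if new <= edges:  # fixpoint: nothing left to add
            return edges, eps
        edges |= new

def accepts(edges, eps, finals, g, stack):
    """True if configuration (g stack) is in the represented set."""
    cur = {g} | {q for (h, q) in eps if h == g}
    for sym in stack:
        cur = {q2 for (q, s, q2) in edges if q in cur and s == sym}
    return bool(cur & finals)

# The set the slides give for the final automaton, one regex per control state.
SLIDE_SET = {
    "g0": r"l0|l0(l0)+|l1l0(l0)+",
    "g1": r"l1(l0)+",
    "g2": r"l2l0(l0)+",
}

def mismatches(max_len=6):
    """Configurations (stack length <= max_len) on which the saturated
    automaton and the slides' set disagree; empty when they match."""
    edges, eps = post_star(RULES, INIT_EDGES)
    bad = []
    for g, n in product(SLIDE_SET, range(max_len + 1)):
        for stack in product(("l0", "l1", "l2"), repeat=n):
            want = re.fullmatch(SLIDE_SET[g], "".join(stack)) is not None
            if accepts(edges, eps, FINALS, g, stack) != want:
                bad.append((g, stack))
    return bad

if __name__ == "__main__":
    for edge in sorted(post_star(RULES, INIT_EDGES)[0]):
        print(edge)
    print("mismatches:", mismatches())
```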