CSE 637 Program Semantics and Verification
Reactive Systems
• Examples:
Operating Systems
Embedded Systems (e.g. Heart Stimulator)
Protocols
• Main Characteristics:
A reactive system runs continuously, interacting with its environment; termination is an error rather than a desired outcome.
(Figure: a Program exchanging inputs and outputs with its Environment.)
Properties of Reactive Systems
• Safety Property
Something BAD never happens.
Checking a safety property is the same as checking whether a BAD state is reachable.
Example: It never happens that all traffic lights are simultaneously green.
• Liveness Property
Something GOOD should eventually happen.
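The reduction of safety checking to reachability, as an added example that is not part of the lecture slides: a small explicit-state model of the traffic-light intersection mentioned above, explored breadth-first from its initial state until a BAD state (all lights green) is found or the state space is exhausted. The controller model, the colour cycle and all helper names are assumptions made for illustration; a second, "buggy" controller without the interlock shows what a counterexample trace looks like.

```python
"""Checking a safety property as reachability of a BAD state.

Added example, not from the lecture slides: a tiny model of a two-way
traffic-light intersection.  The controller model, light colours and
helper names are assumptions made for illustration.
"""
from collections import deque

GREEN, YELLOW, RED = "G", "Y", "R"

# A state is a pair (north_south, east_west) of light colours.
INITIAL = (RED, RED)


def next_colour(colour):
    """Each light cycles green -> yellow -> red -> green (assumed model)."""
    return {GREEN: YELLOW, YELLOW: RED, RED: GREEN}[colour]


def successors(state, interlock):
    """All states reachable in one step: either light advances.

    With interlock=True a red light may only turn green while the other
    light is red.  With interlock=False (the buggy controller) that
    check is missing.
    """
    result = []
    for idx in (0, 1):
        current, other = state[idx], state[1 - idx]
        if interlock and current == RED and other != RED:
            continue  # must wait until the cross street is red
        new = list(state)
        new[idx] = next_colour(current)
        result.append(tuple(new))
    return sorted(result)  # sorted for a deterministic search order


def is_bad(state):
    """The BAD predicate of the safety property: all lights green at once."""
    return all(colour == GREEN for colour in state)


def find_bad_state(initial, step, bad):
    """Breadth-first reachability.

    Returns a counterexample trace (list of states from `initial` to a
    BAD state) or None if no BAD state is reachable, i.e. the safety
    property holds for every execution of the model.
    """
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if bad(state):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]
        for nxt in step(state):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def check_controller(interlock):
    """None means the property holds; otherwise a trace to a BAD state."""
    return find_bad_state(INITIAL, lambda s: successors(s, interlock), is_bad)


if __name__ == "__main__":
    print("safe controller :", check_controller(True))
    print("buggy controller:", check_controller(False))
```

The search returns the shortest counterexample, which is what you want when debugging a failed safety check. Note that the same search does not check the liveness property on the next slide: a liveness violation is an infinite run that never reaches the GOOD state (a cycle in the graph), not a single reachable state, so it needs a different algorithm.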
Verification Problem
• Problem Statement:
Given: A program P and a property φ.
Prove: Whether P satisfies φ.
• Examples of Properties:
- Program is syntactically correct. (BNF)
- Program is type correct (type checking). (AST, typing rules)
- Array index out of bounds: for a[u + 3*v] = 5, evaluate u + 3*v and check it against the array bounds. (Symbolic execution)
- All cars are going to eventually pass the intersection. (Liveness)
(Figure: an arrow labelled "Complexity of Property" runs alongside the list; the properties become harder to check from syntax checking down to liveness.)
Compiler Passes
String of chars
  → scanner → String of tokens
  → parser → AST
  → Intermediate code generation → 3AC (three-address code)
  → Control/data-flow analysis
Compiler Passes (contd.)
• Source: if a > b then x = 1 else x = x + 1
• Scanner output (token classes of the three expressions): id op id, id op cnst, id op id op cnst
• Parser output (AST):
  if-then-else
    >
      a
      b
    =
      x
      1
    =
      x
      +
        x
        1
Example: Reaching Definitions
while i > 0 do
1. x = a
2. y = b
if (a > b)
3. x = c
else
4. y = d
5. i = i – 1
od
(Figure: control-flow graph with blocks b0..b9, reconstructed from the gen/kill sets below: b0 entry; b1 loop test i > 0, true edge to b2, false edge to b9; b2: x = a; b3: y = b; b4 test a > b, true edge to b5, false edge to b6; b5: x = c; b6: y = d; b7 join; b8: i = i – 1, back edge to b1; b9 exit.)
Example: Reaching Definitions (contd.)
while i > 0 do
1. x = a
2. y = b
if (a > b)
3. x = c
else
4. y = d
5. i = i – 1
od
gen(b0) = gen(b1) = gen(b4) = gen(b7) = Ø
kill(b0) = kill(b1) = kill(b4) = kill(b7) = Ø (these blocks contain no assignment)
gen(b2) = {1}, kill(b2) = {3}
gen(b3) = {2}, kill(b3) = {4}
gen(b5) = {3}, kill(b5) = {1}
gen(b6) = {4}, kill(b6) = {2}
gen(b8) = {5}, kill(b8) = Ø (5 is the only definition of i)
For each block b: out(b) = gen(b) ∪ (in(b) – kill(b))
(Figure: a block b with in(b) on its entry edge, out(b) on its exit edge, and gen(b), kill(b) inside.)
Reaching Definitions Algorithm
Input: CFG with gen[B], kill[B] computed for each block B.
Output: in[B], out[B] for each block B.
Method: iterative least fixpoint computation starting with in[B] = Ø.

/* Initialize out[B] on the assumption that in[B] = Ø for all B */
for each block B do out[B] := gen[B]; end;
change := true;
while change do begin /* fixpoint iteration */
  change := false;
  for each block B do begin /* graph traversal */
    in[B] := ∪_{p ∈ pred(B)} out[p];
    oldout := out[B];
    out[B] := gen[B] ∪ (in[B] – kill[B]);
    if (out[B] ≠ oldout) then change := true;
  end;
end;
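The algorithm above run on the slides' own example, as an added example that is not the lecture's code: the blocks, edges and definition table transcribe the while/if program and its control-flow graph (block layout assumed as b0 entry, b1 loop test, b4 if test, b7 join, b9 exit, which is the only layout consistent with the gen sets), the gen/kill sets are derived from the definition table rather than typed in, and the fixpoint loop follows the pseudocode line for line. Function and variable names are mine.

```python
"""Reaching definitions by iterative least fixpoint on the lecture's CFG.

Added example, not the slides' own code.  BLOCKS, EDGES and DEFS
transcribe the while/if example; the block layout (b0 entry, b1 loop
test, b4 if test, b7 join, b9 exit) is assumed from the gen sets.
"""

BLOCKS = ["b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9"]

# Control-flow edges (src, dst) of the slide's graph.
EDGES = [
    ("b0", "b1"), ("b1", "b2"), ("b1", "b9"),   # entry; loop test i > 0
    ("b2", "b3"), ("b3", "b4"),                 # x = a ; y = b
    ("b4", "b5"), ("b4", "b6"),                 # if a > b
    ("b5", "b7"), ("b6", "b7"),                 # x = c / y = d ; join
    ("b7", "b8"), ("b8", "b1"),                 # i = i - 1 ; back edge
]

# Definition number -> (block containing it, variable defined).
DEFS = {1: ("b2", "x"), 2: ("b3", "y"), 3: ("b5", "x"),
        4: ("b6", "y"), 5: ("b8", "i")}


def gen_kill(blocks, defs):
    """gen[B] = definitions inside B;
    kill[B] = every other definition of a variable that B defines."""
    gen = {b: set() for b in blocks}
    kill = {b: set() for b in blocks}
    for d, (block, var) in defs.items():
        gen[block].add(d)
        kill[block] |= {e for e, (_, v) in defs.items() if v == var and e != d}
    return gen, kill


def reaching_definitions(blocks, edges, gen, kill):
    """Iterative least-fixpoint computation as on the slide:
    start from out[B] = gen[B] (i.e. in[B] = empty) and re-evaluate
        in[B]  = union of out[p] over predecessors p of B
        out[B] = gen[B] | (in[B] - kill[B])
    until a full pass over the blocks changes nothing.
    Returns (in, out, number of passes)."""
    preds = {b: [] for b in blocks}
    for src, dst in edges:
        preds[dst].append(src)
    in_ = {b: set() for b in blocks}
    out = {b: set(gen[b]) for b in blocks}
    passes = 0
    change = True
    while change:
        change = False
        passes += 1
        for b in blocks:
            in_[b] = set().union(*(out[p] for p in preds[b]))
            new_out = gen[b] | (in_[b] - kill[b])
            if new_out != out[b]:
                out[b] = new_out
                change = True
    return in_, out, passes


def analyse():
    """Run the whole pipeline on the lecture's example."""
    gen, kill = gen_kill(BLOCKS, DEFS)
    in_, out, passes = reaching_definitions(BLOCKS, EDGES, gen, kill)
    return gen, kill, in_, out, passes


if __name__ == "__main__":
    gen, kill, in_, out, passes = analyse()
    for b in BLOCKS:
        print(f"{b}: gen={sorted(gen[b])} kill={sorted(kill[b])} "
              f"in={sorted(in_[b])} out={sorted(out[b])}")
    print("passes until fixpoint:", passes)
```

Because of the back edge b8 → b1, all five definitions reach the loop head after the second pass, and a third pass confirms the fixpoint. The in/out sets are exactly the def-use information that static taint and data-flow analyzers build on, which is why the same iteration shows up in security tooling.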