Internationalization and the Java Stack Part 2 Matt Wheeler.
Part 2: Reachability analysis of stack-based systems
description
Transcript of Part 2: Reachability analysis of stack-based systems
![Page 1: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/1.jpg)
Part 2: Reachability analysis of stack-based
systems
![Page 2: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/2.jpg)
From Finite to Infinite-State Systems
• So far, algorithms for systems with finite state spaces– semi-algorithms in the presence of
recursion
![Page 3: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/3.jpg)
Control
Data
Acyclic Looping Infinite
Finite
Infinite
Yes Yes Yes
Yes No No
Decidability of reachability analysis
Single thread of control:Finite
![Page 4: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/4.jpg)
Control
Data
Acyclic Looping Infinite
Finite
Infinite
Yes Yes No
Yes No No
Decidability of reachability analysis
Multiple threads of control:Finite
![Page 5: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/5.jpg)
Decidability vs. Expressiveness• Unbounded state Undecidable• Is the unbounded system able to
encode a Turing machine?– Single-counter machines? NO– Two-counter machines? YES– Single-stack machines? NO– Two-stack machines? YES
![Page 6: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/6.jpg)
State representation• Explicit representation infeasible• Symbolic representation is the key
– For the transition system– For the reachable states
![Page 7: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/7.jpg)
Pushdown systems (G, L, g0, l0, )
g, h G : finite set of control statesl, m L : finite set of stack symbols g0 : initial control state l0 : initial stack symbol : set of transitions
![Page 8: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/8.jpg)
RemarksThe classical definition of a pushdown system has,in addition, an alphabet I of input symbols.
Each transition depends on the control state, the top of the stack, and the input symbol.
The language L I* of a classical pushdown systemcontains those input sequences for which there is anexecution leading to the empty stack.
We are only concerned with reachability analysis and will therefore ignore I.
![Page 9: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/9.jpg)
Three kinds of transitions:(g, l) (h, m) (step)(g, l) (h, m n) (call)(g, l) (h, ) (return)
Configuration: g, l
g, l h, m g, l
h,nm
g, l h,
![Page 10: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/10.jpg)
Modeling sequential programs
• An element in G is a valuation to global variables
• An element in L is a valuation to local variables and– current instruction address for the frame
at the top of the stack– return instruction address for the other
frames
![Page 11: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/11.jpg)
Examplebool a = F;
void main( ) {L1: a = T;L2: flip(a);L3: }
void flip(bool x) {L4: a = !x;L5: } (F, )
(F, _, L3)(F, _, L3 T, L5)(T, _, L3 T, L4)(T, _, L2)(F, _, L1)
(a, x, pc)
![Page 12: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/12.jpg)
Reachability problem
Given pushdown system (G, L, g0, l0, ) and control state g, does there exist a stack ls L* such that (g0, l0) * (g, ls)?
![Page 13: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/13.jpg)
Naïve algorithm
Add (g0, l0) to R
(g, ls) R (g, ls) (g’, ls’)
Add (g’, ls’) to R
![Page 14: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/14.jpg)
• R is unbounded so algorithm won’t terminate
• Two solutions:– Summary-based (a.k.a. interprocedural
dataflow analysis)– Automata-based
Problem with the naïve algorithm
![Page 15: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/15.jpg)
Automata-based algorithm
Add (g0, l0) to R
(g, ls) R (g, ls) (g’, ls’)
Add (g’, ls’) to R
Key idea:Use a finite automaton to symbolically represent R
![Page 16: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/16.jpg)
Symbolic representationPushdown system (G, L, g0, l0, )
Representation automaton (Q, L, T, G, F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
![Page 17: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/17.jpg)
g s1 s2l l
m
h
m
Represents the set of configurations: { (h, m), (g, l m* l) }A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) : The set of configurations reachable from a regular set is also regular.
![Page 18: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/18.jpg)
Remarks
Buchi’s theorem does not contradict the fact that pushdown systems can accept non-regular languages over the input alphabet I.
The classical definition of a pushdown system has,in addition, an alphabet I of input symbols.
The language of reachable stack configurations is a language over the alphabet L.The accepted language is a language over the alphabet I.
![Page 19: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/19.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
![Page 20: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/20.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
![Page 21: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/21.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1l1
s2,2l2
![Page 22: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/22.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
![Page 23: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/23.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
l0
![Page 24: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/24.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
l0
l1
![Page 25: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/25.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
l0
l1
![Page 26: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/26.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
l0
l1
l0
![Page 27: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/27.jpg)
Pushdown system:
(G, L, g0, l0, )- G = {g0, g1, g2}- L = {l0, l1, l2}- (g0, l0) (g1, l1l0) (g1, l1) (g2, l2l0) (g2, l2) (g0, l1) (g0, l1) (g0, )
g0l0 s0
g1
g2
s1,1
l0l1
s2,2l2
l0
l1
l0
{ (g0, l0 l0l0+ l1l0l0+), (g1, l1l0+), (g2, l2l0l0+) }
![Page 28: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/28.jpg)
Reachability analysis for concurrent pushdown systems
• Undecidable in general• Three approaches
– restrict computation model, e.g., Esparza-Podelski 00
– sound and imprecise approaches, e.g., Bouajjani-Esparza-Touili 03, Flanagan-Qadeer 03
– unsound but precise approaches
![Page 29: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/29.jpg)
Context-bounded verification of concurrent software
Context Context Context
Context switch Context switch
Analyze all executions with small number of context switches !
Different from bounded-depth model checking• no bound on the computation within each context
![Page 30: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/30.jpg)
• Many subtle concurrency errors are manifested in executions with a small number of context switches
• Context-bounded analysis can be performed efficiently
Why context-bounded analysis?
![Page 31: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/31.jpg)
KISS: a static analysis tool
• Technique to use any sequential checker to perform context-bounded concurrency analysis
• Found a number of concurrency errors in NT device drivers even with a context-switch bound of two
![Page 32: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/32.jpg)
Driver KLOC # Fields # RacesTracedrv 0.5 3 0Moufiltr 1.0 14 0Kbfiltr 1.1 15 0Imca 1.1 5 1Startio 1.1 9 0Toaster/toastmon 1.4 8 1Diskperf 2.4 16 01394diag 2.7 18 01394vdev 2.8 18 1Fakemodem 2.9 39 6Toaster/bus 5.0 30 0Serenum 5.9 41 2Toaster/func 6.6 24 5Mouclass 7.0 34 1 Kbdclass 7.4 36 1Mouser 7.6 34 1Fdc 9.2 92 9
Total:30 races
![Page 33: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/33.jpg)
Zing: an explicit-state model checker
• Case study (Naik-Rehof 04): Concurrent transaction management code from Microsoft product group
• Analyzed by the Zing model checker after automatically translating to the Zing input language– Found three bugs each requiring between
three and four context switches
![Page 34: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/34.jpg)
• Many subtle concurrency errors are manifested in executions with a small number of context switches
• Context-bounded analysis can be performed efficiently
Why context-bounded analysis?
![Page 35: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/35.jpg)
Polynomially-bounded executions
•Context bounding leads to polynomial bound on the number of executions– n threads, each executing k steps– total no. of executions = ( nk )– With context bound c, no. of
executions = O( (n2.k)c )
![Page 36: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/36.jpg)
0
500000
1000000
1500000
2000000
# contexts
# re
acha
ble
stat
es
TM1
![Page 37: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/37.jpg)
020000400006000080000
100000120000
# contexts
# re
acha
ble
stat
es
TM2
p-bt
![Page 38: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/38.jpg)
Reachability analysis• Rechability analysis of finite-data
concurrent programs is decidable for bounded number of context switches
![Page 39: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/39.jpg)
Sequentialprogram QKISS Sequential
CheckerConcurrentprogram P
No error found
Error in Q indicateserror in P
KISS: A static checker for concurrent software
![Page 40: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/40.jpg)
Sequentialprogram QKISSConcurrent
program P
KISS: A static checker for concurrent software
No error found
Error in Q indicateserror in P
SDV
![Page 41: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/41.jpg)
KISS strategy
• Q encodes executions of P with small number of context switches– instrumentation introduces lots of extra paths to
mimic context switches• Leverage all-path analysis of sequential
checkers
Sequentialprogram QKISSConcurrent
program P
SDV
![Page 42: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/42.jpg)
PnpStop( ) { int t; de->stopping = T; t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); WaitEvent(& de->stopEvent);
}
DispatchRoutine( ) { int t; if (! de->stopping) { AtomicIncr(& de->count); // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent);
}}
![Page 43: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/43.jpg)
DispatchRoutine( ) { int t; if (! de->stopping) { AtomicIncr(& de->count); // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent);
}}
PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent);
}
![Page 44: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/44.jpg)
PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent);
}
DispatchRoutine( ) { int t; CODE; if (! de->stopping) { CODE; AtomicIncr(& de->count); // do useful work // … CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; }}
if ( !done ) { if ($) { done = T; PnpStop( ); }}
CODE bool done = F;
![Page 45: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/45.jpg)
PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent);
}
DispatchRoutine( ) { int t; CODE; if (! de->stopping) { CODE; AtomicIncr(& de->count); // do useful work // … CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; }}
if ( !done ) { if ($) { done = T; PnpStop( ); }}
CODE bool done = F;
main( ) { DispatchRoutine( ); }
![Page 46: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/46.jpg)
PnpStop( ) { int t; CODE; de->stopping = T; CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; WaitEvent(& de->stopEvent); CODE;}
DispatchRoutine( ) { int t; if ($) return; if (! de->stopping) { if ($) return; AtomicIncr(& de->count); // do useful work // … if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent);
}}
if ( !done ) { if ($) { done = T; PnpStop( ); }}
CODE bool done = F;
main( ) { PnpStop( ); }
![Page 47: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/47.jpg)
KISS features (I)• KISS trades off soundness for scalability• Sound for event-driven systems
– embedded software, TinyOS• Unsoundness is precisely quantifiable
for other systems– e.g., for 2-thread program, explores all
executions with up to two context switches
![Page 48: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/48.jpg)
KISS features (II)• Cost of analyzing a concurrent program
P = cost of analyzing a sequential program Q– Size of Q asymptotically same as size of P
• Allows any sequential checker to analyze concurrency
![Page 49: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/49.jpg)
However…• Hard limit on number of explored
contexts– e.g., two context switches for concurrent
program with two threads
![Page 50: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/50.jpg)
Is a tuning knob possible?Given a concurrent boolean program P and a positive integer c, does P go wrong by failing an assertion via anexecution with at most c contexts?
![Page 51: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/51.jpg)
Context Context Context
Context switch Context switch
Problem:• Unbounded computation possible within each context!• Unbounded execution depth and reachable state space• Different from bounded-depth model checking
![Page 52: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/52.jpg)
Global store g, valuation to global variablesLocal store l, valuation to local variables Stack s, sequence of local storesState (g, s)
Sequential boolean program
![Page 53: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/53.jpg)
Global store g, valuation to global variablesLocal store l, valuation to local variables Stack s, sequence of local storesState (g, s)
Sequential boolean program
Transition relation:(g, s) (g’, s’)
![Page 54: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/54.jpg)
Reachability problem for sequential boolean program
Given (g, s), is there s’ such that (g, s) * (error,s’)?
Reach(g, s) = { (g’,s’) | (g, s) * (g’, s’) }
![Page 55: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/55.jpg)
Aggregate stateSet of stacks ssAggregate state (g, ss) = { (g,s) | s ss }
Reach(g, ss) = ∪{Reach(g,s) | s ss}
![Page 56: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/56.jpg)
Aggregate transition relation
• Suppose G = { g’1,…, g’n }• There is a unique partition of Reach(g, ss) into aggregate states: (g’1, ss’1) … (g’n, ss’n)
(g, ss) (g’1, ss’1)..
(g, ss) (g’n, ss’n)
iff Reach(g,ss) = (g’1, ss’1) … (g’n, ss’n)
![Page 57: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/57.jpg)
Theorem (Buchi, Schwoon00)
• If ss is regular and (g, ss) (g’, ss’), then ss’ is regular.
• If ss is given as a finite automaton A, then a finite automaton A’ for ss’ can be constructed from A in polynomial time.
![Page 58: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/58.jpg)
Algorithm
Solution:Compute automaton for ss’ such that (g, {s}) (error, ss’) and check if ss’ is nonempty.
Problem:Given (g, s), is there s’ such that (g, s) * (error,s’)?
![Page 59: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/59.jpg)
Global store g, valuation to global variablesLocal store l, valuation to local variables Stack s, sequence of local storesState (g, s1, s2)
Concurrent boolean program
Transition relation:(g, s1) (g’, s’1) in thread 1
(g, s1, s2) 1 (g’, s’1, s2)(g, s2) (g’, s’2) in thread 2
(g, s1, s2) 2 (g’, s1, s’2)
![Page 60: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/60.jpg)
Reachability problem for concurrent boolean program
Given (g, s1, s2), are there s’1 and s’2 such that (g, s1, s2) reaches (error, s’1, s’2) via an execution with at most c contexts?
![Page 61: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/61.jpg)
Aggregate transition relation
(g, ss1) (g’, ss’1) in thread 1(g, ss1, ss2) 1 (g’, ss’1, ss2)
(g, ss1, ss2) 2 (g’, ss1, ss’2)(g, ss2) (g’, ss’2) in thread 2
(g, ss1, ss2) = { (g, s1, s2) | s1 ss1, s2 ss2 }
![Page 62: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/62.jpg)
Algorithm: 2 threads, c contexts
1 2
1 2
1 2Depth c
(g, {s1}, {s2})
Compute the set of reachable aggregate states.Report an error if (g, ss1, ss2) is reachable andg = error, ss1 is nonempty, and ss2 is nonempty.
![Page 63: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/63.jpg)
Complexity: 2 threads, c contexts
1 2
1 2
1 2
Depth of tree = context bound cBranching factor bounded by G 2 (G = # of global stores)Number of edges bounded by (G 2) (c+1)
Each edge computable in polynomial time
Depth c
(g, {s1}, {s2})
![Page 64: Part 2: Reachability analysis of stack-based systems](https://reader035.fdocuments.us/reader035/viewer/2022081604/56814c52550346895db966fa/html5/thumbnails/64.jpg)
Results• Algorithm for checking if a concurrent
boolean program P fails an assertion via an execution with at most c contexts
• Algorithm for checking if a concurrent boolean program P with unbounded fork-join parallelism fails an assertion via an execution with at most c contexts