COMS W4117
Compilers and Translators:
Software Verification Tools
Lecture 9: Verifying Safety Properties in Flow Graphs
October 2, 2007
Lecture Outline
- Review
- Temporal safety and liveness properties
- Control-flow graphs as finite automata
- Non-safety properties as finite automata
- Checking safety properties
- Formal definition of a safety property
- Reading
1. Review
- Dominators
- Depth-first ordering
- Edges in a depth-first spanning tree
- Reducible flow graphs
- Natural loops
2. Temporal Safety and Liveness Properties
- Safety means something bad never happens.
- We never acquire a lock twice in a row.
- Liveness means something good eventually happens.
- We eventually get a response for every request.
3. Control Flow Graphs as Finite Automata
- Unless specified otherwise, the term "finite automaton" will refer to a
nondeterministic finite automaton with epsilon transitions (see ALSU, p. 147).
- Consider the flow graph G for program fragment:
  do {
      KeAcquireSpinLock();            /* input symbol L */
      nPacketsOld = nPackets;
      if (request) {
          request = request->Next;
          KeReleaseSpinLock();        /* input symbol U */
          nPackets++;
      }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock();                /* input symbol U */
We can attach input symbols to the nodes of G.
We can thus think of the flow graph as a nondeterministic finite automaton.
The set of sequences of input symbols spelled out by the paths
in G from the entry to some node defines a language L(G).
4. Safety Properties as Finite Automata
- Consider the safety property:
- No lock can be followed by a lock;
- No unlock can be followed by a lock.
- The complement non-safety property can be represented by the language
recognized by a finite automaton NSFA where
- The set of states is {Unlocked, Locked, Error}.
- Set of input symbols is {L, U}.
- Transition function move: States × Inputs → States

  move     | L        | U
  ---------+----------+----------
  Unlocked | Locked   | Error
  Locked   | Error    | Unlocked
  Error    | Error    | Error
- Start state is Unlocked.
- Error is the only final state.
- L(NSFA) = L(UL)*U | (LU)*L.
- Safe sequences are (L|U)* - L(NSFA).
5. Verification Algorithm
- The program is safe if none of the paths in its flow graph
spells out a sentence in L(NSFA).
- In other words, the program is safe if L(G) ∩ L(NSFA) = ∅.
- Equivalently, if L(G) is contained in the complement of L(NSFA).
- The verification algorithm determines whether there is any sequence of moves
from the initial state (ENTRY, start) of the Cartesian product automaton
G × NSFA to some product state of the form (v, err), where v is any node of G
and err is the error state of NSFA.
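The product-automaton search just described, as an added example (this is not code from the lecture or from any tool it cites). It explores G × NSFA breadth-first from (ENTRY, Unlocked); a node is labelled with L or U when it is a lock or unlock call and consumes no input otherwise. The node names, the edge lists and the Python interface are assumptions made here; the move table is the one from Section 4. Because the flow graph abstracts away the program variables, any path returned is a candidate counterexample that still has to be checked for feasibility against the actual data.

```python
"""Check whether some path of a flow graph G spells a word in L(NSFA).

Added example: node names, edge lists and this API are assumptions, not
part of the lecture notes.
"""
from collections import deque

# Non-safety finite automaton NSFA from Section 4.
UNLOCKED, LOCKED, ERROR = "Unlocked", "Locked", "Error"
MOVE = {
    (UNLOCKED, "L"): LOCKED,  (UNLOCKED, "U"): ERROR,
    (LOCKED,   "L"): ERROR,   (LOCKED,   "U"): UNLOCKED,
    (ERROR,    "L"): ERROR,   (ERROR,    "U"): ERROR,
}
START, FINAL = UNLOCKED, ERROR


def check_safety(succ, label, entry="ENTRY"):
    """Breadth-first search of the product G x NSFA from (entry, START).

    succ:  dict node -> list of successor nodes (the flow graph G)
    label: dict node -> input symbol 'L' or 'U'; a node absent from the
           dict is an epsilon node and consumes no input.
    Returns None when no product state (v, ERROR) is reachable, i.e.
    L(G) and L(NSFA) are disjoint; otherwise the node sequence of a
    shortest path to such a state (a candidate counterexample).
    """
    start = (entry, START)
    parent = {start: None}          # product state -> predecessor state
    queue = deque([start])
    while queue:
        v, q = queue.popleft()
        if q == FINAL:
            # Rebuild the path to (v, ERROR) from the parent pointers.
            path, state = [], (v, q)
            while state is not None:
                path.append(state[0])
                state = parent[state]
            return path[::-1]
        for w in succ.get(v, ()):
            sym = label.get(w)      # entering w consumes w's symbol, if any
            q_next = q if sym is None else MOVE[(q, sym)]
            if (w, q_next) not in parent:
                parent[(w, q_next)] = (v, q)
                queue.append((w, q_next))
    return None


def spelled_word(path, label):
    """Input symbols consumed along a node path (epsilon nodes skipped)."""
    return "".join(label[v] for v in path if v in label)


# Flow graph of the lecture's do/while fragment, one node per statement
# (constructed here). Only the lock calls carry input symbols.
FRAGMENT_SUCC = {
    "ENTRY": ["acquire"],
    "acquire": ["save_old"],              # KeAcquireSpinLock()
    "save_old": ["if_request"],           # nPacketsOld = nPackets
    "if_request": ["advance", "while_test"],
    "advance": ["release_in_loop"],       # request = request->Next
    "release_in_loop": ["incr"],          # KeReleaseSpinLock()
    "incr": ["while_test"],               # nPackets++
    "while_test": ["acquire", "release_after_loop"],
    "release_after_loop": ["EXIT"],       # KeReleaseSpinLock()
    "EXIT": [],
}
FRAGMENT_LABEL = {"acquire": "L", "release_in_loop": "U", "release_after_loop": "U"}

# Two small constructed graphs for contrast: a matched lock/unlock pair,
# and a lock followed by two unlocks.
STRAIGHT_SUCC = {"ENTRY": ["lock"], "lock": ["unlock"], "unlock": ["EXIT"], "EXIT": []}
STRAIGHT_LABEL = {"lock": "L", "unlock": "U"}
DOUBLE_UNLOCK_SUCC = {"ENTRY": ["lock"], "lock": ["unlock1"],
                      "unlock1": ["unlock2"], "unlock2": ["EXIT"], "EXIT": []}
DOUBLE_UNLOCK_LABEL = {"lock": "L", "unlock1": "U", "unlock2": "U"}

if __name__ == "__main__":
    for name, succ, label in [("fragment", FRAGMENT_SUCC, FRAGMENT_LABEL),
                              ("straight", STRAIGHT_SUCC, STRAIGHT_LABEL),
                              ("double unlock", DOUBLE_UNLOCK_SUCC, DOUBLE_UNLOCK_LABEL)]:
        path = check_safety(succ, label)
        if path is None:
            print(f"{name}: L(G) and L(NSFA) are disjoint; safe")
        else:
            print(f"{name}: path {' -> '.join(path)} spells {spelled_word(path, label)!r}")
```

For the lecture's fragment the search returns the path ENTRY, acquire, save_old, if_request, while_test, acquire, which spells LL: the flow graph allows the loop to repeat without passing the release in the if-branch, so the product automaton reaches (acquire, Error). Whether that path is feasible depends on the relation between nPackets and nPacketsOld, which the graph does not represent; the straight-line graph is reported disjoint, and the double-unlock graph yields LUU.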
6. Formal Definition of a Safety Property
- Let A be a set of symbols.
- Let f:A* → {true, false}.
- f is a safety property iff for all t in A*
- f(t) ⇔ for all prefixes p of t there exists a suffix s such that f(ps)
- Equivalently,
- ¬f(t) ⇔ there exists a prefix p of t such that for all suffixes s, ¬f(ps);
that is, a sequence violates f exactly when it has a bad prefix that no
continuation can repair.
7. Reading
aho@cs.columbia.edu