COMS W4117
Compilers and Translators:
Software Verification Tools
Lecture 10: Pushdown Systems and Temporal Safety
October 4, 2007
Lecture Outline
- Review
- Program dependency graphs
- Context-free language reachability
- Pushdown systems
- Reachability in a pushdown system
- Reading
1. Review
- Temporal safety and liveness properties
- Control-flow graphs as finite automata
- Non-safety properties as finite automata
- Checking safety properties
2. Program Dependency Graphs
- Consider the following function:
foo() {
if (p1) {
Acq;
Rel;
foo();
} else if (p2) {
Acq;
foo();
Rel;
} else {
S;
}
}
The program dependency graph is the flow graph of each function plus a call edge
from each call site to the entry of the called function and a return edge from
the function exit back to the point following that call site.
However, taken by themselves these call and return edges admit spurious paths:
a path may enter foo from the first call site and "return" to the point after the
second one, which no execution does. Therefore we label the call edge from call
site i with an open bracket [i and the return edge back to call site i with the
matching close bracket ]i.
Dyck languages
- The grammar D
S → [1 S ]1 S | [2 S ]2 S | ε
generates the strings of properly nested, matching brackets (one bracket pair per call site).
We can now restrict ourselves to the paths p in the flow graph from ENTRY to any block
such that the bracket labels along p spell a prefix of a sentence in L(D): every return
matches the most recent unmatched call, and the unmatched open brackets are exactly the
calls still pending (the call stack) when the block is reached.
3. Context-free Language Reachability
- The context-free language reachability problem is the following:
Given a labeled directed graph (N, E) and a context-free language L,
is there a labeled path in the graph from node u to node v that
spells out a sentence in L?
- Yannakakis [1990] gives an O(|N|^3) algorithm to solve this problem.
- Yannakakis also showed that if L is regular (and its automaton is fixed), the problem
can be solved in time linear in the size of the graph, O(|N| + |E|).
4. Pushdown Systems
- A pushdown system consists of:
- G, a finite set of global states
- L, a finite set of local/stack symbols
- (g0, w0), an initial configuration where w0 is in L*
- A transition relation, →, on (G × L) × (G × L*)
- Σ, a finite set of input symbols
- Lbl, a function that maps G × L into Σ ∪ {ε}
- Transitions map configurations (global state, stack) to configurations; the rule
(g, s) → (h, w) fires when the global state is g and s is on top of the stack. There
are three kinds:
- Next maps (g, s) → (h, t). The global state goes from g to h
and the symbol s on top of the stack is replaced by t.
- Call maps (g, s) → (h, uv). The global state goes from g to h,
the symbol s on top of the stack is replaced by v (the return point) and then u
(the callee's entry) is pushed on top of v.
- Return maps (g, s) → (h, ε). The global state goes from g to h
and the symbol s on top of the stack is popped, exposing the return point beneath it.
- Example of a boolean program
bool g = T;
main() {
L0: flip();
L1: flip();
L2: assert(g);
}
flip() {
L3: g = !g;
L4: ;
}
Transition rules (the global state is the value of g; the stack is written top first)
- (T, L0) → (T, L3 L1)
- (F, L0) → (F, L3 L1)
- (T, L1) → (T, L3 L2)
- (F, L1) → (F, L3 L2)
- (T, L3) → (F, L4)
- (F, L3) → (T, L4)
- (T, L4) → (T, ε)
- (F, L4) → (F, ε)
Show that the program goes from configuration (T, L0) to (T, L2). The run is
(T, L0) → (T, L3 L1) → (F, L4 L1) → (F, L1) → (F, L3 L2) → (T, L4 L2) → (T, L2),
so assert(g) is reached with g = T. Since the rules are deterministic, this is the
only run, and the configuration (F, L2) is not reachable: the assertion cannot fail.
5. Reachability in a Pushdown System
- Reachability problem: Given a PDS = (G, L, (g0, w0), →, Σ, Lbl)
and a state g in G, does there exist a stack w in L* such that the PDS, in a sequence of
zero or more transitions, can go from configuration
(g0, w0) to configuration (g, w)?
- Note that the stack is unbounded (a recursive program such as foo has runs with
arbitrarily deep stacks), so the set of reachable configurations is in general
infinite and cannot simply be enumerated; the problem is nevertheless decidable.
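The Dyck-constrained paths of sections 2 and 3 and the reachability question of this section are the same problem: the bracket labels are the stack of a pushdown system whose stack symbols are the pending return points. The standard way to decide it is not to enumerate stacks but to saturate a finite automaton that accepts exactly the reachable configurations. The following is an added example, not code from the lecture, implementing that post* saturation (the algorithm of Bouajjani, Esparza and Maler, in Schwoon's formulation) and running it on the boolean program of section 4 and on foo() from section 2. The program-point names A0 to X for foo, the lock state 0/1 as the global state and the two error states are our own encoding of the Acq/Rel discipline and are not from the lecture.

```python
# Added example, not lecture code: post* saturation for a pushdown system, run on
# the flip()/assert program of section 4 and the foo() lock example of section 2.
from collections import defaultdict, deque

EPS = None     # empty stack word on automaton transitions
ACC = "acc"    # accepting state of the P-automaton
ERR_ACQ, ERR_REL = "err_acq", "err_rel"   # Acq while held / Rel while not held (our encoding)

def post_star(rules, g0, w0):
    """Automaton (state -> {(symbol, target)}) accepting every configuration reachable
    from (g0, w0); rules: {(g, s): {(h, w)}}, |w| <= 2.  Bouajjani/Esparza/Maler saturation."""
    rel_out = defaultdict(set)   # saturated transitions found so far
    eps_in = defaultdict(set)    # q -> {p : (p, EPS, q) in rel_out}
    states = [g0] + [("mid", i) for i in range(len(w0) - 1)] + [ACC]
    trans = deque(zip(states, w0, states[1:]))   # initial automaton accepts exactly (g0, w0)

    def add_rel(p, y, q):
        if (y, q) in rel_out[p]:
            return False
        rel_out[p].add((y, q))
        if y is EPS:                 # p --eps--> q: p inherits every edge out of q
            eps_in[q].add(p)
            trans.extend((p, y2, q2) for y2, q2 in list(rel_out[q]))
        else:                        # new edge out of p: pass it to p's eps-predecessors
            trans.extend((pp, y, q) for pp in list(eps_in[p]))
        return True

    while trans:
        p, y, q = trans.popleft()
        if not add_rel(p, y, q) or y is EPS:
            continue
        for h, w in rules.get((p, y), ()):
            if len(w) == 0:              # Return: pop s
                trans.append((h, EPS, q))
            elif len(w) == 1:            # Next: replace s by t
                trans.append((h, w[0], q))
            else:                        # Call: replace s by v, push u
                u, v = w
                mid = ("q", h, u)        # auxiliary state q_{h,u}
                trans.append((h, u, mid))
                add_rel(mid, v, q)
    return rel_out

def _closure(rel_out, states, follow):
    seen, stack = set(states), list(states)   # states reachable over edges with follow(label)
    while stack:
        for y, q in rel_out[stack.pop()]:
            if follow(y) and q not in seen:
                seen.add(q)
                stack.append(q)
    return seen

def reachable(rel_out, g, prefix=()):
    """Is some (g, prefix . w') reachable?  prefix=() is exactly the question of section 5."""
    states = _closure(rel_out, {g}, lambda y: y is EPS)
    for sym in prefix:
        nxt = {q for s in states for y, q in rel_out[s] if y == sym}
        states = _closure(rel_out, nxt, lambda y: y is EPS)
    return ACC in _closure(rel_out, states, lambda y: True)   # any rest of the stack will do

FLIP_RULES = {   # the eight rules of section 4, stack written top first
    ("T", "L0"): {("T", ("L3", "L1"))}, ("F", "L0"): {("F", ("L3", "L1"))},
    ("T", "L1"): {("T", ("L3", "L2"))}, ("F", "L1"): {("F", ("L3", "L2"))},
    ("T", "L3"): {("F", ("L4",))},       ("F", "L3"): {("T", ("L4",))},
    ("T", "L4"): {("T", ())},            ("F", "L4"): {("F", ())},
}

def flip_assert_holds():
    """assert(g) at L2 can fail only if (F, L2) is reachable from (T, L0)."""
    rel = post_star(FLIP_RULES, "T", ("L0",))
    return reachable(rel, "T", ("L2",)) and not reachable(rel, "F", ("L2",))

def lock_rules(context_sensitive):
    """PDS for foo() of section 2.  Global state: lock held (0/1) or an error state.
    Stack symbols (our names): A0 branch; A1 Acq, A2 Rel, A3 call; B1 Acq, B2 call, B3 Rel;
    X exit (the S branch goes straight to X).  context_sensitive=False replaces the
    matched call/return by plain graph edges, i.e. admits the spurious paths."""
    r = defaultdict(set)
    for s in (0, 1):
        r[(s, "A0")] |= {(s, ("A1",)), (s, ("B1",)), (s, ("X",))}
        r[(s, "A1")].add((1, ("A2",)) if s == 0 else (ERR_ACQ, ("A2",)))
        r[(s, "A2")].add((0, ("A3",)) if s == 1 else (ERR_REL, ("A3",)))
        r[(s, "B1")].add((1, ("B2",)) if s == 0 else (ERR_ACQ, ("B2",)))
        r[(s, "B3")].add((0, ("X",)) if s == 1 else (ERR_REL, ("X",)))
        r[(s, "X")].add((s, ()))
        if context_sensitive:
            r[(s, "A3")].add((s, ("A0", "X")))    # [1 : call foo, return to X
            r[(s, "B2")].add((s, ("A0", "B3")))   # [2 : call foo, return to B3
        else:
            r[(s, "A3")].add((s, ("A0",)))
            r[(s, "B2")].add((s, ("A0",)))
            r[(s, "X")].add((s, ("B3",)))         # exit edge back to the other call site
    return r

def lock_errors(context_sensitive):
    """(double acquire reachable?, release-while-free reachable?) from foo's entry, lock free."""
    rel = post_star(lock_rules(context_sensitive), 0, ("A0",))
    return reachable(rel, ERR_ACQ), reachable(rel, ERR_REL)
```

flip_assert_holds() returns True: the automaton accepts (T, L2) and rejects (F, L2), which is the answer to the exercise of section 4 without ever enumerating runs. lock_errors(True) returns (True, False): the double acquire, reached by the else-if branch followed by a recursive call that takes the first branch, is a genuine violation, while a release with the lock free is not reachable on any bracket-matched path. lock_errors(False), which turns the exit into a return edge to the other call site, reports (True, True); the second is exactly the spurious path of section 2 that the Dyck labels rule out.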
6. Reading
aho@cs.columbia.edu