Professional Documents
Culture Documents
Textbook Verified Software Theories Tools and Experiments 10Th International Conference Vstte 2018 Oxford Uk July 18 19 2018 Revised Selected Papers Ruzica Piskac Ebook All Chapter PDF
Textbook Verified Software Theories Tools and Experiments 10Th International Conference Vstte 2018 Oxford Uk July 18 19 2018 Revised Selected Papers Ruzica Piskac Ebook All Chapter PDF
Textbook Verified Software Theories Tools and Experiments 10Th International Conference Vstte 2018 Oxford Uk July 18 19 2018 Revised Selected Papers Ruzica Piskac Ebook All Chapter PDF
https://textbookfull.com/product/intelligence-science-and-big-
data-engineering-8th-international-conference-
iscide-2018-lanzhou-china-august-18-19-2018-revised-selected-
papers-yuxin-peng/
https://textbookfull.com/product/security-protocols-xxvi-26th-
international-workshop-cambridge-uk-march-19-21-2018-revised-
selected-papers-vashek-matyas/
https://textbookfull.com/product/soft-computing-systems-second-
international-conference-icscs-2018-kollam-india-
april-19-20-2018-revised-selected-papers-ivan-zelinka/
E-Business and Telecommunications: 15th International
Joint Conference, ICETE 2018, Porto, Portugal, July
26–28, 2018, Revised Selected Papers Mohammad S.
Obaidat
https://textbookfull.com/product/e-business-and-
telecommunications-15th-international-joint-conference-
icete-2018-porto-portugal-july-26-28-2018-revised-selected-
papers-mohammad-s-obaidat/
Verified Software
Theories, Tools, and Experiments
10th International Conference, VSTTE 2018
Oxford, UK, July 18–19, 2018
Revised Selected Papers
123
Lecture Notes in Computer Science 11294
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7408
Ruzica Piskac Philipp Rümmer (Eds.)
•
Verified Software
Theories, Tools, and Experiments
10th International Conference, VSTTE 2018
Oxford, UK, July 18–19, 2018
Revised Selected Papers
123
Editors
Ruzica Piskac Philipp Rümmer
Yale University Uppsala University
New Haven, CT, USA Uppsala, Sweden
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
This volume contains the proceedings of the 10th International Working Conference on
Verified Software: Theories, Tools, and Experiments (VSTTE 2018), held during July
18–19, 2018, as part of the Federated Logic Conference (FLoC) in Oxford, UK, and
affiliated with the 30th International Conference on Computer-Aided Verification
(CAV).
The goal of the VSTTE conference series is to advance the state of the art in the
science and technology of software verification, through the interaction of theory
development, tool evolution, and experimental validation. We solicited contributions
describing significant advances in the production of verified software, i.e., software that
has been proven to meet its functional specifications. Submissions of theoretical,
practical, and experimental contributions were equally encouraged, including those that
focus on specific problems or problem domains. We were especially interested in
submissions describing large-scale verification efforts that involve collaboration, theory
unification, tool integration, and formalized domain knowledge. We also welcomed
papers describing novel experiments and case studies evaluating verification techniques
and technologies. The topics of interest included education, requirements modeling,
specification languages, specification/verification/certification case studies, formal
calculi, software design methods, automatic code generation, refinement methodolo-
gies, compositional analysis, verification tools (e.g., static analysis, dynamic analysis,
model checking, theorem proving, satisfiability), tool integration, benchmarks, chal-
lenges, and integrated verification environments.
The inaugural VSTTE conference was held at ETH Zurich in October 2005, and the
following editions took place in Toronto (2008 and 2016), Edinburgh (2010),
Philadelphia (2012), Atherton (2013), Vienna (2014), San Francisco (2015), and
Heidelberg (2017).
This year there were 24 submissions. Each submission was reviewed by at least
three Program Committee members. The committee decided to accept 19 papers for
presentation at the conference. The program also included three invited talks, given by
Cesare Tinelli (University of Iowa, USA), Stuart Matthews (Altran UK), and Rayna
Dimitrova (University of Leicester, UK).
We would like to thank the invited speakers and the authors for their excellent
contributions to the program this year, the Program Committee and external reviewers
for diligently reviewing the submissions, and the organizers of FLoC and CAV 2018
for their help in organizing this event. We also thank Natarajan Shankar for his tireless
stewardship of the VSTTE conference series over the years.
The VSTTE 2018 conference and the present volume were prepared with the help of
EasyChair.
Program Committee
June Andronick CSIRO—Data61 and UNSW, Australia
Martin Brain University of Oxford, UK
Michael Butler University of Southampton, UK
Supratik Chakraborty IIT Bombay, India
Roderick Chapman Protean Code Limited, UK
Cristina David University of Cambridge, UK
Dino Distefano Facebook and Queen Mary University of London, UK
Mike Dodds University of York, UK
Patrice Godefroid Microsoft Research, USA
Arie Gurfinkel University of Waterloo, Canada
Liana Hadarean Synopsys, USA
Bart Jacobs KU Leuven, Belgium
Swen Jacobs CISPA and Saarland University, Germany
Cezary Kaliszyk University of Innsbruck, Austria
Andy King University of Kent, UK
Tim King Google, USA
Vladimir Klebanov SAP, Germany
Akash Lal Microsoft Research, India
Nuno Lopes Microsoft Research, UK
Alexander Malkis Technical University of Munich, Germany
Yannick Moy AdaCore, France
Gennaro Parlato University of Southampton, UK
Andrei Paskevich Université Paris-Sud, LRI, France
Ruzica Piskac Yale University, USA
Markus Rabe University of California, Berkeley, USA
Philipp Rümmer Uppsala University, Sweden
Peter Schrammel University of Sussex, UK
Natarajan Shankar SRI International, USA
Tachio Terauchi Waseda University, Japan
Mattias Ulbrich Karlsruhe Institute of Technology, Germany
Philipp Wendler LMU Munich, Germany
Thomas Wies New York University, USA
Greta Yorsh Queen Mary University of London, UK
Aleksandar Zeljić Uppsala University, Sweden
Damien Zufferey MPI-SWS, Germany
VIII Organization
Additional Reviewers
Cesare Tinelli
Stuart Matthews
Altran Technologies, SA
stuart.matthews@altran.com
Rayna Dimitrova
1 Introduction
Data flow proofs are safe inductive annotations of the data flow graph of a
program. In this paper we explore the potential and the limitations of data flow
proofs for program verification on a theoretical level.
Farzan and Kincaid recently showed that data flow proofs can be used effec-
tively for software verification [5]. Oh et al. showed that a static program analysis
can often be computed significantly faster on the data flow graph than on the
control flow graph [13,14].
Compared to proofs that annotate the control flow graph (Floyd proofs1 ),
data flow proofs have the advantage of being sparse [13,14]. Temporal sparseness
means the data flow graph abstracts away from the linear ordering of statements
in the control flow graph and only retains a partial order. Spatial sparseness elim-
inates the need to “carry over” information about a variable from where it is
assigned to where it is used over many locations where that information is irrele-
vant. Additionally, in verification data flow proofs exhibit projective sparseness.
Data flow graphs are often not connected, thus one may discard all components
that are not connected to the property.
The other side of the medal is that data flow proofs are limited in proving
power because the data flow graph loses some information that is present in the
control flow graph.
We formalize the notion of a “data flow” and use tree languages to denote
sets of data flows. We observe that the tree language induced by taking all the
1
Note the subtle difference between Floyd-style proofs [8] and Hoare-style proofs [10]:
The former are annotations of the control flow graph while the latter are annotations
of the program’s source code.
c Springer Nature Switzerland AG 2018
R. Piskac and P. Rümmer (Eds.): VSTTE 2018, LNCS 11294, pp. 1–16, 2018.
https://doi.org/10.1007/978-3-030-03592-1_1
2 J. Hoenicke et al.
traces of the control flow graph and converting them to data flow trees is non-
regular even for very simple examples. However, we show that the path-closure
of this non-regular language is always regular, and that it is indeed equal to the
language of data flow trees obtained from simply unwinding the data flow graph.
We gain the insight that the loss of proving power of data flow proofs compared
to Floyd proofs is a consequence of this overapproximation.
Based on these tree languages, we can extend existing language based refine-
ment schemes using tree interpolation to obtain a CEGAR-style algorithm that
computes a data flow proof from a data flow graph of a program with some
property.
We also characterize the proving power of data flow proofs semantically by
comparing them to Floyd proofs. We arrive at the result that the proving power
of data flow proofs precisely equals that of Floyd proofs that are based on the
Cartesian abstraction of the given program.
Our contributions are the following:
– We introduce data flow trees as a means to formally compare the data flow
denotations of the control flow graph and the data flow graph.
– We show that the step from the data flow trees of the control flow graph to
the data flow trees of the data flow graph corresponds precisely to the step
from some tree language to its path-closure.
– We characterize the proving power of data flow proofs (a consequence of
the loss of precision through the path-closure) by showing that it equals the
proving power of Floyd proofs over the Cartesian abstraction of a program.
– We show how to construct a set of constrained Horn clauses from a data
flow graph whose models correspond to data flow proofs for the underlying
program.
2 Example
Fig. 1. Program P as a control flow graph, the traces of P as a regular expression, and
the data flow graph of P , called P # .
Fig. 2. The set of data flow trees where each element is the data flow graph of a trace
in Traces(P ) (left-hand side, with n ∈ N), and the set of data flow trees induced by
P # (right-hand side, with m, n ∈ N).
if all of its traces are infeasible, i.e., cannot be executed because of a blocking
assume statement.
The right part of Fig. 1 depicts the data flow graph P # of P . For each state-
ment of the control flow graph P there is a corresponding node in the data flow
graph P # . The edges are labelled by variables. An edge (s1 , x, s2 ) in the data
flow graph is added if the statement s1 defines the value of a variable x, s2 uses
the variable x, and there is a path s1 ... s2 in the control flow graph, such that x
is not defined by another statement between s1 and s2 .
It is possible to convert each trace into a data flow graph by interpreting
it as a control flow graph that only executes this single trace. This data flow
graph is acyclic. Thus it forms a DAG. By copying nodes with multiple outgoing
edges a data flow tree for each trace is induced. For the traces of P the set of
corresponding data flow trees is sketched on the left-hand side of Fig. 2. The
square brackets with superscript n denote that x++ (resp. y++ ) can be taken n
times respectively, i.e., the tree has height n + 2 and each inner node is an x++
(resp. y++ ) node. All edges are labelled with x (resp. y). Since the number of
occurrences of x++ and y++ in any trace of P is the same, the two branches
must have the same height.
4 J. Hoenicke et al.
Fig. 3. The set DFT(P # ) is path-closed. This means that if the two data flow trees
on the left are contained, so are the two data flow trees on the right.
The data flow graph P # also induces a set of data flow trees. These can be
seen as the trees accepted by a tree automaton similar to P # . These are given
on the right-hand side of Fig. 2. The data flow graph cannot ensure that the
statements x++ and y++ are taken the same number of times. Thus, we use m
and n to denote that the number of repetitions of these statements may differ
in each branch.
In fact, the set DFT(Traces(P )) is not a regular tree language, since a finite
tree automaton cannot ensure that the two branches are of the same height. On
the other hand, DFT(P # ) is a regular tree language recognized by a deterministic
root-frontier (also called top-down) tree automaton. The language class accepted
by root-frontier tree automata are the path-closed languages. In Fig. 3 we illus-
trate the consequences of path-closure to the tree language DFT(Traces(P )).
Given this intuition, we can observe that DFT(P # ) equals the path closure of
DFT(Traces(P )) in this example. We will show in Sect. 4 that this is the case
for all programs.
However, even though the abstraction introduced by P # is very coarse, we
can still prove P correct on it. This is because the property also holds for all
the data flow trees obtained from P # . It does not depend on x++ and y++ to
be executed the same number of times. One might wonder if there is an easy
syntactic way to see if there is a data flow proof. However, this is not the case as
the following example shows. If one changes the error guard to assume x-y<0 ,
the program is still correct (the error state in the control flow graph is not
reachable) but it is unprovable using the data flow graph. This is because the
property does not hold for the trees in DFT(P # ) where m = n.
As we will see in Sect. 5, being provable in the data flow graph abstraction
coincides precisely with the fact that P has a Cartesian Floyd proof, i.e., it
suffices to only reason about each variable independently. In this example, the
Cartesian assertion x ≥ 0 ∧ y ≥ 0 is a safe inductive loop invariant for P .
A Tree-Based Approach to Data Flow Proofs 5
3 Preliminaries
In this section we fix our notation for trees and tree languages and present the
notion of path-closure and afterwards we fix our notation for programs and Floyd
proofs.
A path-closed tree language L is uniquely defined by the set of its tree paths,
i.e., the set of all paths (with directions) from any leaf in any tree to the root.
def
tree-paths(L) = {(p1 , a1 ) ... (pn , an ) | ∃t ∈L.p1 is a leaf of t ∧ pn =
∧ ∀i < n.pi+1 = parent(pi )
∧ ∀i ≤ n.t(pi ) = ai }
6 J. Hoenicke et al.
t t t
∈L ∈ L =⇒ ∈L
a a a
s1 . . . si . . . sn t 1 . . . ti . . . t n s1 . . . ti . . . sn
Fig. 4. Illustration of path-closure, taken from [11]: If the left and the middle tree
are in the tree language L, then, for L to be path-closed, the right tree must also be
contained.
For simplicity, we assume that each statement σ ∈ Σ occurs only once in the
program. Thus we can define a source and a target function for a statement as
def def
src(σ) = tgt(σ) = where (, σ, ) ∈ δ
P can be viewed as a finite automaton over the alphabet Σ. Then the language
of the automaton P is the set of all sequences of statements that start in 0 and
end in err and that respect the control flow. We call this set the traces of P
and denote it by Traces(P ). We make the following assumptions on the form of
P that do not restrict expressivity but avoid some corner cases. This will allow
for a simpler presentation later in the paper.
– There is only one statement in P that leads to the error location err ; we call
this statement the error guard σerr .
– The program starts with an assume statement that initializes every variable
to a nondeterministic value. If there are no variables, the program starts with
assume true . By convention, these initialization statements do not read any
variables.
– There is no location that is not visited by any trace.
The Functions use and def. The ingredients for constructing a data flow graph
are the control flow graph together with the functions use and def.
The function use : Σ → 2Var assigns every statement σ a set of variables that
are read by σ. The function def : Σ → 2Var assigns every statement σ a set of
variables that are written by σ.
For this section we rely on the reader’s intuition for what it means that a
statement reads or writes a variable. For our result concerning tree languages it
is irrelevant how use and def are chosen. We will give well-formedness constraints
for use and def in Sect. 5.
Data Flow Graph. Following [12] we define the reaching definitions of a location
∈ Loc wrt. a variable x ∈ Var as all the statements that define x and that are
the beginning of a control flow path to where x is not overwritten.
def
RDP (x, ) = {σ0 ∈ Σ |σ0 σ1 ... σn ∈ Paths(P )
∧ tgt(σn ) =
∧x ∈ def(σ0 )
∧∀i ∈ {1, ... , n}.x ∈ def(σi )}
A data flow edge connects two statements and is decorated with a program
variable. The data flow edge (σ, x, σ ) exists in P if σ is a reaching definition for
x at src(σ ), and σ reads x. The data flow graph P # of a program P is the set
of all the data flow edges that exist in P . Formally:
def
P # = {(σ, x, σ ) ∈ Σ × Var × Σ | σ ∈ RDP (x, src(σ )) ∧ x ∈ use(σ )}
For a trace τ we define DF G(τ ) as the data flow graph of the straight-line
program that corresponds to τ .
Data Flow Trees. We define data flow trees as a special kind of trees.
Definition 1 (Dataflow tree). Let Σ be a set of statements and Var be the
set of variables used in Σ. Let use and def be two functions mapping statements
to sets of variables. Then we define a data flow tree t as a tree where
– the ranked alphabet is (Σ, rank), where rank is the function that assigns a
statement the cardinality of its use-set, i.e.,
def
rank(σ) = |use(σ)| ,
– the index set is the set of program variables, i.e.,
Pos t ⊆ Var ∗ ,
– for every position p and every variable x that is used by statement t(p) there
exists a position p in Pos t that is the child of p at index x and whose state-
ment t(p ) defines x, i.e.,
∀p ∈ Pos t , x ∈ use(t(p)).∃p ∈ Pos t .p = childt (x, p) ∧ x ∈ def(t(p )).
A Tree-Based Approach to Data Flow Proofs 9
We call a data flow tree that has a data flow proof infeasible.
The infeasibility of a data flow tree implies the infeasibility of all of its lin-
earizations {τ | DFT(DFG(τ ))}. However, the other direction does not hold in
general: A data flow tree may be feasible even though all of its linearizations
are infeasible. It follows from Theorem 2 that this is not the case if we restrict
ourselves to Cartesian assertions.
We define the set data flow trees that is denoted by the data flow graph P # .
For intuition, the data flow tree belonging to a trace τ of P is obtained in two
steps. First we build the data flow graph of τ , DFG(τ ), which has the shape of
a directed acyclic graph (DAG). Second we convert this acyclic graph to a tree
by duplicating nodes going backwards from the last statement of τ , which is the
error statement σerr . So σerr will be the root of the tree.
Note that in case of a loop-free data flow graph, the DFT-operator yields a
singleton set. We will sometimes abuse notation, and use the singleton set to
refer to its element.
The following theorem will show that DFT(P # ) is precisely the path-closure of
DFT(Traces(P )).
Theorem 1. The data flow tree language denoted by P # , is equal to the path-
closure of the data flow tree language derived from P , i.e.,
In this section we give one more characterization of the power of data flow proofs.
We define data flow proofs and Cartesian Floyd proofs. We start by giving an
overview of the relevant sections of the paper by Oh et al. [13] and point out
critical aspects like the functions use and def. Using on this technical apparatus,
we prove the equivalence between data flow proofs and Cartesian Floyd proofs.
Afterwards we give a set of Horn constraints that can be used to compute a data
flow proof from a data flow graph if one exists.
A Tree-Based Approach to Data Flow Proofs 11
Data Flow Proof. We define a data flow proof as an inductive annotation of the
data flow graph.
The nodes in P # are statements. The set of incoming edges in P # of state-
ment σ where variable x is flowing in P # is
def
inP # (σ, x) = {(σ , x, σ) | ∃σ .(σ , x, σ) ∈ P # }.
A data flow proof κ for program P is a mapping from the edges of the data flow
graph P # to the set of formulas, i.e., κ : P # → Formulas, such that
– for all statements σ ∈ Σ with use(σ) = {x1 , ... , xn }, and for all tuples of
incoming edges (ex1 , ... , exn ) ∈ inP # (σ, x1 ) × · · · × inP # (σ, xn ) and for all
outgoing data flow edges of σ, eout ∈ outP # (σ)
12 J. Hoenicke et al.
{ κ(exi )} σ {κ(eout )}, if σ = σerr
1≤i≤n
and { κ(exi )} σerr {⊥}, if σ = σerr
1≤i≤n
– and for every data flow edge (σ, x, σ ), the formula κ((σ, x, σ )) contains no
variable other than x, i.e.,
This definition follows Kincaid and Farzan [5] except that it also ensures the
unreachability of the error location. The first condition ensures that for each
statement every combination of assertions at its incoming data flow edges guar-
antees the assertion at all of its outgoing edges. The second condition states that
each data flow edge e = (σ, x, σ ), κ(e) contains only the variable x. Note that
for a statement with an empty use-set the conjunction is empty, i.e., the Hoare
triple should hold for the pre-condition .
Cartesian Floyd Proofs. Intuitively, Cartesian Floyd proofs allow only assertions
that do not relate the values of different variables. We call an assertion ϕ a
Cartesian assertion if it is , ⊥, or a conjunction where each conjunct only
refers to one program variable x ∈ Var , i.e.,
Let Di denote the domain of the program variables xi for each variable
xi ∈ Var . Then, D1 × · · · × Dn is the domain of the program state (assuming a
linear ordering of the variable set Var ). Also, each ϕi defines a subset Mi ⊆ Di
and the the Cartesian assertion ϕ = ϕ1 ∧ ... ∧ ϕn describes a set of states that
is the Cartesian product M1 × ... × Mn .
Note that in principle every program with a Floyd proof can be made into
a program with a Cartesian Floyd proof by replacing all variables by a single
variable that holds the whole program state. This technique is usually called
packing (or variable packing). However packing influences the shape of the data
flow graph; packing all variables together yields a data flow graph that is iso-
morphic to the control flow graph. For further descriptions of packing see [3,13].
Oh et al. do not discuss Cartesian abstraction explicitly. However they dis-
tinguish non-relational and relational abstract domains and use variable packing
for the relational domains. This amounts to our notion of Cartesian abstraction.
Safe use and def. Oh et al.’s define precise and overapproximated use and def
functions. We adapt this to our notation and define safe use and def functions,
which correspond to the overapproximated functions. This will allow us to relate
A Tree-Based Approach to Data Flow Proofs 13
Definition 5 (Safe use and def). Let σ be a statement, let ϕ and ψ be Carte-
sian assertions.
x∈
/ def(σ) =⇒ ({ϕ} σ {ψ} ⇐⇒ π(x, ϕ) |= π(x, ψ))
– We call use safe if, given {ϕ} σ {ψ} holds, the weakened precondition, that
only uses the projection to variables in use(σ), is strong enough such that
the parts of the postcondition that constrain variables in def(σ) can still be
concluded. Formally:
{ π(x, ϕ)} σ { π(x, ψ)}
x∈Var x∈Var
=⇒ { π(x, ϕ)} σ { π(x, ψ)}
x∈use(σ) x∈def(σ)
Concrete Syntactic use and def. In Table 1 we give concrete definitions for use
and def that are safe for any program in our programming language. The defini-
tion shows that there is an easily computable instance of use and def. However,
there is much room for optimization here, in general and with respect to given
program. More complicated programming languages (for example with pointers)
may introduce the need for more involved definitions.
The main difficulty here is to correctly deal with assume statements. We
introduce a fresh auxiliary variable a ∈
/ Var . The data flow edges labelled with
a allow data flow proofs to express that an assume statement blocks execution
of another statement even though their variables are disjoint. Because a does
not occur in any statement, no value constraint will be put on a, but data flow
edges labelled by a may be annotated with ⊥ expressing unreachability of the
following statements.
Proposition 2. use and def, as defined in Table 1, are safe use- and def-
functions for any program.
14 J. Hoenicke et al.
σ use(σ) def(σ)
x := e vars(e) ∪ {a} {x}
assume ϕ Var ∪ {a} Var ∪ {a}
Equivalence of Data Flow Proofs and Cartesian Floyd Proofs. We state the
equivalence between data flow proofs and Cartesian Floyd proofs.
Theorem 2 (Data flow proof vs. Cartesian Floyd proof ). There exists a
data flow proof for P if and only if there exists a Cartesian Floyd proof for P .
From Theorem 2 it immediately follows that the proof rule is sound, complete
with respect to Cartesian Floyd proofs, and that the power of Cartesian Floyd
proofs is the best we can achieve with data flow proofs.
Data Flow Proofs via Horn Constraint Solving. We can use standard tools for
Horn constraint solving [1] in order to compute a data flow proof. Given a data
flow graph P # , we construct a set of Horn clauses whose solution is a data flow
proof for P .
For each node σ of P # and every variable x ∈ use(σ) we introduce a predicate
Iσ,x (x). For every edge (σ, x, σ ) ∈ P # , with use(σ) = {x1 , ... , xn }, we add the
following Horn constraint.
∀x1 , ... , xn , x.Iσ,x1 (x1 ) ∧ ... ∧ Iσ,xn (xn ) ∧ sf(σ) → Iσ ,x (x )
For the error guard σerr , with use(σerr ) = {x1 , ... , xn }, we add the following
Horn constraint.
∀x1 , ... , xn , x.Iσerr ,x1 (x1 ) ∧ ... ∧ Iσerr ,xn (xn ) ∧ sf(σerr ) → ⊥
6 Related Work
Farzan and Kincaid renewed the interest in data flow graphs in the context of
verification. They propose to iteratively compute an annotation on the data flow
graph, convert it to an annotation of the control flow graph, and use a possible
counterexample for safety of the control flow graph to refine the data flow graph
[5,6]. In this paper we assume that the data flow graph is fixed.
Farzan et al. [7] also introduced inductive data flow graphs, which achieve
compact representations of many interleaving traces through a parallel represen-
tation. They use Craig interpolants to detect when interleaved statements don’t
influence each other. The branching of inductive data flow graphs is computed
from interpolants where as in this paper it is fixed (given through the functions
use and def).
Oh et al. [13,14] showed that any abstract interpretation-style program anal-
ysis can be done on the data flow graph instead of the control flow graph. We
transfer their result into the setting of verification. While the step from analysis
to verification is generally a trivial one, we account for several subtle differences
between their setting and our setting of verification. The non-fixed assertion lan-
guage has consequences for the computation of the data flow graph. The demand
for a safe inductive annotation also means we have to formulate a set of con-
straints instead of an abstract post operator. Our setting furthermore allows us
to leverage a third dimension of sparseness (next to so-called temporal and spa-
tial sparseness mentioned by Oh et al.); in particular we only consider program
parts that have a data flow to the error guard.
Denaro et al. [4] investigated the potential of data flow analysis for software
testing. They show experimentally that the set of data flows of the executions
of a program is significantly different from the data flows denoted by the data
flow graph.
The notion of viewing a control flow graph as the denotation of a set of traces
as in trace refinement schemes [9] has inspired the view on the data flow graph
as a denotation of a set of data flow trees.
7 Future Work
Much of the effectiveness of sparse program analysis depends on the computa-
tion of a good data flow graph, and the same is to be expected for program
Another random document with
no related content on Scribd:
Sure. Sure he would. This was Wednesday, a Rec. night. Tonight,
after supper, Belle and her Three Graces would make a night round.
"Personal service"—if you had the credits. He had the credits. He'd
take a fall—hell, a couple, why not—out of old Belle herself. Not that
Belle looked any better than the others, but at least she put a little
life into it. A couple of hours with Belle, twelve credits; a bottle, four
more. All right, he had them. Tonight he was really going to make a
night of it. Yeah.
Yeah?
Yeah. And the next day, Thursday, all day ... yeah! His head ached,
stomach churned; that burning back of the eye-balls; the awful, tight-
drawn humming of nerves. And on just one bottle? God, that acid-
burn gin. No, old Belle had been in rare form and he got two bottles
instead of one. But even so ... must be that stew the night before. Oh
death!
He fought the day, his work, all day. He missed quota. The fingers
were just a blistering mist before his eyes. He drank water and
gagged on it. He paced his cell. He sweated. God! Could a man live
like this?
"Boy! Say there, boy. Look alive, eh?"
Mr. Boswell, the old electronic shyster. It was afternoon, finally, of the
everlasting, miserable day. Jay 7 looked up to watch sullenly as, the
usual afterthought, Mr. Boswell rolled on off to plug in his cord; and
rolled back. Made a noise, a harrumph-type, throat clearing,
introductory noise. Mr. Boswell had no throat but he was a believer in
certain niceties, form and procedure.
"Well now, boy. Let me see, where are we? Oh yes. Bring you up to
date. My latest petition for further continuance pending a review of
the transcr...."
Suddenly, it was all too much. Jay 7 was mad, furious. He, in a word,
blew his gin-throbbing top. He was on his feet, shaking hands, white-
knuckled, gripping bars. "Goddamnit!" he shouted, "Goddamnit, you
rotten old fraud, I've had enough, you hear me? I got a by-God-
bellyfull enough."
Suddenly, it was all too much. Jay 7 was furious with the old
electronic shyster. He was on his feet, shaking hands, white
knuckled, gripping bars.
"Oh?" inquired Mr. Boswell, mildly. "Enough is enough, eh? But how
can we be sure that alternatives...."
"All right, all right." Jay 7 wouldn't get anything out of him by
shouting, he knew that. He was still tense and shaking but he
managed to lower his voice to a tense, confidential whisper of
appeal. "But I can't take much more of this. And the uncertainty. I've
got to know. How much longer, huh? Please, please, Mr. Boswell,
man to man ... when will the trial come? How much longer before we
go to court, I—we—get my acquital, huh? Man to man, when can I
walk out of here a free man?"
"Man to man? You are just a boy, boy. Show it all the time. Man to
man? Well ... perhaps it is time you did grow up a bit. So. You want
to know when you will leave here a free man? I'll tell you. Never."
"Never?!?"
"Never. Hasn't that been obvious from the start? Look. You know the
charges, the evidence against you. In your actions, in your mind,
either way you are guilty, boy. Regardless of the degree, you are
guilty. The evidence is undeniable. You know better than I how guilty
you are."
"No!"
"You are so eager to leave here? Why?"
"Just to get out. To be free. Isn't that enough?"
"Nonsense, lad; nonsense. You are doing fine here, just fine. Look at
it this way. You are here for the common good, yours and society's,
in protective custody. You have made rather a nice adjustment. Quite
nice, really. To accept it gracefully, gratefully, is best. And, with me as
your counsel, there is no reason why we cannot hope to continue
your case indefinitely—for years, for decades. Why...."
"No! No, they can't, you can't do that to me." A highly unoriginal
protest. Mr. Boswell made a mild sound of disapproval. At such times
he regretted the limitations of construction that did not permit him a
shake of the head.
"Years? Decades? No! I can't stand it; I can't, I won't. I'll find a way
out. I'll make a way."
"Suicide? Oh now, my boy, please. To take your own life? A
shameful thing. And not at all fair to my firm."
"No, not suicide. I—I'll break out. Damn you, I will. I'll grab your
damned wire—I can reach it from here; I'll pull your plug. You'll have
to take me out of here or I'll let your juice run out and you'll die.
Boswell, you're going to hide me under that machinery of yours and
take me out."
"Oh? But my boy—what then?"
"Then I'll be out, that's what."
"Then you will be out. Out of here; out in the street; out of protective
custody; outside the law. You would be alone then, lad; alone with
your guilt, cast out, apart from society and the sound, stable order
you find here. And would not every decent man's hand be against
you? Think, my boy, what that means. Could you face it?" During
these remarks, as Jay 7 clung, hot-eyed and shaking to the bars, Mr.
Boswell had backed prudently well away, out of reach from the cell
door.
"Yes! I don't care. To hell with you; to hell with all of them. I've got to
get out of here. Come back, you coward. I tell you I've got to get out,
out, out!"
Mr. Boswell backed across the corridor and pulled his plug from the
socket. The wire rolled back neatly on the spool. "Time—no more
time; other clients." He peered myopically through thick lenses back
toward the cell. "Please, lad—it pains me to hear you talk so wildly."
"I've got to get out, you hear? Out!"
"Well, my boy, if it has become such a phobia with you and you feel
you have got to do so foolish a thing ... why don't you just walk out?"
"Walk out? What in hell are you talking about? How can I walk out of
this cell?"
"Now, now, boy. You are only in protective custody, to protect you
from yourself, from an outraged society, you understand. That cell
isn't locked. Never has been. You know that."
"That's a lie!" The man, Jay 7, threw himself against the bars,
pressed against them, every muscle straining. "It's locked, locked.
You can see. It won't open."
"Now, now," said Mr. Boswell again, starting to swing around on his
wheels, "that door opens inward. You get your food through it, your
work; the other—ah—amenities, girls ... eh? Nobody ever unlocks
that door, isn't that right? They all just push it open. Right? Eh? It
opens in."
"You lie. It's a damned, rotten, filthy lie." He was yelling, shaking,
rattling the door; pushing at the door.
"Easy, boy," said Mr. Boswell, "easy now. If you say so ... perhaps
you are right after all. So. We adjust, eh? See you Sunday. There
are some details, questions of improper punctuation in the transcript
of your involuntary confession we must go over; something we can
use in the next preliminary hearing. Eh? Good night, boy." Mr.
Boswell rolled off, smoothly as always, down the corridor.
Jay 7 quit pushing then, all at once and completely, and hung limply,
two hands circling two solid bars, leaning heavily against the cell
door. He sobbed once and then sniffed. He felt thirsty. So ... well, he
had his cup, his own faucet. He could get a nice, cold drink of water
any time he wanted it. He sniffed again and turned away from the
barred door.
THE END
*** END OF THE PROJECT GUTENBERG EBOOK A PRISON
MAKE ***
Updated editions will replace the previous one—the old editions will
be renamed.
1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the terms
of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.
• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.F.
1.F.4. Except for the limited right of replacement or refund set forth in
paragraph 1.F.3, this work is provided to you ‘AS-IS’, WITH NO
OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.
Please check the Project Gutenberg web pages for current donation
methods and addresses. Donations are accepted in a number of
other ways including checks, online payments and credit card
donations. To donate, please visit: www.gutenberg.org/donate.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.