49th IEEE Conference on Decision and Control Atlanta, GA Pre-Conference Workshop on Verification of Control Systems December 14, 2010 Verification of Control Systems by Abstract Interpretation Patrick Cousot CIMS-NYU & ENS [email protected] cs.nyu.edu/~pcousot [email protected] di.ens.fr/~cousot

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 1 © P. Cousot Motivation

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 2 © P. Cousot All computer scientists have experienced bugs

Ariane 5.01 failure Patriot failure Mars orbiter loss Russian Proton-M rocket carrying 3 Glonass-M satellites (overflow error) (float rounding error) (unit error) (unknown programming error)

• Checking the presence of bugs is great • Proving their absence is even better!

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 3 © P. Cousot Abstract interpretation

Patrick Cousot & Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238—252, Los Angeles, California, 1977. ACM Press, New York, NY, USA

Patrick Cousot & Radhia Cousot. Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages pages 269—282, San Antonio, Texas, 1979. ACM Press, New York, U.S.A.

Patrick Cousot & Radhia Cousot. Abstract interpretation frameworks. Journal of Logic and Computation, 2(4):511—547, August 1992.

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 4 © P. Cousot Abstract interpretation • Started in the 70’s • Statically and automatically inferring properties of the behavior of programs/computer systems for program analysis (proof, verification, optimization, transformation, etc.) • Based on the idea that undecidability and complexity of automated static program analysis can be fought by approximation • Applications of abstract interpretation do scale up!

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 5 © P. Cousot Application to static analysis and verification • Static analysis consists in automatically answering questions about the runtime executions of programs • Static means « at compile time », by examining the program text only, without executions on computers • Automatic means by a computer, without human intervention during the analysis

Program Static analyzer Answer Question program Computer

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 6 © P. Cousot Fighting undecidability and complexity in program verification • Any automatic program verification method will definitely fail on infinitely many programs (Gödel) • Solutions: • Ask for human help (theorem-prover based deductive methods) • Consider (small enough) finite systems (model- checking) • Do complete abstractions or else sound approximations (abstract interpretation)

Program Static analyzer Answer Question program Don’t know Computer 49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 7 © P. Cousot An informal introduction to abstract interpretation

P. Cousot & R. Cousot. A gentle introduction to formal verification of computer systems by abstract interpretation. In Logics and Languages for Reliability and Security, J. Esparza, O. Grumberg, & M. Broy (Eds), NATO Science Series III: Computer and Systems Sciences, © IOS Press, 2010, Pages 1—29.

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 8 © P. Cousot 1) Define the programming language semantics Formalize the concrete execution of programs (e.g. transition system) y y (x,y)

t=0 x t=2 x t=… t=1 t

Trajectory Space/time trajectory in state space

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 9 © P. Cousot II) Define the program properties of interest Formalize what you are interested to know about program behaviors

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 10 © P. Cousot III) Define which specification must be checked Formalize what you are interested to prove about program behaviors

Forbiden zone

Possible trajectories

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 11 © P. Cousot IV) Choose the appropriate abstraction Abstract away all information on program behaviors irrelevant to the proof

Zone interdite

Possible trajectories

Abstraction of the trajectories

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 12 © P. Cousot V) Mechanically verify in the abstract The proof is fully automatic

Forbidden zone

Possible trajectories

Abstraction of the trajectories

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 13 © P. Cousot Soundness of the abstract verification Never forget any possible case so the abstract proof is correct in the concrete

Forbidden zone

Possible trajectories

Abstraction of the trajectories

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 14 © P. Cousot Unsound validation: testing Try a few cases

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 15 © P. Cousot Unsound validation: bounded model-checking Simulate the beginning of all executions

Forbidden zone

Possible trajectories

Bounded model-checking

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 16 © P. Cousot Unsound validation: static analysis Many static analysis tools are unsound (e.g. Coverity, etc.) so inconclusive

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 17 © P. Cousot Incompleteness When abstract proofs may fail while concrete proofs would succeed

Forbidden zone Alarm !!!

Possible trajectories

Error or false alarm ?

By soundness an alarm must be raised for this overapproximation!

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 18 © P. Cousot True error The abstract alarm may correspond to a concrete error

Forbidden zone Alarm !!!

Possible trajectories

Error

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 19 © P. Cousot False alarm The abstract alarm may correspond to no concrete error (false negative)

Forbidden zone Alarm !!!

Possible trajectories

False alarm

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 20 © P. Cousot What to do about false alarms? • Automatic refinement: inefficient and may not terminate (Gödel) • Domain-specific abstraction: • Adapt the abstraction to the programming paradigms typically used in given domain-specific applications • e.g. synchronous control/command: no recursion, no dynamic memory allocation, maximum execution time, etc.

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 21 © P. Cousot Just a bit less informally ...

Patrick Cousot & Radhia Cousot. Basic Concepts of Abstract Interpretation. In Building the Information Society , René Jacquard (Ed.), Kluwer Academic Publishers, pp. 359—366, 2004. (IFIP WCC 2004 Toulouse, Topical Day on Abstract Interpretation, Tuesday 24 August 2004).

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 22 © P. Cousot Lemma 5 A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. ST ￿ ￿ ￿￿ Definition 6 (termination proof)￿ A termination proof for a trace￿ semantics is the Lemma 5 A semantics = Σ, T , is terminating if and only if tdm[T ]=Σ. ST proof, using the definitionST of ￿ as￿ hypothesis, that it is terminating for all states, that￿￿ is ST ΣDefinitiontdm[T￿] 6 (a (termination variant is Init proof)tdm[T￿A]whereterminationInit proofΣ isfor a given a trace set semantics of initial states).is the ST proof,⊆ using the definition of ⊆ as hypothesis, that⊆ it is terminating for all states, that is ￿￿ ST Σ Σtdm, τ[,T￿Init] (a variant is Init tdm[T￿]whereInit Σ is a given set of initial states). ⊆￿ ￿ ⊆ ⊆ ￿￿ post r X ￿ s￿ s X : r(s, s￿) Σ, τ, Init { | ∃ ∈ } Lemma￿ Σ 5￿ A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. post r X s￿ s X : r(s, s￿) T ￿ { | ∃ ∈ S} ￿￿ ￿ ￿ ￿￿ 7.4 Functions LemmaΣ 5 A semanticsn = Σ, T , is terminating if and only if tdm[T ]=Σ. lfp￿ F = F ( ) T n￿0 S ￿ ￿ ￿￿ ⊥ ⊥ We let (S S ... S) ￿ S be set set of n-aryDefinition partial functions 6n (terminationon S which is defined proof) A termination proof for a trace semantics is the lfp￿ F = F ( ) T × × × −→ ￿n￿0 S ntimes Definition⊥0 6 (termination⊥ n+1 n proof)n A termination￿ proof￿ for a trace semantics is the proof,F ↑ ￿ using,..., theF definition↑ ￿ F ↑ F of(F ↑ ) asuntil hypothesis,F (F ↑ ) F ↑ that it is terminating forT all states, that is n+1 ⊥ T ￿ S as (S S ... S) ￿ S ￿ f (S) proof,(Lemmax1,...,x0 using 5 nA￿,y semantics the definitionf n+1x1,...,x= Σn of, T￿￿n￿,y, is￿ asnS terminating hypothesis, if and￿ that only￿ it if tdm is terminating[T￿￿]=Σ. for all states, that is × ￿ × ￿￿× −→￿ { ∈￿ | Lemma￿ F ↑ ￿ 5 A,...,￿ semantics￿∈ F∧￿↑ T ￿=F ↑Σ, TF (,F is￿∈↑ terminating) until ￿F ( ifF and↑ ) onlyF ↑ if tdm[T ]=Σ. Σ tdm[T ] (a variantST ￿ is Init￿T tdm[T ]whereInit Σ is a given￿￿ set of initial states). ntimes Semantics0 ⊥￿ ￿ andSn+1 specification￿ nS￿ ￿n ￿ ￿ ￿ ￿￿ Σ ⊆Ftdm↓ ￿[TF ↑], (a..., variantF ↓ is ￿InitF￿↓ tdmF⊆(F[↓T)]whereuntil InitF (F ↓ )=Σ Fis↓ a⊆ given set of initial states). ￿￿ f) y = y￿ and we write f(x1,...,xn) for theDefinition⊆ unique0 y such 6￿ (termination that x1n,...,x+1 proof)nn,y⊆A terminationf.n proof for￿ ⊆ a trace￿ semantics is the ￿￿ ⇒￿ ￿￿} ￿ DefinitionSmall-stepF ↓ ￿ F 6operational↑ , (termination..., F￿ ↓semantics￿ proof)F ↓ (of￿￿∈FA a( Fterminationprogram)↓ ) until proofF (F ↓for)= aF trace↓ semantics T is the The composition of unary function is f g(•x)=F (g(x)). f S S is total when SST ◦ proof, using the￿ definition￿ ￿ of as hypothesis,￿ that it is terminating for all states, that is proof,lfpΣ￿ using,F τ, theFInit↓ definition∈ F ↑−→ of ST as hypothesis, that it is terminating for all states, that is dmn[f]=S which is written f S S. Σ Σtdm⊥, τ[T￿,￿]Init (a variant￿ ￿ ￿ is Init STtdm[T￿]whereInit Σ is a given set of initial states). ∈ −→ Σ ￿lfp￿tdm￿ F[T￿] (aF ↓ variant￿ ￿F ↑ is Init tdm[T￿]whereInit Σ is a given set of initial states). ⊆⊆post⊥ ￿r X￿ s ⊆⊆s X : r(s, s⊆⊆) ￿￿ ￿￿ • Reachablepostτ = lfpr statesXλR￿.￿s￿ R￿ sτ X : r(s, s￿) ￿ ∗ ⊆ {Σ {| ∃◦| ∈∃ ∈ } } 7.5 Images τΣΣ∗,,=ττ,,lfpInitInit⊆ λR . Σ ∪R τ transitive closure τ￿τ∗∗ ￿ ∪ ◦ ￿post r X ￿ s￿ s X : r(s, s￿) post r X ￿ s￿ s X : r(s, s￿) The post-image of X S by a relation r (S)ispostλpostR . postrτX∗ ￿RInit{Inits￿| ∃ λs∈R .X Σ: r(s,R s￿})τ]=. ForλR . Initpost-imagepost τ (post R Init) τpost∗ . τ ∗￿{Init| ∃◦ ∈. ◦} . ⊆ ∈￿ τλ∗R post R Init{ ◦| ∃λR∈ Σ ∪R ◦ τ]=} λR Init post∪ τ (post R Init) X S S,wedefinepost2 r X ￿ s, s￿￿ s, s￿ X : r(.s￿,s￿￿) .Thedual∪ post-image ∪ lfppost⊆ λτ ∗XInitInit λXpost. s, sτ sXInit s X reachable states ⊆ × {￿ ￿ | ∃￿ postlfp￿∈⊆τ ∗λInitX .1Init} . post￿ τ X￿ is post r ￿ post r .Thepre-image is pre r ￿ post r− and∪λX the{s,￿ s￿duals￿| Init∈ pre-image⇒s￿ X∈ } ¬ ◦ ◦ ¬ lfp℘℘(⊆ΣλXΣΣ.)Init),, post τ{￿ X ￿| ∈ ⇒ ∈ } ℘(Σ℘()Σ, ), ￿= lfp⊆×λX . Init⊆￿∪ ←−−−−−−−−−−−−−−−−−−post∪λτR .Xpost R Init fixpoint￿ characterization⊆￿ is pre r ￿ pre r . Similarly for post2 r , preB￿2 r ,× and pre⊆￿2−−−−−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→∪r . λR . post R Init ￿ ⊆￿ ¬ ◦ ◦ ¬ Badpost τ Init ￿ AbsenceBB of∗ run-time errors • postpost ττ∗∗ InitInitInit==lfplfp⊆⊆⊆BλλXX..InitInit post￿ post￿ τ τXX postpostτ ∗∗ τInit∗ ⊆InitBadB ∪￿∪￿ 7.6￿ Ordinals ￿ BadBad ￿⊆ ⊆ B erroneous states postpost ττ InitInit ΣΣ BadBad no erroneous state is reachable from initial states The class of ordinals O, is an abstraction of well-founded∗∗ relations on sets. In Barnays- ￿ ￿￿ 999 Transition Transition⊆⊆ \\ abstraction abstraction abstraction and semantics and semantics G¨odel-Von Neumann set theory(1), the ordinals O are the well-ordered classes of all smaller ordinals so that 0 ,1 0+1= 0 ,2 49th iEEE1+1=9 ConferenceA transition on Decision Transition and0 Control,, 1 Atlanta,3 system GA, Pre-Conference2+1= WorkshopΣ ,on Verificationτ is of Control0 a, abstraction 1Systems,transition, 2 Dec. 14,,. 2010 . . , the relation 23 τ (© ΣP. and Cousot) on a non-empty semantics set Σ of states. ￿ ￿ ￿ AA99transitiontransition Transition Transition system system￿ ￿Σ abstraction abstraction, τ ￿Σis, aτtransitionis a transition and and relation semantics semanticsτ relation∈￿(Σ) onτ a non-empty(Σ) on set aΣ non-emptyof states. set Σ of states. ∅ { } It is deterministic{ } if￿ and￿ only{ if τ }is a function. The∈￿transition semantics abstraction of a first infinite ordinal is ω ￿ 0, 1, 2,... . For anyIt is ordinaldeterministicδ,eitherif andδ ￿ onlyO or ifδ￿τ=isO a.The function. The transition semantics∈￿ abstraction of a { } ItA istransitiondeterministic system Σ,if∈τ and￿is a transition only if τ relationis a function.τ (Σ) on The a non-empty￿transition set Σ of semanticsstates. abstraction of a order on ordinals is written <. The successortrace function semantics is (δ) ￿=δ Σ, T￿δ iswritten the transitionδ + 1, system τ = Σ, ατ (T￿) where the transition AtraceA transition semantics systemS systemT =￿ Σ￿Σ,,τ￿T ￿isisΣ a thetransition, τ transitionis a relationtransition system∈￿τ Sτ =(Σ￿ relationΣ), onατ a(T non-empty)￿ whereτ the set(transitionΣΣ)of onstates a. non-empty set Σ of states. ∈ It is deterministicS T if and∪ only{ } if ￿τ is a function. The transition semantics abstraction￿ of a the lub is (such that = 0) and the glbtraceabstraction is . semantics Anyα ordinalτ isS λ￿￿ is= either￿ ￿Σ￿, T a successor￿is the transitionS∈￿ system￿ τ￿ = ∈￿Σ, ατ (T ) where the transition ∅ abstractionIt is deterministicατ is ifT and￿ only if τ is a function. The transition￿ semantics abstraction of a ordinal λ = (δ) or a limit ordinal λ such thatIttrace isδ :deterministic semanticsλ = (δ) inS= whichΣ, Tif case￿ is and theλ =￿ transition onlyδ. if systemτ is aτ = function.Σ, ατ (T )S where The￿ thetransitiontransition￿ semantics abstraction of a abstraction ατSTis ￿ ￿￿ δ λ S ￿ ￿ ￿ ￿S ￿ trace∀￿ semantics￿ S = Σα, T is the℘(Σ￿ transition∈) ( systemΣ) τ = Σ, ατ (T ) where the transition abstraction ατ isST ￿ τ ￿ ￿￿∞ S ￿ ￿ ￿ O, ￿ is an increasing transfinite chain withtrace no strictly semantics decreasing chain.ατ = If∈ AΣ℘,(ΣTO∞then) −→is the ￿ (Σ) transition system τ = Σ, ατ (T ) where the transition ￿ ￿ (2) abstraction ατ is T￿ ∈ ⊆ ￿ −→ ￿ ￿ ￿ A, ￿, 0, A, , is a complete lattice . αSτ (T￿ ) ￿￿ s,￿ s￿￿ ￿s,￿￿s ￿ Σ￿ ∝ : ￿sss￿￿s ￿ T￿ S ￿ ￿ ατ (Tατ) ￿ατ℘{(￿s,Σ ∞ s￿)￿ |℘∃(￿s,Σ￿s(∞￿Σ∈))Σ ∝ : ￿sss(￿￿sΣ￿ )∈ T} ￿ ∪ ∩￿ abstraction ατ is ∈ {￿ ￿￿￿2−→| ∃ ￿ ∈ ∈ } ￿α￿rτ ￿ ￿s℘(∈ΣΣ￿∞2) r(￿s0,￿s(1Σ￿)−→) ￿ ￿ ατ (T￿rα) ￿￿(T∈￿){￿ss,∈ sΣ￿ |−→￿s,rs,(￿s0￿ s￿, ￿s1Σ)}∝ :￿s,￿sss￿s￿￿s ￿ Σ￿T : ￿sss ￿s T￿ γ￿ τ {{￿(Σ∈￿) ￿ | ∃| ℘(Σ￿ ∈￿ ) }￿ ￿ ∈ }∝￿ ￿ ￿ 8 Trace semantics ατ (T￿rτ ) ￿ ￿s s,Σ￿ s2￿{￿r(￿s￿s,￿,￿s∞￿s ￿￿) |￿Σ∃ ∝ : ￿sss∈￿￿s ￿ T ∈ } γτ ￿∈￿{(αΣ￿ ) −→￿ |℘∃(Σ0 ∞℘1)(2∈Σ ∞) ∈ (}Σ) ∈￿{ ∈ τ −→|2 ￿ } γτ (τ)￿r ￿ ￿r￿τ ∝￿s￿ Σ￿ ￿s r￿(￿sΣ, ￿s ) r(￿s0, ￿s1) γ (γττ)￿ ￿ ￿τ (Σ) ∈℘(Σ ∞0) 1 −→ ￿ Definition 2 (trace semantics) A trace semantics is a pair = τΣ, T ￿∈￿where{∝￿∈Σ−→is{ a| ∈ |} } ￿ ￿ ST ￿ ￿ ατ (T ) ￿ s, s￿￿ ￿s, ￿s ￿ Σ ∝ : ￿sss￿￿s ￿ T non-empty set of states and T￿ Σ￿ is a non-empty set of non-emptyγτ ( traces.τγ) τ γτ￿τ ∝ (Σ) ￿(Σ℘()Σ ∞) ℘(Σ ∞) ∞ ￿∈￿ −→ {￿ ￿ | ∃ ∈ ∈ } ⊆ ∈￿ −→ 2 γτ (τγ)τ ￿τ ∝ ￿ ￿ γτ (￿τ) ￿r ￿τ ∝ ￿s Σ r(￿s ,￿s ) Definition 3 (terminating semantics) A traceLemma semantics 7 ℘(Σ ∞=), Σ, T￿γτ is terminating(Σ￿), ￿ 0 1 ￿ ←−−−ατ 7 + ω Lemma 7 ￿℘(ΣST∞), ￿⊆￿ −−−→￿ ￿￿(Σ), ⊆￿ { ∈ | } if and only if T￿ Σ￿ (or equivalently T￿ Σ￿ = ). ￿ ⊆￿ −−−→←−−−ατ ￿￿ ⊆￿ ￿ ⊆ ∩ ∅Note that this transition abstractionγτ is￿￿ not7 an(Σ isomorphism) ℘( (e.g.,Σ ∞ for) Σ = a, b and { } T￿ =Noteanb thatn this1 , transitionα (T￿)= abstractiona, a , a, b is∈￿which not an trace isomorphism semantics−→ (e.g., includes for aΣω = T￿a,). b and Definition 4 (termination domain) The terminationn domain￿ ofτ = Σ, T￿ γ is tdm[T￿] ω { } T￿ = {a b |n 1 }, α (T￿T )={￿a,γ aτ￿(,τ￿a,) b￿} which￿τ trace∝ semantics includes a ￿∈ T￿). ω Termination￿ proofs￿ τS can￿ proceedτ￿ by induction￿ on the transition relation α (T￿)whenit ￿ dmn[T￿ Σ￿ ]. Lemma{ | 7 ℘}(Σ ∞), {￿ ￿ ￿ ￿}(Σ), τ ￿∈￿ ¬ ∩ is well-founded,Termination￿ proofsas shown can⊆￿ by proceed Lem.−−−→←−−−ατ9 bybelow.￿￿ induction￿￿ ⊆￿ on the transition relation ατ (T )whenit (1)Mendelson, Elliott. An Introduction to Mathematicalis Logic well-founded,Limit, 4th closure ed., Chapman asrequires shown & byHall, that Lem. London, an infinite9 below. 1997. trace that can be covered by parts of traces in (2) Note that this transition abstraction is not an isomorphism (e.g., for Σ = a, b and A complete lattice is usually a set, it must be extendedT￿ shouldLimit to a closure be class. in T￿ Howeverrequires[?, Sect. for that 2.6]. a given an infinite transition trace that can be covered by parts of traces in system, we can use a maximal ordinal to bound the class￿￿ of ordinalsn needed￿ in ranking functions.￿ ω {￿ } TT =shoulda b be inn T￿[?1, Sect., ατ ( 2.6].T )= a,γτ a , a, b which trace semantics includes a T ). ￿ ￿ ￿ LemmaDefinition{ | 87 (limit℘(}Σ closed)∞), The{ set￿ T ￿℘￿(Σ∞()Σ￿ of}) traces, is limit closed if and only if ￿∈￿ Termination proofs can proceed←−−−α￿τ ∈ by￿ induction on the transition relation ατ (T )whenit 6 Definition 8 (limit￿ closed) ⊆￿The−−−→ set T ℘￿￿(Σ∞) of traces⊆￿ is limit closed if and only if ￿ ω ￿ ∈ ￿ ￿ ￿ is well-founded,￿s Σ :( asn shownN : ￿s ￿ byΣ Lem.∗,￿s ￿￿ 9Σ∞below.: ￿s ￿￿sn￿sn+1￿s ￿￿ T ) (￿s T ) ￿ ω ￿ ￿ ￿ ￿ Note∀￿s ∈ thatΣ :( this∀n ∈ N transition: ∃￿s ￿ ∈ Σ∗, ￿s ￿￿ ∈ abstractionΣ∞ : ￿s ￿￿sn￿sn+1￿s ￿￿ is∈ notT ) ⇒ an(￿s isomorphism∈ T ) ￿￿ (e.g., for Σ = a, b and Limit∀ closure∈ ∀ requires∈ ∃ that∈ an∈ infinite trace that∈ can⇒ be∈ covered by￿￿ parts of traces in ￿ n ￿ ω {￿ } T￿ should= a b be inn T￿ [1?,, Sect.ατ (T 2.6].)= a, a , a, b which trace semantics includes a T ). { | ￿ } {￿ 7 ￿ ￿ ￿} ￿∈ Termination proofs can proceed7 by induction on the transition relation α (T￿)whenit Definition 8 (limit closed) The set T￿ ℘(Σ￿ ) of traces is limit closed if and only if τ is well-founded, as shown by Lem. 9∈below.∞ ￿ ω ￿ ￿ ￿ ￿ Limit￿s closureΣ :(requiresn N : ￿s that￿ Σ an∗, ￿s ￿￿ infiniteΣ∞ : trace￿s ￿￿sn￿sn+1 that￿s ￿￿ canT ) be covered(￿s T ) by parts of traces in ∀ ∈ ∀ ∈ ∃ ∈ ∈ ∈ ⇒ ∈ ￿￿ T￿ should be in T￿ [?, Sect. 2.6].

Definition 8 (limit closed) The set7T￿ ℘(Σ￿ ) of traces is limit closed if and only if ∈ ∞ ￿ ω ￿ ￿ ￿ ￿ ￿s Σ :( n N : ￿s ￿ Σ∗,￿s ￿￿ Σ∞ : ￿s ￿￿sn￿sn+1￿s ￿￿ T ) (￿s T ) ∀ ∈ ∀ ∈ ∃ ∈ ∈ ∈ ⇒ ∈ ￿￿

7 Lemma 5 A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. 01 Fixpoint abstractionT and approximation FixpointLemma abstraction. 5 A semanticsRecallS from= [Σ12￿,￿,T￿ 7.1.0.4],￿ is terminating that if and only if tdm￿ [T￿]=Σ. ￿￿ 02 Lemma 5 A semantics T = Σ, ￿T , is terminating if and only if tdm￿[T ]=Σ. Lemma 5 A semantics ST = Σ￿, T ,￿ is terminating if and only if tdm[T ]=Σ. ￿￿ ST ￿ ￿ ￿￿ 03 LemmaTheoremDefinition 7 If L, 6￿ (termination, is aS complete￿ proof) lattice￿ orA a cpo,terminationF L L proofis increasing,for a traceL, semantics￿￿ is the ￿ ⊥￿ (6),(7) ∈ → ￿ T 04 Definitionis a poset, α 6 (terminationL L is continuous proof) A, terminationF L L commutes proof for (resp. a trace semi- semantics isS the proof,DefinitionDefinition using 6 6 the (termination (termination definition proof)of proof)asAA hypothesis,terminationtermination proofthat proof itforfor is a a terminating trace trace semantics semantics for allisis states, theT the that is ￿￿ ∈ → ∈ → ST T S 05 commutes)proof,proof, using using with the theF that definition definition is α F of of= FSasTasα hypothesis, hypothesis,(resp. α F that thatF it it isα is terminating) thenterminatingα(lfp ￿ forF )= for all all states, states,S that that is is Σproof,tdm using[T￿] the (a definition variant is◦ ofInit Tas◦tdm hypothesis,[T￿]where◦ thatInit it is◦ terminatingΣ is a given for set all states, of initial that states). is 06 ￿ SSTST ￿ ￿ ⊥ lfpΣΣ￿⊆ tdmF (resp.[[￿TT￿]] (a (aα( variantlfp variant￿ F ) is isInitlfpInit￿ tdm⊆Ftdm).[￿T￿[T]where]whereInitInit Σ Σis⊆is a given a given set set of initial of initial states). states). ￿￿ 07 Σα( )tdm[T ] (a variant is Init α( tdm) [T ]whereInit Σ is a given set of initial states). ⊆⊆⊥ ⊥ ￿ ⊆⊆⊆⊥ ⊆⊆⊆ ￿￿ ￿￿ ￿￿ 08 ApplyingΣ, Lem.τ, Init7 to L, ¬ L, , we get Cor. 8 and by duality Cor. 9 below. 09 ￿ΣΣ,,, τττ,,,InitInitInit ￿ ￿ ←− −− ￿ post￿ r X￿￿ ￿ s ￿ −−s¬ −→ X￿ : r￿(s, s ) 10 ￿post rr XX￿ ￿ ss ￿ ss XX: :r(rs,(s, s s) ) ￿ LemmaCorollaryExamplepost 5r 8AX (David semantics￿￿￿ s{￿￿￿ Park)|s∃ X∈If:Fr(=s, sL￿)Σ￿ ￿, T￿L} is, increasing is terminating on a complete if and Boolean only if tdm[T￿]=Σ. 11 Σ {{{ |||∃∃∃ ∈∈∈ T ∈ }→}} identity lattice ΣΣL, , , then lfpS￿ F = gfp￿ ￿ ￿F . ￿￿ 12 ￿ ◦ ◦ ￿ ⊥ ¬￿ ¬ ⊥ ¬⊥ ¬ ¬ 13 DefinitionCorollary 9 6If (terminationL, . ., is a complete proof) lattice orA atermination dcpo, F L transitiveL proofis increasing,closurefor a trace semantics is the 14 ττ∗∗ ====lfplfplfplfp⊆⊆⊆⊆λλ￿λRλRRR.￿. ΣΣΣ￿￿ΣRRRRτττ τ ∈ → T γ L L is co-continuous∪∪∪∪(8)◦◦,◦ F◦ L L commutes with F that is γ F = F γ S 15 proof,∈ using→ the definition of∈ →as hypothesis, that it is◦ terminating◦ for all states, that is then γ(gfp ￿ F )=gfp ￿ F . T 16 ￿. γ( ) . S ￿ . Σ tdmλλRR[T...post￿post]postpost (aRR variantRRInitInitInitInit￿◦λλRλR isλR.R.InitΣ.ΣΣ ΣRRR◦tdmRττ]=]=τ]=[τTλλ]=R]whereRλ.RInitλInit.RInit. InitpostpostInitpostττpost(post(τpostΣ(postτisRR( apostInitRInit given)Init)R)Init set) of initial states). 17 ◦ ◦◦ ∪∪ ◦ ◦ ◦ ∪∪ ⊆6 Fixpoint strongest contract∪⊆∪ precondition∪ ∪ ⊆ ￿￿ 18 . commutativity 19 postpost ττ∗∗ InitInit==lfplfp⊆⊆λλXX. Init.Init postpostττ XX Followingpost [10ττ∗],∗ letInitInit us== definelfplfp⊆⊆λ theλXX abstractionInit. Init∪∪ postpost generalizingτ Xτ X [15] to tracesreachable states 20 Bad ∪ ⇒ BadBadwlp[T￿ ] λ Q￿ . s s￿s T￿ : s￿s∪ Q￿ 21 Bad ￿ postpost ττ∗∗ InitInit BadBad ∀ ∈ ∈ (6) post1 ￿τ Init Bad ￿ + ￿ 22 αΣiswlp,postcontinuousτ−, [InitQτ]∗∗ ￿ifInit andλ⊆⊆P only. Bad￿s if￿s it￿ preservesΣ (s existingP ) lubs￿(s of￿s increasingQ) chains. (7) ⊆ ∈ ∈ ⇒ ∈ 23 The continuity hypothesis⊆ for ￿α can1 be restricted to the iterates of the least fixpoint of F . ￿ ￿ wlp− [Q￿ ] (8) γ is co-continuous￿ + if and only￿ if it preserves￿ existing glbs of decreasing￿ chains.+ ￿´ 24 49thsuch iEEE Conference that on Decision℘( andΣ Control,), Atlanta GA, Pre-Conference Workshop￿ on Verification℘( Σof Control), Systems,and Dec. 14,P 2010A = wlp [ ￿τ ]( 24E A ). By fixpoint © P. Cousot 99 Transition Transition←−−−−−−−−−− abstraction abstraction￿ ￿ ￿ and and semantics semantics 25 ￿ ⊆￿ −−−−−−−−−−→λ T . wlp[T ]Q ￿ ⊇￿ post9 Transitionr X s￿ abstractions X : r(s, s￿) and semantics 26 abstraction,9 Transition it￿ follows from abstraction (1-a) and Cor. 8 that and semantics AA transitiontransition system system{ | Σ∃Σ,,ττ∈isis a atransitiontransition} relation relationττ (Σ(Σ)) on on a a non-empty non-empty set setΣΣofofstatesstates. . 27 A transition system Σ, τ is a transition relation τ (Σ) on a non-empty set Σ of states. Theorem 10 P = gfp￿￿ ⊆ λ￿￿P . EA ( B pre[t]P ) and∈￿∈￿PA = lfp ⊆ λ P . EA 28 AItIttransition is is deterministicdeterministic systemA ifif and and￿Σ Σ only, only￿τ is if ifτ aτ istransitionis a a function. function. relation The Thetransitiontransition∈￿τ (Σ semantics semantics) on a non-empty abstraction abstraction setofof aΣ aof states. ItΣ is deterministic if and only if∪τ¬is a∩ function. The transition∅ semantics¬ ∩ abstraction of a 29 B ￿ ￿￿ ￿ ∈￿ ￿￿ ( tracetracepre semantics semantics[t]P ) where pre==[t]QΣΣ￿,,TTs isis thes the￿ transitionQ transition: s, s￿ system systemt and preτ τ==[t]QΣΣ,￿,αατ (τpreT(T)[t)](wherewhereQ)= the thetransitiontransition It∪ is deterministicTT if and{￿ only| ∃ ∈ if τ is￿ a function.￿∈ } The transition¬ ￿¬ semantics abstraction of a 30 straces￿ : semanticss, s￿ tSS s￿=￿￿QΣ,. T￿￿ is the transition￿ systemSS τ￿=￿ Σ, ατ￿(￿T ) where the transition { abstractionabstraction| ∀ ￿ ￿∈ααττ isis⇒ST ∈ ￿ } ￿￿ S ￿ ￿ ￿￿￿ 31 traceabstraction semanticsα is n= Σ, T is the transition system τ = Σ, ατ (T ) where the transition Iflfp the￿ setFΣ=of statesτ isSFT finite,( ￿ as) assumed￿ in model-checking [2￿], theS fixpoint￿ definition￿ 32 abstraction αn￿0is ￿￿ of P⊥ in Th. 10 isτ computable⊥ααττ iteratively,℘℘((ΣΣ∞∞ up)) to combinatorial((ΣΣ)) explosion. The code 33 A ￿ ατ ∈∈ ℘(Σ ∞−→−→) ￿ ￿ (Σ) 34 to check the precondition s ￿￿ PA can proceed by exhaustive￿￿ enumeration.￿￿ In case 0 ￿ ααττ((TnT+1)) ￿￿∈ s,s,n s s￿ ￿￿ −→￿s,￿s,￿s￿s￿ n ￿ ΣΣ∝∝: :￿sss￿sss￿￿s￿￿s￿ ￿ TT ￿ ￿ F ↑ ,...,F ↑∈￿ατ F{{￿￿↑ ℘(￿Σ￿|F|∞∃∃()F ↑ ∈∈) (until￿Σ) F∈∈(F}}↑￿) F ↑ 35 this does￿ not scale up or forατ infinite(T ) ￿￿ states, systems, s22￿ bounded￿s, ￿s ￿ Σ model-checking∝ : ￿sss￿￿s ￿ T [5] is an ⊥ k ￿r ∈￿s Σ￿￿ r(￿s−→,￿s ) ￿ ￿ 36 i ￿r ￿￿ + ￿s{￿ Σ ￿ |r∃(￿s00, ￿s11∈) ∈ } alternative using i=0 ￿τ instead￿ of ￿τ { but,∈ ￿ by| Th.2 6, the} bounded￿ prefix abstraction￿ ατ (￿Tr ) ￿{ ￿s∈ s,Σ￿ s| ￿ r(￿s￿0s,, ￿s￿s}1￿) Σ ∝ : ￿sss￿￿s ￿ T 37 ￿0 ￿￿ γ n+1￿ (Σ{)￿n ℘￿(Σ￿|￿∃∞)n ∈ ∈￿ } ￿ αk(T ) ￿ ￿s T ￿s ￿ k isγτ unsoundτ for{(Σ)∈ approximating℘|2(Σ ∞) both} PA and PA. 38 F ↓ F ↑ , ..., F ↓ ∈￿F ↓−→ ￿F (F ↓ ) until F (F ↓ )=F ↓ ￿ ∈ ￿| | γ ￿r∈￿￿ (Σ￿s)−→Σ ℘(Σ￿r(￿s0),￿s1) γ (τ) τ ￿￿τ ∝ ∞ 39 7 Contract￿ ￿ precondition￿γττ (τ) ￿￿∈￿ inference￿τ ∝ { ∈−→ by| data flow} analysis ￿ ￿ ￿ 40 γ (τ)γ ￿τ ∝ (Σ) ℘(Σ ∞) Instead of state-based￿ reasonings,￿ τ τ as￿ in Sect. 4 and 6, we can consider symbolic (or 41 lfp￿ F F ↓ F ↑ ∈￿ −→ even syntactic) reasonings movingγ (τ) the code￿τ assertions to the code entry, when the 42 ⊥ ￿ ￿ τ ￿ ∝ γγττ 43 effLemmaect is the 7 same.℘(Σ￿￿ This), can be done by(Σ a), sound data flow analysis [18]when Lemma 7 ℘(Σ∞∞), α (Σ), ￿ . ⊆￿ ←−−−←−−−ατγτ τ ￿￿ ⊆￿ 44 1.τthe∗ = valuelfp⊆ ofλ￿ theR ￿ visibleΣ ⊆￿ sideR−−−→−−−→ effτect￿￿ free Boolean⊆￿ expression on scalar or collection Lemma 7 ℘(Σ ∞),∪ ◦ (Σ), 45 variablesNoteNote that that in￿ the this thisassert transition transition⊆￿is exactly−−−→←−−−ατ abstraction abstraction￿￿ the same⊆￿ is is as not not the an anvalue isomorphism isomorphism of this expression (e.g., (e.g., for when forΣΣ== a,a, b b andand γτ { } 46 LemmaT￿￿evaluated= annb 7 onn entry;℘1(Σ￿, α )(,T￿￿)= a, a , a,(Σ b), which trace semantics includes aωω T￿{￿). } T =Note. a b thatn￿￿ this1 ,∞α transitionττ (T )=. a, abstraction a , a, b iswhich not. trace an isomorphism semantics includes (e.g., fora Σ T=). a, b and 47 2.λtheR { value{post|| ofR the￿ Init expression}} λ⊆￿R checked←−−−{{￿α￿Στ ￿ on￿R￿￿￿￿ programτ￿￿}]=}⊆￿ entryλR isInit checkedpost in anτassert(postonR￿∈￿￿∈Init) Terminationn proofs◦ can−−−→ proceed by◦ induction on the transition relation ατ (Tω￿)whenit{ } 48 T￿ =Terminationa b n 1 proofs, α (T can￿)= proceeda,∪ a by, a, induction b which on trace the∪ transition semantics relation includesατa(T )whenitT￿). all paths{ that| ￿ can} be takenτ from{￿ the program￿ ￿ ￿} entry. ￿∈ 49 isis well-founded, well-founded,Note that this as as shown shownλ transitionX . by bys, Lem. Lem. s abstractions 99Initbelow.below.s X is not an isomorphism (e.g., for ￿Σ = a, b and We proposeTermination a backward proofs data can flow proceed analysis￿ by to induction check￿ for both on the suffi transitioncient conditions relation1 ατ (T )whenit{ } 50 ￿ Limitn closure requires￿{ that￿ an￿| ∈ infinite⇒ trace∈ } that can be covered by parts of tracesω in ￿ andTis℘=2 well-founded,(.ΣLimita bΣ closure)n, ￿ as1requires, shownατ (T that)= by Lem. ana, infinite a9 below., a, trace b which that℘( canΣ trace), be covered semantics by parts includes of tracesa inT ). 51 ￿￿ {× | ⊆￿￿ }←−−−−−−−−−−−−−−−−−−λR . post{￿ R￿Init￿ ￿} ￿ ⊆￿ ￿∈ (6)TT￿ shouldshould be be in inTT￿ [[?−−−−−−−−−−−−−−−−−−→?,, Sect. Sect. 2.6]. 2.6]. ￿ 52 α is TerminationLimitcontinuous closureif and proofsonlyrequires if it preserves can that proceed an existing infinite lubsby induction of trace increasing that chains. on can the be transition covered by relation parts ofα tracesτ (T )whenit in (7) The continuity hypothesis for α can be restricted to the iterates of the least fixpoint of F . 53 postisT￿ well-founded,shouldτ Init be in=T￿lfp as[?,⊆ shown Sect.λX . 2.6]. byInit Lem.post9 below.τ X (8) γ is co-continuous∗ if and only if it preserves￿ existing￿ glbs of decreasing chains. 54 ∪ 7 BadLimit closure requires that an infinite7 trace that can be covered by parts of traces in ￿ ￿ postT shouldτ Init be in TΣ[?,Bad Sect. 2.6]. 7 ∗ ⊆ \ 5 7 9 Transition abstraction and semantics

A transition system Σ, τ is a transition relation τ (Σ) on a non-empty set Σ of states. ￿ ￿ ∈￿ It is deterministic if and only if τ is a function. The transition semantics abstraction of a ￿ ￿ trace semantics = Σ, T is the transition system τ = Σ, ατ (T ) where the transition ST ￿ ￿ S ￿ ￿ abstraction ατ is

α ℘(Σ￿ ∞) (Σ) τ ∈ −→ ￿ α (T￿) s, s￿ ￿s, ￿s ￿ Σ￿ ∝ : ￿sss￿￿s ￿ T￿ τ ￿ {￿ ￿ | ∃ ∈ ∈ }

7 01 which may have to be checked by a prior assert (e.g. assert((A!= null) && (A[i] 01 which may have to be checked by a prior assert (e.g. assert((A!= null) && (A[i] 02 == 0))). For simplicity, we assume that bj either refers to a scalar variable02 (written == 0))). For simplicity, we assume that bj either refers to a scalar variable (written 03 bj(x)) or to an element of a collection (written bj(X, i)). This defines 03 b (x)) or to an element of a collection (written b (X, i)). This defines 04 j j 04 05 E A ￿ s Σ c, b A : πs = c b s erroneous or05bad states E s Σ c, b A : πs = c b s erroneous or bad states { ∈ | ∃￿ ￿∈ ∧ ¬ } A ￿ { ∈ | ∃￿ ￿∈ ∧ ¬ } 06 E￿´ ￿s Σ￿ + i< ￿s : ￿s E erroneous or06bad runs. ￿´ ￿ + A ￿ i A EA ￿ ￿s Σ i< ￿s : ￿si EA erroneous or bad runs. 07 { ∈ | ∃ | | ∈ } 07 ￿ ￿ { ∈ | ∃ | | ∈ } ￿ ￿ 08 As part of the implicit specification, and for the sake of brevity, we consider08 that pro- As part of the implicit specification, and for the sake of brevity, we consider that pro- 09 gram executions should terminate. Otherwise the results are similar after09 revisiting gram executions should terminate. Otherwise the results are similar after revisiting 10 (1-a,1-b) for infinite runs as considered in [10]. 10 (1-a,1-b) for infinite runs as considered in [10]. 11 11 12 4 The contract precondition inference problem 12 4 The contract precondition inference problem 13 13 Definition 4 Given a transition system Σ, τ, I and a specification A,thecontract Definition 4 Given a transition system Σ, τ, I and a specification A,thecontract 14 ￿ ￿ 14 ￿ ￿ precondition inference problem consists in computing P ℘(Σ) such that when precondition inference problem consists in computing PA ℘(Σ) such that when 15 A ∈ 15 ∈ replacing the initial states I by P I, we have 16 replacing the initial states I by PA I, we have 16 A ∩ ∩ + + 17 ￿τ + ￿τ + (no new run is introduced) 17 (2) ￿τ ￿τ (no new run is introduced) (2) PA I I PA I I 18 ∩ ⊆ 18 ∩ ⊆ + + + ￿´ ￿τ + = ￿τ + ￿τ + E￿´ (all eliminated runs are bad runs). (3) ￿τ = ￿τ ￿τ EA (all eliminated runs are bad runs). 19 (3) I P I PA A 19 I PA I PA \ A \ ⊆ ￿￿

\ \ ⊆ 20 ￿￿

20 01 5 21 21 The following lemma shows that, according to Def. 4, no finite maximalFixpoint good abstraction. run is TheRecall following from lemma [12, 7.1.0.4] shows that that, according to Def. 4, no finite maximal good run is 02 22 ever eliminated.

22 ever eliminated. Lemma 7 If L, , is a complete lattice or a cpo, F L L is increasing, L,

03 23 ￿

54 fadol fi rsre xsiggb fdcesn chains. decreasing of glbs existing preserves it if only and if co-continuous is

23 ￿ ⊥￿ γ ∈ → ￿ (6)(8) ,(7)

04 is a poset, α L L is continuous , +F L￿´ L commutes+ (resp. semi- 24 53 . F of fixpoint least the of iterates the to restricted be can α

+ ￿´ + for Lemma hypothesis 5 continuity (3) The implies ￿τ EA ￿τ .

24 Lemma 5 (3) implies ￿τ E ￿τ . ￿￿ ∈ → (7) I ∈ → PA

I A PA 05 ∩ ¬ ⊆ ￿

52 fadol fi rsre xsiglb ficesn chains. increasing of lubs existing preserves it if only and if continuous is

∩ ¬ ⊆ commutes)25 with F that is α F = F α α (resp. α F F α) then α(lfp F )= 25 ◦ ◦ (6) ◦ ◦

06 ￿ + ⊥

+ 26 ￿Choosing P = I so that I 51 P = hence ￿τ = is a trivial solution, so we . 2 lfp ￿ F (resp. α(lfp F ) lfp ￿A F ).and A

26 Choosing PA = I so that I PA = hence ￿τ =07 is a trivialα( solution,) so we α( ) I PA

I PA ⊥ 27 ⊥ ￿ ⊥ 50 \ ∅ \ ∅ + 1 conditions cient ffi \ ∅ su both for ∅ check to analysis flow data backward a propose We

27 \ 08 + would like PA to be minimal, whenever possible (so that ￿τ is maximal). Please would like P to be minimal, whenever possible (so that ￿τ is maximal).28 Please ¬ 49 I PA

A I PA Applying Lem. 7 to L, L, , we get Cor. 8 and by duality Cor. 9 below. \

28 09 entry. program the from taken be can ￿ that paths ￿all ←− −− 48

\ 29 ￿ note￿ that−−¬ −→ this￿ is￿ not the weakest (liberal) precondition [15], which yields the weakest

note that this is not the weakest (liberal) precondition10 [15], which yields the weakest on an in checked is entry program on checked expression the of value the 2.

29 assert

Corollary30 8 (Davidcondition Park) If underF L whichL theis increasing code47 (either on a does complete not terminate Boolean or) terminates without

11 condition under which the code (either does not terminate or) terminates without entry; on ∈ evaluated → 30 ￿ ￿ 46

lattice L,31 , , thenassertionlfp failure,F = gfp whicheverF non-deterministic. choice is chosen.

12 ￿ ◦ ◦

seatytesm stevleo hsepeso when expression this of value the as same the exactly is the in variables assert 31 assertion failure, whichever non-deterministic choice is chosen. ￿ ⊥ ¬￿ ¬ ⊥ ¬⊥ ¬ ¬45

13 32

44 c reBoenepeso nsaa rcollection or scalar on expression Boolean free ect ff e side visible the of value the

32 Corollary 9 If L, Theorem, is a complete 6 The1. strongestlattice or(5) a dcpo,solutionF toL theL preconditionis increasing, inference problem in Def. 4

(5) 14 33 ￿ ￿ ￿￿ ∈ → (8) 43 ]when 18 [ analysis flow data sound a by done be can This same. the is ect ff 33 Theorem 6 The strongest solution to the precondition inferenceγ problemL L is in co-continuous Def. 4 , F L e L commutes with F that is γ F = F γ

15 34 is + ￿´ ◦ ◦

∈ → ￿ P ∈s →s￿s ￿τ 42 E . (4) 34 is + the when entry, code the to assertions code the ￿ moving reasonings A ￿ syntactic) even A

P s s￿s ￿τ E￿´ . 16 then γ(gfp35 F()=4) gfp γ( ) F . { | ∃ ∈ ∩ ¬ } ￿￿

A ￿ A 41 ecncnie yblc(or symbolic consider can we , 6 and 4 35 Sect. in as ￿ reasonings, ￿ state-based of Instead

{ | ∃ ∈ ∩ ¬ } 17 36 ￿￿

40 P

Instead￿ of reasoning on the set A of states from which there exists a good run

36 otatpeodto neec ydt o analysis flow data 18 by 6 Fixpoint inference strongest precondition contract Contract 7 precondition ￿ ￿

37 ￿

Instead of reasoning on the set PA of states from which there exists a good run without any error, we can reason39 on the complement P that is the set of states

37 19 A | | ∈

38 ￿

P Following [10], let us define the abstraction generalizing38 [15] to traces

￿ without any error, we can reason on the complement that is the set of states ￿ A A A k susudfrapoiaigboth approximating for unsound is k s ￿ . and T s ￿ ) T ( α

P P from which all runs are bad in that they always lead to an error. Define P to be ￿

38 20 ￿ ￿ ￿ A

Lemma 5 A semantics39￿ = Σ, T ￿, is terminating if￿ and only if￿tdm[T ]=Σ37 .

from which all runs are bad in that they always lead to anAbstraction error. Define bywlp Galois[PTT ] connectionstoλ beQ . s s￿s T : s￿s Q +

=0 S A￿￿ ￿ i ￿￿

lentv using alternative h one rfi abstraction prefix bounded the , 6 Th. by but, ￿τ of instead

39 21 ￿τ the set of states from which any complete run in ￿τ does fail.

40 36 + i ∀ ∈ ∈

+ 1 k +

the set of states from which any complete run in ￿τ does22 Definition fail. 6 (termination− ￿ proof) A.termination￿ proof for a trace semantics￿ is the san is ] 5 hsde o cl po o nnt tt ytm,buddmdlcekn [ model-checking bounded systems, state wlp [Q infinite ] for λ or P up s￿s scale Σ not ( does s Pthis ) (s￿s Q) +

40 concrezaon 41 ￿ ￿ ￿ ￿ 35 ST ￿´

∈ P PA = s s￿s ￿τ : s￿s EA .

23 proof, using the definition of as hypothesis,￿∈ thatA ￿ it is terminating∈ ⇒ for all∈ states, that is

T 1 + A 34 s precondition the check to a rce yehutv nmrto.I case In enumeration. exhaustive by proceed can ￿ 41 ￿´ P S wlp− [Q] ¬ { | ∀ ∈ ∈ }

PA PA = s s￿s ￿τ : s￿s EA . Σ tdm[T￿] (a variant is42Init +tdm[T￿]whereInit Σ is a given set of initial states). +

￿ 24 such that ℘(Σ￿ ), ￿ ￿ ℘(Σ), and P ￿= wlp[￿τ ](E￿´ ). By fixpoint ⊆ ⊆ ⊆ 33 ￿￿ A A of scmual trtvl,u ocmiaoilepoin h code The explosion. combinatorial to up iteratively, computable is 10 nTh. in A ¬ { | ∀ ∈ ∈ } ￿ P 42 43 5←−−−−−−−−−−￿ Basic￿ ￿ elements of abstract interpretation

25 ￿ ⊆￿ −−−−−−−−−−→λ T . wlp[T ]Q ￿ ⊇￿

Σ, τ, Init 32

,tefipitdefinition fixpoint the ], 2 [ model-checking in assumed as finite, is states of Σ 43 concrete concrete 44 set the If γ

5 Basic elements of abstract interpretation￿

26 ￿ abstraction,￿ abstracon it followsabstract fromabstract (1-a) and Cor. 8 that post r X s￿ s X : r(s, s￿) 31

∀ | { ￿￿ } ∈ ⇒ ￿∈

￿ ￿

44 domain implicaon 45 Galois connections. A Galois connection L, ￿ L, consists of posets L,

γ27 { | ∃ ∈ domain} implicaon α ￿ ￿ ￿ ←− −− ￿ s s . Q s t s s,

: ￿ ￿ ￿ ￿￿ ￿

Σ 30 −− −→

∃ | { ∪ ¬ ¬ } ￿∈ ￿

∈ ⊆ ⊆

45 Galois connections. A Galois connection L, ￿ L, consistsTheorem of46 posets 10 PA L,= bestgfp abstraction, L,λ P . EandA ( mapsB αpre[tL]P ) andL, γPAL= lfpL suchλ P . thatEA x L, y L : α(x) y ￿ ￿ α28 Σ ￿ ￿ ￿

s s Q ] t [ pre where ) P ] t [ pre ( )= Q ]( t [ pre Q ] t [ pre and t s s, : ←− −− Q B

￿ ￿ −− −→ ￿ ￿￿ ￿ ￿ ￿ ￿￿ ∪ ¬ ∩ ∈ 29 → α ∈ → ∅ ¬ ∀∩ ∈ ∈ ￿ ⇔

∅ 47 ∩ ¬ ∩ ¬

46 , L, and maps α L L, γ L L such that29 xτ ∗ =L,lfp(⊆ yBλR∪ .LpreΣ: [αtR](Px)τ)wherey prex[t]Qγ(y).s Thes￿ dualQ : iss, sL,￿ t and preL,[t]Q . Inpre a[ Galoist]( Q)= connection, the abstraction

◦ Σ

￿ ￿ ￿ 28 ￿ ￿

A

A A A ∪ γ P λ lfp = and ) P ] t [ pre ( P λ gfp = hoe 10 Theorem

E P B E P . α . ←− −− ⊆ ￿ ￿ ￿￿ ∈ → ∈ → ∀ ∈ ∈∪ ￿⊆ ⇔ { | ∃ ∈ ￿ ￿ ￿∈￿￿} ￿ ￿ ¬ ¬

47 30 s s￿ : s,48 s￿ t soundnesss￿ Q . ￿ −− −→ x ￿ γ(y). The dual is L, L, ￿ . In a Galois connection, the abstraction α preserves existing least upper27 bounds (lubs) hence is increasing so, by duality, the

←−γ −− λR . post{ R| Init∀ λ￿R . Σ ￿∈R τ⇒]=λR∈. Init} post τ (post R Init) ￿￿

48 ￿ ￿￿ −− −→ ￿ ￿ 31 ◦ 49 ◦ ∪ ∪ 26 that 8 Cor. and -a) 1

α preserves existing least upper bounds (lubs) hence isExample: increasingIf so,the by set duality,Σ of ( states the from isconcretization finite, follows it as assumedγ is inabstraction, increasing model-checking and preserves [2￿], the fixpoint existing definition greatest lower bounds (glbs). If

32 λX .50s, s￿ s Init s￿ X

−−−−−−−−−−→

49 25 T Q ] T [ wlp λ .

⊆￿ ⊇￿ ￿ {￿ ￿| ∈ ⇒ ∈ } ￿

￿ ￿ ￿

℘(Σ Σ), ←−−−−−−−−−− ℘(Σ),

P ￿ L, is a complete Boolean lattice with unique complement then the complement

A of A in Th. 10 is computable iteratively, up to combinatorial explosion. The code

concretization γ is increasing and preservesA existing greatest33 lower bounds (glbs). If

.B fixpoint By ). ]( ￿τ [ wlp = , ) and , ) Σ ( ℘ Σ ( ℘

←−−−−−−−−−−−−−−−−−− that such E

P ￿ × ⊆￿ 51λR . post R Init ￿￿ ⊆￿

24

￿ ￿ ´ −−−−−−−−−−−−−−−−−−→ ￿ ￿

50 ￿ + ￿ + ￿ ¬

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 © P. Cousot

] Q [ wlp

− P ¬

34 to check the￿ preconditionisomorphisms A canis proceedL, by exhaustiveL, (since enumeration.x y Inx case y).

L, is a complete Boolean lattice with unique complement then the complement521 ￿ ￿ ￿ ￿ 23

. ￿ ∈ ⇒ ∈

51 ￿ post τ ∗ Init = lfp⊆ λX Init∈ ￿ post￿ τ X ∈ ￿ ￿ ←− −− ￿ ￿ ¬ ⇔ ¬

￿ ￿ ￿

￿ ￿ 35 ¬ ∪ ￿ −−¬ −→

) Q s ￿ s ( ) P s ( P λ ] Q [ Σ s ￿ s this does not scale up or for infinitewlp state systems, bounded model-checking [5] is an

−

¬ .

53 22 ￿ ￿

isomorphism is L, L, (since x y x Bady). ￿

+

52 ￿ ￿ ￿ ￿ k 1

∈ ∈

←− −− ∀ (5) i +

￿ ￿ ￿ ￿ ¬ ⇔ 36 ¬post τ ∗ Init Bad Following [15], P is said to be stronger than Q and Q weaker than P if and only if P Q. −−¬ −→ alternative using ￿τ instead of ￿τ but, by Th. 621 , the bounded prefix abstraction

54 i=0 ￿ Q s ￿ s : T s ￿ s s Q λ ] T [ wlp 53 ⊆ . ￿ ￿ ￿ ￿ ⊆

37

(5) α (T￿ ) ￿s T￿ ￿s k is unsound for approximating20 both P and P .

54 Following [15], P is said to be stronger than Q and Q weaker than P if andk only￿ if P Q. ￿ A A otraces to ] 15 [ generalizing abstraction the define us let ], 10

38 ∈⊆ ￿| | [ Following 9 Transition abstraction and semantics 19

39 ￿ ￿ ￿ 4 18 ipitsrnetcnrc precondition 7 Contract contract ￿ precondition strongest inference Fixpoint 6 by data flow analysis

40 A transition system Σ, τ is a transition relation τ (Σ) on a non-empty set Σ of states.

￿ ￿ ∈￿ 17

￿

4 Instead of state-based reasonings,￿ as in Sect. 4 and 6, we can consider symbolic (or

41 It is deterministic if and only if τ is a function. The transition semantics abstraction of a ) ( γ

16

gfp )= F . F gfp ( γ then

even syntactic)￿ reasonings moving￿ the code￿ assertions to the code entry, when the

trace semantics = Σ, T is the transition￿ system τ = Σ, ατ (T ) where the transition

→ ∈ →

42 T ∈

15

◦ ◦ S ￿ ￿ S ￿ ￿

γ F = F γ is that F with commutes L L F , co-continuous is L L

abstractioneαffτectis is the same. This can be done by aγ sound data flow analysis [18]when

43 (8) ￿ → ∈ ￿￿ ￿

14

If 9 Corollary sincreasing, is L L F dcpo, a or lattice complete a is , 1. the value of the￿ visibleL, side effect free Boolean expression on scalar or collection

44 ατ ℘(Σ ∞) (Σ)

∈ −→ ￿ 13

⊥ ¬ ⊥

¬ ¬ ¬ ￿ ¬ ⊥

45 variables￿ in the assert is exactly￿ ￿ the same￿ as the value of this expression when

◦ ◦ 12

ατ (T ) ￿ s, s￿ ￿s, ￿s ￿ ￿ Σ ∝ : ￿sss￿￿s ￿ T . F gfp = F lfp then , , L,

{￿ ￿ | ∃ ∈ ∈lattice }

￿

46 ￿ 2 →

evaluated∈ on entry;￿

￿r ￿ ￿s Σ r(￿s0, ￿s1) 11

sicesn nacmlt Boolean complete a on increasing is L L F If

47 2. the value of the{ Park) expression∈ | (David 8 checked} onCorollary program entry is checked in an assert on

￿ 10

γτ (Σ) ℘(Σ ∞)

−−→ −− ¬

￿ ￿ ￿ ￿

48 −− ←− ∈￿ −→

09 ￿ all￿ paths that can be taken from the program entry.

L, to 7 Lem. Applying below. 9 Cor. duality by and 8 Cor. get we , L, γ (τ) ￿τ τ ¬ ∝

49 ￿

We propose a backward data flow analysis to check08 for both sufficient conditions 1

⊥ ⊥ ⊥

50 ￿ ) ( α ) ( α

07

). F lfp ) F lfp ( α (resp. F lfp

￿ and 2. ￿

51 γ ￿ ⊥ τ

￿

￿ 06

◦ ◦ ◦

Lemma 7(6)℘(Σ ∞), ◦ (Σ), α is that F with commutes) lfp ( α then ) α F F α (resp. α F = F )=

F 52 ￿ α is continuous⊆￿ ←−−−ατ ￿￿if and⊆￿ only if it preserves existing lubs of increasing chains.

05 ￿ −−−→

→ ∈ ￿￿ →

∈ (7)

53 The continuity hypothesis for α can be restricted to the iterates of the least fixpoint of F .

L α poset, a is omts(ep semi- (resp. commutes L L F , continuous is L Note that this transition abstraction is not an isomorphism (e.g., for Σ =04 a, b and

(7) ,

(8)(6)

￿ → ∈ ⊥￿

￿ n γ is co-continuous￿ if and only￿ if it preserves existing glbsω of{ decreasing￿ } chains.

54 T = a b n 1 , ατ (T )= a, a , a, b which trace semantics includes a T ). ￿

￿ 03 sincreasing, is L L F cpo, a or lattice complete a is , L, If 7 Lemma L, { | } {￿ ￿ ￿ ￿} ￿∈￿ Termination proofs can proceed by induction on the transition relation ατ (T )whenit

is well-founded, as shown by Lem. 9 below. 02

...]that 7.1.0.4] , 12 [ from Recall abstraction. Fixpoint 5 01 7 Lemma 5 A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. Lemma 5 LemmaA semantics 5 A semantics= Σ, T￿ ,= isST terminatingΣ, T￿￿ , is￿ terminating if and only if if andtdm only[T￿]= if tdmΣ. [T￿]=Σ. ￿￿ ST ￿ ST￿ ￿ ￿ ￿￿ ￿￿ Definition 6 (termination proof) A termination proof for a trace semantics is the DefinitionDefinition 6 (termination 6 (termination proof) A proof)termination￿ A termination proof for a proof tracefor semantics a trace semantics￿is the isS theT Lemmaproof, 5 usingA semantics the definition= ofΣ, T as, is hypothesis, terminating that if andit is only terminating if tdmT[T for]= allΣ. states,T that is T ST S S proof, usingproof, theΣ definition usingtdm[ theT￿] of (a definition variantas hypothesis,S of is Init￿ as hypothesis,tdm that￿ [T￿]where it is terminating thatInit it isΣ terminatingis for a all given states, for set all of that initial states, is states). that is￿￿ ￿ Lemma⊆ 5 ￿A semanticsST = Σ￿, T￿ S,T is terminating⊆ ￿ if and only if tdm⊆[T￿]=Σ. ￿￿ Σ tdm[T ]DefinitionΣ (a varianttdm[T ] is 6(aInit (termination variantStdmT is￿[InitT ]where￿ proof)tdmInit[T ]whereA terminationΣ isInit a givenΣ proofis set a of givenfor initial a set trace states). of￿￿ initial semantics states). is the ⊆ ⊆ ⊆ ⊆ ⊆ ⊆ ￿￿ ST ￿￿ DefinitionΣ 6, (terminationτ, Init proof) A termination proof for a trace semantics is the proof,Lemma using 5 A semantics the definition= Σ, T￿ of, is terminatingas hypothesis, if and only that if tdm it[T￿]= isΣ terminating. ST for all states, that is Σ, τ, Initproof,Σ using, ￿τ, theInit definition￿ST of ￿ as￿ hypothesis,ST that it is terminating for all states, that￿￿ is Σ tdmpost[T￿] (ar X variants isST Inits Xtdm: r([s,T￿]where s ) Init Σ is a given set of initial states). ￿ Σ ￿ ￿tdm[T￿] (a variant￿ ￿ is Init￿ tdm[T￿]whereInit ￿ Σ is a given set of initial states). Definition⊆post r 6X (terminations￿ { s proof)| ∃X∈:A⊆rtermination(s, s￿) proof} for a trace⊆ semantics is the ￿￿ post r X ￿⊆ sConvergence￿ s ￿X : r(s,⊆ s￿) acceleration⊆ ST ￿￿ proof,{ using|Σ∃ the∈ definition{ | of∃ ∈as} hypothesis, that} it is terminating for all states, that is Σ ST Σ Σ tdmΣΣ, ,τ[T,￿τ]Init, (aInit variant is Init tdm[T￿]whereInit Σ is a given set of initial states). Fixpoints⊆￿ ￿can be computed⊆ iteratively⊆ ￿￿ • post￿ r X ￿ s￿￿ s X : r(ns, s￿) postlfpr ￿XF{ =| ∃s￿∈ sF (X }): r(s, s￿) ￿ n￿n0 lfpΣΣ, τ￿, FInitn= { F| ∃( ∈) ⊥ }May not finitely converge lfp￿ F = ￿ F ⊥(￿ ) n￿0 postn￿Σ0⊥r X ￿ s￿ s X : r⊥(s, s￿) ⊥ ⊥{ | ∃n ∈ } lfp￿ F = 0 F ￿( ) n+1 n n ￿ ￿ AccelerateΣ F ↑ n ￿convergence0 ,..., byF ↑ a wideningF ↑ F (F ↑ ) until F (F ↑ ) F ↑ • ￿ ⊥ ￿￿ ⊥ ￿ F 0 ,...,τ ∗ = lfpF⊆nλ+1⊥R . FΣn nR Fτ(F n) until F (F ￿) F ￿ ￿ ↑ ￿ lfp￿ F =￿↑ n ￿F ↑( ) ◦ ↑ ↑ ↑ lfp￿0 F = Fn ( 0)n+1∪ n n ￿ ￿ ￿ ⊥ F ↑ ￿ ,...,n￿0 ￿F ↑ ￿ F ↑ F (F ↑ ) until F (F ↑ ) F ↑￿ ⊥⊥ ⊥ 0 ⊥￿ ⊥￿ n+1 n ￿n ￿ ￿ F ↓ ￿ F ↑ , ..., ￿F ↓ ￿ F ↓ F (F ↓ ) until F (F ↓ )=F ↓ 0 ￿ λR0 . post￿ ￿Rn+1Initn+1 λRnn. nRn τ]=λR￿ . Init ￿ ￿ post τ ￿(post R Init) F F followed,F ↑ 0...,0￿ ,..., ￿byF a narrowingF ↑ n◦￿+1FFn↑ +1nFFΣ(F(F↑ ) nn◦)untiluntilF (Fn↑ )F (￿FF↑ )=￿ F ￿ ￿ ↓ ￿ •↑ FF↓↑ ￿￿⊥F ↑ , ,...,...,↓ F￿↓ F ↑↓￿ F ↓ ￿∪FF(F↓↑↓ ) Funtil(F￿↑ F)(F￿↓until)=∪↓ F ↓ F (F↓ ↑ ) F ↑ ⊥ ￿ ￿￿￿ ￿ ￿ 0 lfp￿ F￿ F￿ ↓n+1λX F. ↑ns, s￿ s nInit￿ s￿ X ￿ ￿ Flfp↓￿￿F F ↑ F, ...,F F ↓ ￿ F ↓ F (F ↓ ) until F (F ↓ )=F ↓ ￿℘(0Σ ￿Σ↓ ￿),￿ ↑ ￿ {￿n+1 ￿| ∈ n⇒ ∈ } n℘(Σ), ￿ ￿ lfp￿ F F ↓ ⊥ F￿⊥↑ ￿ ￿ F ↓ ￿ F ↑ , ...,←−−−−−−−−−−−−−−−−−−F ↓λR . post￿ FR↓Init F (F ↓ ) until F (F ↓ )=F ↓ ⊥ ￿ ￿ ￿ × ￿ ⊆￿￿ −−−−−−−−−−−−−−−−−−→ ￿ ⊆￿ tolfp get￿ F anF over-approximation↓ . F ↑ • τ ∗⊥= lfpτ￿⊆ =λR￿lfpΣ λRR .τ R τ ￿ ∗ ⊆∪ ◦ Σ . ◦ τ ∗ = lfp⊆ λRpost. Στ ∗ InitR ￿=τ lfp⊆￿λX∪ Init ￿ post￿ τ X τlfp∗ =￿lfpF⊆ λR .F ↓Σ◦ R Fτ↑ ∪ λR . post∪￿R Init ∪￿λR◦. Σ R τ]=λR . Init post τ (post R Init) Bad⊥ . ◦ ∪ ◦ . ∪ . λR post R Init ◦ λR Σ R ◦ τ]=λR Init post τ (post R Init) λpostR . postτ R InitInit λXRBad.. s,Σ s￿ Rs Initτ]=s￿ λXR . Init post τ (post R Init) λR . post R Init ∗λR .◦ .Σ {￿ R∪￿| ∈τ◦]=⇒ ∈λR} .∪Init∪ post τ (post ∪R Init) 49th iEEE Conference onτ℘ Decision∗(Σ= and Control,lfp◦Σ Atlanta),⊆ GA,λ Pre-ConferenceR⊆ WorkshopΣ on Verification◦R of Controlτ Systems, Dec. 14, 2010 ℘ ( Σ ) , 26 © P. Cousot ￿ × ⊆￿ ←−−−−−−−−−−−−−−−−−−∪λR . post R◦ Init ￿ ∪⊆￿ −−−−−−−−−−−−−−−−−−→λX . s, s∪￿ s InitλXs.￿ X s, s￿ s Init s￿ X ℘(Σ Σ), {￿ ￿| ∈ ⇒ ∈{￿} ℘￿|(Σ∈), ⇒ ∈ } ℘λ(XΣ. ←−−−−−−−−−−−−−−−−−−s,Σ s)￿, s . Init s￿ X ℘(Σ), ￿post ×τ ∗ Init⊆￿=−−−−−−−−−−−−−−−−−−→lfp⊆ λλXR .postInit←−−−−−−−−−−−−−−−−−−R￿ Initpost￿ τ X￿ ⊆￿ ℘(Σ Σ),λR .￿post ×R{￿ Init￿|⊆￿∈λ−−−−−−−−−−−−−−−−−−→R⇒∪. ∈ λ}R R. post℘τ(ΣR]=)Init, λR . Init￿ post ⊆￿τ (post R Init) 9Bad Transition←−−−−−−−−−−−−−−−−−−◦ abstractionΣ ◦ and semantics ￿ × post⊆￿τ−−−−−−−−−−−−−−−−−−→∗ Init = lfpλR⊆ .λpostX . InitR ￿Initpost￿ τ ∪X ￿ ⊆￿ ∪ post τ Init Bad ∪ Bad post∗ τ ∗ Init = lfp⊆ λX . Init post τ X ⊆ λX . s, s￿ s Init ￿s￿ ￿ X post τ AInittransitionpost= τlfp∗ Init⊆ λ systemXBad. Init Σpost, τ{￿ isτ a￿X|transition∈ ⇒∪ ∈ relation} τ (Σ) on a non-empty set Σ of states. ∗ ℘(ΣBadΣ⊆), ￿ ￿ ℘(Σ), ￿ × ⊆￿ ←−−−−−−−−−−−−−−−−−−￿∪ λ￿R . post R Init ￿ ∈￿⊆￿ Bad It9 is Transitiondeterministicpost τ Init abstraction−−−−−−−−−−−−−−−−−−→if andBad only ifandτ is semantics a function. The transition semantics abstraction of a ∗ ￿ ￿ post τ trace9Init Transition semanticsBad abstraction=⊆ Σ, T andis the semantics transition system τ = Σ, ατ (T ) where the transition ∗ A transitionpost τ ∗ systemInit =ΣT,lfpτ ⊆isλ a Xtransition. Init relation￿ post￿ ττ X(Σ) on a non-empty set Σ of states. ⊆ ￿S ￿ ￿ ￿ ∪ ∈￿ S ￿ ￿ abstractionAIttransition isBaddeterministic systemατ ifisΣ and, τ onlyis a transition if τ is a function. relation τ The(transitionΣ) on a non-empty semantics set abstractionΣ of states. of a ￿ ￿ ￿ ∈￿ ￿ Ittrace is 9deterministic semantics Transitionif= andΣ only, T ifisτ the abstractionis a transition function. system The transitionτ = andΣ semantics, ατ ( semanticsT ) where abstraction the transitionof a post τ ∗ InitST ￿ Bad￿ ￿ ￿ S ￿ ￿ ￿ 9 Transitiontraceabstraction semanticsα abstractionτ is = Σ, T is theα transitionτ and℘ system( semanticsΣ ∞)τ = Σ, α(τ Σ(T)) where the transition ST ⊆￿ ￿ S ￿ ￿ abstraction α is ∈ −→ ￿ A transitionτ system ￿Σ,￿τ is a transition relation￿ τ (Σ) on￿ a non-empty set Σ of states. ατ ατ (T℘)(Σ ∞￿) s,(Σ s)￿ ￿s, ￿s ￿ Σ ∝ : ￿sss￿￿s ￿ T A transition system Σ, τ is a transition∈￿ ￿ ￿ relation−→{￿ ￿ τ￿ | ∃ (Σ)∈ on a non-empty∈￿ ∈ set} Σ of states. It is deterministicα￿τ if℘ and(Σ ∞) only if(Σ)τ is￿2 a function.￿ The transition semantics abstraction of a 9 Transition￿ ￿ ατ (T ) abstraction∈￿ s, s￿−→ ￿￿s,￿s ￿ ￿Σ and∝∈￿: ￿sss￿ semantics￿s ￿ T ￿ {￿r￿ ￿￿ | ∃ ￿s ￿∈Σ r(￿s0,￿￿s∈1)} It is deterministic if and onlyατ (T if) τ is as, function. s￿ ￿ ￿s,￿s ￿ Σ The∝ : ￿ssstransition￿￿s ￿ T semantics abstraction￿ of a trace semantics ￿r ￿ ={￿ ￿sΣ,￿Σ￿T| 2∃ {ris(￿s∈ the∈,￿s ) transition| ∈ } system} τ = Σ, ατ (T ) where the transition ￿ T ￿ ￿ 2 0 1 ￿ ￿ trace semantics = Σ, T is￿rS the￿ transitionγ￿s{￿τ ∈Σ r￿|(￿s0(, system￿sΣ1)) } ℘τ(Σ=∞Σ) , ατ (T )S where￿ the transition￿ A transitionabstractionT systemατ isγ Σ, τ{ ∈is(Σ) a transition| ℘(Σ￿ }) relation τ (Σ) on a non-empty set Σ of states. S ￿ ￿ τ ∈￿￿ ∞ −→ S ￿ ￿ γτ￿ ∈￿￿(Σ) −→℘(Σ ∞) ∈￿ abstraction ατ is γτ (τ) ￿τ ∝ It is deterministicγτif(τ) and∈￿￿ only￿τ ∝ −→￿ if τ is a function. The transition semantics abstraction of a γτ (τ) ￿τ ∝ ￿ ￿ ￿ ατ ℘(Σ ∞) (Σ) ￿ trace semantics = Σ, T is the transition system τ = Σ, ατ (T ) where the transition α T ℘(Σ￿ ) ∈ (Σ) −→ ￿ τS ￿ ∞￿ 7 S ￿ ￿ abstraction ατ is ∈ α (T￿−→) ￿ s, s￿ ￿s,￿s ￿ Σ￿ ∝ : ￿sss￿￿s ￿ T￿ ￿ τ 7￿ {￿ ￿ ￿ | ∃ ∈￿ ∈ } ατ (T￿) ￿ s,γ sτ￿ ￿s,￿s ￿ Σ ∝￿:2￿sss￿￿s ￿ T Lemma 7 ℘(Σ ∞), {￿ ￿ |￿r∃ ￿(Σ￿),∈￿s Σ r(￿s0,∈￿s1)} ￿ ⊆￿ ←−−−ατα￿τ 2 ￿￿℘(Σ{∞⊆￿)∈ |(Σ) } ￿r ￿ ￿s−−−→Σ ∈ r(￿s0, ￿s1) −→ ￿ ￿ { ￿∈ γτ| (Σ}) ℘(Σ￿∞) ￿ Note that this transitionατ (T ) abstraction￿ ∈￿￿s, s￿ is−→￿ nots,￿s ￿ anΣ isomorphism∝ : ￿sss￿￿s ￿ (e.g.,T for Σ = a, b and γτ (Σ) ℘{(￿Σ ∞)￿ | ∃ ∈ ∈ } { } T￿ = anb n 1 ,∈￿α (T￿)=γτ−→(τa,) a￿, a,￿τ ￿∝ b2 which trace semantics includes aω T￿). ￿ τ ￿r ￿ ￿s Σ r(￿s0, ￿s1) { | γτ (τ) } ￿ ￿τ ∝ {￿ {￿ ￿∈ ￿}| } ￿∈ ￿ γτ (Σ) ℘(Σ ∞) ∈￿ −→ 7 7 γτ (τ) ￿ ￿τ 7∝

7 Intuition for Widening

f f

f(x)6x

l fp f l fp f x Iteration Iteration with widening (using the derivative as in Newton-Raphson method)

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 27 © P. Cousot Lemma 5 A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. ST ￿ ￿ ￿￿ ￿ Definition 6 (termination proof)￿ A termination proof for a trace semantics is the Lemma 5 A semantics = Σ, T , is terminating if and only if tdm[T ]=Σ. ST ST ￿ ￿proof, using the definition of as hypothesis,￿￿ that it is terminating for all states, that is ST Definition 6 (termination proof) ΣA terminationtdm[T￿] (a proof variantfor is a traceInit semanticstdm[T￿]whereis theInit Σ is a given set of initial states). ST proof, using the definition of as hypothesis,⊆ that it is terminating for⊆ all states, that is ⊆ ￿￿ ST Σ tdm[T￿] (a variant is Init tdm[T￿]whereInit Σ is a given set of initial states). ⊆ ⊆ ⇒ ⊆ ￿￿ Σ, τ, Init ⇒ ￿ ￿ Σ, τ, Init Lemma 5 A semantics = Σ, T￿ , is terminating if and only if tdm[T￿]=Σ. ￿ ￿ ST post￿ r ￿X ￿ s￿ s X : r(s, s￿) ￿￿ Lemma 5 A semantics = Σ, T￿ {, is| terminating∃ ∈ if and only} if tdm[T￿]=Σ. Definition 6 (termination proof)ST ￿A termination￿ proof for a trace semantics is the ￿￿ post r X ￿ s￿ s X : r(s, s￿) ST { |proof,∃ ∈ using the definition} of as hypothesis, that it is terminating for all states, that is Definition 6 (terminationSΣT proof) A termination proof for a trace semantics is the Σ tdm[T￿] (a variant is Init tdm[T￿]whereInit Σ is a given set of initial states). ST ⊆ proof, usingLemma the definition 5 A⊆ semantics of as hypothesis,= Σ⊆, T￿ , that is terminating it is terminating if and for only all if states,tdm￿￿ [T￿]= thatΣ. is Σ ST T Σ tdm[T￿] (a variant is Init tdmS[T￿]where￿ n Init￿ Σ is a given set of initial states). ￿￿ ⊆ lfp￿ F⊆= F ( ) ⊆ ￿￿ ⇒ Definition 6 (terminationn￿0 proof) A termination proof for a trace semantics is the n ⊥ ⊥ T lfp￿ F = F ( ) S n￿0 proof, using the definition of as hypothesis, that it is terminating for all states, that is ⊥ ⊥Σ, τ⇒, Init 0 ￿ ST n+1 n n ￿ ￿ ￿ ￿ Σ tdm[T￿] (aF ↑ variant￿ is,...,Init tdmF[T￿↑]where￿InitF ↑ Σ isF a(F given↑ ) setuntil of initialF states).(F ↑ ) F ↑ 0 ￿ n+1Σ, τ, Initn⊆ n ⊥ ⊆ ￿ ￿ ⊆ ￿￿￿ F ↑ ￿ ,...,Fpost↑ r ￿X F￿↑ s￿ Fs (FX↑ :)r(s,until s￿) F (F ↑ ) F ↑ ￿ ⊥ ￿ { ￿| ∃ ∈ } ￿ ￿⇒ 0 ￿ n+1 n n ￿ ￿ post r X s sF ↓ X￿: rF(s,↑ s,) ..., F ↓ ￿ F ↓ F (F ↓ ) until F (F ↓ )=F ↓ 0 ￿ Σ n+1 n￿ { ￿ | ∃ ∈n ￿ } ￿ ￿ F ↓ ￿ F ↑ , ..., F ↓ ￿ F ↓ Σ, τF, (InitF ↓ ) until F (F ↓ )=F ↓ ￿ ￿ n ￿ lfp￿ F Σ= F ￿( ) ￿ ￿ n￿0 lfp￿ F F F ￿ ￿ ⊥ ⊥ ↓ ↑ lfp￿ F F ↓ F ↑ post r X ￿⊥s￿ ￿s X : ￿r(s, s￿) ￿ ￿ 0 ￿ n+1n {n | ∃ ∈ n } ￿ ￿ ⊥ F lfp￿,...,F = F F ( F) F (F ) until F (F ) F ↑ ￿ n￿0↑ ￿ ↑ ↑ ↑ ↑ ⊥⊥ τ⊥ = lfp λR . R τ￿ τ = lfp λR . R τ Σ ∗ ￿ ⊆ Σ ◦ ∗ ⊆ Σ 0 ◦ 0 ￿ ￿ n+1 n+1 n n n n ∪ ￿ ￿￿ ￿ ∪F ↓ ￿FF↑ ↑￿, ...,,...,F ↓ F ↑￿ F ↓￿ FF↑ (F ↓F)(Funtil↑ ) untilF (F ↓ )=F (FF↑↓) F ↑ n ⊥ lfp￿ F = F ￿( ) ￿ n￿0 ￿ ￿ ⊥￿ . ⊥ . . λR . post R Init λlfpR￿.F 0 F R ￿Fτ]=λRλR.nInit+1postpostRn Initτ (postnλRR InitΣ ) R ￿ τ]=￿ λR Init post τ (post R Init) ◦ FΣ↓ ↓ F ↑◦, ↑ ..., F ↓ F ↓ F (F ↓◦ ) until F (F ↓ ◦)=F ↓ ⊥ ￿ ∪￿ ￿ 0 ￿ ￿∪ n+1 n n ∪ ￿ ￿ ∪ F ↑ ￿ ,...,F ↑ ￿￿ F ↑ F (F ↑ ) until F (F ↑ ) F ↑ λX . s, s s Init s X⊥ λX . s, s￿ s Init s￿ X ￿ τ ∗ = lfp⊆￿ λR . Σ ￿ ￿ R τ￿ ￿ {￿ ￿| ∈ ⇒ ∈ } {￿lfp￿￿|F∈ F⇒↓∪ ∈ F◦}↑ ℘(Σ Σ), ℘(Σ), ℘(Σ Σ), ￿ 0￿ ￿ ℘(Σ), n+1 n n ￿ ￿ ￿ × ⊆￿ −−−−−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−−−−−λR .⊥post R FInit↓ ￿ F ↑￿ , ￿ ...,× F⊆￿↓ ⊆￿￿ −−−−−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−−−−−F ↓ Fλ(FR↓. post) untilR InitF (F ↓ )=￿F ↓ ⊆￿ λR . post R Init λR . Σ R τ]=λR . Init post￿ τ (post R Init) τ ∗ = lfp⊆ λ◦R . Σ R∪ τ◦ ∪ ￿◦ ￿ post τ ∗ Init = lfp⊆ λX . Init post￿ τ X∪ . ￿ ￿lfpλX .F s, spostF￿ ↓s InitτF∗s↑￿ InitX = lfp⊆ λX Init ￿ post￿ τ X ℘(Σ Σ), ∪ ⊥ {￿￿ ￿| ∈ ￿ ⇒ ∈ } ℘(Σ), ∪ Bad . ←−−−−−−−−−−−−−−−−−−. . . ￿ λ×R post⊆￿ −−−−−−−−−−−−−−−−−−→R InitλR◦ λBadpostR RΣInit R ◦ τ]=￿ λR ⊆￿Init post τ (post R Init) τ = lfp⊆ λR . ∪ R τ ∪ post τ ∗ Init Σ Bad ∗ . post τΣ ∪Init◦ Σ Bad ⊆ \ post τ ∗ Init = lfp⊆ λX λInitX . ￿s,post￿ s￿ ∗s τInitX s￿ X ℘(Σ Σ), {∪￿ ￿| ∈ ⇒ ⊆∈ } \ ℘(Σ), Bad . ←−−−−−−−−−−−−−−−−−−λR . post R .Init . ￿ × λR⊆￿post−−−−−−−−−−−−−−−−−−→R Init ◦ λR Σ R ◦￿τ]=λR⊆￿Init post τ (post R Init) post τ ∗ Init = lfp⊆ postλX .τ ∗InitInit postΣ Badτ X Σ Bad ∪ ∪ Soundness⊆ \ postand τ(In)completenessInit = lfp⊆ λX . Init post τ X Σ Bad post τ∪∗ Init = lfp⊆ λ⊆X . Init\∗λX￿ .post￿ s, s￿τ sXInit s￿ X ℘(Σ Σ), ∪ {￿ ￿| ∈ ⇒ ∈ } ℘(Σ∪), ⊆ \ post Badτ ∗ Init = lfp￿ ⊆ λX×. Init ⊆￿post←−−−−−−−−−−−−−−−−−−τ XλR . postΣ RBadInit ￿ ￿ ￿ ⊆￿ α(post τ Init)=α(lfpSoundnessλX . Init: Wepost effectivelyτ X−−−−−−−−−−−−−−−−−−→) computelfp￿ F F suchF that ∗ • post⊆ τ Init Σ Bad∪ ⊆ \ ↓ ↑ ￿ ￿ ∗ ∪ α(post ￿τ Init⊥ )=￿ α(lfp￿⊆ λX . Init post τ X) lfp￿ F F F post⊆ τ ∗\Init = lfp⊆ λ∗X . Init ￿ post￿ τ X ￿ ￿ ↓ ↑ α(post τ ∗ Init)=α(lfp⊆ λX . Init post τ X∪) lfp￿ F F ↓ F ↑ ∪ ￿ ⊥ ￿ ￿ ￿ Bad ∪ ￿ ⊥ ￿ ￿ F ↓ Bad = post τ ∗ Init = lfp⊆ λX . Init post τ X Σ Bad ∩ ∅ ￿ post τ ∗ Init ￿ Σ ∪Bad ⊆ \ F ↓ andBad check= that F ↓ ⊆ Bad \ = in the abstract, ∩ ∅ ∩ ∅ ￿ ￿ α(post τ ∗ Init)=α(lfp⊆ λX . Init post τ X) lfp￿ F F ↓ F ↑ proving post τ ∗ Init = lfp⊆ λX . Init∪ post τ X￿ Σ⊥ Bad￿ ￿ ∪ ⊆ \ ￿ [In]completenessF ↓ Bad = : may produce false alarms (e.g. take ￿ ￿ • ∩ α(post∅ τ ∗ Init)=α(lfp⊆ λX . Init post τ X) lfp￿ F F ↓ F ↑ ∪ ￿ ⊥ ￿ ￿ Bad = post ￿ τ ∗ Init so that no abstraction is possible) ¬ F ↓ Bad = ∩ ∅ 7 • In practice, can be7 made complete for domain- specific programs (such as synchronous control/ 7 command) with adequate abstractions.7

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 28 © P. Cousot 7 In practice ... • Proceed by structural induction in the syntax of programs • Use chaotic/asynchronous iterations within loops • Use many abstractions combined in an approximate reduced product with partial iterative reduction • Example: • x ∈ [1,13] • even(x) reduction: • x ∈ [2,12]

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 29 © P. Cousot Applications of abstract interpretation to the static analysis of aerospace control systems

Julien Bertrane, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, Xavier Rival. Static Analysis and Verification of Aerospace Software by Abstract Interpretation. AIAA Infotech@Aerospace 2010, AIAA 2010-3385, 20–22 April 2010, Atlanta, GA, http://pdf.aiaa.org/preview/2010/ CDReadyMIAA10_2358/PV2010_3385.pdf

Patrick Cousot. Integrating Physical Systems in the Static Analysis of Embedded Control Software. The Third Asian Symposium on Programming Languages and Systems (APLAS'05), Tsukuba, Japan, November 3—5, 2005. Lecture Notes in Computer Science, volume 3780, © Springer, Berlin, pp. 135—138.

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 30 © P. Cousot ASTRÉE

Patrick Cousot, Radhia Cousot, Jérôme Feret, Antoine Miné, David Monniaux, Laurent Mauborgne, Xavier Rival. The ASTRÉE Analyzer. ESOP 2005: The European Symposium on Programming, Edinburgh, Scotland, April 2—10, 2005. Lecture Notes in Computer Science 3444, © Springer, Berlin, pp. 21—30.

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 31 © P. Cousot Target language and applications • C programming language • Without recursion, longjump, dynamic memory allocation, conflicting side effects, backward jumps, system calls (stubs) • With all its horrors (union, pointer arithmetics, etc) • Reasonably extending the standard (e.g. size & endianess of integers, IEEE 754-1985 floats, etc) • Synchronous control/command • e.g. generated from Scade

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 32 © P. Cousot The semantics of C implementations is very hard to define The Semantics of C is Hard (Ex. 2: Runtime Errors) What is the effect of out-of-bounds array indexing? %catunpredictable.c #include int main () { int n, T[1]; n=2147483647; printf("n = %i, T[n] = %i\n", n, T[n]); } Yields different results on different machines: n=2147483647,T[n]=2147483647 Macintosh PPC n=2147483647,T[n]=-1208492044 Macintosh Intel n=2147483647,T[n]=-135294988 PC Intel 32 bits Bus error PC Intel 64 bits

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 33 © P. Cousot

MPI, 8/26/2008 — 46 — ľ P. Cousot Implicit specification • Absence of runtime errors: overflows, division by zero, buffer overflow, null & dangling pointers, alignment errors, … • Semantics of runtime errors: • Terminating execution: stop (e.g. floating-point exceptions when traps are activated) • Predictable outcome: go on with worst case (e.g. signed integer overflows result in some integer, some options: e.g. modulo arithmetics) • Unpredictable outcome: stop (e.g. memory corruption)

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 34 © P. Cousot II.P. Combination of abstract domains Abstract interpretation-based tools usually use several different abstract domains, since the design of a complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract domain examples used in the Astree´ staticAbstractions analyzer:2 y y y

x x x

Collecting semantics:1, 5 Intervals:20 Simple congruences:24 partial traces x [a, b] x a[b] ∈ ≡ y y y t x x

Octagons:25 Ellipses:26 Exponentials:27 x y a x2 + by2 axy d abt y(t) abt ± ± ￿ − ￿ − ￿ ￿ Such abstract49th domainsiEEE Conference on Decision (and and Control, more) Atlanta GA, are Pre-Conference described Workshop on Verification in moreof Control Systems, details Dec. 14, 2010 in Sects. III.H–III.I. 35 © P. Cousot The following classic abstract domains, however, are not used in Astree´ because they are either too imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest to prove the specification): y y y

x x x

Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics Octagon Abstract Domain Code Sample:

while (1) { • At !, the interval domain gives R=A-Z; L ≤ max(max A, (max Z)+(max V)). L=A; if (R>V) • In fact, we have L ≤ A. { ! L=Z+V;} ! • To discover this, we must know at ! that } R = A-Z and R > V. OctagonOctagon Abstract Abstract Domain Domain Solution: we need a numerical relational abstract domain. CodeExample Sample: of general purpose abstraction: octagons Code" The Sample:octagon abstract domain [Min´e03] is a good cost / precision trade-off. Octagon Abstract DomainN2 N3 "whileInvariants (1) of the form ± x± y ≤ c, with O( ) memory and O( ) time cost. •while (1) {{ • At !, the interval domain gives Code" Here,R=A-Z; Sample:R = A-Z cannot be discovered,• At !, but the we interval get L- domainZ ≤ max givesR which is sufficient. • Example:R=A-Z; LL ≤≤ max(maxmax(max AA,, (max (max ZZ)+(max)+(max VV)))).. " WeL=A;L=A; use many octagons on small packs of variables instead of a large one using if (R>V) • In fact, we have L ≤ A. whileallif variables (R>V) (1) to{ cut costs. • In fact, we have L ≤ A. { !! L=Z+V;} • At !, the interval domain gives R=A-Z;{ L=Z+V;} • To discover this, we must know at ! that PLDI’03!! - A Static Analyzer for Large Safety-Critical• To discoverL ≤ max(max Software this, weA must, (max knowZ)+(max at ! thatV)). 11/21 L=A; R = A-Z and R > V. }} R = A-Z and R > V. if (R>V) • In fact, we have L ≤ A. Solution:{ we! needL=Z+V; a numerical} relational abstract domain. Solution:! we need a numerical relational• To discoverabstract this, domain. we must know at ! that " The abstract domain [Min´e03]R = A-Z isand a goodR > costV. / precision trade-off. " }The octagonoctagon abstract domain [Min´e03] is a good cost / precisionII.P. Combination trade-o of abstractff. domains 2 Abstract3 interpretation-based tools usually use several different abstract domains, since the design of a " N2 Ncomplex3 one is best decomposed into a combination of simpler abstract domains. Here are a few abstract " InvariantsInvariants of of the the form form ±±xx±±yy ≤≤ cc,, with with OO((N )) memorymemory and and OO((Ndomain) examples) timetime used in the cost. cost.Astree´ static analyzer:2 y y y Solution:•"" Here,Here, RR ==weAA--ZZ needcannotcannot a numerical be be discovered, discovered,relational but but we we get getabstractLL--ZZ ≤≤ maxmax domain.RR whichwhich is is su suffifficient.cient. x x x " ""WeWe use use many many octagons octagons on on smallsmall packs packs ofof variables variables instead instead of of a a large large one one using using The octagon abstract domain [Min´e03] is a good cost / precision trade-o1, 5 ff. 20 24 • Collecting semantics: Intervals: Simple congruences: all variables to cut costs. partial traces x [a, b] x a[b] all variables to cut costs. 2 3 ∈ ≡ " Invariants of the form ± x± y ≤ c, with O(N ) memory and O(N )y time cost.y y t x x PLDI’03PLDI’03" Here, - - A A Static StaticR = Analyzer AnalyzerA-Z cannot for for Large Large be Safety-Critical Safety-Critical discovered, Software Software but we get L-Z ≤ max R which is11/11/ su2121fficient.

Octagons:25 Ellipses:26 Exponentials:27 49th iEEE" Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 36 x© P.y Cousota x2 + by2 axy d abt y(t) abt We use many octagons on small packs of variables instead of a large± ± one￿ using− ￿ − ￿ ￿ Such abstract domains (and more) are described in more details in Sects. III.H–III.I. The following classic abstract domains, however, are not used in Astree´ because they are either too all variables to cut costs. imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest to prove the specification): y y y PLDI’03 - A Static Analyzer for Large Safety-Critical Software 11/21 x x x

Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics Example of general purpose abstraction: Example of abstract domaindecision functor trees in Astrée: decision trees – Code Sample: /* boolean.c */ typedef enum {F=0,T=1} BOOL; BOOL B; void main () { unsigned int X, Y; while (1) { ... B=(X==0); ... if (!B) { The boolean relation abstract Y=1/X; domainThe boolean is parameterized relation abstract by the do- main is parameterized by the height } height of the decision tree (an ... of the decision tree (an analyzer } analyzeroption) and the option) abstract and domain the at } abstractthe leafs domain at the leaves

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 37 © P. Cousot MPI, 8/26/2008 — 66 — ľ P. Cousot Example of domain-specificExample of analysis abstraction: by Astrée ellipses(suite) typedef enum {FALSE = 0, TRUE = 1} BOOLEAN; BOOLEAN INIT; float P, X; void filter () { static float E[2], S[2]; if (INIT) { S[0] = X; P = X; E[0] = X; } else {P=(((((0.5*X)-(E[0]*0.7))+(E[1]*0.4)) +(S[0]*1.5))-(S[1]*0.7));} E[1] = E[0]; E[0] = X; S[1] = S[0]; S[0] = P; /* S[0], S[1] in [-1327.02698354, 1327.02698354]*/ II.P. Combination of abstract domains Abstract interpretation-based tools usually use several different abstract domains, since the design of a } complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract domain examples used in the Astree´ static analyzer:2 void main () { X = 0.2 * X + 5; INIT = TRUE; y y y while (1) { x x x

Collecting semantics:1, 5 Intervals:20 Simple congruences:24 X=0.9*X+35;/* simulated filter input */partial traces x [a, b] x a[b] ∈ ≡ filter (); INIT = FALSE; } y y y t } x x

25 26 27 49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 38 Octagons: Ellipses: © P. Cousot Exponentials: x y a x2 + by2 axy d abt y(t) abt ± ± ￿ − ￿ − ￿ ￿ Such abstract domains (and more) are described in more details in Sects. III.H–III.I. The following classic abstract domains, however, are not used in Astree´ because they are either too imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest to prove the specification): y y y

x x FICS’08, Shanghai, 3–6/6/2008 — 64 — x ľ P. Cousot

Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics Example of domain-specificArithmetic-geometric abstraction (I): progressions exponentials (Example 2) %catcount.c typedef enum {FALSE = 0, TRUE = 1} BOOLEAN; volatile BOOLEAN I; int R; BOOLEAN T; void main() { R=0; while (TRUE) { __ASTREE_log_vars((R)); if (I) { R = R + 1; } The Ariane 5.01 maiden flightpotentialfailure overflow! th The Ariane 5.01 maiden flight failure –June4 , 1996 was the th else { R = 0; } maiden flight of Ariane 5 –June4 , 1996 was the maiden flight of Ariane 5 –The launcher self- –The launcher was de- T=(R>=100); detroyed after 42 seconds troyed after 40 seconds of flight because of a of flight because of a __ASTREE_wait_for_clock(());software overflow 12 software overflow II.P. Combination of abstract domains }} Abstract interpretation-based tools usually use several different abstract domains, since the design of a complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract domain examples used in the Astree´ static analyzer:2 %catcount.config y y y A 16 bits piece of code of Ariane 4 had been reused12 A 16 within bit piece the of new code32 of bits Ariane code 4 for had Ariane been reused5. within the new 32 bit code for Ariane 5. This caused an uncaught overflow, ultimately makingThis caused the launcheran uncaught uncontrolable. overflow, making the launcher uncontrolable.

Rencontres INRIA–Industrie, 11/10/2007 —48—Rencontres INRIA–Industrie,ľ P. Cousot11/10/2007 —48— P. Cousot __ASTREE_volatile_input((I [0,1])); x ľ x x __ASTREE_max_clock((3600000)); Collecting semantics:1, 5 Intervals:20 Simple congruences:24 partial traces x [a, b] x a[b] %astree–exec-fnmain–config-semcount.configcount.c|grep’|R|’∈ ≡ y y y t |R| <= 0. + clock *1. <= 3600001. x x

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 Octagons: 25 39 Ellipses: 26 Exponentials: © P. Cousot27 2 2 bt bt More precise than the clock domain (intervalsx y ￿ a x + by a forxy ￿ d aX￿ y(t),￿ a X + clock, ± ± − − Such abstract domains (and more) are described in more details in Sects. III.H–III.I. The following classic abstract domains, however, are not used in Astree´ because they are either too imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event X clock) which could thereforeof floating-point be rounding),suppressed! or out of scope (determining program properties which are usually of no interest ` to prove the specification): y y y MPI, 8/26/2008 — 84 — ľ P. Cousot x x x

Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics Example Exampleof domain-specific of analysis abstraction by Astrée (II):(suite) exponentials Example of analysis by Astrée (suite) %catretro.c typedef%catretro.c enum {FALSE=0, TRUE=1} BOOL; void main() void main() BOOL FIRST;typedef enum {FALSE=0, TRUE=1} BOOL; {FIRST=TRUE; {FIRST=TRUE; volatileBOOL BOOL FIRST; SWITCH; while (TRUE) { while (TRUE) { volatilevolatile float E; BOOL SWITCH; dev( ); dev( ); float P,volatile X, A, B; float E; FIRST = FALSE; float P, X, A, B; __ASTREE_wait_for_clock(());FIRST = FALSE; void dev( ) }} __ASTREE_wait_for_clock(()); {X=E; void dev( ) %catretro.config}} if (FIRST){X=E; { P = X; } __ASTREE_volatile_input((E%catretro.config [-15.0, 15.0])); else if (FIRST) { P = X; } __ASTREE_volatile_input((SWITCH__ASTREE_volatile_input((E [0,1])); [-15.0, 15.0])); {P=else (P-((((2.0*P)-A)-B) __ASTREE_max_clock((3600000));__ASTREE_volatile_input((SWITCH [0,1])); {P= (P-((((2.0*P)-A)-B) __ASTREE_max_clock((3600000)); *4.491048e-03));}; |P| <= (15. + 5.87747175411e-39 *4.491048e-03));}; B=A; /1.19209290217e-07)*(1+|P| <= (15. + 5.87747175411e-39 if (SWITCH)B=A; {A = P;} /1.19209290217e-07)*(1+II.P. Combination of abstract domains 1.19209290217e-07)ˆclockAbstract interpretation-based tools usually - 5.87747175411e-39 use several different abstract domains, since the design of a else {Aif = X;} (SWITCH) {A = P;} complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract /1.19209290217e-07<=1.19209290217e-07)ˆclockdomain examples used in the Astr23.0393526881ee´ static analyzer:2 - 5.87747175411e-39 The Patriotelse {A missile= X;} failure } /1.19209290217e-07<=y y 23.0393526881y – “On February 25} th, 1991, a Patriot x x x missile . . . failed to track and inter- Collecting semantics:1, 5 Intervals:20 Simple congruences:24 Cumulated(˜) rounding error partial traces x [a, b] x a[b] cept an incoming Scud .” ∈ ≡ y y y –Thesoftware failure was due to accu- t x x mulated rounding error (y) 49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 Octagons: 25 40 Ellipses: 26 Exponentials: © P. Cousot27 2 2 bt bt (˜) x y ￿ a x + by axy ￿ d a ￿ y(t) ￿ a This Scud subsequentlyFICS’08, hit an Shanghai, Army barracks, 3–6/6/2008 killing 28 Americans. — 65 — ± ± − −ľ P. Cousot Such abstract domains (and more) are described in more details in Sects. III.H–III.I. (y) FICS’08, Shanghai, 3–6/6/2008 —The 65 following — classic abstract domains, however, are not used in Astree´ because theyľ are eitherP. too Cousot –“Timeiskeptcontinuouslybythesystem’sinternalclockin imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest tenths of seconds” to prove the specification): – “The system had been in operation for over 100 consecutive y y y hours” – “Because the system had been on so long, the resulting inac- x x x curacy in the time calculation caused the range gate to shift Polyhedra:9 Signs:7 Linear congruences:28 so much that the system could not track the incoming Scud” too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- Rencontres INRIA–Industrie, 11/10/2007 —55— ľ P. Cousot ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics ExampleStatic of domain-specific Analysis of Scaling abstraction with Astrée (III): scaling %cat-nscale.c %gccscale.c 1 int main () { %./a.out 2floatx;x=0.70000001; x=0.699999988079071 3while(1){ 4x=x/3.0; All Computer Scientists Have Experienced Bugs 5x=x*3.0; 6__ASTREE_log_vars((x)); 7__ASTREE_wait_for_clock(()); 8} 9} Ariane 5.01 failure Patriot failure Mars orbiter loss %catscale.config II.P. Combination of abstract domains Abstract interpretation-based tools usually use several different abstract domains, since the design of a __ASTREE_max_clock((1000000000));(overflow) (floatcomplex rounding) one is best decomposed into a (unit combination oferror) simpler abstract domains. Here are a few abstract domain examples used in the Astree´ static analyzer:2 %astree–exec-fnmain–config-semscale.config–unroll0scale.c\y y y It is preferable to verify that mission/safety-critical pro- |& grep "x in" | tail -1 x x x direct = Collecting semantics:1, 5 Intervals:20 Simple congruences:24 partial traces x [a, b] x a[b] % ∈ ≡ y y y Rencontres INRIA–Industrie, 11/10/2007 Sep. 5, 2006—57— September 5, 2006 J¡¡¡ľ—3—P. Cousot[] ¨ — £££I ľ P. Cousot t x x

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 Octagons: 25 41 Ellipses: 26 Exponentials: © P. Cousot27 x y a x2 + by2 axy d abt y(t) abt ± ± ￿ − ￿ − ￿ ￿ Such abstract domains (and more) are described in more details in Sects. III.H–III.I. The following classic abstract domains, however, are not used in Astree´ because they are either too imprecise, not scalable, difficult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest to prove the specification): y y y

x x x

Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope

Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp⊆ F1 D1,...,lfp⊆ Fn Dn in these abstract domains D ,...,D , relative to a collecting semantics t I. The∈ combination of∈ these 1 n C analyses is sound as t I γ (lfp⊆ F ) γ (lfp⊆ F ). However, only combining the analysis results is C ⊆ 1 1 ∩ ···∩ n n not very precise, as it does not permit analyses to improve each other during￿ the￿ computation. Consider, for instance, that interval￿ and￿ parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue∈ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ∈ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ρ( F (x ),..., ￿ 1 n￿ ￿ ￿ 1 1 Fn(xn ) and r1,...,rn =lfp⊆ F in t I γ1(r1) γn(rn)” where ρ performs the reduction between abstract￿ domains.￿ For example￿ ρ( [0,C100], odd⊆ )= ∩[1···, 99]∩, odd . ￿ ￿ ￿ ￿ ￿ ￿ 10 of 38

American Institute of Aeronautics and Astronautics Examples of abstractions not used by Astrée

Linear Polyhedra (too Signs (too congruences expensive) imprecise) (too expensive)

Zonotopes Support functions Convex sets (inclusion?) (widening?) (algorithmics?)

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 42 © P. Cousot Example of analysis by Astrée (suite) An erroneousA common common believe onbelief static on analyzers static analyzers typedef enum {FALSE = 0, TRUE = 1} BOOLEAN; “The properties that can beBOOLEAN proved INIT; byfloat staticP, X; analyzers are often void filter () { simple” [2] static float E[2], S[2]; Like in mathematics: if (INIT) { S[0] = X; P = X; E[0] = X; } else {P=(((((0.5*X)-(E[0]*0.7))+(E[1]*0.4)) – May be simple to state (no overflow)+(S[0]*1.5))-(S[1]*0.7));} E[1] = E[0]; E[0] = X; S[1] = S[0]; S[0] = P; – But harder to discover /*(P( S[0],[ S[1]1325 in: [4522-1327.02698354; 1325:4522], 1327.02698354) ]*/) } 2 ` – And difficult to provevoid(sincemain it () requires { X = 0.2 finding * X + 5; INIT a non = TRUE; trivial non-linear invariant forwhile second(1) { order filters with complex roots [Fer04], which can hardlyX=0.9*X+35; be found/* by simulated exhaustive filter input enu- */ filter (); INIT = FALSE; } meration) }

Reference

[2] Vijay D’Silva, Daniel Kroening, and Georg Weissenbacher. A Survey of Automated Techniques for Formal Software Verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 27, No. 7, July 2008. FICS’08, Shanghai, 3–6/6/2008 — 64 — ľ P. Cousot MPI, 8/26/2008 J✁✁ ✁ – 37 – ? [] ¨ – ✄ ✄✄ I ľ P. Cousot

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 43 © P. Cousot Industrial applications

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 44 © P. Cousot Examples of applications • Verification of the absence of runtime-errors in • Fly-by-wire flight control systems

• ATV docking system

• Flight warning system (on-going work)

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 45 © P. Cousot Industrialization • 8 years of research (CNRS/ENS/INRIA): www.astree.ens.fr

• Industrialization by AbsInt (since Jan. 2010): www.absint.com/astree/

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 46 © P. Cousot On-going work

Julien Bertrane, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, Xavier Rival. Static Analysis and Verification of Aerospace Software by Abstract Interpretation. AIAA Infotech@Aerospace 2010, AIAA 2010-3385, 20–22 April 2010, Atlanta, GA, http://pdf.aiaa.org/preview/2010/ CDReadyMIAA10_2358/PV2010_3385.pdf

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 47 © P. Cousot Verification of target programs

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 48 © P. Cousot Verification of compiled programs • The valid source may be proved correct while the certified compiler is incorrect so the target program may go wrong • Possible approaches: • Verification at the target level • Source to target proof translation and proof check on the target ✴ Translation validation (local verification of equivalence of run-time error free source and target) • Formally certified compilers

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 49 © P. Cousot Verification of imperfectly clocked synchronous systems

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 50 © P. Cousot But these computations are performed according to two clocks C and C￿. It may be that these clocks are synchronous. This case is depicted in the lower left part of Fig. 2. The two alternating boolean outputs of the two systems being always equal, the comparison always results in no alarm (OK statement). But maybe the clocksButC theseand C computations￿ are slightly desynchronized are performed according by a small to delay two clocksε. ThisC and caseC is￿. depicted It may be in that the these clocks are lower right part ofsynchronous. Fig.2. The two This alternating case is depicted boolean in outputsthe lower of left the part two of systems Fig. 2. are The then two alternatingalmost always boolean outputs of equal, but they difftheer near two systems every clock being tick. always Then,Imperfect equal, the the comparison comparison being always made results synchrony precisely in no alarm on those (OK statement). tick, it always results into anBut alarm maybe (“!= the” statement). clocks C and However,C￿ are slightly thisdesynchronized alarm is probably by a unnecessary small delay ε in. This that case case, is depicted in the since the desynchronizationlower right delay part is of very Fig.2. small. The This two desynchronization alternating boolean delay outputs is in practice of the two unavoidable, systems are since then almost always clocks are physical objectsequal, but andExample they cannot differ be near perfect. of every This(buggy) clock implementation tick. Then, communicating the of an comparison alarm is therefore being made flawed.synchronous precisely Such on those tick, systems: it errors cannot be alwaysalways• discovered results into by an hand. alarm Their (“!= detection” statement). has to However, be done this automatically alarm is probably and statically. unnecessary in that case, since the desynchronization delay is very small. This desynchronization delay is in practice unavoidable, since clocks are physical objects and cannot be perfect. This implementation of an alarmblackboard is therefore flawed. inputs Such errors cannot be always discovered by hand. Their detection has to be done automatically and statically. READ READ C C’ • negate previous input NOT COMPARE READ NOT READ C C’ (on clocks C and C’)

C NOT COMPARE C’ NOT • compare inputs System 1 System 2 C Real C’ Real 023451 time 023451 time System 1 System 2 Synchronized andC’ dysynchronized executions:C’ true true System 2 • Real Real 023451 time 023451 time false false C’ C’ System 2 true true false false true true

false false System 1 εεεε ε true C true C false false Systemtrue 1 true εεεε ε OK OK OK OK OK != C != != != != C false false COMPARE true C true C OK OK OK OK OK != != != != != false false flawed COMPARE Figure 2. Example of two similar imperfectly-synchronous systems with an alarm watchingC differences in their outputs. C alarms

49thFigure iEEE Conference 2. Example on Decision of and two Control, similar Atlanta imperfectly-synchronous GA, Pre-Conference Workshop on systems Verification with of Control an alarm Systems, watching Dec. 14, 2010 di ff erences in their outputs. 51 © P. Cousot IV.B. Syntax and semantics

We assume that eachIV.B. part Syntax of the synchronous and semantics software compiled for one precise computer will execute according to the clock C of that computer with a period (the time between two consecutive clock ticks) remaining inside a knownWe assume interval that [µC each; νC], part with of 0 <µ theC synchronous￿ νC. In the software quasi-synchronous compiled for framework one precise introduced computer will execute formally by Caspi etaccording al.,58 two to theclocks clock supposedC of that to computertick synchronously with a period are allowed (the time to betweendesynchronize two consecutive in the clock ticks) following way: at mostremaining two consecutive inside a known ticks interval of one [ ofµC; theνC], clock with 0may<µ happenC ￿ νC. In between the quasi-synchronous two consecutive framework ticks introduced 58 of the other clock. Thisformally hypothesis by Caspi is et quite al., weak,two and clocks we supposed usually work to tick with synchronously a clock whose are parameter allowed to is desynchronize such in the following way: at most two consecutive ticks of one of the clock may happen between two consecutive ticks that 2 µC ￿ νC, which implies quasi-synchrony compared to a perfect clock whose period is between µC and × of the other clock. This hypothesis is quite weak, and we usually work with a clock whose parameter is such νC.WhenµC is close to νC, our hypothesis is stronger and we expect to be able to prove more properties. that 2 µC ￿ νC, which implies quasi-synchrony compared to a perfect clock whose period is between µC and Furthermore, each communication× channel ch has an interval [αch; βch] as parameter such that the delays between the emissionνC.When of a valueµC is and close its to receptionνC, our hypothesis must always is stronger belong to and this we interval. expect to The be communications able to prove more properties. over a given channel areFurthermore, still considered each communicationserial, which means channel thatch ifhas a value an intervala is sent [αch over; βch] channel as parameterch before such that the delays between the emission of a value and its reception must always belong to this interval. The communications a value b,thena is received before b. over a given channel are still considered serial, which means that if a value a is sent over channel ch before In this realistic framework, idealistic cases usually considered can still be modelled. It is then assumed a value b,thena is received before b. that all clocks C, C’,... are perfect: µ = ν = µ = ν = ... and that communications are instantaneous, In this realisticC framework,C C’ idealisticC’ cases usually considered can still be modelled. It is then assumed i.e., 0 = αch = βch = αch’ = βch’ for all the channels ch, ch’,... in the system. that all clocks C, C’,... are perfect: µC = νC = µC’ = νC’ = ... and that communications are instantaneous, i.e., 0 = αch = βch = αch’ = βch’ for all the channels ch, ch’,... in the system.

26 of 38

American Institute of Aeronautics and Astronautics26 of 38 American Institute of Aeronautics and Astronautics were in fact designed in a continuous world (through differential equations) in an environment (made of space and time) that is a continuous object. In addition, using a continuous-time semantics enables the use of very well-known mathematical theories about continuous numbers which are not so frequently used in static analysis. were in fact designed in a continuous world (through differential equations) in an environment (made of IV.D. Temporal abstract domains space andwere time) in that fact designed is a continuous in a continuous object. In world addition, (through using di afferential continuous-time equations) semantics in an environment enables the (made use of IV.D.1. Abstractof constraints very well-knownspace and time) mathematical that is a continuous theories about object. continuous In addition, numbers using a whichcontinuous-time are not so semantics frequently enables used the in use A first domain ofstatic abstract analysis. constraints59 abstracts ℘(R V) as conjunctive sets of universal and existential of very well-known→ mathematical theories about continuous numbers which are not so frequently used in constraints. A universal constraint over a signal s R V is defined by a time interval [a; b] and a value x, ∈ → and denoted t [a; b]:s(t)=staticx. Its concretization analysis. is the set of signals in R V that take the value x during the whole time∀ interval∈IV.D. [a; b]. Temporal An existential constraintSemantics abstract over a domains signaland sabstractionsis defined→ by a time interval [a; b] and a value x, and denoted t [a; b]:s(t)=x.Continuous Its concretization semantics is the (value set of signalss(t) of in signalsR Vs that at any take the value x at least once during∃ the∈ timeIV.D. interval• [a Temporal; b]. For example, abstractt [0; 1] : domainss(t)=true →t [0; 1] : s(t)=false IV.D.1. Abstracttime constraints t) ∃ ∈ ∧∃ ∈ is the abstraction of functions in R B that change their boolean value at least once between t = 0 and t = 1. IV.D.1.→ Abstract constraints A first domain of• Clock abstract ticks and constraints serial communications59 abstracts do happen℘(R in V) as conjunctive sets of universal and existential The operators defined for usual operationsknown in time abstract intervals domains [l, h], ( l ≤, h) as well59 as the backward→ abstract operators correspondingconstraints. to synchronousA first A universal domain language of primitives constraint abstract ( >, constraints overpre∪,∩blackboard a signalabstracts reading,s etc.)℘ are(Ris quite definedV) as conjunctive by a time interval sets of universal [a; b] andand a valueexistentialx, − R V → precise in this domain. constraints.• Examples A universal of abstractions constraint: over a signal∈ →s R V is defined by a time interval [a; b] and a value x, and denoted t [a; b]:s(t)=x. Its concretization is the∈ set of→ signals in R V that take the value x during and∀ denoted∈ t [a; b]:s(t)=x. Its concretization is the set of signals→ in R V that take the value x during IV.D.2. Changesthe counting whole domain time interval• ∀ [∈a; b]. An existential constraint over a signal s is defined by→ a time interval [a; b] and a the whole time interval [a; b]. An existential constraint over a signal s is defined by a time interval [a; b] and a A second domainvalue of changex, and counting denoted60 was• designedt [a in; orderb]:s to(t deal)= automaticallyx. Its concretization with reasoning on is the the set of signals in R V that take the value value x, and denoted∃ ∈ t [a; b]:s(t)=x. Its concretization+ is the set of signals→ in R V that take the value stability and thex variabilityat least of systems. once during The• abstractchange the properties counting time∃ ∈ interval (￿ k, a [ba); andb]. (￿ Fork, a example,b), for a, b tR [0; 1] : s(t)=true t →[0; 1] : s(t)=false and k , respectively meanx thatat behaviors least once do not during change thetheir timevalue more interval (respectively [a; b]. less) For than example,k∃times∈ ∈ t [0; 1] : s(t)=∧∃true ∈ t [0; 1] : s(t)=false N is the abstraction of(signal functions changes inless (more)￿￿ thanthat k times change ￿￿in time their boolean value at least once between t = 0 and during∈ the time interval [a; b]. R B ∃ ∈ ∧∃ ∈ is the abstractioninterval [ ofa, b functions]) → in R B that change their boolean value at least once between t = 0 and This domaint is= more 1. precise for forward operators and defines a very precise→ reduced product with the t = 1.49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 52 © P. Cousot abstract constraint domain.The operators defined for usual operations in abstract domains ( , ) as well as the backward abstract An example of reduction is (withThe times operatorsa, pre, blackboard∪ ∩ reading, etc.) are quite ￿ operators corresponding∃ ∈ to synchronous language∀ ∈ primitives− ( >, pre, blackboard reading, etc.) are quite Then, if￿￿ there isprecise at least one in value this change domain. between c and d, then there are actually at least two changes. − Indeed, at some time t [c; dprecise), the value in has this to be domain. some y = x, since at time d it has to be x (by w) and it ∈ ￿ changes at least once in [c, d]. Then, at some point t￿ [b; c], the value has to be x (by v) which makes two ∈ value changes: oneIV.D.2. between t￿ Changesand t, and one counting between t domainand d. This is excluded by the stability property u. As a consequence, thereIV.D.2. is no value change Changes between countingc and d and, domain since the value at time d is x and does not change,A the second value has domain to remain of equal change to x during counting whole time60 was interval,60 designed which can in be order translated to deal automatically with reasoning on the into t [c; d]:s(t)=x.A This second constraint domain merges with of change the constraint countingt [d; fwas]:s(t designed)=x and yields in order to deal automatically with reasoning on the ∀ ∈ ∀ ∈ + t [c; f]:s(t)=stabilityx. andstability the variability and the variability of systems. of systems. The abstract The abstract properties properties (￿ k, a ( k, ab) andb) (￿ andk, ( a k, ab), forb),a, for b a,R b R+ ∀ ∈ ￿ ￿ ∈ ∈ and k Nand, respectivelyk N, respectively mean that mean behaviors that behaviors do not do change not change their value their￿￿ morevalue￿￿ more(respectively (respectively￿￿ less)￿￿ less) than thank timesk times IV.E. Applicationduring to∈ redundanttheduring time∈ the systems interval time interval [a; b]. [a; b]. It is often the case that similar (ifThis not domainidentical) systems is more run precise in parallel for so forward that, in case operators one system and has defines a very precise reduced product with the a hardware failure, itThis is detected, domain either is by more the other precise similar for systems forward or by aoperators dedicated unit, and and defines only a very precise reduced product with the redundant unitsabstract keep performing constraintabstract the computation. constraint domain. The domain. continuous-time semantics presented in this section has been precisely designedAn example to proveAn the example of properties reduction of of such reduction is systems. (with is times (witha

American Institute28 of of 38 Aeronautics and Astronautics

American Institute of Aeronautics and Astronautics Real code Analysis Analysis Static analysis of communicatingReal code Analysis imperfectlyAnalysis clocked redundantStatic units analysisExample of communicating of static imperfectly analysis clocked redundant units SENSORS Changes Counting SENSORS Constraints Constraints Changes Counting [ ! ; "] [ # ; $ ] Constraints Constraints For how long Changes Changes [ ; ] Counting [ ! ; "] Counting # $ Changes Changes Counting Counting should the input REDUNDANT UNIT #1 REDUNDANT UNIT #2 be stabilized REDUNDANT UNIT #1 REDUNDANT UNIT #2 before deciding Changes Changes Counting [ % ; &] Counting Changes [ ' ; (] Changes Counting [ % ; &] Counting [ ' ; (] on disagreement? Constraints ACTUATORS Changes ConstraintsACTUATORS ACTUATORS Counting Changes ACTUATORS Counting VOTER VOTER

Integral bounding Integral bounding SpecificationSpecification:noalarmraisedwithanormalinput:noalarmraisedwithanormalinput

0 0 2/3 ) 2/3 ) ) ) < 2 2 > input stabilityinput< ∆ stability: Between∆ : 3 Between× ∆ input3 × ∆ stabilityinput> stability∆ :theanalyzer∆ :theanalyzer counter-examplecounter-exampleand ∆ : ? and ∆ : ?proves theproves specification the specification Julien Bertrane, ENS ParisJulien Bertrane,Static ENS analysis Paris of imperfectly-clockedStatic analysis of synchronous imperfectly-clocked systems synchronous using continuous-time systems using abstract continuous-time domains abstract45/49 domains 45/49 49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 53 © P. Cousot THÉSÉE: Verification of embedded real-time parallel C programs

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 54 © P. Cousot Parallel programs • Bounded number of processes with shared memory, events, semaphores, message queues, blackboards,… • Processes created at initialization only • Real time operating system (ARINC 653) with fixed priorities (highest priority runs first) • Scheduled on a single processor Verified properties • Absence of runtime errors • Absence of unprotected data races

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 55 © P. Cousot Semantics • No memory consistency model for C • Optimizing compilers consider sequential processes out of their execution context init: flag1 = flag2 = 0 process 1: process 2: flag1 = 1; flag2 = 1; write to flag1/2 and if (!flag2) if (!flag1) read of flag2/1 are independent so can be { { /* critical section */ /* critical section */ reordered → error! In the Java memory model, both processes can enter their critical section simultaneously. The rationale is that, due to process-wide• We program assume optimisation: without knowledge of other processes, a compiler might assume that, e.g., in process 1, thesequential write to flag1 consistencyand the read from inflag2 absenceare independent of data and canrace be reordered, and the same for process• 2, flag2 and flag1 respectively. As a consequence, each process can read the other process’ flag before forsetting data its own flag. races, Multi-processors values with are out-of-order limited execution by possible or not fully synchronized caches can also• cause similar behaviors, even in the absence of compiler optimizations. There is currently no memoryinterleavings consistency model forbetween C; however, synchronization we need to choose one inpoints order to define our concrete semantics. It is safe to assume that, as C++, C will guarantee sequential consistency for programs without data-race. We also draw from the Java model75 to give a semantics to unprotected 49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 56 © P. Cousot accesses, so that we can analyze the behavior of a program after a data-race. More precisely, assume that a run of a process p performs a sequence of synchronisation operations at times t1 <...

VI.B.2. Scheduling and synchronisation The U state component in our concrete semantics models the scheduler state, which in turns defines which process can run and which must wait. Firstly, it maintains the state of synchronisation objects, e.g., for each mutex (there are finitely many), whether it is unlocked or locked by a process (and which one). Secondly, it remembers, for each process, whether it is waiting for a resource internal to the system (e.g., trying to lock an already locked mutex), for an external event (e.g., a message from the environment or a timeout), or is runnable (i.e., either actually running or preempted by another process). As we assume that the scheduler obeys a strict real-time semantics and there is a single processor, only one process can be scheduled in a given state: the runnable process with highest priority. All higher priority processes are waiting at a system call, while lower priority processes can be either waiting at a system call, or be runnable and preempted at any program point. The execution of a synchronisation primitive by the running process updates the scheduling state U. For instance, trying to lock an already locked mutex causes the process to enter a wait state, while unlocking a locked mutex causes either the mutex to be unlocked (if no process is waiting for it), or the mutex ownership to pass to the highest priority process waiting for it (which then becomes runnable, and possibly preempts the current process). Moreover, U might change due to external events, which we assume can take place at any time. For instance, a process performing a timed wait enters a non-deterministic wait phase but can become runnable at any time (as we do not model physical time), and possible preempt a lower priority running process.

VI.C. Abstraction Our prototype analyzer of parallel embedded realtime software, named Thes´ ee´ , is based on Astree´ (Sect. III). It has a similar structure, reuses most of its abstractions (e.g., general-purpose numerical ab- stractions for Di, trace partitioning with respect to Ci, etc.) and adds some more.

32 of 38

American Institute of Aeronautics and Astronautics Abstractions • Based on Astrée for the sequential processes • Takes scheduling into account • OS entry points (semaphores, logbooks, sampling and queuing ports, buffers, blackboards, …) are all stubbed (using Astrée stubbing directives) • Interference between processes: flow-insensitive abstraction of the writes to shared memory and inter-process communications

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 57 © P. Cousot Example of application: FWS

• Degraded mode (5 processes, 100 000 LOCS) • 1h40 on 64-bit 2.66 GHz Intel server • 98 alarms • Full mode (15 processes, 1 600 000 LOCS) • 50 h • 12 000 alarms in May, 7000 in December 2010 • !!! more work to be done !!! (e.g. analysis of complex data structures, interference, logs, etc)

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 58 © P. Cousot Conclusion

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 59 © P. Cousot Cost-effective verification • The rumor has it that: • Manuel validation (testing) is costly, unsafe, not a verification! • Formal proofs by theorem provers are extremely laborious hence costly • Model-checkers do not scale up • Why not try abstract interpretation? • Domain-specific static analysis scales and can deliver no false alarm

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 60 © P. Cousot The End

Cited references are available online at URL http://www.di.ens.fr/~cousot/COUSOTpapers.shtml

49th iEEE Conference on Decision and Control, Atlanta GA, Pre-Conference Workshop on Verification of Control Systems, Dec. 14, 2010 61 © P. Cousot