Model Checking
Lecture 5
Outline
1. Specifications: logic vs. automata, linear vs. branching, safety vs. liveness
2. Graph algorithms for model checking
3. Symbolic algorithms for model checking
4. Pushdown systems
From Finite to Infinite-State Systems
• So far: algorithms for systems with finite state spaces
• Sources of infinite state
  – Control: recursion
  – Data: unbounded numeric variables, lists
  – Time: systems with real-time clocks
  – Parameters: arbitrary number of participating processes
Decidability vs Expressiveness
• Unbounded state Undecidable
• Is the unbounded system able to encode a Turing machine?
  – Single-counter machines: NO
  – Two-counter machines: YES
  – Single-stack machines: NO
  – Two-stack machines: YES
State representation
• Explicit representation infeasible
• Symbolic representation is the key
  – For the transition system
  – For the reachable states
Pushdown systems
(G L g0 l0 )
g h G: finite set of control states
l m L: finite set of stack symbols
g0: initial control state
l0: initial stack symbol
set of transitions
Three kinds of transitions:
(g l) (h m) (step)
(g l) (h m n) (call)
(g l) (h ) (return)
[Figure: a configuration g l, and the stack before and after each kind of transition: g l and h m (step), g l and h n m (call), g l and h (return)]
Modeling sequential programs
• An element in G is a valuation to global variables
• An element in L is a valuation to local variables and
  – current instruction address for the frame at the top of the stack
  – return instruction address for the other frames
Example
bool a = F;
void main() {
L1: a = T;
L2: flip(a);
L3: }
void flip(bool x) {
L4: a = !x;
L5: }
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls L such that (g0 l0) (g ls)?
Naïve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
• R is unbounded, so the algorithm won't terminate
• Two solutions
  – Summary-based (aka interprocedural dataflow analysis)
  – Automata-based
Problem with the naïve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Algorithm I
Initially
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (h' m')
E(g l h' m')
Call rule
E(g l h m) (h m) (h' n'm')
E+(g l h' n'm') E(h' n' h' n')
Return rule
E(g l h m) (h m) (h' )
E-(g l h')
Summary rule
E+(g l h nm) E-(h n h')
E(g l h' m)
int g = 0;
main() {
L0: incr();
L1: g = 0;
L2: incr();
L3: }
incr() {
L4: g = g+1;
L5: }
E(0 L0 0 L0)
E+(0 L0 0 L4 L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4 L3)
E(0 L0 1 L3)
E-(0 L0 1)
int g = 0;
main() {
L0: if () {
L1:   foo(0);
    } else {
L2:   foo(1);
    }
L3: assert(g > 0);
L4: }
foo(r) {
L5: if (r == 0) {
L6:   foo(r);
    } else {
L7:   g = g + 1;
    }
L8: }
E(0 L0 0 L0)
E+(0 L0 0 L50 L3)
E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51 L3)
E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)
E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50 L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls such that (g0 l0) (g ls)?
Algorithm I: Summary-based
Yes, if E(g' l' g l) for some g', l' and l
No, otherwise
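Algorithm I run on the main/foo program above, as an added example that is not part of the original slides: the four rules are applied until nothing new is derived, and the edge sets come out as listed on the slide. Assumptions: the `ERR` control state that models a failed assert, the `foo_recurses` switch for a constructed variant in which L6 is a no-op, and all function names.

```python
"""Summary-based pushdown reachability: the slides' Algorithm I as a fixpoint."""

ERR = "ERR"  # assumption: control state entered when assert(g > 0) fails


def summarize(delta, g0, l0):
    """Saturate E, E+ and E- with the step, call, return and summary rules.

    delta(h, m) lists the transitions enabled in control state h with m on
    top of the stack as pairs (h2, word): one symbol is a step, two symbols
    (callee entry, return site) a call, the empty tuple a return.
    """
    E = {(g0, l0, g0, l0)}        # E(g l h m): (h, m) reached from entry (g, l)
    Eplus, Eminus = set(), set()  # E+(g l h n m) call edges, E-(g l h) pop edges
    while True:
        new_E, new_plus, new_minus = set(), set(), set()
        for (g, l, h, m) in E:
            for (h2, word) in delta(h, m):
                if len(word) == 1:                   # step rule
                    new_E.add((g, l, h2, word[0]))
                elif len(word) == 2:                 # call rule
                    new_plus.add((g, l, h2, word[0], word[1]))
                    new_E.add((h2, word[0], h2, word[0]))
                else:                                # return rule
                    new_minus.add((g, l, h2))
        for (g, l, h, n, m) in Eplus | new_plus:     # summary rule
            for (h1, n1, h2) in Eminus | new_minus:
                if (h1, n1) == (h, n):
                    new_E.add((g, l, h2, m))
        if new_E <= E and new_plus <= Eplus and new_minus <= Eminus:
            return E, Eplus, Eminus                  # fixpoint reached
        E |= new_E
        Eplus |= new_plus
        Eminus |= new_minus


def reachable(E, target):
    """The slides' answer: yes iff E(g' l' g l) holds for some g', l' and l."""
    return any(h == target for (_, _, h, _) in E)


def make_delta(foo_recurses=True):
    """Transitions of the main/foo program; 'L50' means pc L5 with r = 0.

    foo_recurses=False is a constructed variant in which L6 is a no-op.
    """
    def delta(g, top):
        if g == ERR:
            return []
        if top == "L0":                              # if (): either branch
            return [(g, ("L1",)), (g, ("L2",))]
        if top == "L1":                              # foo(0), return to L3
            return [(g, ("L50", "L3"))]
        if top == "L2":                              # foo(1), return to L3
            return [(g, ("L51", "L3"))]
        if top == "L3":                              # assert(g > 0)
            return [(g, ("L4",))] if g > 0 else [(ERR, ("L3",))]
        if top == "L4":
            return [(g, ())]
        pc, r = top[:2], top[2]                      # remaining symbols are foo's
        if pc == "L5":
            return [(g, (("L6" if r == "0" else "L7") + r,))]
        if pc == "L6":
            if foo_recurses:
                return [(g, ("L5" + r, "L8" + r))]   # foo(r), return to L8
            return [(g, ("L8" + r,))]
        if pc == "L7":
            return [(g + 1, ("L8" + r,))]            # g = g + 1
        return [(g, ())]                             # L8: return
    return delta


if __name__ == "__main__":
    E, Eplus, Eminus = summarize(make_delta(), 0, "L0")
    print(sorted(E), sorted(Eplus), sorted(Eminus), sep="\n")
    print("assert can fail:", reachable(E, ERR))
    E_variant, _, _ = summarize(make_delta(foo_recurses=False), 0, "L0")
    print("assert can fail without the recursion:", reachable(E_variant, ERR))
```

The fixpoint terminates even though foo(0) grows the stack without bound, which is exactly the case the naïve algorithm cannot handle.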
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
Key idea: Use a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)
- Q ( G) is the set of states
- L is the alphabet
- T is the transition relation
- G is the set of initial states
- F is the set of final states
[Figure: automaton with states g, h, s1, s2 and transitions labelled l and m]
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )
- G = g0 g1 g2
- L = l0 l1 l2
- (g0 l0) (g1 l1l0)
  (g1 l1) (g2 l2l0)
  (g2 l2) (g0 l1)
  (g0 l1) (g0 )
[Figure, built up over successive slides: automaton with states g0, g1, g2, s0, s11, s22 and transitions labelled l0, l1, l2]
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
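Algorithm II on the pushdown system above, as an added example that is not part of the original slides: the saturation used here is the standard post* construction, assumed to be what the slides' figure builds up, and the result is cross-checked against a depth-bounded explicit search. The names of the added automaton states, `EPS`, and all function names are assumptions.

```python
"""Automata-based pushdown reachability (post* saturation) for the example."""
from itertools import product

EPS = ""  # label of an epsilon transition (assumption: no stack symbol is "")

RULES = [  # ((p, top), (p2, word pushed in place of top)), as on the slide
    (("g0", "l0"), ("g1", ("l1", "l0"))),
    (("g1", "l1"), ("g2", ("l2", "l0"))),
    (("g2", "l2"), ("g0", ("l1",))),
    (("g0", "l1"), ("g0", ())),
]
CONTROLS = ("g0", "g1", "g2")
FINALS = {"s0"}


def post_star(rules, trans):
    """Saturate an automaton accepting a start set C until it accepts post*(C).

    trans holds (state, symbol, state) triples. Control states are the initial
    states and must have no incoming transitions, so epsilon edges only leave
    control states and one leading epsilon move is all a rule can need.
    """
    trans = set(trans)
    while True:
        new = set()
        for (p, a), (p2, word) in rules:
            firsts = {p} | {q for (s, x, q) in trans if s == p and x == EPS}
            for q in {q for (s, x, q) in trans if s in firsts and x == a}:
                if len(word) == 0:               # pop: p2 can stand where q is
                    new.add((p2, EPS, q))
                elif len(word) == 1:             # step
                    new.add((p2, word[0], q))
                else:                            # push: one state per (p2, top)
                    mid = ("s", p2, word[0])
                    new.add((p2, word[0], mid))
                    new.add((mid, word[1], q))
        if new <= trans:
            return trans
        trans |= new


def accepts(trans, finals, p, word):
    """True if configuration (p, word) is accepted; word[0] is the stack top."""
    def close(states):
        while True:
            more = {q for (s, x, q) in trans if s in states and x == EPS}
            if more <= states:
                return states
            states = states | more
    current = close({p})
    for a in word:
        current = close({q for (s, x, q) in trans if s in current and x == a})
    return bool(current & finals)


def explicit_reach(rules, start, max_depth):
    """The naive algorithm, cut off at stacks longer than max_depth."""
    seen, todo = {start}, [start]
    while todo:
        p, stack = todo.pop()
        for (q, a), (p2, word) in rules:
            if stack and (q, a) == (p, stack[0]):
                nxt = (p2, word + stack[1:])
                if len(nxt[1]) <= max_depth and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen


def agrees_with_search(trans, max_len=4, depth=8):
    """Compare the automaton with the bounded search on all short stacks."""
    found = explicit_reach(RULES, ("g0", ("l0",)), depth)
    for n in range(max_len + 1):
        for word in product(("l0", "l1", "l2"), repeat=n):
            for p in CONTROLS:
                if accepts(trans, FINALS, p, word) != ((p, word) in found):
                    return False
    return True


# Start set C = {(g0, l0)}: the single transition g0 --l0--> s0.
A = post_star(RULES, {("g0", "l0", "s0")})

if __name__ == "__main__":
    for t in sorted(A, key=str):
        print(t)
    print("matches bounded search:", agrees_with_search(A))
```

Eight transitions represent the infinite reachable set, and the self-loop on the state added for (g1, l1) is what produces the l0+ in the result above.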
State representation
• Explicit representation infeasible
• Symbolic representation is the key
  – For the transition system
  – For the reachable states
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols
g0 initial control state
l0 initial stack symbol
set of transitions
Three kinds of transitions
(g l) (h m) (step)
(g l) (h m n) (call)
(g l) (h ) (return)
Configuration g l
[Figure: stack diagrams for the three kinds of transitions]
Modeling sequential programs
• An element in G is a valuation to global variables
• An element in L is a valuation to local variables and
  – current instruction address for the frame at the top of the stack
  – return instruction address for the other frames
Example
bool a = F;
void main( ) {
L1:  a = T;
L2:  flip(a);
L3:
}
void flip(bool x) {
L4:  a = x;
L5:
}
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls L such that (g0 l0) (g ls)?
Naïve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
Problem with the naïve algorithm
• R is unbounded so algorithm won't terminate
• Two solutions
  – Summary-based (aka interprocedural dataflow analysis)
  – Automata-based
Algorithm I
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (h' m')
E(g l h' m')
Call rule
E(g l h m) (h m) (h' n'm')
E+(g l h' n'm') E(h' n' h' n')
Return rule
E(g l h m) (h m) (h' )
E-(g l h')
Summary rule
E+(g l h nm) E-(h n h')
E(g l h' m)
int g = 0;
main() {
L0:  incr();
L1:  g = 0;
L2:  incr();
L3:
}
incr() {
L4:  g = g+1;
L5:
}
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)
E(0 L0 1 L3)
E-(0 L0 1)
int g = 0;
main() {
L0:  if ()
L1:    foo(0);
     else
L2:    foo(1);
L3:  assert(g > 0);
L4:
}
foo(r) {
L5:  if (r = 0)
L6:    foo(r);
     else
L7:    g = g + 1;
L8:
}
E(0 L0 0 L0)
E+(0 L0 0 L50L3)
E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)
E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)
E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls such that (g0 l0) (g ls)?
Algorithm I: Summary-based
Yes if E(g' l' g l) for some g' l' and l
No otherwise
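
Algorithm I can be run mechanically on the main/foo program above. The following Python code is an added example, not code from the lecture: it reads each rule as premises followed by its conclusion, treats the blank `if ()` as a nondeterministic choice, writes a stack symbol of foo as the pair (pc, r) where the slides write L50 or L51, and introduces a hypothetical ERR symbol for a failed assert.

```python
from collections import deque

def foo_program(inc=1):
    """Pushdown rules for the page's main/foo program.

    Control state = value of global g; stack symbol = pc for main and
    (pc, r) for foo. inc=1 is the page's `g = g + 1`; inc=0 is a
    constructed buggy variant. "ERR" is a hypothetical failed-assert symbol.
    """
    rules = []
    for g in (0, 1):  # values of g this program can take at a rule source
        rules += [
            ("step", (g, "L0"), (g, "L1")),             # if (): either branch
            ("step", (g, "L0"), (g, "L2")),
            ("call", (g, "L1"), (g, ("L5", 0), "L3")),  # foo(0), resume at L3
            ("call", (g, "L2"), (g, ("L5", 1), "L3")),  # foo(1), resume at L3
            ("step", (g, "L3"), (g, "L4" if g > 0 else "ERR")),  # assert(g > 0)
            ("return", (g, "L4"), (g,)),
        ]
        for r in (0, 1):
            rules += [
                ("step", (g, ("L5", r)), (g, ("L6" if r == 0 else "L7", r))),
                ("call", (g, ("L6", r)), (g, ("L5", r), ("L8", r))),  # foo(r)
                ("step", (g, ("L7", r)), (g + inc, ("L8", r))),       # g = g + inc
                ("return", (g, ("L8", r)), (g,)),
            ]
    return rules

def summarize(rules, g0, l0):
    """Saturate E, E+ and E- with the step, call, return and summary rules."""
    step, call, ret = {}, {}, {}
    for kind, src, dst in rules:
        {"step": step, "call": call, "return": ret}[kind].setdefault(src, []).append(dst)

    E = set()       # (g, l, h, m): entry (g, l) reaches head (h, m) in the same frame
    Eplus = set()   # (g, l, h, n, m): entry (g, l) calls into (h, n), leaving m below
    Eminus = set()  # (g, l, h): entry (g, l) pops its frame in control state h
    work = deque()

    def add_E(edge):
        if edge not in E:
            E.add(edge)
            work.append(edge)

    add_E((g0, l0, g0, l0))                           # initially
    while work:
        g, l, h, m = work.popleft()
        for h2, m2 in step.get((h, m), ()):           # step rule
            add_E((g, l, h2, m2))
        for h2, n2, m2 in call.get((h, m), ()):       # call rule
            Eplus.add((g, l, h2, n2, m2))
            add_E((h2, n2, h2, n2))
            for a, b, h3 in list(Eminus):             # summary rule, pops seen earlier
                if (a, b) == (h2, n2):
                    add_E((g, l, h3, m2))
        for (h2,) in ret.get((h, m), ()):             # return rule
            if (g, l, h2) not in Eminus:
                Eminus.add((g, l, h2))
                for a, b, c, n, m2 in list(Eplus):    # summary rule, calls seen earlier
                    if (c, n) == (g, l):
                        add_E((a, b, h2, m2))
    return E, Eplus, Eminus

def control_state_reachable(E, target):
    """The page's answer: yes iff E(g', l', g, l) holds for some g', l' and l."""
    return any(h == target for (_, _, h, _) in E)

def assert_can_fail(rules):
    """True iff some summary edge reaches the hypothetical ERR symbol."""
    E, _, _ = summarize(rules, 0, "L0")
    return any(m == "ERR" for (_, _, _, m) in E)

if __name__ == "__main__":
    E, Eplus, Eminus = summarize(foo_program(), 0, "L0")
    print(len(E), "E edges,", len(Eplus), "E+ edges,", len(Eminus), "E- edges")
    print("assert can fail:", assert_can_fail(foo_program()))
    print("assert can fail with inc=0:", assert_can_fail(foo_program(inc=0)))
```

The saturation terminates even though foo(0) recurses forever, because the unbounded stack is never stored: only edges between an entry point and a head are.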
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (g' ls')
Add (g' ls') to R
Key idea: Use a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)
- Q ( G) is the set of states
- L is the alphabet
- T is the transition relation
- G is the set of initial states
- F is the set of final states
[Figure: example representation automaton over states g, h, s1, s2 with edges labelled l and m]
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Büchi): The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )
- G = g0 g1 g2
- L = l0 l1 l2
- (g0 l0) (g1 l1l0)
  (g1 l1) (g2 l2l0)
  (g2 l2) (g0 l1)
  (g0 l1) (g0 )
[Figure: the representation automaton built up step by step, starting from g0 with an l0 edge to s0, then adding states g1, g2, s11, s22 and further edges labelled l0, l1, l2]
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
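
The automaton construction animated above can be replayed in code. This Python example is added here and is not from the lecture: it uses the standard post* saturation procedure for pushdown systems, which the slides animate but do not spell out, reads the four listed pairs as transitions from (control state, top symbol) to (control state, pushed word), and reuses the slide's state names s0, s11 and s22.

```python
EPS = None  # label used for an epsilon transition

# The page's four transitions: (control, top symbol) -> (control, pushed word).
RULES = [
    (("g0", "l0"), ("g1", ("l1", "l0"))),
    (("g1", "l1"), ("g2", ("l2", "l0"))),
    (("g2", "l2"), ("g0", ("l1",))),
    (("g0", "l1"), ("g0", ())),
]

def reads(trans, state, sym):
    """States reached from `state` by reading `sym`, allowing one leading epsilon move."""
    starts = {state} | {q for (s, a, q) in trans if s == state and a is EPS}
    return {q for (s, a, q) in trans if s in starts and a == sym}

def post_star(rules, trans):
    """Saturate the automaton `trans` until it accepts every reachable configuration."""
    trans = set(trans)
    mid = {}
    for _, (p2, w) in rules:
        if len(w) == 2:
            # One fresh state per push rule; named s11 for (g1, l1) as on the slide.
            mid[(p2, w[0])] = "s" + p2[1:] + w[0][1:]
            trans.add((p2, w[0], mid[(p2, w[0])]))
    changed = True
    while changed:
        changed = False
        for (p, top), (p2, w) in rules:
            for q in reads(trans, p, top):
                if len(w) == 0:        # return: p2 continues with the rest of the stack
                    new = (p2, EPS, q)
                elif len(w) == 1:      # step: top symbol replaced
                    new = (p2, w[0], q)
                else:                  # call: w[1] sits below the new top w[0]
                    new = (mid[(p2, w[0])], w[1], q)
                if new not in trans:
                    trans.add(new)
                    changed = True
    return trans

def accepts(trans, finals, control, stack):
    """True iff the configuration (control, stack) is in the represented set."""
    cur = {control}
    for sym in stack:
        cur = {q for s in cur for q in reads(trans, s, sym)}
    cur |= {q for (s, a, q) in trans if s in cur and a is EPS}
    return bool(cur & finals)

if __name__ == "__main__":
    # Initial automaton for the single configuration (g0, l0): g0 --l0--> s0, s0 final.
    T = post_star(RULES, {("g0", "l0", "s0")})
    for t in sorted(T, key=str):
        print(t)
    print(accepts(T, {"s0"}, "g0", ["l1", "l0", "l0"]))
```

The saturated automaton accepts exactly the sets listed on the line above: for example (g1, l1 l0) is accepted and (g2, l2 l0) is not.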
Pushdown systems
(G L g0 l0 )
g h G finite set of control states
l m L finite set of stack symbols g0 initial control state l0 initial stack symbol set of transitions
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Three kinds of transitions(g l) (h m) (step)(g l) (h m n) (call)(g l) (h ) (return)
Configuration g l
g l h m g l
hnm
g l h
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Modeling sequential programs
bull An element in G is a valuation to global variables
bull An element in L is a valuation to local variables andndash current instruction address for the frame
at the top of the stackndash return instruction address for the other
frames
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Example
bool a = F
void main( ) L1 a = TL2 flip(a)L3
void flip(bool x) L4 a = xL5
(F )
(F _ L3)
(F _ L3 T L5)
(T _ L3 T L4)
(T _ L2)
(F _ L1)
(a x pc)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls L such that (g0 l0) (g ls)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Naiumlve algorithm
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
bull R is unbounded so algorithm wonrsquot terminate
bull Two solutionsndash Summary-based (aka interprocedural
dataflow analysis)ndash Automata-based
Problem with the naiumlve algorithm
E(g l h m) (step edges)
E+(g l h nm) (call edges)
E-(g l h) (pop edges)
Initially
Algorithm I
E(g0 l0 g0 l0)
E+ is empty
E- is empty
Step rule
E(g l h m) (h m) (hrsquo mrsquo)
E(g l hrsquo mrsquo)
Call rule
E(g l h m) (h m) (hrsquo nrsquomrsquo)
E+(g l hrsquo nrsquomrsquo) E(hrsquo nrsquo hrsquo nrsquo)
Return rule
E(g l h m) (h m) (hrsquo )
E-(g l hrsquo)
Summary rule
E+(g l h nm) E-(h n hrsquo)
E(g l hrsquo m)
int g = 0
main() L0 incr()L1 g = 0L2 incr()L3
incr() L4 g = g+1L5
E(0 L0 0 L0)
E+(0 L0 0 L4L1)
E(0 L4 0 L4)
E(0 L4 1 L5)
E-(0 L4 1)
E(0 L0 1 L1)
E(0 L0 0 L2)
E+(0 L0 0 L4L3)E(0 L0 1 L3)
E-(0 L0 1)
int g = 0
main() L0 if () L1 foo(0) else L2 foo(1)L3 assert(g gt 0)L4
foo(r) L5 if (r = 0) L6 foo(r) else L7 g = g + 1L8
E(0 L0 0 L0)
E+(0 L0 0 L50L3)E(0 L50 0 L50)
E(0 L50 0 L60)
E(0 L0 0 L1)
E(0 L0 0 L2)
E+(0 L0 0 L51L3)E(0 L51 0 L51)
E(0 L51 0 L71)
E(0 L51 1 L81)
E-(0 L51 1)E(0 L0 1 L3)
E(0 L0 1 L4)
E-(0 L0 1)
E+(0 L50 0 L50L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g does there exist a stack ls such that (g0 l0) (g ls)
Algorithm I Summary-based
Yes if E(grsquo lrsquo g l) for some grsquo lrsquo and lNo otherwise
Algorithm II
Add (g0 l0) to R
(g ls) R (g ls) (grsquo lsrsquo)
Add (grsquo lsrsquo) to R
Key ideaUse a finite automaton to symbolically represent R
Symbolic representation
Pushdown system (G L g0 l0 )
Representation automaton (Q L T G F)- Q ( G) is the set of states- L is the alphabet- T is the transition relation- G is the set of initial states- F is the set of final states
g s1 s2l l
m
h
m
Represents the set of configurations (h m) (g l m l)
A set C of configurations is regular if it is representable by an automaton
Theorem (Buchi) The set of configurations reachable from a regular set is also regular
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Algorithm I
E(g, l, h, m) (step edges)
E+(g, l, h, n m) (call edges)
E-(g, l, h) (pop edges)
Initially
E(g0, l0, g0, l0)
E+ is empty
E- is empty
Step rule
E(g, l, h, m)    (h, m) → (h', m')
----------------------------------
E(g, l, h', m')
Call rule
E(g, l, h, m)    (h, m) → (h', n' m')
-------------------------------------
E+(g, l, h', n' m')    E(h', n', h', n')
Return rule
E(g, l, h, m)    (h, m) → (h', ε)
---------------------------------
E-(g, l, h')
Summary rule
E+(g, l, h, n m)    E-(h, n, h')
--------------------------------
E(g, l, h', m)
int g = 0;
main() { L0: incr(); L1: g = 0; L2: incr(); L3: }
incr() { L4: g = g+1; L5: }
E(0, L0, 0, L0)
E+(0, L0, 0, L4 L1)
E(0, L4, 0, L4)
E(0, L4, 1, L5)
E-(0, L4, 1)
E(0, L0, 1, L1)
E(0, L0, 0, L2)
E+(0, L0, 0, L4 L3)
E(0, L0, 1, L3)
E-(0, L0, 1)
int g = 0;
main() { L0: if (*) L1: foo(0); else L2: foo(1); L3: assert(g > 0); L4: }
foo(r) { L5: if (r == 0) L6: foo(r); else L7: g = g + 1; L8: }
E(0, L0, 0, L0)
E+(0, L0, 0, L50 L3)
E(0, L50, 0, L50)
E(0, L50, 0, L60)
E(0, L0, 0, L1)
E(0, L0, 0, L2)
E+(0, L0, 0, L51 L3)
E(0, L51, 0, L51)
E(0, L51, 0, L71)
E(0, L51, 1, L81)
E-(0, L51, 1)
E(0, L0, 1, L3)
E(0, L0, 1, L4)
E-(0, L0, 1)
E+(0, L50, 0, L50 L80)
Reachability problem
Given pushdown system (G L g0 l0 ) and control state g, does there exist a stack ls such that (g0, l0) →* (g, ls)?
Algorithm I: Summary-based
Yes if E(g', l', g, l) for some g', l' and l
No otherwise
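The four rules of Algorithm I can be run to a fixpoint and compared with the edge lists on the slides. This is an added example, not code from the lecture: the `delta` encoding of the two programs, the function names, and reading the assert as a check on the computed E edges are assumptions. Stack symbols follow the slides, so "L50" is label L5 with local r = 0.

```python
def summaries(delta, g0, l0):
    """Saturate E (step), E+ (call) and E- (pop) edges with the four rules.

    delta(h, m) lists the moves from global state h with m on top of the stack as
    (h2, word): word has 1 symbol for a step, 2 (callee entry, return point) for a
    call and 0 for a return. Terminates only if finitely many (h, m) pairs arise.
    """
    E, calls, rets = {(g0, l0, g0, l0)}, set(), set()
    while True:
        before = len(E) + len(calls) + len(rets)
        for g, l, h, m in list(E):
            for h2, word in delta(h, m):
                if len(word) == 1:                          # step rule
                    E.add((g, l, h2, word[0]))
                elif len(word) == 2:                        # call rule
                    calls.add((g, l, h2, word[0], word[1]))
                    E.add((h2, word[0], h2, word[0]))
                else:                                       # return rule
                    rets.add((g, l, h2))
        for g, l, h, n, m in calls:                         # summary rule
            for h1, n1, h2 in rets:
                if (h1, n1) == (h, n):
                    E.add((g, l, h2, m))
        if len(E) + len(calls) + len(rets) == before:
            return E, calls, rets

def incr_program(g, sym):
    """The page's first program: main calls incr() twice, resetting g in between."""
    return {
        "L0": [(g, ("L4", "L1"))],    # L0: incr()
        "L1": [(0, ("L2",))],         # L1: g = 0
        "L2": [(g, ("L4", "L3"))],    # L2: incr()
        "L3": [(g, ())],              # main returns
        "L4": [(g + 1, ("L5",))],     # L4: g = g + 1
        "L5": [(g, ())],              # incr returns
    }[sym]

def foo_program(g, sym):
    """The page's second program; foo(0) recurses forever, foo(1) increments g."""
    label, r = sym[:2], sym[2:]       # r is "" in main's frames
    if label == "L0":
        return [(g, ("L1",)), (g, ("L2",))]                  # if (*)
    if label == "L1":
        return [(g, ("L50", "L3"))]                          # foo(0)
    if label == "L2":
        return [(g, ("L51", "L3"))]                          # foo(1)
    if label == "L3":
        return [(g, ("L4",))]                                # assert site
    if label == "L5":
        return [(g, ("L6" + r if r == "0" else "L7" + r,))]  # if (r == 0)
    if label == "L6":
        return [(g, ("L5" + r, "L8" + r))]                   # foo(r)
    if label == "L7":
        return [(g + 1, ("L8" + r,))]                        # g = g + 1
    if label in ("L4", "L8"):
        return [(g, ())]                                     # procedure returns
    raise ValueError(sym)

def control_reachable(E, g):
    """Algorithm I's answer: g is reachable iff some E(g', l', g, l) exists."""
    return any(h == g for _, _, h, _ in E)

def assertion_holds(E, label, predicate):
    """True if `predicate` holds of the global on every arrival at `label`."""
    return all(predicate(h) for _, _, h, m in E if m == label)
```

On the second program the fixpoint is reached after ten E edges even though the `foo(0)` branch never returns, and the only edge arriving at L3 carries g = 1, so `assert(g > 0)` cannot fail.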
Algorithm II
Add (g0, l0) to R
(g, ls) ∈ R    (g, ls) → (g', ls')
----------------------------------
Add (g', ls') to R
Key idea: Use a finite automaton to symbolically represent R
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)
Pushdown system
(G L g0 l0 )- G = g0 g1 g2- L = l0 l1 l2- (g0 l0) (g1 l1l0) (g1 l1) (g2 l2l0) (g2 l2) (g0 l1) (g0 l1) (g0 )
g0
l0 s0
g1
g2
s11
l0
l1
s22l2
l0
l1
l0
(g0 l0 l0l0+ l1l0l0+) (g1 l1l0+) (g2 l2l0l0+)