Data Flow Analysis of Asynchronous Systems using Infinite Abstract Domains
Snigdha Athaiya (✉), Raghavan Komondoor, and K. Narayan Kumar

Indian Institute of Science, Bengaluru, India ({snigdha,raghavan}@iisc.ac.in); Chennai Mathematical Institute, Chennai, India ([email protected])
Abstract.
Asynchronous message-passing systems are employed frequently to implement distributed mechanisms, protocols, and processes. This paper addresses the problem of precise data flow analysis for such systems. To obtain good precision, data flow analysis needs to somehow skip execution paths that read more messages than the number of messages sent so far in the path, as such paths are infeasible at run time. Existing data flow analysis techniques do elide a subset of such infeasible paths, but have the restriction that they admit only finite abstract analysis domains. In this paper we propose a generalization of these approaches to admit infinite abstract analysis domains, as such domains are commonly used in practice to obtain high precision. We have implemented our approach, and have analyzed its performance on a set of 14 benchmarks. On these benchmarks our tool obtains significantly higher precision compared to a baseline approach that does not elide any infeasible paths, and to another baseline that elides infeasible paths but admits only finite abstract domains.
Keywords:
Data Flow Analysis · Message-passing systems.
1 Introduction

Distributed software that communicates by asynchronous message passing is a very important software paradigm in today's world. It is employed in varied domains, such as distributed protocols and workflows, event-driven systems, and UI-based systems. Popular languages used in this domain include Go (https://golang.org/), Akka (https://akka.io/), and P (https://github.com/p-org).

Analysis and verification of asynchronous systems is an important problem, and poses a rich set of challenges. The research community has historically focused on a variety of approaches to tackle this overall problem, such as model checking and systematic concurrency testing [24,12], formal verification to check properties such as reachability or coverability of states [40,3,2,20,17,30,18,1], and data flow analysis [28].

Data flow analysis [31,29] is a specific type of verification technique that propagates values from an abstract domain while accounting for all paths in a program. It can hence be used to check whether a property or assertion always holds. The existing verification and data flow analysis approaches mentioned earlier have a major limitation, which is that they admit only finite abstract domains. This, in general, limits the classes of properties that can be successfully verified. On the other hand, data flow analysis of sequential programs using infinite abstract domains, e.g., constant propagation [31], interval analysis [11], and octagons [43], is a well-developed area, and is routinely employed in verification settings. In this paper we seek to bridge this fundamental gap, and develop a precise data flow analysis framework for message-passing asynchronous systems that admits infinite abstract domains.

1:  max := process number; send ⟨1, max⟩
2:  Process is in active mode
3:  while true do
4:    if process is in passive mode then
5:      receive a mesg and send this same mesg
6:    else if message ⟨1, i⟩ arrives then
7:      if i ≠ max then
8:        Send message ⟨2, i⟩; left := i
9:      else
10:       Declare max as the global maximum
11:       nr_leaders++; assert(nr_leaders = 1)
12:   else if message ⟨2, j⟩ arrives then
13:     if left > j and left > max then
14:       max := left
15:       Send message ⟨1, max⟩
16:     else
17:       Process enters passive mode

Fig. 1. Pseudo-code of each process in leader election, and a partial run (the run diagram is not reproduced here)
To motivate our work we use a benchmark program in the Promela language [24] (file assertion.leader.prm from ∼albl/promela-models.zip) that implements a leader election protocol [16]. In the protocol there is a ring of processes, and each process has a unique number. The objective is to discover the "leader", which is the process with the maximum number. The pseudo-code of each process in the protocol is shown in the left side of Figure 1. Each process has its own copy of local variables max and left, whereas nr_leaders is a global variable that is common to all the processes (its initial value is zero). Each process sends messages to the next process in the ring via an unbounded FIFO channel. Each process becomes "ready" whenever a message is available for it to receive, and at any step of the protocol any one ready process (chosen non-deterministically) executes one iteration of its "while" loop. (We formalize these execution rules in a more general fashion in Section 2.1.) The messages are 2-tuples ⟨x, i⟩, where x can be 1 or 2, and 1 ≤ i ≤ max. The right side of Figure 1 shows a snapshot at an intermediate point during a run of the protocol. Each dashed arrow between two nodes represents a send of a message and a (completed) receipt of the same message. The block arrow depicts the channel from Process 2 to Process 1, which happens to contain three sent (but still unreceived) messages.

It is notable that in any run of the protocol, Lines 10-11 happen to get executed only by the actual leader process, and that too, exactly once. Hence, the assertion never fails. The argument for this claim is not straightforward, and we refer the reader to the paper [16] for the details.

Data flow analysis could be used to verify the assertion in the example above, e.g., using the Constant Propagation (CP) abstract domain. This analysis determines at each program point whether each variable has a fixed value, and if yes, the value itself, across all runs that reach the point. In the example in Figure 1, all actual runs of the system that happen to reach Line 10 come there with value zero for the global variable nr_leaders.

A challenge for data flow analysis on message-passing systems is that there may exist infeasible paths in the system. These are paths with more receives of a certain message than the number of copies of this message that have been sent so far in the path. For instance, consider the path that consists of two back-to-back iterations of the "while" loop by the leader process, both times through Lines 3, 6, 9-11. This path is not feasible, due to the impossibility of having two copies of the message ⟨1, max⟩ in the input channel [16]. The second iteration would bring the value 1 for nr_leaders at Line 10, thus inferring a non-constant value, and hence declaring the assertion as failing (which would be a false positive).

Hence, it is imperative in the interest of precision for any data flow analysis or verification approach to track the channel contents as part of the exploration of the state space. Tracking the contents of unbounded channels precisely is known to be undecidable even when solving problems such as reachability and coverability (which are simpler than data flow analysis). Hence, existing approaches either bound the channels (which in general causes unsoundness), or use sound abstractions such as unordered channels (also known as the Petri net or VASS abstraction) or lossy channels. Such abstractions suffice to elide a subset of infeasible paths. In our running example, the unordered channel abstraction happens to suffice to elide the infeasible paths that could contribute to a false positive at the point of the assertion. However, the analysis would need to use an abstract domain such as CP to track the values of integer variables. This is an infinite domain (due to the infinite number of integers). The most closely related previous data flow analysis approach for distributed systems [28] does use the unordered channel abstraction, but does not admit infinite abstract domains, and hence cannot verify assertions such as the one in the example above.
This paper is the first one, to the best of our knowledge, to propose an approach for data flow analysis for asynchronous message-passing systems that (a) admits infinite abstract domains, (b) uses a reasonably precise channel abstraction among the ones known in the literature (namely, the unordered channels abstraction), and (c) computes the maximally precise results possible under the selected channel abstraction. Every other approach we are aware of exhibits a strict subset of the three attributes listed above. It is notable that previous approaches do tackle the infinite state space induced by the unbounded channel contents. However, they either do not reason about variable values at all, or only allow variables that are based on finite domains.

Our primary contribution is an approach that we call Backward DFAS. This approach is maximally precise, and admits a class of infinite abstract domains. This class includes well-known examples such as Linear Constant Propagation (LCP) [50] and Affine Relationships Analysis (ARA) [45], but does not include the full CP analysis. We also propose another approach, which we call Forward DFAS, which admits a broader class of abstract domains, but is not guaranteed to be maximally precise on all programs.

We describe a prototype implementation of both our approaches. On a set of 14 real benchmarks, which are small but involve many complex idioms and paths, our tool verifies approximately 50% more assertions than our implementation of the baseline approach [28].

The rest of the paper is structured as follows. Section 2 covers the background and notation that will be assumed throughout the paper. We present the Backward DFAS approach in Section 3, and the Forward DFAS approach in Section 4. Section 5 discusses our implementation and evaluation. Section 6 discusses related work, and Section 7 concludes the paper.
2 Background and Notation

Vector addition systems with states, or VASS [26], are a popular modeling technique for distributed systems. We begin this section by defining an extension of VASS, which we call a VASS-Control Flow Graph, or VCFG.

Definition 1. A VASS-Control Flow Graph or VCFG G is a graph, and is described by the tuple ⟨Q, δ, r, q0, V, π, θ⟩, where Q is a finite set of nodes, δ ⊆ Q × Q is a finite set of edges, r ∈ ℕ, q0 is the start node, V is a set of variables or memory locations, π : δ → A maps each edge to an action, where A ≡ ((V → ℤ) → (V → ℤ)), and θ : δ → ℤ^r maps each edge to a vector in ℤ^r.

For any edge e = (q1, q2) ∈ δ, if π(e) = a and θ(e) = w, then a is called the action of e and w is called the queuing vector of e. This edge is depicted as q1 --a,w--> q2. The variables and the actions are the only additional features of a VCFG over VASS.

A configuration of a VCFG is a tuple ⟨q, c, ξ⟩, where q ∈ Q, c ∈ ℕ^r, and ξ ∈ (V → ℤ). The initial configuration of a VCFG is ⟨q0, 0⃗, ξ0⟩, where 0⃗ is the vector of r zeroes, and ξ0 is a given initial valuation for the variables. The VCFG can be said to have r counters. The vector c in each configuration can be thought of as a valuation of the counters. The transitions between VCFG configurations are according to the rule below:

  e = (q1, q2), e ∈ δ, π(e) = a, θ(e) = w, a(ξ1) = ξ2, c1 + w = c2, c2 ≥ 0⃗
  -----------------------------------------------------------------------
                     ⟨q1, c1, ξ1⟩ ⇒e ⟨q2, c2, ξ2⟩

2.1 Modeling Asynchronous Systems as VCFGs

Asynchronous systems are composed of a finite number of independently executing processes that communicate with each other by passing messages along FIFO channels. The processes may have local variables, and there may exist shared (or global) variables as well. For simplicity of presentation we assume all variables are global.

Fig. 2. (a) Asynchronous system with two processes, (b) its VCFG model
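As an illustration (ours, not part of the paper's formalism), the transition rule can be read as the following single-step function; all names are hypothetical:

```python
# A minimal sketch (not from the paper) of the VCFG transition rule: an edge
# can fire only if the updated counter vector stays non-negative.

def step(config, edge):
    """config = (node, counters, valuation); edge = (src, dst, action, w)."""
    node, counters, valuation = config
    src, dst, action, w = edge
    if node != src:
        return None                       # edge does not leave the current node
    new_counters = [c + d for c, d in zip(counters, w)]
    if any(c < 0 for c in new_counters):  # a receive on an "empty" counter blocks
        return None
    return (dst, new_counters, action(valuation))

# An edge that sends one message (counter 0) and increments variable x:
edge = ("q1", "q2", lambda xi: {**xi, "x": xi["x"] + 1}, [1, 0])
print(step(("q1", [0, 0], {"x": 0}), edge))   # ('q2', [1, 0], {'x': 1})
```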
Figure 2(a) shows a simple asynchronous system with two processes. In this system there are two channels, c1 and c2, and a message alphabet consisting of two elements, m1 and m2. The semantics we assume for message-passing systems is the same as what is used by the tool Spin [24]. A configuration of the system consists of the current control states of all the processes, the contents of all the channels, and the values of all the variables. A single transition of the system consists of a transition of one of the processes from its current control state to a successor control state, accompanied by the corresponding queuing operation or variable-update action. A transition labeled c!m can be taken unconditionally, and results in 'm' being appended to the tail of the channel 'c'. A transition labeled c?m can be taken only if an instance of 'm' is available at the head of 'c', and results in this instance getting removed from 'c'. (Note: based on the context, we overload the term "message" to mean either an element of the message alphabet, or an instance of a message-alphabet element in a channel at run time.)

Asynchronous systems can be modeled as VCFGs, and our approach performs data flow analysis on VCFGs. We now illustrate how an asynchronous system can be modeled as a VCFG. We assume a fixed number of processes in the system. We do this illustration using the example VCFG in Figure 2(b), which models the system in Figure 2(a). Each node of the VCFG represents a tuple of control states of the processes, while each edge corresponds to a transition of the system. The action of a VCFG edge is identical to the action that labels the corresponding process transition ("id" in Figure 2(b) represents the identity action). The VCFG has as many counters as the number of unique pairs (ci, mj) such that the operation ci!mj is performed by any process. If an edge e in the VCFG corresponds to a send transition ci!mj of the system, then e's queuing vector has a +1 for the counter corresponding to (ci, mj) and a zero for all the other counters. Analogously, a receive operation gets modeled as a −1 in the queuing vector. In Figure 2(b), the first counter is for (c1, m1) while the second counter is for (c2, m2). Note that the +1 and −1 encoding (which is inherited from VASS) effectively causes FIFO channels to be treated as unordered channels.

When each process can invoke procedures as part of its execution, such systems can be modeled using inter-procedural VCFGs, or iVCFGs. These are extensions of VCFGs just as standard inter-procedural control-flow graphs are extensions of control-flow graphs. Constructing an iVCFG for a given system is straightforward, under a restriction that at most one of the processes in the system can be executing a procedure other than its main procedure at any time. This restriction is also present in other related work [28,4].
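A small sketch (ours) of this encoding, with the (channel, message) pairs of Figure 2 hard-coded for illustration:

```python
# How send/receive operations become queuing vectors, with one counter per
# (channel, message) pair; the pairs below are those of Figure 2.

pairs = [("c1", "m1"), ("c2", "m2")]
index = {pair: i for i, pair in enumerate(pairs)}

def queuing_vector(op, channel, message):
    w = [0] * len(pairs)
    w[index[(channel, message)]] = 1 if op == "send" else -1
    return w

print(queuing_vector("send", "c1", "m1"))      # [1, 0]
print(queuing_vector("receive", "c2", "m2"))   # [0, -1]
# The +1/-1 counting keeps only message multiplicities, which is exactly why
# FIFO channels end up being treated as unordered channels.
```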
2.2 The Data Flow Analysis Problem

Data flow analysis is based on a given complete lattice L, which serves as the abstract domain. As a prerequisite step before we can perform our data flow analysis on iVCFGs, we first consider each edge v --a,w--> v′ in each procedure in the iVCFG, and replace the (concrete) action a with an abstract action f, where f : L → L is a given abstract transfer function that conservatively over-approximates [11] the behavior of the concrete action a.

Let p be a path in an iVCFG, let p0 be the first node in the path, and let ξi be a valuation of the variables at the beginning of p. The path p is said to be feasible if, starting from the configuration ⟨p0, 0⃗, ξi⟩, the configuration ⟨q, d, ξ⟩ obtained at each successive point in the path is such that d ≥ 0⃗, with successive configurations along the path being generated as per the rule for transitions among VCFG configurations that was given before Section 2.1. For any path p = e1 e2 ... ek of an iVCFG, we define its path transfer function ptf(p) as f_ek ∘ f_ek−1 ∘ ... ∘ f_e1, where f_e is the abstract action associated with edge e.

Fig. 3. Example iVCFG
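The feasibility condition can be checked by simply replaying a path's queuing vectors, as in this sketch (ours):

```python
# A path is feasible iff no prefix of it drives any counter negative when
# started from the zero counter vector.

def is_feasible(path_vectors):
    """path_vectors: the queuing vectors of the path's edges, in order."""
    counters = [0] * len(path_vectors[0])
    for w in path_vectors:
        counters = [c + d for c, d in zip(counters, w)]
        if any(c < 0 for c in counters):
            return False
    return True

print(is_feasible([[1], [-1]]))        # True: one send, then one receive
print(is_feasible([[1], [-1], [-1]]))  # False: second receive has no message
```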
The standard data flow analysis problem for sequential programs is to compute the join-over-all-paths (JOP) solution. Our problem statement is to compute the join-over-all-feasible-paths (JOFP) solution for iVCFGs. Formally stated, if start is the entry node of the "main" procedure of the iVCFG, given any node target in any procedure of the iVCFG, and an "entry" value d0 ∈ L at start such that d0 conservatively over-approximates the initial valuation ξ0, we wish to compute the JOFP value at target as defined by the following expression:

  ⊔ { (ptf(p))(d0) | p is a feasible and interprocedurally valid path in the iVCFG from start to target }

Intuitively, due to the unordered channel abstraction, every run of the system corresponds to a feasible path in the iVCFG, but not vice versa. Hence, the JOFP solution above is guaranteed to conservatively over-approximate the JOP solution on the runs of the system (which is not computable in general).

3 The Backward DFAS Approach

In this section we present our key contribution – the Backward DFAS (Data Flow Analysis of Asynchronous Systems) algorithm – an interprocedural algorithm that computes the precise JOFP at any given node of the iVCFG.

We begin by presenting a running example, which is the iVCFG with two procedures depicted in Figure 3. There is only one channel and one message in the message alphabet in this example, and hence the queuing vectors associated with the edges are of size 1. The edges without vectors are implicitly associated with zero vectors. The actions associated with edges are represented in the form of assignment statements. The edges without assignment statements next to them have identity actions. The upper part of Figure 3, consisting of nodes a, b, p, q, h, i, j, k, l, is the VCFG of the "main" procedure. The remaining nodes constitute the VCFG of the (tail) recursive procedure foo. The solid edges are intra-procedural edges, while dashed edges are inter-procedural edges.

Throughout this section we use Linear Constant Propagation (LCP) [50] as our example data flow analysis. LCP, like CP, aims to identify the variables that have constant values at any given location in the system. LCP is based on the same infinite domain as CP; i.e., each abstract domain element is a mapping from variables to (integer) values. The "⊒" relation for the LCP lattice is also defined in the same way as for CP. The encoding of the transfer functions in LCP is as follows. Each edge (resp. path) maps the outgoing value of each variable to either a constant, or to a linear expression in the incoming value of at most one variable into the edge (resp. path), or to a special symbol ⊤ that indicates an unknown outgoing value. For instance, for the edge g → m in Figure 3, its transfer function can be represented symbolically as (t′=t, x′=x+1, y′=y, z′=z), where the primed versions represent outgoing values and unprimed versions represent incoming values.

Say we wish to compute the JOFP at node k. The only feasible paths that reach node k are the ones that attain calling-depth of three or more in the procedure foo, and hence encounter at least three send operations, which are required to clear the three receive operations encountered from node h to node k. All such paths happen to bring the constant values (t = 1, z = 1) to node k. Hence, (t = 1, z = 1) is the precise JOFP result at node k. However, infeasible paths, if not elided, can introduce imprecision. For instance, the path that directly goes from node c to node o in the outermost call to the procedure foo (this path is of calling-depth zero) brings values of zero for all four variables, and would hence prevent the precise fact (t = 1, z = 1) from being inferred.
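To make the encoding concrete, here is a small sketch (ours, one plausible realization rather than the paper's implementation) of LCP transfer functions and their composition; each variable maps to a constant, a triple (a, v, b) denoting a·v + b, or ⊤:

```python
# Symbolic LCP transfer functions: var -> constant | (a, v, b) | TOP.
# Composition stays within this representation, which is what keeps the
# LCP transfer-function lattice of finite height.

TOP = "top"

def compose(inner, outer):
    """Apply `inner` first, then `outer`."""
    result = {}
    for var, rhs in outer.items():
        if rhs == TOP or not isinstance(rhs, tuple):
            result[var] = rhs                  # TOP or constant passes through
        else:
            a, v, b = rhs                      # outer says: var' = a*v + b
            prev = inner[v]
            if prev == TOP:
                result[var] = TOP
            elif isinstance(prev, tuple):
                a2, v2, b2 = prev              # inner says: v = a2*v2 + b2
                result[var] = (a * a2, v2, a * b2 + b)
            else:
                result[var] = a * prev + b     # constant folds through
    return result

# Edge g -> m in Figure 3: (t'=t, x'=x+1, y'=y, z'=z), composed with itself:
f = {"t": (1, "t", 0), "x": (1, "x", 1), "y": (1, "y", 0), "z": (1, "z", 0)}
print(compose(f, f)["x"])   # (1, 'x', 2), i.e. x' = x + 2
```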
3.1 Assumptions and Terminology

The set of all L → L transfer functions clearly forms a complete lattice based on the following ordering: f1 ⊒ f2 iff for all d ∈ L, f1(d) ⊒ f2(d). Backward DFAS makes a few assumptions on this lattice of transfer functions. The first is that this lattice be of finite height; i.e., all strictly ascending chains of elements in this lattice are finite (although no a priori bound on the sizes of these chains is required). The second is that a representation of transfer functions is available, as are operators to compose, join, and compare transfer functions. Note that the two assumptions above are also made by the classical "functional" inter-procedural approach of Sharir and Pnueli [54]. Thirdly, we need distributivity, as defined below: for any f1, f2, f3 ∈ L → L, (f1 ⊔ f2) ∘ f3 = (f1 ∘ f3) ⊔ (f2 ∘ f3). The distributivity assumption is required only if the given system contains recursive procedure calls.

Linear Constant Propagation (LCP) [50] and Affine Relationships Analysis (ARA) [45] are well-known examples of analyses based on infinite abstract domains that satisfy all of the assumptions listed above. Note that the CP transfer-functions lattice is not of finite height. Despite the LCP abstract domain being the same as the CP abstract domain, the encoding chosen for LCP transfer functions (which was mentioned above) ensures that LCP uses a strict, finite-height subset of the full CP transfer-functions lattice that is closed under the join and function composition operations. The trade-off is that LCP transfer functions for assignment statements whose RHS is not a linear expression, and for conditionals, are less precise than the corresponding CP transfer functions.

Our final assumption is that procedures other than "main" may send messages, but should not have any "receive" operations. Previous approaches that have addressed data flow analysis or verification problems for asynchronous systems with recursive procedures also have the same restriction [53,28,18].

We now introduce important terminology. The demand of a given path p in the VCFG is a vector of size r, and is defined as follows:

  demand(p) = max(0⃗ − w, 0⃗),           if p = (v --f,w--> z)
  demand(p) = max(demand(p′) − w, 0⃗),   if p = e.p′, where e ≡ (v --f,w--> z)

Intuitively, the demand of a path p is the minimum required vector of counter values in any starting configuration at the entry of the path for there to exist a sequence of transitions among configurations that manages to traverse the entire path (following the rule given before Section 2.1). It is easy to see that a path p is feasible iff demand(p) = 0⃗.

A set of paths C is said to cover a path p iff: (a) all paths in C have the same start and end nodes (respectively) as p, (b) for each p′ ∈ C, demand(p′) ≤ demand(p), and (c) (⊔_{p′ ∈ C} ptf(p′)) ⊒ ptf(p). (Regarding (b), any binary vector operation in this paper is defined as applying the same operation on every pair of corresponding entries, i.e., point-wise.)

A path template (p1, p2, ..., pn) of any procedure Fi is a sequence of paths in the VCFG of Fi such that: (a) path p1 begins at the entry node en_Fi of Fi and path pn ends at the return node ex_Fi of Fi, (b) for all pi, 1 ≤ i < n, pi ends at a call-site node, and (c) for all pi, 1 < i ≤ n, pi begins at a return-site node v_r^i, such that v_r^i corresponds to the call-site node v_c^{i−1} at which p_{i−1} ends.
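The recursive definition of demand folds backwards over a path; a minimal sketch (ours):

```python
# demand is computed edge by edge from the end of the path to its start,
# and is clamped at zero in each component.

def demand(path_vectors):
    """path_vectors: the queuing vectors of the path's edges, in path order."""
    d = [0] * len(path_vectors[0])
    for w in reversed(path_vectors):
        d = [max(di - wi, 0) for di, wi in zip(d, w)]
    return d

# One send followed by three receives: the path still demands two messages.
print(demand([[1], [-1], [-1], [-1]]))  # [2]
# A path is feasible iff its demand is the zero vector.
print(demand([[1], [-1]]))              # [0]
```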
3.2 Overview of the Approach

At a high level, Backward DFAS works by growing paths in the backward direction, a single edge at a time, starting from the target node (node k in our example in Figure 3). Every time this process results in a path reaching the start node (node a in our example), and the path is feasible, the approach simply transfers the entry value d0 via this path to the target node. The main challenge is that due to the presence of cycles and recursion, there are an infinite number of feasible paths in general. In this subsection we present a set of lemmas that embody our intuition on how a finite subset of the set of all paths can be enumerated such that the join of the values brought by these paths is equal to the JOFP. We then present our complete approach in Section 3.3.

Demand Coverage Lemma: Let p2 and p2′ be two paths from a node vi to a node vj such that demand(p2′) ≤ demand(p2). If p1 is any path ending at vi, then demand(p1.p2′) ≤ demand(p1.p2). □

This lemma can be argued using induction on the length of path p1. A similar observation has been used to solve coverability of lossy channels and well-structured transition systems in general [3,17,2]. An important corollary of this lemma is that for any two paths p2′ and p2 from vi to vj such that demand(p2′) ≤ demand(p2), if there exists a path p1 ending at vi such that p1.p2 is feasible, then p1.p2′ is also feasible.

Function Coverage Lemma: Let p2 be a path from a node vi to a node vj, and P be a set of paths from vi to vj such that (⊔_{p′ ∈ P} ptf(p′)) ⊒ ptf(p2). Let p1 be any path ending at vi and p3 be any path beginning at vj. Under the distributivity assumption stated in Section 3.1, the following property holds: (⊔_{p′ ∈ P} ptf(p1.p′.p3)) ⊒ ptf(p1.p2.p3). □

The following result follows from the Demand and Function Coverage Lemmas and from the monotonicity of the transfer functions:
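As an aside, the Demand Coverage Lemma is easy to sanity-check empirically with the demand computation sketched earlier (an illustration, not a proof):

```python
# Randomized check of the Demand Coverage Lemma on single-counter paths;
# demand() is redefined here so the snippet is self-contained.
import random

def demand(vs):
    d = [0]
    for w in reversed(vs):
        d = [max(di - wi, 0) for di, wi in zip(d, w)]
    return d

random.seed(1)
for _ in range(1000):
    p2  = [[random.randint(-2, 2)] for _ in range(4)]
    p2c = [[random.randint(-2, 2)] for _ in range(4)]   # candidate p2'
    p1  = [[random.randint(-2, 2)] for _ in range(4)]
    if demand(p2c) <= demand(p2):
        # prepending the same prefix preserves the demand ordering
        assert demand(p1 + p2c) <= demand(p1 + p2)
print("lemma held on all sampled paths")
```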
Corollary 1:
Let p2 be a path from a node vi to a node vj, and P be a set of paths from vi to vj such that P covers p2. Let p1 be any path ending at vi. Then, the set of paths {p1.p′ | p′ ∈ P} covers the path p1.p2. □

We now use the running example from Figure 3 to illustrate how we leverage Corollary 1 in our approach. When we grow paths in the backward direction from the target node k, two candidate paths that get enumerated (among others) are p_i ≡ hijk and p_j ≡ hijkhijk (in that order). Now, p_i covers p_j. Therefore, by Corollary 1, any backward extension p1.p_j of p_j (p1 is any path prefix) is guaranteed to be covered by the analogous backward extension p1.p_i of p_i. By the definition of covering, it follows that p1.p_i brings in a data value that conservatively over-approximates the value brought in by p1.p_j. Therefore, our approach discards p_j as soon as it gets enumerated. To summarize, our approach discards any path as soon as it is enumerated if it is covered by some subset of the previously enumerated and retained paths.

Due to the finite height of the transfer-functions lattice, and because demand vectors cannot contain negative values, at some point in the algorithm every new path that can be generated by backward extension at that point would be discarded immediately. At this point the approach would terminate, and soundness would be guaranteed by the definition of covering.

In the inter-procedural setting the situation is more complex. We first present two lemmas that set the stage. The lemmas both crucially make use of the assumption that recursive procedures are not allowed to have "receive" operations. For any path pa that contains no receive operations, and for any demand vector d, we first define supply(pa, d) as min(s, d), where s is the sum of the queuing vectors of the edges of pa.

Supply Limit Lemma: Let p1, p2 be two paths from vi to vj such that there are no receive operations in p1 and p2. Let pb be any path beginning at vj. If demand(pb) = d, and if supply(p1, d) ≥ supply(p2, d), then demand(p1.pb) ≤ demand(p2.pb). □

A set of paths P is said to d-supply-cover a path pa iff: (a) all paths in P have the same start node and same end node (respectively) as pa, (b) (⊔_{p′ ∈ P} ptf(p′)) ⊒ ptf(pa), and (c) for each p′ ∈ P, supply(p′, d) ≥ supply(pa, d).

Supply Coverage Lemma: If pa.pb is a path, and demand(pb) = d, and if a set of paths P d-supply-covers pa, and pa as well as all paths in P have no receive operations, then the set of paths {p′.pb | p′ ∈ P} covers the path pa.pb.

Proof argument: Since P d-supply-covers pa, by the Supply Limit Lemma, we have (a): for all p′ ∈ P, demand(p′.pb) ≤ demand(pa.pb). Since P d-supply-covers pa, we also have (⊔_{p′ ∈ P} ptf(p′)) ⊒ ptf(pa). From this, we use the Function Coverage Lemma to infer that (b): (⊔_{p′ ∈ P} ptf(p′.pb)) ⊒ ptf(pa.pb). The result now follows from (a) and (b). □

Consider the path hijk in our example, which gets enumerated and retained (as discussed earlier). This path gets extended back as qhijk; let us denote this path as p′. Let d be the demand of p′ (i.e., d is equal to 3). Our plan now is to extend this path in the backward direction all the way up to node p, by prepending interprocedurally valid and complete (i.e., IVC) paths of procedure foo in front of p′. An IVC path is one that begins at the entry node of foo, ends at the return node of foo, is of arbitrary calling depth, has balanced calls and returns, and has no pending returns when it completes [49]. First, we enumerate the IVC path(s) with calling-depth zero (i.e., path co in the example), and prepend them in front of p′. We then produce deeper IVC paths, in phases. In each phase i, i > 0, we inline the IVC paths of calling-depth i − 1 generated so far at the call-sites in the path templates, thus generating IVC paths of calling-depth i, and prepend these IVC paths in front of p′. We terminate when each IVC path that is generated in a particular phase j is d-supply-covered by some subset P of IVC paths generated in previous phases.

The soundness of discarding the IVC paths of phase j follows from the Supply Coverage Lemma (p′ would take the place of pb in the lemma's statement, while the path generated in phase j would take the place of pa in the lemma's statement). The termination condition is guaranteed to be reached eventually, because: (a) the supplies of all IVC paths generated are limited to d, and (b) the lattice of transfer functions is of finite height. Intuitively, we could devise a sound termination condition even though deeper and deeper IVC paths can increment counters more and more, because a deeper IVC path that increments the counters beyond the demand of p′ does not really result in a lower overall demand when prepended before p′ than a shallower IVC path that also happens to meet the demand of p′ (the Supply Limit Lemma formalizes this).

In our running example, for the path qhijk, whose demand is equal to three, prefix generation happens to terminate in the fifth phase. The IVC paths that get generated in the phases are, respectively, p0 = co, p1 = cdefgmcono, p2 = (cdefgm)^2 co (no)^2, p3 = (cdefgm)^3 co (no)^3, p4 = (cdefgm)^4 co (no)^4, and p5 = (cdefgm)^5 co (no)^5. We have supply(p3, 3) = supply(p4, 3) = supply(p5, 3) = 3. The LCP transfer functions of the paths are as follows: ptf(p3) is (t′=1, x′=x+3, y′=x+2, z′=1), ptf(p4) is (t′=1, x′=x+4, y′=x+3, z′=1), while ptf(p5) is (t′=1, x′=x+5, y′=x+4, z′=1). Hence {p3, p4} 3-supply-covers p5, and deeper IVC paths need not be generated.

We also need a result that when the IVC paths in the j-th phase are d-supply-covered by paths generated in preceding phases, then the IVC paths that would be generated in the (j+1)-th phase would also be d-supply-covered by paths generated in phases that preceded j. This can be shown using a variant of the Supply Coverage Lemma, which we omit in the interest of space. Once this is shown, it then follows inductively that none of the phases after phase j are required, which implies that it is safe to terminate.

The arguments presented above were in a restricted setting, namely, that there is only one call in each procedure, and that only recursive calls are allowed. These restrictions were assumed only for simplicity, and are not actually assumed in the algorithm to be presented below.
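A sketch (ours) of supply and of the d-supply-covering test; join and leq stand for the assumed operators on the transfer-function lattice:

```python
# Each path is a dict with its queuing vectors 'w' and its transfer-function
# representation 'ptf'; start/end nodes are assumed to match already.

def supply(path, d):
    s = [0] * len(d)
    for w in path["w"]:                 # IVC paths here contain no receives
        s = [si + wi for si, wi in zip(s, w)]
    return [min(si, di) for si, di in zip(s, d)]

def d_supply_covers(candidates, p, d, join, leq):
    useful = [q for q in candidates
              if all(a >= b for a, b in zip(supply(q, d), supply(p, d)))]
    if not useful:
        return False
    joined = useful[0]["ptf"]
    for q in useful[1:]:
        joined = join(joined, q["ptf"])
    return leq(p["ptf"], joined)        # ptf(p) must be over-approximated

# Tiny demo with sets standing in for transfer functions (join = union):
p3 = {"w": [[1]] * 3, "ptf": {"x+3"}}
p4 = {"w": [[1]] * 4, "ptf": {"x+4"}}
p5 = {"w": [[1]] * 5, "ptf": {"x+4"}}   # pretend ptf(p5) is subsumed
print(d_supply_covers([p3, p4], p5, [3],
                      join=lambda a, b: a | b, leq=lambda a, b: a <= b))  # True
```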
3.3 The Complete Algorithm

Our approach is summarized in Algorithm 1.

Algorithm 1 Backward DFAS algorithm
 1: procedure ComputeJOFP(target)
      ▷ Returns JOFP from start ∈ Nodes to target ∈ Nodes, for entry value d0 ∈ L
 2:   for all v ∈ Nodes do          ▷ Nodes is the set of all nodes in the VCFG
 3:     sPaths(v) = ∅
 4:   For each intra-proc VCFG edge v → target, add this edge to workList and to sPaths(v)
 5:   repeat
 6:     Remove any path p from workList.
 7:     Let v1 be the start node of p.
 8:     if v1 is a return-site node, with incoming return edge from func. F then
 9:       Let vc be the call-site node corresponding to v1, e1 be the call-site-to-entry edge from vc to en_F, and r1 be the exit-to-return-site edge from ex_F to v1.
10:       for all p1 ∈ ComputeEndToEnd(F, demand(p)) do
11:         p2 = e1.p1.r1.p
12:         if Covered(p2, sPaths(vc)) returns false then
13:           Add p2 to sPaths(vc) and to workList.
14:     else if v1 is the entry node of a func. F then
15:       for all v2 ∈ call-sites(F) do
16:         Let e1 be the call edge from v2 to v1.
17:         p1 = e1.p.
18:         if Covered(p1, sPaths(v2)) returns false then
19:           Add p1 to sPaths(v2) and to workList.
20:     else
21:       for all intra-procedural edges e = v2 --f,w--> v1 in the VCFG do
22:         if Covered(e.p, sPaths(v2)) returns false then
23:           Add the path (e.p) to sPaths(v2) and to workList.
24:   until workList is empty
25:   P = {p | p ∈ sPaths(start), demand(p) = 0⃗}
26:   return ⊔_{p ∈ P} (ptf(p))(d0)
ComputeJOFP is the main routine. The algorithm works on a given iVCFG (which is an implicit parameter to the algorithm), and is given a target node at which the JOFP is to be computed.
Algorithm 2 Routines invoked for inter-procedural processing in Backward DFAS algorithm
 1: procedure ComputeEndToEnd(F, d)
      ▷ Returns a set of paths that d-supply-covers each IVC path of the procedure F
 2:   for all Fi ∈ Funcs do
 3:     Place all 0-depth paths from Fi in sIVCPaths(Fi, d)
 4:   repeat
 5:     pathsAdded = false
 6:     for all path templates (p1, p2, ..., pn) in any function Fi ∈ Funcs do
 7:       Let F1 be the procedure called from the call-site at which p1 ends, F2 be the procedure called from the call-site at which p2 ends, and so on.
 8:       for all p1′ ∈ sIVCPaths(F1, d), p2′ ∈ sIVCPaths(F2, d), ... do
 9:         Let p′ = p1.e1.p1′.r1.p2.e2.p2′.r2. ... .pn, where each ei is the call-edge that leaves the call-site node at which pi ends and ri is the return edge corresponding to ei.
10:         if DSCovered(p′, d, sIVCPaths(Fi, d)) returns false then
11:           Add the path p′ to sIVCPaths(Fi, d). pathsAdded = true.
12:   until pathsAdded is false
13:   return sIVCPaths(F, d)

A key data structure in the algorithm is sPaths; for any node v, sPaths(v) is the set of all paths that start from v and end at target that the algorithm has generated and retained so far. The workList at any point stores a subset of the paths in sPaths; these are the paths of the iVCFG that still need to be extended backward.

To begin with, all edges incident onto target are generated and added to the sets sPaths and workList (Line 4 in Algorithm 1). In each step the algorithm picks up a path p from the workList (Line 6), and extends this path in the backward direction. The backward extension has three cases, based on the start node of the path p. The simplest case is the intra-procedural case, wherein the path is extended backwards in all possible ways by a single edge (Lines 21-23). The routine Covered, whose definition is not shown in the algorithm, checks whether its first argument (a path) is covered by its second argument (a set of paths). Note that covered paths are not retained.

When the start node of p is the entry node of a procedure F (Lines 14-19), the path is extended backwards via all possible call-site-to-entry edges for procedure F.

If the start node of path p is a return-site node v1 (Lines 8-13) in a calling procedure, we invoke the routine ComputeEndToEnd (in line 10 of Algorithm 1). This routine, which we explain later, returns a set of IVC paths of the called procedure such that every IVC path of the called procedure is d-supply-covered by some subset of paths in the returned set, where d denotes demand(p). These returned IVC paths are prepended before p (Line 11), with the call edge e1 and return edge r1 appropriately inserted.

The final result returned by the algorithm (see Lines 25 and 26 in Algorithm 1) is the join of the values transferred by the zero-demand paths (i.e., feasible paths), starting from the given entry value d0 ∈ L.
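The routine Covered is deliberately left unspecified in Algorithm 1; one plausible realization, mirroring the definition of covering from Section 3.1, is the following sketch (ours):

```python
# Covered(p, retained): p may be discarded if retained paths with pointwise
# lower-or-equal demand jointly over-approximate its path transfer function.
# Paths are dicts with 'demand' (a vector) and 'ptf' entries; start/end
# nodes are assumed to match already, and join/leq are the lattice operators.

def covered(p, retained, join, leq):
    lower = [q for q in retained
             if all(dq <= dp for dq, dp in zip(q["demand"], p["demand"]))]
    if not lower:
        return False
    joined = lower[0]["ptf"]
    for q in lower[1:]:
        joined = join(joined, q["ptf"])
    return leq(p["ptf"], joined)
```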
Routine ComputeEndToEnd: This routine is specified in Algorithm 2, and is basically a generalization of the approach that we described in Section 3.2, now handling multiple call-sites in each procedure, mutual recursion, calls to non-recursive procedures, etc. We do assume for simplicity of presentation that there are no cycles (i.e., loops) in the procedures, as this results in a fixed number of path templates in each procedure. There is no loss of generality here because we allow recursion. The routine incrementally populates a group of sets – there is a set named sIVCPaths(Fi, d) for each procedure Fi in the system. The idea is that when the routine completes, sIVCPaths(Fi, d) will contain a set of IVC paths of Fi that d-supply-cover all IVC paths of Fi. Note that we simultaneously populate covering sets for all the procedures in the system in order to handle mutual recursion.

The routine ComputeEndToEnd first enumerates and saves all zero-depth paths in all procedures (see Line 3 in Algorithm 2). The routine then iteratively takes one path template at a time, and fills in the "holes" between corresponding (call-site, return-site) pairs of the form (v_c^{i−1}, v_r^i) in the path template with IVC paths of the procedure that is called from this pair of nodes, thus generating a deeper IVC path (see the loop in Lines 6-11). A newly generated IVC path p′ is retained only if it is not d-supply-covered by other IVC paths already generated for the current procedure Fi (Lines 10-11). The routine terminates when no more IVC paths that can be retained are generated, and returns the set sIVCPaths(F, d).

We now illustrate our approach using the example in Figure 3. Algorithm 1 would start from the target node k, and would grow paths one edge at a time. After four steps the path hijk would be added to sPaths(h) (the intermediate steps would add suffixes of this path to sPaths(i), sPaths(j), and sPaths(k)). Next, the path khijk would be generated and discarded, because it is covered by the "root" path k. Hence, further iterations of the cycle are avoided. On the other hand, the path hijk would get extended back to node q, resulting in the path qhijk being retained in sPaths(q). This path would trigger a call to the routine ComputeEndToEnd. As discussed in Section 3.2, this routine would return the following set of paths: p0 = co, and p_i = (cdefgm)^i co (no)^i for each 1 ≤ i ≤ 4. (Recall, as discussed in Section 3.2, that (cdefgm)^5 co (no)^5 and deeper IVC paths are 3-supply-covered by the paths {p3, p4}.)

Each of the paths returned above by the routine ComputeEndToEnd would be prepended in front of qhijk, with the corresponding call and return edges inserted appropriately. These paths would then be extended back to node a. Hence, the final set of paths in sPaths(a) would be abpcoqhijk, abpcdefgmconoqhijk, abp(cdefgm)^2 co (no)^2 qhijk, abp(cdefgm)^3 co (no)^3 qhijk, and abp(cdefgm)^4 co (no)^4 qhijk. Of these paths, the first two are ignored, as they are not feasible. The initial data flow value (in which all variables are non-constant) is sent via the remaining three paths. In all these three paths the final values of variables 't' and 'z' are one. Hence, these two constants are inferred at node k.

We provide argument sketches here about the key properties of Backward DFAS. Detailed proofs are available in the appendix.
Termination.
The argument is by contradiction. For the algorithm to not terminate, one of the following two scenarios must happen. The first is that an infinite sequence of paths gets added to some set sPaths(v). By Higman's lemma it follows that embedded within this infinite sequence there is an infinite sequence p1, p2, ..., such that for all i, demand(p_i) ≤ demand(p_{i+1}). Because the algorithm never adds covered paths, it follows that for all i: ⊔_{1 ≤ k ≤ i+1} ptf(p_k) ⊐ ⊔_{1 ≤ k ≤ i} ptf(p_k). However, this contradicts the assumption that the lattice of transfer functions is of finite height. The second scenario is that an infinite sequence of IVC paths gets added to some set sIVCPaths(F, d) for some procedure F and some demand vector d in some call to the routine ComputeEndToEnd. Because the "supply" values of the IVC paths are bounded by d, it follows that embedded within the infinite sequence just mentioned there must exist an infinite sequence of paths p1, p2, ..., such that for all i, supply(p_i, d) ≥ supply(p_{i+1}, d). However, since d-supply-covered paths are never added, it follows that for all i: ⊔_{1 ≤ k ≤ i+1} ptf(p_k) ⊐ ⊔_{1 ≤ k ≤ i} ptf(p_k). Again, this contradicts the assumption that the lattice of transfer functions is of finite height.
Soundness and Precision. We already argued informally in Section 3.2 that the algorithm explores all feasible paths in the system, omitting only paths that are covered by other already-retained paths. By the definition of covering, this is sufficient to guarantee over-approximation of the JOFP. The converse direction, namely under-approximation, is obvious to see, as every path along which the data flow value d0 is sent at the end of the algorithm is a feasible path. Together, these two results imply that the algorithm is guaranteed to compute the precise JOFP.
Complexity. We show the complexity of our approach in the single-procedure setting. Our analysis follows along the lines of the analysis of the backwards algorithm for coverability in VASS [5]. The overall idea is to use the technique of Rackoff [47] to derive a bound on the length of the paths that need to be considered. We derive a complexity bound of O(∆ · h² · L^{r+1} · r · log L), where ∆ is the total number of transitions in the VCFG, Q is the number of VCFG nodes, h is the height of the lattice of L → L functions, and L = (Q · (h + 1) · 2)^{(3r)!+1}.

4 The Forward DFAS Approach

The Backward DFAS approach, though precise, requires the transfer-function lattice to be of finite height. Due to this restriction, infinite-height abstract domains like Octagons [43], which need widening [11], are not accommodated by Backward DFAS. To address this, we present the Forward DFAS approach, which admits any complete lattice as an abstract domain (if the lattice is of infinite height then a widening operator should also be provided). The trade-off is precision. Forward DFAS elides only some of the infeasible paths in the VCFG, and hence, in general, computes a conservative over-approximation of the JOFP. Forward DFAS is conceptually not as sophisticated as Backward DFAS, but is still a novel proposal from the perspective of the literature.

The Forward DFAS approach is structured as an instantiation of Kildall's data flow analysis framework [31]. This framework needs a given complete lattice, the elements of which will be propagated around the VCFG as part of the fixpoint computation. Let L be the given underlying finite or infinite complete lattice. L either needs to not have any infinite ascending chains (e.g., Constant Propagation), or L needs to have an associated widening operator "∇_L". The complete lattice D that we use in our instantiation of Kildall's framework is defined as D ≡ D_{r,κ} → L, where κ ≥ 1 is a given integer bound. D_{r,κ} is the set of all vectors of size r (where r is the number of counters in the VCFG) such that all entries of the vectors are integers in the range [0, κ]. The ordering on this lattice is as follows: (d1 ∈ D) ⊑ (d2 ∈ D) iff ∀c ∈ D_{r,κ}. d1(c) ⊑_L d2(c). If a widening operator ∇_L has been provided for L, we define a widening operator ∇ for D as follows: d1 ∇ d2 ≡ λc ∈ D_{r,κ}. d1(c) ∇_L d2(c).

We now need to define the abstract transfer functions, with signature D → D, for the VCFG edges, to be used within the data flow analysis. As an intermediate step to this end, we define a ternary relation boundedMove1 as follows. Any triple of integers (p, q, s) ∈ boundedMove1 iff

  (0 ≤ p ≤ κ) ∧ (
    (q ≥ 0 ∧ p + q ≤ κ ∧ s = p + q) ∨            (a)
    (q ≥ 0 ∧ p + q > κ ∧ s = κ) ∨                 (b)
    (q < 0 ∧ p = κ ∧ 0 ≤ s ≤ κ ∧ κ − s ≤ −q) ∨    (c)
    (q < 0 ∧ p < κ ∧ p + q ≥ 0 ∧ s = p + q))      (d)

We now define a ternary relation boundedMove on vectors. A triple of vectors (c1, c2, c3) belongs to the relation boundedMove iff all three vectors are of the same size, and for each index i, (c1[i], c2[i], c3[i]) ∈ boundedMove1.

We now define the D → D transfer function for the VCFG edge q1 --f,w--> q2 as follows:

  fun(l ∈ D) ≡ λc2 ∈ D_{r,κ}. ⊔ { f(l(c1)) | c1 such that (c1, w, c2) ∈ boundedMove }

Finally, let l0 denote the following function: λc ∈ D_{r,κ}. if c is 0⃗ then d0 else ⊥, where d0 ∈ L is the given entry value. We can now invoke Kildall's algorithm using the fun transfer functions defined above at all VCFG edges, using l0 as the fact at the "entry" to the "main" procedure. After Kildall's algorithm has finished computing the fixpoint solution, if l_v ∈ D is the fixpoint solution at any node v, we return the value ⊔_{c ∈ D_{r,κ}} l_v(c) as the final result at v.

The intuition behind the approach above is as follows. If v is a vector in the set D_{r,κ}, and if (c, m) is a channel-message pair, then the value in the (c, m)-th slot of v encodes the number of instances of message m currently in channel c. An important note is that if this value is κ, it actually indicates that there are κ or more instances of message m in channel c, whereas if the value is less than κ it represents itself. Hence, we can refer to vectors in D_{r,κ} as bounded queue configurations. If d ∈ D is a data flow fact that holds at a node of the VCFG after data flow analysis terminates, then for any v ∈ D_{r,κ}, if d(v) = l, it indicates that l is a conservative over-approximation of the join of the data flow facts brought by all feasible paths that reach the node such that the counter values at the ends of these paths are as indicated by v (the notion of what counter values are indicated by a vector v ∈ D_{r,κ} was described earlier in this paragraph).

The relation boundedMove is responsible for blocking the propagation along some of the infeasible paths. The intuition behind it is as follows. Consider a VCFG edge q1 --f,w--> q2. If c1 is a bounded queue configuration at node q1, then c1 upon propagation via this edge becomes a bounded queue configuration c2 at q2 iff (c1, w, c2) ∈ boundedMove. Lines (a) and (b) in the definition of boundedMove1 correspond to sending a message; line (b) basically throws away the precise count when the number of messages in the channel goes above κ. Line (c) corresponds to receiving a message when all we know is that the number of messages currently in the channel is greater than or equal to κ. Line (d) is key for precision when the channel has fewer than κ messages, as it allows a receive operation to proceed only if the requisite number of messages is present in the channel.

The formulation above extends naturally to inter-procedural VCFGs using generic inter-procedural frameworks such as the call-strings approach [54]. We omit the details of this in the interest of space.
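The boundedMove1 relation transcribes directly into code; the following sketch (ours) phrases it as a successor function from a bounded count and a queuing delta to the set of possible bounded counts:

```python
# boundedMove1 as a successor function. The result is a set because case (c)
# is non-deterministic: a saturated count kappa stands for "kappa or more".

def bounded_move1(p, q, kappa):
    assert 0 <= p <= kappa
    if q >= 0:
        return {min(p + q, kappa)}                 # cases (a) and (b)
    if p == kappa:
        # case (c): the real count is only known to be >= kappa
        return {s for s in range(kappa + 1) if kappa - s <= -q}
    if p + q >= 0:
        return {p + q}                             # case (d)
    return set()                                   # receive blocked: no successor

print(bounded_move1(2, 1, 3))    # {3}
print(bounded_move1(3, -1, 3))   # {2, 3}: at least 3 messages, one consumed
print(bounded_move1(1, -2, 3))   # set(): infeasible, propagation blocked
```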
Properties of the approach: Since Forward DFAS is an instantiation of Kildall's algorithm, it derives its properties from the same. As the set D_{r,κ} is a finite set, it is easy to see that the fixpoint algorithm will terminate.

To argue the soundness of the algorithm, we consider the concrete lattice D_c ≡ D_r → L, and the following "concrete" transfer function for the VCFG edge q1 --f,w--> q2: fun_conc(l ∈ D_c) ≡ λc2 ∈ D_r. ⊔ { f(l(c1)) | c1 ∈ D_r such that c1 + w = c2 }, where D_r is the set of all vectors of size r of natural numbers. We then argue that the abstract transfer function fun defined earlier is a consistent abstraction [11] of fun_conc. This soundness argument is given in detail in the appendix.

If we restrict our discussion to single-procedure systems, the complexity of our approach is just the complexity of applying Kildall's algorithm. This works out to O(Q · κ^r · h), where Q is the number of VCFG nodes, and h is either the height of the lattice L or the length of the maximum increasing sequence of values from L that is obtainable at any point using the lattice L in conjunction with Kildall's algorithm, using the given widening operator ∇_L.

Fig. 4. Data flow facts over a run of the algorithm (the eight snapshot tables at nodes c, m, o, and k are not reproduced here)
Illustration:
We illustrate Forward DFAS using the example in Figure 3. Figure 4 depicts the data flow values at four selected nodes as they get updated over eight selected points of time during the run of the algorithm. In this illustration we assume a context-insensitive analysis for simplicity (it so happens that context sensitivity does not matter in this specific example). We use the value κ = 3. Each small table in Figure 4 is a data flow fact, i.e., an element of D ≡ D_{r,κ} → L. The top-left cell in each table shows the node at which the fact arises. In each row the first column shows the counter value, while the remaining columns depict the known constant values of the variables (⊤ indicates unknown). Here are some interesting things to note. When any tuple of constant values transfers along the path from node c to node m, the constant values get updated due to the assignment statements encountered, and this tuple shifts from counter i to counter i + 1 (if i is not already equal to κ) due to the "send" operation encountered. When we transition from Step (5) to Step (6) in the figure, we get ⊤'s, as counter values 2 and 3 in Step (5) both map to counter value 3 in Step (6) due to κ being 3 (hence, the constant values get joined). The value at node o (in Step (7)) is the join of the values from Steps (5) and (6). Finally, when the value at node o propagates to node k, the tuples of constants associated with counter value 3 end up getting mapped to all lower counter values as well, due to the receive operations encountered.

Note that the precision of our approach in general increases with the value of κ (the running time increases as well). For instance, if κ is set to 2 (rather than 3) in the example, some more infeasible paths would be traversed. Only z = 1 would be inferred at node k, instead of (t = 1, z = 1).

5 Implementation and Evaluation

We have implemented prototypes of both the Forward DFAS and Backward DFAS approaches, in Java. Both implementations have been parallelized, using the ThreadPool library. With Backward DFAS the iterations of the outer "repeat" loop in Algorithm 1 run in parallel, while with Forward DFAS propagations of values from different nodes to their respective successors happen in parallel. Our implementations currently target systems without procedure calls, as none of our benchmarks had recursive procedure calls.
Our implementations accept a given system, and a "target" control state q in one of the processes of the system at which the JOFP is desired. They then construct the VCFG from the system (see Section 2.1), and identify the target set of q, which is the set of VCFG nodes in which q is a constituent. For instance, in Figure 2, the target set for control state e is {(a, e), (b, e)}. The JOFPs at the nodes in the target set are then computed, and the join of these JOFPs is returned as the result for q.

Each variable reference in any transition leaving any control state is called a "use". For instance, in Figure 2, the reference to variable x along the outgoing transition from state d is one use. In all our experiments, the objective is to find the uses that are definitely constants, by computing the JOFP at all uses. This is a common objective in many research papers, as finding constants enables optimizations such as constant folding, and also enables checking assertions in the code. We instantiate Forward DFAS with the Constant Propagation (CP) analysis, and Backward DFAS with the LCP analysis (for the reason discussed in Section 3.1). We use the bound κ = 2 in all runs of Forward DFAS, except with two benchmarks that are too large to scale to this bound. We discuss this later in this section. All the experiments were run on a machine with 128 GB RAM and four AMD Opteron 6386 SE processors (64 cores in total).
Table 1. Information about the benchmarks. Abbreviations used: (a) prtcl = protocol, (b) comm = communication, (c) app = application

Benchmark           | Description                        | #Proc | #Vars | r  | #Nodes
mutex               | mutual exclusion example           | 3     | 1     | 6  | 4536
bartlett            | Bartlett's alternating-bit prtcl   | 3     | 3     | 7  | 17864
leader              | leader election prtcl              | 2     | 11    | 12 | 16002
lynch               | distorted channel comm prtcl       | 3     | 5     | 27 | 168912
peterson            | Peterson's mutual exclusion prtcl  | 3     | 4     | 4  | 6864
boundedAsync        | illustrative example               | 3     | 5     | 10 | 14375
receive1            | illustrative example               | 2     | 5     | 13 | 1160
server              | actor-based client server app      | 3     | 3     | 6  | 1232
chameneos           | Chameneos concurrency game         | 3     | 9     | 10 | 45584
replicatingStorage  | replicating storage system         | 4     | 4     | 8  | 47952
event bus test      | publish-subscribe system           | 2     | 2     | 5  | 160
jobqueue test       | concurrent job queue system        | 4     | 1     | 10 | 28800
bookCollectionStore | REST app                           | 2     | 2     | 12 | 2162
nursery test        | structured concurrency app         | 3     | 2     | 4  | 1260

We use 14 benchmarks for our evaluations. These are described in the first two columns of Table 1. Four benchmarks – bartlett, leader, lynch, and peterson – are Promela models for the Spin model-checker. Three benchmarks – boundedAsync, receive1, and replicatingStorage – are from the P language repository (https://github.com/p-org). Two benchmarks – server and chameneos – are from the Basset repository. Four benchmarks – event bus test, jobqueue test, nursery test, and bookCollectionStore – are real-world Go programs. There is one toy example, mutex, for ensuring mutual exclusion via blocking receive messages, that we have made ourselves. We provide precise links to the benchmarks in the appendix.

Our DFAS implementations expect the asynchronous system to be specified in an XML format. We have developed a custom XML schema for this, closely based on the Promela modeling language used in Spin [25]. We followed this direction in order to be able to evaluate our approach on examples from different languages. We manually translated each benchmark into an XML file, which we call a model. As the input XML schema is close to Promela, the Spin models were easily translated. The other benchmarks had to be translated to our XML schema by understanding their semantics.

Note that both our approaches are expensive in the worst case (exponential or worse in the number of counters r). Therefore, we have chosen benchmarks that are moderate in their complexity metrics. Still, these benchmarks are real and contain complex logic (e.g., the leader election example from Promela, which was discussed in detail in Section 1.1). We have also performed some manual simplifications to the benchmarks to aid scalability (discussed below). Our evaluation is aimed towards understanding the impact on precision due to infeasible paths in real benchmarks, and not necessarily towards evaluating the applicability of our approach to large systems.

We now list some of the simplifications referred to above. Language-specific idioms that were irrelevant to the core logic of the benchmark were removed. The number of instances of identical processes in some of the models was reduced in a behavior-preserving manner according to our best judgment. In many of the benchmarks, messages carry payload. Usually the payload is one byte. We would have needed 256 counters just to encode the payload of one 1-byte message. Therefore, in the interest of keeping the analysis time manageable, the payload size was reduced to 1 bit or 2 bits. The reduction was done while preserving key behavioral aspects according to our best judgment. Finally, procedure calls were inlined (there was no use of recursion in the benchmarks).

In the rest of this section, whenever we say "benchmark", we actually mean the model we created corresponding to the benchmark. Table 1 also shows various metrics of our benchmarks (based on the XML models). Columns 3-6 depict, respectively, the number of processes, the total number of variables, the number of "counters" r, and the total number of nodes in the VCFG. We provide our XML models of all our benchmarks, as well as full output files from the runs of our approach, as a downloadable folder (https://drive.google.com/drive/folders/181DloNfm6UHFyz7qni8rZjwCp-a8oCV).
Table 2. Data flow analysis results

                        DFAS Approaches                    Baseline Approaches
              (2)    (3)      (4) Constants  (5) Asserts  (6) Constants  (7) Asserts
Benchmark     Uses   Asserts  Forw    Back   Forw   Back   JOP    CCP     JOP    CCP
Total          189     42       63      49     22     20     22     39       4     14
We structure our evaluation as a set of research questions (RQs) below. Table 2 summarizes results for the first three RQs, while Table 3 summarizes results for RQ 4.
RQ 1:
How many constants are identified by the Forward and Backward DFAS approaches?
Column (2) in Table 2 shows the number of uses in each benchmark. Columns (4)-Forw and (4)-Back show the number of uses identified as constants by the Forward and Backward DFAS approaches, respectively. In total across all benchmarks, Forward DFAS identifies 63 constants, whereas Backward DFAS identifies 49.

Although in aggregate Backward DFAS appears weaker than Forward DFAS, Backward DFAS infers more constants than Forward DFAS in two benchmarks – jobqueue test and bookCollectionStore. The two approaches are therefore incomparable. The advantage of Forward DFAS is that it can use relatively more precise analyses like CP that do not satisfy the assumptions of Backward DFAS, while the advantage of Backward DFAS is that it always computes the precise JOFP.
RQ 2:
How many assertions are verified by the approaches?
Verifying assertions that occur in code is a useful activity, as it gives confidence to developers. All but one of our benchmarks had assertions (in the original code itself, before modeling). We carried over these assertions into our models. For instance, for the benchmark leader, the assertion appears in Line 11 in Figure 1. In some benchmarks, like jobqueue test, the assertions were part of test cases. It makes sense to verify these assertions as well, since, unlike in testing, our technique considers all possible interleavings of the processes. As "bookCollectionStore" did not come with any assertions, a graduate student who was unfamiliar with our work studied the benchmark and suggested assertions.

Column (3) in Table 2 shows the number of assertions present in each benchmark. Columns (5)-Forw and (5)-Back in Table 2 show the number of assertions declared as safe (i.e., verified) by the Forward and Backward DFAS approaches, respectively. An assertion is considered verified iff constants (as opposed to "⊤") are inferred for all the variables used in the assertion, and if these constants satisfy the assertion. As can be seen from the last row in Table 2, both approaches verify a substantial percentage of all the assertions – 52% by Forward DFAS and 48% by Backward DFAS. We consider these results encouraging, given that our technique needs no loop invariants or usage of theorem provers.
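As an illustration of the verification rule just stated, the following sketch (our own rendering, not the paper's implementation; all names are ours) checks an assertion against the data flow fact inferred at the assertion's program point:

    # Sketch: an assertion is "verified" iff every variable it uses has a
    # constant (non-top) inferred value, and those values satisfy it.
    TOP = object()   # stands for the lattice top: "not a constant"

    def verified(fact, assertion_vars, predicate):
        vals = [fact.get(v, TOP) for v in assertion_vars]
        if any(v is TOP for v in vals):
            return False             # some variable is not a constant
        return predicate(*vals)      # the constants must satisfy the assertion

    fact = {"x": 3, "y": TOP}        # e.g., CP inferred x = 3, y = top
    print(verified(fact, ["x"], lambda x: x == 3))   # True: verified
    print(verified(fact, ["y"], lambda y: y >= 0))   # False: y is not constant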
RQ 3:
Are the DFAS approaches more precise than baseline approaches?
We compare the DFAS results with two baseline approaches. The first baseline is a Join-Over-all-Paths (JOP) analysis, which performs CP analysis on the VCFG without eliding any infeasible paths. Columns (6)-JOP and (7)-JOP in Table 2 show the number of constants inferred and the number of assertions verified by the JOP baseline. It can be seen that Backward DFAS identifies 2.2 times as many constants as JOP, while Forward DFAS identifies 2.9 times as many (see columns (4)-Forw, (4)-Back, and (6)-JOP in the Total row in Table 2). In terms of assertions, each of them verifies almost 5 times as many assertions as JOP (see columns (5)-Forw, (5)-Back, and (7)-JOP in the Total row in Table 2). It is clear from these results that eliding infeasible paths is extremely important for precision.

The second baseline is Copy Constant Propagation (CCP) [49]. This is another variant of constant propagation that is even less precise than LCP. However, it is based on a finite lattice, specifically an IFDS [49] lattice. This baseline hence represents the capability of the closest related work to ours [28], which elides infeasible paths but supports only IFDS lattices, a sub-class of finite lattices. (Their implementation also used a finite lattice of predicates, but we are not aware of a predicate-identification tool that would work on our benchmarks out of the box.) We implemented the CCP baseline within our Backward DFAS framework. This baseline hence computes the JOFP using CCP (i.e., it elides infeasible paths).

Columns (6)-CCP and (7)-CCP in Table 2 show the number of constants inferred and the number of assertions verified by the CCP baseline. From the Total row in Table 2 it can be seen that Forward DFAS finds 62% more constants than CCP, while Backward DFAS finds 26% more constants than CCP. With respect to the number of assertions verified, the respective gains are 57% and 43%. In other words, infinite domains such as CP or LCP can give significantly more precision than closely related finite domains such as CCP.
Table 3.
Execution time in seconds

        mut.   bar.    lea.    lyn.   pet.   bou.   rec.   ser.    cha.   rep.   eve.    job.   boo.   nur.
Forw     1.2   14.0     1.3     8.0    1.2   21.0    1.2    1.2    18.0    2.4    1.2     1.2    1.2    1.2
Back     5.0   11.0   284.0   118.0   13.0   21.0    8.0    3.0   220.0   21.0    3.0   140.0   16.0    1.0
JOP      1.2    1.3     1.6     8.0    1.2    1.4    1.3    1.2     3.1    3.0    1.1     1.4    1.2    1.2
CCP      5.0   12.0   226.0   116.0   12.0   14.0    8.0    3.0   156.0   24.0    3.0    51.0   30.0    1.0
RQ 4:
How does the execution cost of the DFAS approaches compare to the cost of the JOP baseline?
The columns in Table 3 correspond to the benchmarks (only the first three letters of each benchmark's name are shown in the interest of space). The rows show the running times for Forward DFAS, Backward DFAS, the JOP baseline, and the CCP baseline, respectively.

The JOP baseline was quite fast on almost all benchmarks (except lynch). This is because it maintains just a single data flow fact per VCFG node, in contrast to our approaches. Forward DFAS was generally quite efficient, except on chameneos and lynch. On these two benchmarks, it scaled only with κ = 1 and κ = 0, respectively, encountering memory-related crashes at higher values of κ (we used κ = 2 for all other benchmarks). These two benchmarks have a large number of nodes and a high value of r, which increases the size of the data flow facts.

The running time of Backward DFAS is substantially higher than the JOP baseline. One reason for this is that, being a demand-driven approach, it is invoked separately for each use (Table 2, Col. 2), and the cumulative time across all these invocations is reported in the table. In fact, the mean time per query for Backward DFAS is less than the total time for Forward DFAS on 9 out of 14 benchmarks, in some cases by a factor of 20x. Also, unlike Forward DFAS, Backward DFAS visits a small portion of the VCFG in each invocation. Therefore, Backward DFAS is more memory efficient and scales to all our benchmarks. Every invocation of Backward DFAS consumed less than 32 GB of memory, whereas with Forward DFAS, three benchmarks (leader, replicatingStorage, and jobqueue test) required more than 32 GB, and two (lynch and chameneos) needed more than the 128 GB that was available in the machine. On the whole, the time requirement of Backward DFAS is still acceptable considering the large precision gain over the JOP baseline.

The results of the evaluation using our prototype implementation are very encouraging, in terms of both usefulness and efficiency. The evaluation does, however, pose some threats to the validity of our results. The benchmark set, though extracted from a wide set of sources, may not be exhaustive in its idioms. Also, while modeling, we had to simplify some of the features of the benchmarks in order to let the approaches scale. Therefore, the applicability of our approach directly on real systems, with all their language-level complexities, use of libraries, etc., is not yet established, and would be a very interesting line of future work.
The modeling and analysis of parallel systems, which include asynchronous systems, multi-threaded systems, distributed systems, event-driven systems, etc., has long been the focus of a large body of work. We discuss some of the more closely related previous work, dividing it into four broad categories.
Data Flow Analysis:
The work of Jhala et al. [28] is the closest work that addresses similar challenges as ours. They combine the Expand, Enlarge and Check (EEC) algorithm [20] that answers control state reachability in WSTS [17] with the unordered channel abstraction and the IFDS [49] algorithm for data flow analysis, to compute the JOFP solution for all nodes. They admit only IFDS abstract domains, which are finite by definition. Some recent work has extended this approach for analyzing JavaScript [59] and Android [44] programs. Both our approaches are dissimilar to theirs, and we admit infinite lattices (like CP and LCP). On the other hand, their approach is able to handle parameter passing between procedures, which we do not.

Bronevetsky et al. [7] address generalized data flow analysis of a very restricted class of systems, where any receive operation must receive messages from a specific process, and channel contents are not allowed to cause non-determinism in control flow. Other work has addressed analysis of asynchrony in web applications [27,41]. These approaches are efficient, but over-approximate the JOFP by eliding only certain specific types of infeasible paths.
Formal Modeling and Verification:
Verification of asynchronous systems has received a lot of attention over a long time. VASS [30] and Petri nets [48] (which both support the unordered channel abstraction) have been used widely to model parallel and asynchronous processes [30,37,53,28,18,4]. Different analysis problems based on these models have been studied, such as reachability of configurations [6,42,33,34], coverability and boundedness [30,3,2,17,20,5], and coverability in the presence of stacks or other data structures [56,4,8,9,39].

The coverability problem mentioned above is considered equivalent to control state reachability, and has received wide attention [1,13,28,18,53,19,32,4,55]. Abdulla et al. [3] were the first to provide a backward algorithm to answer coverability. Our Backward DFAS approach is structurally similar to their approach, but is a strict generalization, as we incorporate data flow analysis using infinite abstract domains. (It is noteworthy that when the abstract domain is finite, data flow analysis can be reduced to coverability.) One difference is that we use the unordered channel abstraction, while they use the lossy channel abstraction. It is possible to modify our approach to use lossy channels as well (when there are no procedure calls, which they also do not allow); we omit the formalization of this due to lack of space.

Bouajjani and Emmi [4] generalize over previous coverability results by solving the coverability problem for a class of multi-procedure systems called recursively parallel programs. Their class of systems is somewhat broader than ours, as they allow a caller to receive the messages sent by its callees. Our
ComputeEndToEnd routine in Algorithm 2 is structurally similar to their approach. They admit finite abstract domains only. It would be interesting future work to extend the Backward DFAS approach to their class of systems.

Our approaches explore all interleavings between the processes, following the Spin semantics, whereas the closest previous approaches [28,4] only address "event-based" systems, wherein a set of processes execute sequentially without interleaving at the statement level, but over an unbounded schedule (i.e., each process executes from start to finish whenever it is scheduled).
Other forms of verification:
Proof-based techniques have been explored for verifying asynchronous and distributed systems [23,57,46,21]. These techniques need inductive invariants, and are not as user-friendly as data flow analysis techniques. Behavioral types have been used to tackle specific analysis problems such as deadlock detection and correct usage of channels [35,36,51].
Testing and Model Checking:
Languages and tools such as Spin and Promela [25], P [14], P
In spite of the substantial body of work on analysis and verification of distributed systems, there is no existing approach that performs precise data flow analysis of such systems using infinite abstract domains, which are otherwise very commonly used with sequential programs. We propose two data flow analysis approaches that solve this problem – one always computes the precise JOFP solution, while the other admits a fully general class of infinite abstract domains. We have implemented our approaches, analyzed 14 benchmarks using the implementation, and have observed substantially higher precision from our approach over two different baseline approaches.

Our approach can be extended in many ways. One interesting extension would be to make Backward DFAS work with infinite-height lattices, using widening. Another possible extension could be the handling of parameters in procedure calls. There is significant scope for improving scalability through better engineering, especially for Forward DFAS. One could explore the integration of partial-order reduction [10] into both our approaches. Finally, we would like to build tools based on our approach that apply directly to programs written in commonly-used languages for distributed programming.
Following are the links to the sources of the benchmarks used in the paper.

In this section, we formally prove the termination and correctness of our algorithm
ComputeJOFP. The proofs in the appendix are self-contained, and only refer to Algorithm 1 and Algorithm 2 in the paper. Before presenting the proofs, we revisit the important definitions.
Definition 2 (Demand).
For a path p and a vector d ∈ N^r:

  demand(p, d) = µ(d − w),                if p = (v –f,w→ v′)
  demand(p, d) = µ(demand(p′, d) − w),    if p = e.p′, where e ≡ (v –f,w→ v′)

Here, µ ≡ λz ∈ Z. max(0, z); µ is applied to vectors of integers in the natural manner, that is, by applying µ to each component of the vector. This definition is equivalent to the definition presented in the paper (which is obtained by replacing d with 0).
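To make the definition concrete, here is a small executable rendering of demand (a sketch of our own; the function names, and the convention that a send contributes +1 and a receive −1 to an edge's queuing vector, are our assumptions, not code from the paper):

    # Sketch of Definition 2: the demand of a path, folded from the back.
    def mu(v):
        # max(0, .) applied component-wise to a vector
        return tuple(max(0, x) for x in v)

    def sub(a, b):
        return tuple(x - y for x, y in zip(a, b))

    def demand(path, d=None):
        # path: list of queuing vectors w, one per edge, in path order.
        # demand(e.p', d) = mu(demand(p', d) - w_e), so fold in reverse.
        if d is None:
            d = (0,) * len(path[0])   # demand(p) means demand(p, 0)
        for w in reversed(path):
            d = mu(sub(d, w))
        return d

    # r = 1; a send has w = (1,), a receive has w = (-1,) (our convention):
    p = [(1,), (-1,), (-1,)]          # send, receive, receive
    print(demand(p))                  # (1,): one receive is unmatched

The fold mirrors the recursive definition: the demand of a path is, per counter, the number of messages that must already be pending before the path starts for all its receives to be matched.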
Definition 3 (Covering). A set of paths C is said to cover a path p iff

– all paths in C have the same start and end nodes (respectively) as p,
– for each path p′ ∈ C, demand(p′) ≤ demand(p), and
– the join of the path transfer functions of all these paths dominates the path transfer function of p.

Definition 4 (Path Template). A path template (p_1, p_2, ..., p_n) of a procedure F ∈ Funcs is a sequence of paths in the VCFG of F such that

– n ≥ 1,
– path p_1 begins at node en_F (the entry node of the VCFG of procedure F) and path p_n ends at node ex_F (the designated exit node of the VCFG of procedure F),
– for all p_i, 1 ≤ i < n, p_i ends at a call-site node, and
– for all p_i, 1 < i ≤ n, p_i begins at the return-site node corresponding to the call-site node at which p_{i-1} ends.

Definition 5 (D-Covering).
A path p is d-covered by a set of paths S, for a given demand d, iff

1. if p begins at vertex v_i and ends at vertex v_j, then all paths in S start at v_i and end at v_j,
2. for all paths p′ ∈ S, demand(p′, d) ≤ demand(p, d), and
3. ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p).

Note that when d = 0, 0-covering is simply equivalent to covering as defined in Definition 3.
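A direct executable reading of this definition might look as follows (a sketch under our own naming; endpoints, ptf, join and dominates stand in for the path end-points, the abstract domain's transfer functions, ⊔ and ⊒, and are assumed to be supplied by the analysis):

    # Sketch of Definition 5: does S d-cover p?
    def leq(a, b):
        # component-wise vector comparison (not Python's lexicographic <=)
        return all(x <= y for x, y in zip(a, b))

    def d_covers(S, p, d, endpoints, demand, ptf, join, dominates):
        same_ends = all(endpoints(q) == endpoints(p) for q in S)
        low_demand = all(leq(demand(q, d), demand(p, d)) for q in S)
        dominated = dominates(join([ptf(q) for q in S]), ptf(p))
        return same_ends and low_demand and dominated

With d = 0 this is exactly the covering check of Definition 3, which is how the algorithm decides whether a newly generated path needs to be stored.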
Termination

Theorem 1 (Termination). The algorithm terminates if the lattice of transfer functions (L → L) is of finite height.

Proof: We prove the theorem in two parts. First, we prove that each invocation of the form
ComputeEndToEnd(F, d), where F ∈ Funcs and d ∈ N^r, necessarily terminates. It is clear that the loop at lines 2-3 in ComputeEndToEnd terminates, as there are only a finite number of 0-depth paths. Now we reason about the other loop in the routine, from lines 4-12. Let each visit to Line 11 in the routine
ComputeEndToEnd in the algorithm (where a path is added to a set sIVCPaths(F_i, d)) during the current invocation be considered as an "event". Each event is fully described by a triple of parameters, namely:

⟨ the procedure F_i being currently visited,
  the IVC path p′ in procedure F_i that is currently being added to sIVCPaths(F_i, d),
  demand(p′, d) ⟩

Therefore, the entire invocation corresponds to a sequence of events of the kind mentioned above. Let this sequence be called S. Clearly, the invocation is non-terminating iff S is infinitely long. Since the procedures contain only send operations, for any path p that is fully within the procedures, by Definition 2, demand(p, d) ≤ d. Therefore, there is a finite number of values possible in the third components of the triples mentioned above. Also, the number of procedures in Funcs is finite. Therefore, if S is infinite, there must exist a procedure F and a vector d′ such that an infinite number of events in S have F as their first component and d′ as their third component. Let S′ be the subsequence of S consisting of all events with F in their first component and d′ in their third component; thus, S′ is infinite.

For any j, let S′[j].path denote the second component of the event at S′[j]. By the definition of CoveredWithDemand, and from Line 23 in the procedure
ComputeEndToEnd, it follows that for every index i ≥ 2, ⊔_{1 ≤ j < i} ptf(S′[j].path) does not dominate ptf(S′[i].path); otherwise, since all events in S′ have the same demand d′, S′[i].path would have been covered by the previously added paths and would not have been added. Hence the joins ⊔_{1 ≤ j ≤ i} ptf(S′[j].path), for increasing i, form a strictly ascending chain in the lattice L → L. As this lattice is of finite height, no such infinite chain can exist. Therefore S′, and hence S, cannot be infinite, and each invocation of ComputeEndToEnd terminates.

For the second part, given that each invocation of
ComputeEndToEnd is terminating, the only way
ComputeJOFP will go into non-termination is if, for some node v, an infinite number of paths get inserted into sPaths(v) at Lines 13, 19, and 23 in ComputeJOFP. Here, v can be any node in the VCFG of any procedure. Let S = p_1, p_2, ... be the infinite sequence of paths inserted into sPaths(v). Since the set of all demand vectors forms a well-quasi ordering w.r.t. the ≤ comparison on demand vectors, there must exist an infinite subsequence S′ of S such that for all i ≥ 2, demand(S′[i]) ≥ demand(S′[i−1]). From the ComputeJOFP algorithm and the definition of covered, it follows that for all i ≥ 2, ⊔_{1 ≤ j < i} ptf(S′[j]) does not dominate ptf(S′[i]) (otherwise S′[i] would have been covered by previously inserted paths and would not have been inserted). As in the first part, the joins ⊔_{1 ≤ j ≤ i} ptf(S′[j]), for increasing i, form a strictly ascending chain in the finite-height lattice L → L, which is impossible. Hence no such infinite sequence exists, and ComputeJOFP terminates.
Hence proved.
Soundness
Soundness of the algorithm is characterized by the following theorem:
Theorem 2 (Soundness).
For any node v, let d_v ∈ L be the JOFP value computed by ComputeJOFP for v, treating d_0 ∈ L as the initial value at the start node, and start as the initial node. Then,

  d_v ⊒ ⊔ { (ptf(p))(d_0) : p is a feasible, interprocedurally valid path from start to v }

The proof of this theorem requires a set of lemmas and intermediate theorems. Therefore, we first present the necessary lemmas, then the intermediate theorems, and then the final proof of correctness.

Important Lemmas
We require the following lemmas.
Lemma 1. If d ∈ N^r is a vector, r ≥ 1, p_1 and p_2 are paths from v_i to v_j such that demand(p_1, d) ≤ demand(p_2, d), and p_3 is any path ending at v_i, then demand(p_3.p_1, d) ≤ demand(p_3.p_2, d).

Proof: This is the Demand Supply Lemma presented in the paper. We prove the lemma using induction on the length of the path p_3.

We first consider the base case, when p_3 = (v –f,w→ v_i), i.e., it is a single edge. Let d_1 = demand(p_1, d) and d_2 = demand(p_2, d). We are given d_1 ≤ d_2. Subtracting w from both sides we get

  d_1 − w ≤ d_2 − w    (1)

We now prove that the application of µ preserves the ordering in inequation (1); in other words, that µ applied to vectors is a monotone function. Recall that by Definition 2, demand(p_3.p_1, d) = µ(d_1 − w) and demand(p_3.p_2, d) = µ(d_2 − w); i.e., µ applied to the LHS and RHS of (1) gives the demands of p_3.p_1 and p_3.p_2. As µ is applied component-wise on a vector, and addition/subtraction of vectors is also component-wise, it suffices to show for any i ∈ [1..r] that µ(d_1[i] − w[i]) ≤ µ(d_2[i] − w[i]). Based on the values of d_1[i], d_2[i] and w[i], we have the following possibilities:

1. Case 1: d_1[i] − w[i] > 0 and d_2[i] − w[i] > 0. In this case, by the definition of µ,
   µ(d_1[i] − w[i]) = d_1[i] − w[i]    (2)
   and µ(d_2[i] − w[i]) = d_2[i] − w[i]    (3)
   From (1), (2) and (3) we can infer that µ(d_1[i] − w[i]) ≤ µ(d_2[i] − w[i])    (4)

2. Case 2: d_1[i] − w[i] ≤ 0 and d_2[i] − w[i] ≤ 0. In this case, by the definition of µ,
   µ(d_1[i] − w[i]) = 0    (5)
   and µ(d_2[i] − w[i]) = 0    (6)
   From (5) and (6) we can infer that µ(d_1[i] − w[i]) ≤ µ(d_2[i] − w[i])    (7)

3. Case 3: d_1[i] − w[i] ≤ 0 and d_2[i] − w[i] > 0. In this case, by the definition of µ,
   µ(d_1[i] − w[i]) = 0    (8)
   and µ(d_2[i] − w[i]) > 0    (9)
   From (8) and (9) we can infer that µ(d_1[i] − w[i]) ≤ µ(d_2[i] − w[i])    (10)

Due to (1), the fourth case (d_1[i] − w[i] > 0 ∧ d_2[i] − w[i] ≤ 0) cannot occur. From (4), (7) and (10) we can infer that for all i ∈ [1..r], µ(d_1[i] − w[i]) ≤ µ(d_2[i] − w[i]), irrespective of the values of d_1[i], d_2[i] and w[i]. Therefore,

  µ(d_1 − w) ≤ µ(d_2 − w)    (11)

Now, using the definition of demand for p_3.p_1 and p_3.p_2, it follows from (11) that demand(p_3.p_1, d) ≤ demand(p_3.p_2, d). This proves the base case.

For the inductive case, let the length of p_3 be n + 1. Let p_3 = (v –f,w→ v′).p_3′, where we have from the hypothesis that demand(p_3′.p_1, d) ≤ demand(p_3′.p_2, d). The inductive case can be proved the same way as the base case, by replacing p_1 by p_3′.p_1 and p_2 by p_3′.p_2 in the base-case proof. Hence proved.
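The case analysis above can be sanity-checked numerically, reusing mu and sub from the demand sketch earlier in this appendix (the concrete values below are illustrative, with r = 2):

    d1, d2, w = (1, 0), (2, 3), (1, 2)   # d1 <= d2 component-wise
    print(mu(sub(d1, w)))                # (0, 0): both components clamp to zero
    print(mu(sub(d2, w)))                # (1, 1): both components stay positive
    # (0, 0) <= (1, 1) component-wise, as inequation (11) asserts.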
Lemma 2.
Let p be a path from v_i to v_j and S be a set of paths from v_i to v_j such that ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p). Let p_0 be any path ending at v_i. Then ⊔_{p′ ∈ S} ptf(p_0.p′) ⊒ ptf(p_0.p).

Proof: Let S = {p_1, p_2, ..., p_n}. We are given

  ptf(p_1) ⊔ ptf(p_2) ⊔ ... ⊔ ptf(p_n) ⊒ ptf(p)    (1)

By composing on the left of the LHS and RHS of (1) with ptf(p_0), and by the monotonicity of the composition operation, we obtain

  ptf(p_0) ∘ (ptf(p_1) ⊔ ptf(p_2) ⊔ ... ⊔ ptf(p_n)) ⊒ ptf(p_0) ∘ ptf(p)    (2)

It is given that the path transfer functions form a complete lattice. As a consequence, path transfer function composition left-distributes over function join, i.e., f ∘ (f_1 ⊔ f_2 ⊔ ... ⊔ f_n) = (f ∘ f_1) ⊔ (f ∘ f_2) ⊔ ... ⊔ (f ∘ f_n). Therefore, expanding (2) using left-distributivity, we obtain

  (ptf(p_0) ∘ ptf(p_1)) ⊔ (ptf(p_0) ∘ ptf(p_2)) ⊔ ... ⊔ (ptf(p_0) ∘ ptf(p_n)) ⊒ ptf(p_0) ∘ ptf(p)    (3)

The path transfer function of a concatenated path p_a.p_b is given by ptf(p_a.p_b) = ptf(p_a) ∘ ptf(p_b). Therefore, rewriting (3) in terms of path transfer functions of concatenated paths, we get

  ptf(p_0.p_1) ⊔ ptf(p_0.p_2) ⊔ ... ⊔ ptf(p_0.p_n) ⊒ ptf(p_0.p)    (4)

As S = {p_1, p_2, ..., p_n}, we can condense (4) to ⊔_{p′ ∈ S} ptf(p_0.p′) ⊒ ptf(p_0.p). Hence proved.
Lemma 3.
Let p_1 = e_1.e_2...e_n be a path, such that for i ∈ [1..n], w_{e_i} = θ(e_i). Let p_2 be any path that starts at the end node of p_1, and let p = p_1.p_2. Let d be any element of N^r. If p_1 does not receive any messages, then demand(p, d) = µ(demand(p_2, d) − w_{p_1}), where w_{p_1} = w_{e_1} + w_{e_2} + ... + w_{e_n}.

Proof: We prove the lemma by induction on the length of p_1, for an arbitrary p_2.

We first prove the base case, when p_1 is of length 1, i.e., it is an edge e. Let w_e be the queuing vector of e, and therefore w_{p_1} = w_e. By Definition 2, we have demand(p, d) = µ(demand(p_2, d) − w_e). Replacing w_e using w_{p_1} = w_e, demand(p, d) = µ(demand(p_2, d) − w_{p_1}). This proves the base case.

We now proceed to the inductive case. Let p = e.p_1′.p_2, where e.p_1′ is of length n + 1. As p_1′ is of length n, the inductive hypothesis holds for p_1′ and the path p′ = p_1′.p_2. Therefore, by the hypothesis we have

  demand(p′, d) = µ(demand(p_2, d) − w_{p_1′})    (1)

From Definition 2 we have, for the path p,

  demand(p, d) = µ(demand(p′, d) − w_e)    (2)

After replacing the value of demand(p′, d) from (1) in (2), we get

  demand(p, d) = µ(µ(demand(p_2, d) − w_{p_1′}) − w_e)    (3)

Now we argue that demand(p, d) = µ(demand(p_2, d) − w_{p_1′} − w_e); i.e., the inner application of µ in (3) can be dropped. To prove this, we argue that for any i ∈ [1..r], µ(µ(demand(p_2, d)[i] − w_{p_1′}[i]) − w_e[i]) = µ(demand(p_2, d)[i] − w_{p_1′}[i] − w_e[i]). Proving this suffices, as the two operations involved, µ and vector addition/subtraction, are component-wise; proving the required result for all components proves it for the full vector.

Let x = demand(p_2, d) − w_{p_1′}. Based on the value of x[i] for any i ∈ [1..r], we have the following possible scenarios:

1. x[i] > 0. In this case µ(x[i]) = x[i]. Therefore, by replacing the value of µ(x[i]), we have
   µ(µ(x[i]) − w_e[i]) = µ(x[i] − w_e[i])    (4)

2. x[i] ≤ 0. As p_1 does not receive any messages, w_e[i] ≥ 0, i.e., e cannot be a receive operation. Therefore, subtracting w_e[i] from x[i] will further reduce the value, that is,
   x[i] − w_e[i] ≤ 0    (5)
   From (5), and the definition of µ, we have µ(x[i] − w_e[i]) = 0    (6)
   Again, because x[i] ≤ 0, we have µ(x[i]) = 0. Hence subtracting w_e[i] from µ(x[i]) results in a zero or lower value, that is,
   µ(x[i]) − w_e[i] ≤ 0    (7)
   From (7), and the definition of µ, we have µ(µ(x[i]) − w_e[i]) = 0    (8)
   As the RHS are equal in (6) and (8), we can infer that in this case,
   µ(µ(x[i]) − w_e[i]) = µ(x[i] − w_e[i])    (9)

Therefore, from (4) and (9), we have proved that for any i ∈ [1..r], µ(µ(x[i]) − w_e[i]) = µ(x[i] − w_e[i]). Therefore, we can rewrite (3) as

  demand(p, d) = µ(demand(p_2, d) − w_{p_1′} − w_e)

As the paths p_1 and p_1′ do not receive any messages, w_{p_1} = w_{e.p_1′} = w_{p_1′} + w_e. Thus, replacing (−w_{p_1′} − w_e) in the above equation by −w_{p_1}, we get demand(p, d) = µ(demand(p_2, d) − w_{p_1}). Therefore, the inductive case holds as well. Hence proved.
As a consequence of Lemma 3, we have the following corollary.
Corollary 2:
Let p = e_1.e_2...e_n be a path, such that for i ∈ [1..n], w_{e_i} = θ(e_i). Let d be any element of N^r. If p does not receive any messages, then demand(p, d) = µ(d − w_p), where w_p = w_{e_1} + w_{e_2} + ... + w_{e_n}.

Proof: The proof of the corollary is the same as that of Lemma 3, and can be obtained by simply replacing demand(p_2, d) by d.
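Numerically, with the demand sketch from earlier (our toy rendering), the corollary says that on a receive-free path the edge-by-edge fold collapses to a single subtraction:

    # Three send-only edges (r = 2); no receives, so all w >= 0.
    p = [(1, 0), (0, 2), (1, 1)]
    w_p = tuple(map(sum, zip(*p)))          # w_p = (2, 3)
    d = (3, 1)
    assert demand(p, d) == mu(sub(d, w_p))  # both evaluate to (1, 0)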
Lemma 4. Let p be a path from v_i to v_j and S be a set of paths from v_i to v_j such that ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p). Let p_0 be any path beginning at v_j. Let function composition be right-distributive over join for all the path transfer functions. Then ⊔_{p′ ∈ S} ptf(p′.p_0) ⊒ ptf(p.p_0).

Proof: Let S = {p_1, p_2, ..., p_n}. We are given

  ptf(p_1) ⊔ ptf(p_2) ⊔ ... ⊔ ptf(p_n) ⊒ ptf(p)    (1)

Composing the LHS and RHS of inequation (1) on the right with ptf(p_0), and due to the monotonicity of ptf(p_0) and of composition, we get

  (ptf(p_1) ⊔ ptf(p_2) ⊔ ... ⊔ ptf(p_n)) ∘ ptf(p_0) ⊒ ptf(p) ∘ ptf(p_0)    (2)

As composition is right-distributive over join, i.e., for any f, f_1, ..., f_n ∈ L → L, (f_1 ⊔ ... ⊔ f_n) ∘ f = (f_1 ∘ f) ⊔ ... ⊔ (f_n ∘ f), we can expand (2) as

  (ptf(p_1) ∘ ptf(p_0)) ⊔ (ptf(p_2) ∘ ptf(p_0)) ⊔ ... ⊔ (ptf(p_n) ∘ ptf(p_0)) ⊒ ptf(p) ∘ ptf(p_0)    (3)

The path transfer function of a concatenated path p_a.p_b is given by ptf(p_a.p_b) = ptf(p_a) ∘ ptf(p_b). Therefore, rewriting (3) in terms of path transfer functions of concatenated paths, we get

  ptf(p_1.p_0) ⊔ ptf(p_2.p_0) ⊔ ... ⊔ ptf(p_n.p_0) ⊒ ptf(p.p_0)    (4)

As S = {p_1, p_2, ..., p_n}, we can condense (4) to ⊔_{p′ ∈ S} ptf(p′.p_0) ⊒ ptf(p.p_0). Hence proved.
Lemma 5.
Let d ∈ N^r be a vector, v_i and v_j be any two nodes, and p_1 and p_2 be paths from v_i to v_j such that demand(p_1, d) ≤ demand(p_2, d). Let p_3 be any path ending at v_i and p_4 be any path beginning at v_j. Let the paths p_1, p_2, p_3 and p_4 be such that they do not receive any messages. Then demand(p_3.p_1.p_4, d) ≤ demand(p_3.p_2.p_4, d).

Proof: The proof is in two parts. We first prove that demand(p_1.p_4, d) ≤ demand(p_2.p_4, d). The second part proves demand(p_3.p_1.p_4, d) ≤ demand(p_3.p_2.p_4, d).

To prove the first part, we use Corollary 2. As the paths p_1, p_2 do not receive any messages, Corollary 2 is applicable to p_1 and p_2. Let w_{p_1} and w_{p_2} be the sums of the queuing vectors of the edges in paths p_1 and p_2, respectively. Therefore, by mapping p_1 and p_2 to p in Corollary 2, we have

  demand(p_1, d) = µ(d − w_{p_1})    (1)
  demand(p_2, d) = µ(d − w_{p_2})    (2)

We are given

  demand(p_1, d) ≤ demand(p_2, d)    (3)

Substituting the values from (1) and (2) into (3), we obtain

  µ(d − w_{p_1}) ≤ µ(d − w_{p_2})    (4)

Inequation (4) holds iff for all i ∈ [1..r] it holds that:

– Condition 1: (w_{p_1}[i] < d[i] ∨ w_{p_2}[i] < d[i]) ∧ (w_{p_1}[i] ≥ w_{p_2}[i]), or
– Condition 2: w_{p_1}[i] ≥ d[i] ∧ w_{p_2}[i] ≥ d[i].

We now argue that irrespective of which of the two conditions holds for any given 1 ≤ i ≤ r, demand(p_1.p_4, d)[i] ≤ demand(p_2.p_4, d)[i].

Let demand(p_4, d) = d_4. The first case is when Condition 1 holds for some i. In this case,

  w_{p_1}[i] ≥ w_{p_2}[i]    (5)

Negating both sides of (5) and adding d_4[i] to both sides, we obtain

  d_4[i] − w_{p_1}[i] ≤ d_4[i] − w_{p_2}[i]    (6)

By Definition 2 and Lemma 3, we have

  demand(p_1.p_4, d) = µ(d_4 − w_{p_1})    (7)
  demand(p_2.p_4, d) = µ(d_4 − w_{p_2})    (8)

That is, to obtain the demands, µ is applied to both sides of (6). We proved in Lemma 1 that µ is a monotone function, i.e., if x ≤ y then µ(x) ≤ µ(y). Thus, the application of µ to both sides of (6) preserves the ordering of the inequation, and we obtain

  µ(d_4[i] − w_{p_1}[i]) ≤ µ(d_4[i] − w_{p_2}[i])    (9)

Using the definitions of the demands of p_1.p_4 and p_2.p_4 from (7) and (8), in conjunction with (9), it follows that

  demand(p_1.p_4, d)[i] ≤ demand(p_2.p_4, d)[i]    (10)

The second case is when Condition 2 holds for i. In this case we have

  w_{p_1}[i] ≥ d[i]    (11)
  w_{p_2}[i] ≥ d[i]    (12)

Negating both sides of (11) and (12) and adding d[i] to both sides in both equations, we obtain

  d[i] − w_{p_1}[i] ≤ 0 and d[i] − w_{p_2}[i] ≤ 0    (13)

As p_4 does not receive any messages, by the definition of demand,

  demand(p_4, d) ≤ d    (14)

As d_4 is lower than or equal to d, from (13) and (14) we get

  d_4[i] − w_{p_1}[i] ≤ 0 and d_4[i] − w_{p_2}[i] ≤ 0    (15)

From (15) and the definition of µ, we have

  µ(d_4[i] − w_{p_1}[i]) = 0 and µ(d_4[i] − w_{p_2}[i]) = 0    (16)

By Lemma 3 we have demand(p_1.p_4, d) = µ(d_4 − w_{p_1}) and demand(p_2.p_4, d) = µ(d_4 − w_{p_2}). Using (16) and these definitions, we can infer

  demand(p_1.p_4, d)[i] ≤ demand(p_2.p_4, d)[i]    (17)

Since (10) and (17) together hold for all i, we get:

  demand(p_1.p_4, d) ≤ demand(p_2.p_4, d)    (18)

Now we prove the second part, i.e., if demand(p_1, d) ≤ demand(p_2, d) then demand(p_3.p_1.p_4, d) ≤ demand(p_3.p_2.p_4, d). Applying Lemma 1 by mapping p_1.p_4 to p_1 in the lemma statement, p_2.p_4 to p_2 in the lemma statement, and p_3 to p_3 in the lemma statement, and using (18), we have demand(p_3.p_1.p_4, d) ≤ demand(p_3.p_2.p_4, d). Hence proved.
Lemma 6.
Let v_i and v_j be any two nodes. Let p_1 be a path from v_i to v_j and S be a set of paths from v_i to v_j such that ⊔_{p ∈ S} ptf(p) ⊒ ptf(p_1). Let function composition be both left- and right-distributive over join for all the path transfer functions. Let p_0 be any path ending at v_i and p_2 be any path starting from v_j. Then ⊔_{p ∈ S} ptf(p_0.p.p_2) ⊒ ptf(p_0.p_1.p_2).

Proof: This is the
Function Coverage Lemma, as presented in the paper. To prove the lemma, we use the results of Lemmas 2 and 4. From Lemma 2, we can infer that

  ⊔_{p ∈ S} ptf(p_0.p) ⊒ ptf(p_0.p_1)    (1)

Let S_0 = {p_0.p | p ∈ S}. Therefore, we can rewrite (1) as

  ⊔_{p ∈ S_0} ptf(p) ⊒ ptf(p_0.p_1)    (2)

Now, from Lemma 4, we can infer

  ⊔_{p ∈ S_0} ptf(p.p_2) ⊒ ptf(p_0.p_1.p_2)    (3)

Rewriting (3) in terms of S using the definition of S_0, we obtain

  ⊔_{p ∈ S} ptf(p_0.p.p_2) ⊒ ptf(p_0.p_1.p_2)

Hence proved.
Lemma 7.
Let d ∈ N^r be any vector. Say a set of paths S d-covers a path p. For any path p′, let S_{p′} denote any set of paths that d-covers p′. Then the set of paths ⋃_{p′ ∈ S} S_{p′} d-covers p.

Proof: Let S_1 = ⋃_{p′ ∈ S} S_{p′}. Let p begin at vertex v_i and end at v_j. As S d-covers p, we have the following facts from Definition 5:

1. all paths in S start at v_i and end at v_j,
2. for all paths p′ ∈ S, demand(p′, d) ≤ demand(p, d), and
3. ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p).

Similarly, for any p′ ∈ S we have the following facts for the set S_{p′} that d-covers p′:

1. as p′ starts at v_i and ends at v_j, all paths in S_{p′} start at v_i and end at v_j,
2. for all paths p″ ∈ S_{p′}, demand(p″, d) ≤ demand(p′, d), and
3. ⊔_{p″ ∈ S_{p′}} ptf(p″) ⊒ ptf(p′).

From the facts above and the definition of S_1, it can be directly inferred that every path in S_1 begins at v_i and ends at v_j.    (1)

Now we prove that for any path q ∈ S_1, demand(q, d) ≤ demand(p, d). Let p′ ∈ S be such that q ∈ S_{p′}. Then

  demand(q, d) ≤ demand(p′, d)    (2)

We are given that demand(p′, d) ≤ demand(p, d). Therefore, from (2), we can infer that

  demand(q, d) ≤ demand(p, d)    (3)

Now we prove that the join of the transfer functions of the paths in S_1 dominates the path transfer function of p. Because S d-covers p, we have ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p). Say S = {p′_1, p′_2, ..., p′_n}; then by expanding the above we get

  ptf(p′_1) ⊔ ptf(p′_2) ⊔ ... ⊔ ptf(p′_n) ⊒ ptf(p)    (4)

We are given for all p′ ∈ S that ⊔_{q ∈ S_{p′}} ptf(q) ⊒ ptf(p′). By the properties of the join operation we have

  ⊔_{q ∈ S_{p′_1}} ptf(q) ⊔ ⊔_{q ∈ S_{p′_2}} ptf(q) ⊔ ... ⊔ ⊔_{q ∈ S_{p′_n}} ptf(q) ⊒ ptf(p′_1) ⊔ ptf(p′_2) ⊔ ... ⊔ ptf(p′_n)    (5)

where S_{p′_1}, S_{p′_2}, ..., S_{p′_n} are the sets d-covering the paths p′_1, p′_2, ..., p′_n, respectively. From (4) and (5), it can be seen that

  ⊔_{q ∈ S_{p′_1}} ptf(q) ⊔ ... ⊔ ⊔_{q ∈ S_{p′_n}} ptf(q) ⊒ ptf(p)    (6)

By the properties of join, (6) can be rewritten as

  ⊔_{q ∈ (S_{p′_1} ∪ S_{p′_2} ∪ ... ∪ S_{p′_n})} ptf(q) ⊒ ptf(p)    (7)

As S_1 = S_{p′_1} ∪ S_{p′_2} ∪ ... ∪ S_{p′_n}, (7) can be rewritten as

  ⊔_{q ∈ S_1} ptf(q) ⊒ ptf(p)    (8)

From (1), (3) and (8), S_1 d-covers p. Hence proved.

Our algorithm can be seen as generating paths iteratively, and storing each generated path if it is not covered by other paths. A path is generated at every visit to Lines 11, 17, and 21 of routine
ComputeJOFP. For a given path p, we say that it is generated by our algorithm if it is generated during any visit to any of the lines mentioned above. Over the course of a run of the algorithm, note that any generated path necessarily ends at the node target, although it could begin at any node. Also note that when any path p is generated, if p begins at a node v_i, then p is stored in sPaths(v_i) unless sPaths(v_i) already stores a previously generated set of paths that covers p.

Lemma 8. If p is a path from a node v_i in the VCFG of any procedure to the target node, and if the algorithm generates a set of paths S that covers p, then when ComputeJOFP terminates there is guaranteed to be a set of paths in sPaths(v_i) that covers p.

Proof: Note that after any path p′ ∈ S is generated, the algorithm invokes the routine Covered(p′). Two outcomes can result from this invocation:

1. The routine Covered returns false. In this case p′ is added to sPaths(v_i); that is, p′ is retained.
2. The routine Covered returns true. In this case, p′ is not added to sPaths(v_i), as there exists a set of paths Cover(p′) ⊆ sPaths(v_i) such that Cover(p′) covers p′.

We now prove that irrespective of the outcome of Covered, there exists a set of paths in sPaths(v_i) that covers p. Let

  S_1 = {p′ ∈ S | Covered(p′) returned false}
  S_2 = {p″ ∈ Cover(p′) | p′ ∈ S ∧ Covered(p′) returned true}

Clearly, S_1 ∪ S_2 ⊆ sPaths(v_i), and these paths begin at v_i and end at the target node.    (1)

As S covers p, for all paths p′ ∈ S, demand(p′) ≤ demand(p).    (2)

Similarly, as S covers p, and S_2 contains paths from sets that cover paths p′ ∈ S, for all paths p″ ∈ S_2, demand(p″) ≤ demand(p).    (3)

From (2) and (3), we can infer that for all paths p′ ∈ S_1 ∪ S_2, demand(p′) ≤ demand(p).    (4)

Now we relate the path transfer function of p to those of the paths in sPaths(v_i). We are given ⊔_{p′ ∈ S} ptf(p′) ⊒ ptf(p). Splitting this using the definition of S_1, we obtain

  ⊔_{p′ ∈ S_1} ptf(p′) ⊔ ⊔_{p″ ∈ S − S_1} ptf(p″) ⊒ ptf(p)    (5)

Expanding the set S − S_1 = {p″_1, p″_2, ..., p″_n}, we can write (5) as

  ⊔_{p′ ∈ S_1} ptf(p′) ⊔ ptf(p″_1) ⊔ ptf(p″_2) ⊔ ... ⊔ ptf(p″_n) ⊒ ptf(p)    (6)

From the two outcomes of Covered, we know that S_1 ⊆ sPaths(v_i). Also, for each p″ ∈ S − S_1 there exists a set Cover(p″) ⊆ sPaths(v_i) such that Cover(p″) covers p″. Thus, replacing the path transfer function of each p″ ∈ S − S_1 in (6) by ⊔_{q ∈ Cover(p″)} ptf(q), and using the property that if a ⊒ b then c ⊔ a ⊒ c ⊔ b, we get

  ⊔_{p′ ∈ S_1} ptf(p′) ⊔ ⊔_{q ∈ Cover(p″_1)} ptf(q) ⊔ ... ⊔ ⊔_{q ∈ Cover(p″_n)} ptf(q) ⊒ ptf(p)    (7)

Let S′ = S_1 ∪ Cover(p″_1) ∪ ... ∪ Cover(p″_n). Rewriting (7) in terms of S′, we get

  ⊔_{p′ ∈ S′} ptf(p′) ⊒ ptf(p)    (8)

From the definition of S′ we know that S′ = S_1 ∪ S_2 and S′ ⊆ sPaths(v_i). Therefore, from (1), (4) and (8), we can infer that S′ ⊆ sPaths(v_i) covers p. Hence proved.
Similar to the generation of paths discussed above, the routine
ComputeEndToEnd also generates paths iteratively in each invocation, and stores a generated path if it is not covered by other paths. The routine
ComputeEndToEnd is invoked with a procedure F and a vector d (which is the demand of a path). In each invocation, the routine ComputeEndToEnd generates an interprocedurally valid and complete path, using path templates, at every visit to Line 9. For a given path p, we say that it is generated by ComputeEndToEnd if it is generated during any visit to Line 9. Any path p generated by ComputeEndToEnd begins at the entry node of the VCFG of some procedure F_i and ends at the designated exit node of F_i. If p is generated and begins at the entry node of F_i, then it is stored in sIVCPaths(F_i, d) unless sIVCPaths(F_i, d) already stores a previously generated set of paths that d-covers p.

Lemma 9.
Let d ∈ N^r be a given vector such that ComputeEndToEnd is invoked with procedure F_i ∈ Funcs and d as arguments. If p is an interprocedurally valid and complete path from the entry node en_F of any procedure F ∈ Funcs to the exit node ex_F, and if ComputeEndToEnd generates (at Line 11) a set of paths S that d-covers p for the given vector d, then when the above-mentioned invocation of ComputeEndToEnd terminates there is guaranteed to be a set of paths in sIVCPaths(F, d) that d-covers p.

Proof: The proof of this lemma is similar to the proof of Lemma 8. In this case also, for each p′ ∈ S, either p′ is retained in sIVCPaths(F, d), or a set of d-covering paths is already present. Therefore, the lemma holds.

Lemma 10.
Let p_1, p_2, p_3 be paths where p_1 and p_2 end at v_i and p_3 begins at v_i. If demand(p_1, demand(p_3)) ≤ demand(p_2, demand(p_3)), then demand(p_1.p_3) ≤ demand(p_2.p_3).

Proof:
To prove the lemma, we first prove an intermediate result: for any paths p, q such that the end node of p is the same as the start node of q, demand(p.q, d) = demand(p, demand(q, d)). We prove this using induction on the length of p.

The base case is when p is a single edge e with queuing vector w_e. Then, by Definition 2,

  demand(e.q, d) = µ(demand(q, d) − w_e)    (1)

Again by Definition 2,

  demand(e, demand(q, d)) = µ(demand(q, d) − w_e)    (2)

From (1) and (2), we have demand(e.q, d) = demand(e, demand(q, d)).

We now prove the inductive case. Let p = e.p′, where p is of length n + 1 and p′ is of length n. By the induction hypothesis, we have demand(p′.q, d) = demand(p′, demand(q, d)). By Definition 2, we have demand(p.q, d) = µ(demand(p′.q, d) − w_e). Replacing the value in the RHS using the induction hypothesis,

  demand(p.q, d) = µ(demand(p′, demand(q, d)) − w_e)    (3)

Also, since p = e.p′, using the definition of demand, we have

  demand(p, demand(q, d)) = µ(demand(p′, demand(q, d)) − w_e)    (4)

From (3) and (4), we can infer that demand(p.q, d) = demand(p, demand(q, d)) in the inductive case as well. Therefore, we have proved that for any paths p and q, demand(p.q, d) = demand(p, demand(q, d)).

By taking d = 0 in the result above, we get

  demand(p_1.p_3) = demand(p_1, demand(p_3))    (5)
  demand(p_2.p_3) = demand(p_2, demand(p_3))    (6)

We can conclude from (5) and (6) that demand(p_1, demand(p_3)) ≤ demand(p_2, demand(p_3)) ⇒ demand(p_1.p_3) ≤ demand(p_2.p_3). Hence proved.
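The intermediate result is easy to test with the demand sketch from earlier in this appendix (our toy rendering): splitting a path at any point and threading the suffix's demand through the prefix agrees with computing the demand of the whole concatenation directly.

    p = [(-1,), (1,)]     # prefix: receive then send
    q = [(-1,), (-1,)]    # suffix: two receives
    d = (0,)
    assert demand(p + q, d) == demand(p, demand(q, d))   # both are (2,)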
Lemma 11.
Let v be any node in the VCFG of any procedure, such that for a given node target the algorithm computes the set sPaths(v) for v on termination. Any path p ∈ sPaths(v) is an interprocedurally valid path.

Proof: According to the definition of an interprocedurally valid path, a path p is not interprocedurally valid if, at least once during the traversal of the path, the symbol popped from the top of the stack on encountering a return-site node is not the one pushed at the corresponding call node. This scenario can result only if the path has a return edge that does not have a 'matching' call edge.

We prove by induction on the length of the path p that whenever a path is added to sPaths(v), it is interprocedurally valid (i.e., there are no unbalanced return edges).

For the base case, the length of p is 1. A path of length 1 is interprocedurally invalid iff it requires that an empty stack be popped along the traversal of the path. Paths of length 1 are added only at Line 4 in ComputeJOFP, and all the added paths (rather, edges) are intra-procedural edges. Therefore, p does not contain an unbalanced return edge that would cause a pop from an empty stack. Hence all paths of length 1 added to sPaths(v) are interprocedurally valid.

Moving on to the inductive case, let p be a path of length n + 1, and let the inductive hypothesis hold for all paths of length up to n. There are 3 points in the algorithm where paths are added to sPaths(v) – Lines 13, 19, and 23 in ComputeJOFP. Therefore, based on the location in the algorithm where p was added, we have the following cases:

– Case 1: p = e.p′, and p was added to sPaths(v) at Line 23 in ComputeJOFP. In this case, e is an intra-procedural edge, and the path p′ is an interprocedurally valid path by the induction hypothesis. Therefore, the concatenation of e and p′ does not introduce any unbalanced return edges, and hence p is also an interprocedurally valid path.    (1)

– Case 2: p = c.p′, and p was added to sPaths(v) at Line 19 in InterProcExt. In this case, c is a call edge. Traversal of c does not pop the stack, and from the hypothesis we know that the traversal of p′ is also interprocedurally valid. Therefore, p is interprocedurally valid in this case.    (2)

– Case 3: p = p_1.p_2, where p was added to sPaths(v) at Line 13 in InterProcExt, p_1 begins at v and ends at a return-site node v_r, p_2 begins at v_r, and p_1 is an interprocedurally valid and complete path. Both p_1 and p_2 are of length ≤ n, and their combined length equals the length of p. Therefore, the induction hypothesis holds for both p_1 and p_2. As p_1 is an IVC path, at the end of the traversal of p_1 (i.e., at node v_r) the stack will be empty. From the induction hypothesis we know that the traversal of p_2 from v_r is interprocedurally valid. Therefore, the path p = p_1.p_2 is also interprocedurally valid.    (3)

From (1), (2) and (3), it follows that p is an interprocedurally valid path. Hence proved.

Intermediate Theorems
We first prove that the set of paths returned by theroutine
ComputeEndToEnd for a given demand d, d-covers all IVC paths of any procedure F ∈ Funcs.

Theorem 3 (ComputeEndToEnd Cover).
Let d ∈ N^r be a given vector. Let F_i be a procedure in Funcs, and let ComputeEndToEnd be invoked with arguments F_i and d. Let sIVCPaths(F_i, d) be the set of interprocedurally valid and complete (IVC) paths computed and returned by ComputeEndToEnd. Let F be any procedure in Funcs, and let p be any IVC path from the start of F to the end of F. Then there exists a set of paths Cover(p) ⊆ sIVCPaths(F, d) such that Cover(p) d-covers p.

Proof: We prove the theorem using induction on the depth of the path p. The depth of a path p is the maximum number of (non-sequential) calls made from within the path p.

The base case is when p is of depth 0. For all methods F ∈ Funcs and given demand d, all the paths of depth 0 in F are added to sIVCPaths(F, d) at Line 3 in ComputeEndToEnd. Hence, p ∈ sIVCPaths(F, d), and p d-covers itself.

[Figure 5 (schematic): an IVC path p of depth n + 1 from en_F to ex_F, consisting of a prefix p_a, a call edge c_1 to en_{F_1}, an IVC path p_1 of depth ≤ n from en_{F_1} to ex_{F_1}, a return edge r_1, a middle portion p_b, a call edge c_2 to en_{F_2}, an IVC path p_2 of depth ≤ n from en_{F_2} to ex_{F_2}, a return edge r_2, and a suffix p_c.]

Fig. 5. IVC path p of depth n + 1
We now prove the inductive case. We assume that the hypothesis holds for all paths of depth up to n, i.e., for a given d, all paths of depth up to n are d-covered by their respective sIVCPaths sets. Let p be an IVC path from en_F to ex_F of depth n + 1.

Any IVC path of F of depth n + 1 has the following structure: it starts at the method entry en_F, reaches a call-site, traverses an IVC path of depth up to n, returns to F, reaches another call-site, traverses another IVC path of depth ≤ n, and so on, until it reaches the exit node ex_F. For simplicity of discussion, we assume for now that p contains just two outermost-level calls; Figure 5 shows the schematic structure of such a path. At the end of the proof, we discuss how to extend the proof to paths with an arbitrary number of calls.

In Figure 5, as p is of depth n + 1, p_1 and p_2 are paths of depth ≤ n, and we have from the hypothesis that p_1 is d-covered by Cover(p_1) ⊆ sIVCPaths(F_1, d), and p_2 is d-covered by Cover(p_2) ⊆ sIVCPaths(F_2, d). In the figure, the paths p_1, p_2, p_a, p_b and p_c are all in non-main procedures and hence do not receive any messages. The edges c_1, c_2, r_1, and r_2 are call and return edges.

We now obtain a set of paths that d-covers p_b.c_2.p_2.r_2.p_c. Let

  S_1 = {p_b.c_2.p′.r_2.p_c | p′ ∈ Cover(p_2)}

By the inductive hypothesis, demand(p′, d) ≤ demand(p_2, d) for each p′ ∈ Cover(p_2). Therefore, according to Lemma 5, each path p_j ∈ S_1 is such that demand(p_j, d) ≤ demand(p_b.c_2.p_2.r_2.p_c, d). Again by the hypothesis, and by Lemma 6, the join of the path transfer functions of the paths in S_1 dominates the path transfer function of p_b.c_2.p_2.r_2.p_c. Therefore, S_1 d-covers the path p_b.c_2.p_2.r_2.p_c.    (1)

Let S_2 = {p_a.c_1.p_1.r_1.p_i | p_i ∈ S_1}. By Lemma 1, we have for all p′ ∈ S_2 that demand(p′, d) ≤ demand(p, d). Applying Lemma 2, we can infer that the join of the path transfer functions of the paths in S_2 dominates ptf(p). Thus, S_2 d-covers p.    (2)

Now for each p_i ∈ S_1, let S_3^i be the set

  S_3^i = {p_a.c_1.p′.r_1.p_i | p′ ∈ Cover(p_1)}

From Lemmas 5 and 6, by taking p_3 = p_a.c_1, p_4 = r_1.p_i, and Cover(p_1) to be S, it can be seen that S_3^i d-covers p_i′ = p_a.c_1.p_1.r_1.p_i.    (3)

From the definition of S_2 it is clear that p_i′ ∈ S_2.    (4)

Let S_3 = ⋃_{p_i ∈ S_1} S_3^i. From (2), (3), (4), and Lemma 7, the set S_3 d-covers p.    (5)

As Cover(p_1) ⊆ sIVCPaths(F_1, d) and Cover(p_2) ⊆ sIVCPaths(F_2, d), by Lines 8-9 in procedure ComputeEndToEnd, we know that each path in the set S_3 is generated by the algorithm. Therefore, by (5) and Lemma 9, the set sIVCPaths(F, d) d-covers p.

For an arbitrary structure, the above reasoning can be repeated the required number of times: for every call made in the path p, the proof finds the d-covering paths for the path suffix starting from the end of the current call to the exit node, and extends it backwards with the d-covering paths of the IVC path of the current call, as done above. An inductive proof, with induction on the number of calls in a path, can thus establish the result using the same arguments. Hence proved.
We use the concept of segment in the subsequent proofs, which can be definedas follows.
Definition 6 (Segment).
Any interprocedurally valid path between any two nodes, where each node can be a node in the VCFG of any procedure in the system, can be considered as a sequence of segments. Each segment is either a single intra-procedural edge, a call edge, or a path consisting of:

⟨ a call edge from a call-site v_i to a procedure F,
  followed by an IVC path from the start of F to the end of F,
  followed by the return edge from the exit of F to the return-site corresponding to v_i ⟩

Similar to the proof of Lemma 11, it is easy to see that this definition is valid, that is, the three kinds of segments are sufficient. For instance, a return edge cannot be a segment, as that would allow a single return edge to be deemed an interprocedurally valid path, which is not correct.
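The three kinds of segments can be rendered as a small datatype (a sketch of our own, not the paper's code; all names are ours), which also makes it evident that a bare return edge has no constructor:

    # Sketch of Definition 6: a segment is an intra-procedural edge, a bare
    # call edge, or a balanced call / IVC body / return triple.
    from dataclasses import dataclass, field
    from typing import List, Union

    @dataclass
    class IntraEdge:
        src: str
        dst: str

    @dataclass
    class CallEdge:
        call_site: str
        callee: str

    @dataclass
    class CallReturn:
        call_site: str
        callee: str
        body: List["Segment"] = field(default_factory=list)  # IVC path en_F .. ex_F

    Segment = Union[IntraEdge, CallEdge, CallReturn]
    # An interprocedurally valid path is then a List[Segment]; there is no
    # way to build an unmatched return edge.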
The next theorem ensures that the paths that do not go through main and end at the node target in the VCFG of any F ∈ Funcs are covered by the paths generated and stored by the algorithm.

Theorem 4 (Covering in non-main procedures).
Let p be any interprocedurally valid path from a node v in the VCFG of some procedure F_1 to the target node, and say the target node is in some procedure F_2 (i.e., target is not in main). When the algorithm terminates, there exists a set of paths Cover(p) ⊆ sPaths(v) such that Cover(p) covers p.

Proof: We prove the theorem using induction on the number of segments in the given path p, where segments are as defined in Definition 6. Without loss of generality, we assume that the target node cannot be a return-site node or an entry node of any procedure. In order to compute the JOFP for such nodes, one can always introduce dummy successor nodes.

The base case is when the path has only one segment. Due to the assumptions on target stated above, p must be of the form v_i –f,w→ target, i.e., a path consisting of a single intra-procedural edge (the other kinds of segments end at either a return-site node or an entry node). All such edges are added to sPaths(v_i) at Line 4 of routine ComputeJOFP. Therefore, p ∈ sPaths(v_i), and as each path covers itself by definition, the base case holds.

Now we prove the inductive case. From the inductive hypothesis we have that all paths having n segments are covered. Based on the types of segments, the inductive case has 3 sub-cases.

The first case is when p is of the form p = (v_i –f,w→ v_j).p_1, where p_1 is a path from v_j to target having n segments, and p_1 is covered by Cover(p_1) ⊆ sPaths(v_j). Consider the following set of paths:

  S = {(v_i → v_j).p_j | p_j ∈ Cover(p_1)}

By mapping d in Lemma 1 to the zero vector, (v_i → v_j) to p_3, and each path p_j ∈ Cover(p_1) to p_1 in the lemma statement, we have that every path p_i in S is such that

  demand(p_i) ≤ demand(p)    (1)

By the inductive hypothesis, the join of the path transfer functions of the paths in Cover(p_1) dominates the path transfer function of p_1. Therefore, by Lemma 2, we have

  ⊔_{p_i ∈ S} ptf(p_i) ⊒ ptf(p)    (2)

From (1) and (2) it follows that S covers p. Since every path in Cover(p_1) is present in sPaths(v_j) (inductive hypothesis), the algorithm would have generated every path in S (at Lines 21 and 22). Therefore, by applying Lemma 8 and using the fact that S covers p, we can infer that a set of paths that covers p is present in sPaths(v_i) when ComputeJOFP terminates.

Case 2 is when the first segment of p is a call-return path as described in Definition 6. Let p = p_1.p_2, where p_1 is the call-return path and p_2 is the remainder of p. Let v_j be the end node of p_1 (i.e., a return-site node) and the start node of p_2 as well. Let v_i be the start node of p_1 (i.e., the call-site node corresponding to v_j), and let F be the procedure that is called from v_i. By the inductive hypothesis, there exists a set of paths Cover(p_2) in sPaths(v_j) that covers p_2.    (3)

Consider the following set of paths:

  S_1 = {p_1.p_i | p_i ∈ Cover(p_2)}

Due to the assumptions on the VCFG, the main procedure is not called by any other procedure. As v_i and target are both not in main, the paths considered in this theorem do not go through the main procedure. As a result, the demands of all these paths are 0. Therefore, each path p_j in S_1 is such that demand(p_j) ≤ demand(p). Again by the inductive hypothesis, and by Lemma 2, the join of the path transfer functions of the paths in S_1 dominates the path transfer function of p. Therefore, S_1 covers p.    (4)

Let c be the call edge from v_i to en_F and r be the corresponding return edge from ex_F to v_j. Consider any path p_i in Cover(p_2) and the following set:

  S_{p_i} = {c.p_j.r.p_i | p_j ∈ ComputeEndToEnd(F, 0)}

From Theorem 3, we know that the set of paths sIVCPaths(F, 0) d-covers the IVC body of p_1 (the fragment of p_1 from en_F to ex_F), with d = 0. Therefore, using Lemma 5 (with c playing the role of the prefix path p_3, r.p_i the suffix path p_4, and the IVC body of p_1 and each p_j ∈ ComputeEndToEnd(F, 0) the middle paths), it follows that for every path p_k ∈ S_{p_i},

  demand(p_k) ≤ demand(p_1.p_i)    (5)

Also, by Lemma 6, mapping ComputeEndToEnd(F, 0) to S in the lemma statement, it follows that the join of the path transfer functions of the paths in S_{p_i} dominates the path transfer function of p_1.p_i.    (6)

From (5) and (6), it follows that the set S_{p_i} covers the path p_1.p_i.    (7)

The path p_i was generated by the algorithm (as per the definition of Cover(p_2)). Thus, from Lines 10-11 in the pseudocode of ComputeJOFP, it is clear that the algorithm generates all paths in S_{p_i}.    (8)

Consider the following set: S_2 = ⋃_{p_i ∈ Cover(p_2)} S_{p_i}. From the definition of S_2, from statements (4), (7) and (8), and from Lemma 7, it follows that S_2 covers p.    (9)

From statement (8), it is clear that the algorithm generates every path in S_2. From this, from statement (9), and from Lemma 8, we infer that when the algorithm terminates, sPaths(v_i) will contain a set of paths that covers p.

The third case is when p is of the form p = e_c.p_1, where e_c is a call-site-to-entry-node edge for a method F, and p_1 is covered by Cover(p_1) ⊆ sPaths(en_F). The proof in this case is similar to the first case. Hence proved.
Next we need to prove that the algorithm generates and stores paths that cover all the paths in the system. In order to do this, we first prove the following important lemma.
Lemma 12.
Let p_j be any interprocedurally valid path from the entry node of a procedure F_i to the target node v, which is inside some procedure in Funcs, such that the algorithm has added p_j to sPaths(en_Fi). If p1 is any interprocedurally valid path that begins at some vertex v_i in main and ends at a call-site node v_k in main from which there is a call-edge c to en_Fi, then when the algorithm terminates there exists a set of paths in sPaths(v_i) that covers the path p = p1.c.p_j.

Proof: By Lines 14-16 in the procedure ComputeJOFP, and from our assumption that p_j is in sPaths(en_Fi), it follows that sPaths(v_k) will contain a set of paths, denoted Cover(c.p_j), that covers the path c.p_j. — (1)

The proof of this lemma is by induction on the number of segments, as defined in Definition 6, in p1. As p1 is an IVC path in main (if p1 were not IVC then the edge c would not be from main to en_Fi, and hence would not satisfy the requirements of the lemma), there can be only two kinds of segments in p1: an intra-procedural edge in main, or an IVC call-return path.

The base case is when p1 has a single segment. This segment has to be of the form v_i → v_k, where v_i → v_k is an edge in main (the other kind of segment ends at a return-site node, not at a call-site node). Consider the following set of paths:

S = {(v_i → v_k).p_k | p_k ∈ Cover(c.p_j)}

Since there are no receive operations inside the procedures, demand(c.p_j) = 0̄. Therefore, from Statement (1), since Cover(c.p_j) covers c.p_j, every path p_k in Cover(c.p_j) is such that demand(p_k) = 0̄. Therefore, for every path p_l ∈ S, demand(p_l) ≤ demand(p). — (2)

From Statement (1), since Cover(c.p_j) covers c.p_j, the join of the path transfer functions of the paths in Cover(c.p_j) dominates the path transfer function of c.p_j. Therefore, by Lemma 2, the join of the path transfer functions of the paths in S dominates the path transfer function of p. — (3)

From Statements (2) and (3), it follows that S covers the path p. — (4)

Since every path in Cover(c.p_j) is present in sPaths(v_k) (Statement (1) above), the algorithm would have generated every path in S, and would have checked whether to add each such path to sPaths(v_i) or whether it is already covered by paths in sPaths(v_i) (Lines 21-22 in the pseudocode of ComputeJOFP). This, in conjunction with Statement (4) above and Lemma 8, lets us infer that a set of paths that covers p is present in sPaths(v_i) when the algorithm terminates.

We now move on to the inductive case. We assume that the lemma is true whenever the path ending at v_k has at most n segments. Let p1 consist of n+1 segments. Based on the type of the first segment, the argument proceeds in two cases.

The first case is that p1 is of the form (v_i → v_j).p2, where v_i → v_j is an edge in main, and v_j is the first vertex of the suffix path p2. Since p2 has at most n segments, the inductive hypothesis is applicable to the path p2.c.p_j. The remainder of the argument is identical to the corresponding inductive case in the proof of Theorem 4.

The second case is that p1 is of the form p2.p3, where p2 is an IVC call-return path (the first segment of p1), and p3 is the remainder of p1. Since p3 has at most n segments, the inductive hypothesis is applicable to the path p3.c.p_j. Let v_j be the end node of p2 (i.e., a return-site node) and the start node of p3 as well. Recall that v_i is the start node of p2 (i.e., the call-site node corresponding to v_j); let F be the procedure called from v_i.

Let p' = p3.c.p_j. By the inductive hypothesis, there exists a set of paths Cover(p') ⊆ sPaths(v_j) that covers p'. — (5)

Consider the following set of paths:

S = {p2.p_i | p_i ∈ Cover(p')}

By the inductive hypothesis, demand(p_i) ≤ demand(p') for each p_i ∈ Cover(p'). Therefore, according to Lemma 1 (taking d in that lemma to be the zero vector), each path q in S is such that demand(q) ≤ demand(p). Again by the inductive hypothesis, and by Lemma 2, the join of the path transfer functions of the paths in S dominates the path transfer function of p. Therefore, S covers p. — (6)

Consider any path p_i in Cover(p'). Let c1 be the call edge from v_i to en_F, and r be the corresponding return edge from ex_F to v_j. Consider the following sets:

T_pi = {q_j | q_j ∈ computeEndToEnd(F, demand(p_i)), demand(q_j, demand(p_i)) ≤ demand(p2, demand(p_i))}
S_pi = {c1.q_j.r.p_i | q_j ∈ T_pi}

From Theorem 3, it follows that the set T_pi d-covers the fragment of p2 from en_F to ex_F, where d = demand(p_i). Therefore, from Theorem 3, from Lemma 10 (taking p in that lemma to be p_i), and from Lemma 5, it follows that for every path p_k ∈ S_pi,

demand(p_k) ≤ demand(p2.p_i). — (7)

From Theorem 3, it also follows that the join of the path transfer functions of the paths in T_pi dominates the path transfer function of the fragment of p2 from en_F to ex_F. Therefore, by Lemma 6, the join of the path transfer functions of the paths in S_pi dominates the path transfer function of p2.p_i. — (8)

From (7) and (8), it follows that the set S_pi covers the path p2.p_i. — (9)

Each p_i was generated by the algorithm (as per the definition of Cover(p')). Thus, from Lines 10-11 in the pseudocode of ComputeJOFP, it is clear that the algorithm generates all paths in S_pi. — (10)

Consider the following set: S' = ∪_{p_i ∈ Cover(p')} S_pi. From the definition of S, from Statements (6) and (9), from Lemma 7, and from the definition of S', it follows that S' covers p. — (11)

From Statement (10), it is clear that the algorithm generates every path in S'. From this, and from Statement (11) and Lemma 8, we infer that when the algorithm terminates, sPaths(v_i) will contain a set of paths that covers p. Hence proved.
Theorem 5.
If p is an interprocedurally valid path from a node v_i in main to a target node v such that v is in any procedure (including main), then when the algorithm terminates, there exists a set of paths Cover(p) ⊆ sPaths(v_i) such that Cover(p) covers p.

Proof: Based on the structure of p, there are two possible cases.

The first is when the target v is in main. The structure of p is then as follows: it starts from v_i in main, passes through vertices in main, enters procedures whose calls it encounters in main and returns to main, passes through further vertices in main, and so on, and finally ends at v in main. In this case the proof is similar to the proof of Lemma 12, taking the interprocedurally valid path suffix c.p_j there to be empty; the induction is on the number of segments in p.

The other case is when p starts from vertex v_i in main, passes through vertices in main, enters procedures whose calls it encounters in main and returns to main, and so on, until it makes a final entry into a procedure F_i such that after this entry it eventually reaches the target vertex v (which may be in F_i or in a transitive callee of F_i) without returning from F_i. In this case, p is of the form p1.c.p2, where p2 is the suffix of p from en_Fi to v (without returning from F_i), p1 is a path from v_i to a call-site node in main, and c is a call-edge from this call-site node to en_Fi.

According to Theorem 4, taking the start node in that theorem to be en_Fi, when the algorithm terminates there exists a set of interprocedurally valid paths Cover(p2) ⊆ sPaths(en_Fi) such that all these paths are from en_Fi to v, and the join of the path transfer functions of these paths dominates ptf(p2). — (1)

Consider the following set of paths:

S = {p1.c.p_j | p_j ∈ Cover(p2)}

From (1), and from Lemmas 1 and 2, it follows that S covers p. — (2)

For any path p_j in Cover(p2), according to Lemma 12, when the algorithm terminates a set of paths that covers p1.c.p_j exists in sPaths(v_i). Therefore, it follows from the definition of S that a set of paths exists in sPaths(v_i) that covers every path in S. This, together with Statement (2) and Lemma 7, implies that a set of paths exists in sPaths(v_i) that covers p. Hence proved.

Proof of Theorem 2
Now we are ready to prove the soundness of the algorithm. As proved in Theorem 5, any interprocedurally valid path p from the start node to the target node is covered by some Cover(p) ⊆ sPaths(start). From Lemma 11, we know that all paths in sPaths(start) are interprocedurally valid. As the set of all feasible paths is a subset of the set of all interprocedurally valid paths, Theorem 5 holds for all feasible paths as well.

All feasible paths from start to target have a demand of 0̄ (otherwise they would have more receives than sends in some prefix of the path). Therefore, by the definition of covering, all paths in the set Cover(p) have demand 0̄.

Let S = {p_i | p_i ∈ sPaths(start) ∧ demand(p_i) = 0̄}. Clearly S ⊇ Cover(p); thus S covers p. From Lines 25-26 in ComputeJOFP we have

d = ⊔_{p_i ∈ S} ptf(p_i)(d0)

where d is the value returned by the algorithm and d0 is the initial value at the start node. As S covers p, we have ⊔_{p_i ∈ S} ptf(p_i) ⊒ ptf(p). Hence d ⊒ ptf(p)(d0) for any feasible path p. Since d ⊒ ptf(p)(d0) for every feasible p, and by the property (a ⊒ b ∧ a ⊒ c) ⇒ (a ⊒ b ⊔ c), for the set of all feasible paths P = {p1, p2, ...} that begin at start and end at target,

d ⊒ ptf(p1)(d0) ⊔ ptf(p2)(d0) ⊔ ...

By condensing the above inequation, we get

d ⊒ ⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0)

Hence proved.
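As an illustration of this final step, the returned value can be computed as follows. This is a minimal sketch under hypothetical representations — stored paths carrying a demand vector and a ptf callable, with the lattice join and bottom passed in — not the tool's actual code.

def compute_returned_value(spaths_start, d0, join, bottom):
    # Join of ptf(p)(d0) over the stored paths at the start node whose
    # demand is the zero vector; paths with non-zero demand correspond
    # to infeasible executions and are skipped.
    result = bottom
    for p in spaths_start:
        if all(x == 0 for x in p.demand):
            result = join(result, p.ptf(d0))
    return result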
Precision
Our algorithm computes the precise JOFP for multi-procedure VCFGs under the unordered channel abstraction. That is, the computed value excludes contributions from paths that are infeasible under this abstraction, but may include contributions from paths that are infeasible when the order of messages in the channel is taken into account. The following theorem states the precision guarantee of our algorithm.
Theorem 6 (Precision).
For any node target, let d ∈ L be the JOFP value computed by ComputeJOFP for target, treating d0 ∈ L as the initial value at the start node, and start as the initial node. Then,

d = ⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0)

Proof:
From the soundness theorem for the algorithm (Theorem 2), we know that

d ⊒ ⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0) — (1)

We know that any p_i ∈ sPaths(start) with a demand of 0̄ is a feasible path. Therefore, the set S = {p_i | p_i ∈ sPaths(start) ∧ demand(p_i) = 0̄} is a subset of the set of feasible paths reaching target. Also, we know from Lemma 11 that all the paths in sPaths(start) are interprocedurally valid. Thus,

⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0) ⊒ ⊔_{p_i ∈ S} ptf(p_i)(d0) — (2)

According to Lines 17-18 of method ComputeJOFP,

d = ⊔_{p_i ∈ S} ptf(p_i)(d0) — (3)

From (2) and (3), we have

⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0) ⊒ d — (4)

From (1) and (4), we can infer

⊔_{p is a feasible, interprocedurally valid path from start to target} ptf(p)(d0) = d

Hence proved.
Complexity Analysis of Backward DFAS Algorithm
We present here the complexity derivation for the single-procedure case of the Backward DFAS algorithm. The derivation additionally assumes that the transfer functions are right-distributive, i.e., that the composition operator distributes over joins in the lattice of transfer functions.

Let Q be the number of locations, K the number of counters, and h the height of the transfer function lattice. Without loss of generality, we assume that each transition changes the value of each counter by at most 1.

Let π be a run from (p,u) to (q,v), written (p,u) −π→ (q,v). We write f_π to denote the transfer function defined by composing the transfer functions associated with the transitions along the run. We say that a set P of runs covers π if for each ρ ∈ P, (p,u) −ρ→ (q,w) with v ≤ w, and f_π ⊑ ⊔_{ρ ∈ P} f_ρ. Note that this notion of covering is defined over runs; as we shall see, it is related to the notion defined for paths earlier. We say that P strictly covers π if, in addition, the final configuration of each run in P is identical to (q,v). We write f_P to denote the function ⊔_{ρ ∈ P} f_ρ. The following facts are easy to see.

Fact 1:
If the set of runs P covers (resp. strictly covers) π, and for each ρ ∈ P the set P_ρ covers (resp. strictly covers) ρ, then ∪_{ρ ∈ P} P_ρ covers (resp. strictly covers) π.

Fact 2:
Suppose P covers (resp. strictly covers) π from (p,u) to (q,v), and suppose (q,v) −δ→ (r,w). Then {ρ.δ | ρ ∈ P} covers (resp. strictly covers) π.δ, where we write ρ.δ for the run that extends ρ by the transition δ, i.e., (p,u) −ρ→ (q,v') −δ→ (r,w').

Fact 3: If P1 is a set of runs that strictly covers π1, and P2 is a set of runs that covers π2, then P1.P2 covers π1.π2.

We write ℓ(P) for the maximum of the lengths of the runs in a finite set P. Let π be a run from (q,u) to (t,v) for some v. Then we define eℓ(π), the effective length of π, to be Minimum{ℓ(P) | P covers π}.

First we consider the case when all configurations along the run are bounded by a value B, i.e., the value of each counter in each configuration along the run (including the initial and final configurations) is bounded by B. We say that such a run is B-bounded.
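The run notation used in this section can be grounded with a small sketch. Assuming a transition is a tuple (src, tgt, delta, f) — source and target locations, a counter-effect vector with entries in {−1, 0, +1}, and a transfer function — the following hypothetical helper executes a candidate run, rejecting it if a counter would go negative, and composes f_π along the way.

def execute(config, transitions, compose, identity):
    # Execute a sequence of transitions from config = (loc, counters).
    # Returns the final configuration and the composed transfer function
    # f_pi, or None if the run is invalid (source-location mismatch, or
    # some counter going negative at an intermediate configuration).
    (loc, counters) = config
    f_pi = identity
    for (src, tgt, delta, f) in transitions:
        if src != loc:
            return None
        counters = tuple(c + d for c, d in zip(counters, delta))
        if any(c < 0 for c in counters):
            return None                  # not a valid run
        loc = tgt
        f_pi = compose(f_pi, f)          # f_pi := f_pi ; f
    return (loc, counters), f_pi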
Lemma 13.
For a B-bounded run (p,u) −π→ (q,v), there is a finite set of runs P, with ℓ(P) ≤ Q.(h+1).B^K, that strictly covers π, where K is the number of counters.

Proof. We prove this by induction on the length of π. If the length of π is less than Q.(h+1).B^K then we may take P = {π}. Otherwise, since the number of B-bounded configurations is bounded by Q.B^K, we may break up the run as

(p,u) −π1→ (r,x) −π2→ (r,x) −π3→ ... (r,x) −πh→ (r,x) −π'→ (q,v)

where each π_i is non-empty. Now consider the runs ξ1 = π1, ξ2 = π1π2, ..., ξh = π1π2...πh. The increasing sequence

f_ξ1 ⊑ f_ξ1 ⊔ f_ξ2 ⊑ f_ξ1 ⊔ f_ξ2 ⊔ f_ξ3 ⊑ ... ⊑ f_ξ1 ⊔ f_ξ2 ⊔ ... ⊔ f_ξh

has at most h distinct elements. Thus there is an i such that f_ξ1 ⊔ ... ⊔ f_ξi = f_ξ1 ⊔ ... ⊔ f_ξi ⊔ f_ξ(i+1), that is, f_ξ(i+1) ⊑ f_ξ1 ⊔ ... ⊔ f_ξi. Hence, by distributivity of composition,

f_π = f_ξ(i+1) ; f_{π(i+2)...πh.π'} ⊑ (f_ξ1 ; f_{π(i+2)...πh.π'}) ⊔ ... ⊔ (f_ξi ; f_{π(i+2)...πh.π'}) = f_{ξ1.π(i+2)...πh.π'} ⊔ ... ⊔ f_{ξi.π(i+2)...πh.π'}

Consider the set of runs

P = {ξj.π(i+2).π(i+3)...πh.π' | 1 ≤ j ≤ i}

From the above calculation, P strictly covers π (each run in P omits only complete loops at (r,x), and hence ends at (q,v)), and further, every run in P is strictly shorter than π. By the induction hypothesis, each ρ in P is strictly covered by a set of runs P_ρ containing only runs of length at most Q.(h+1).B^K. Thus, by Fact 1, ∪_{ρ ∈ P} P_ρ is the desired strict covering set for π.

Following [5], for any subset I ⊆ {1,...,K} of the counters, we define u_I to be the vector which agrees with u on the counters in I and is 0 elsewhere. For such an I and a system G, we define G_I to be the system obtained from G in which each transition is modified to leave the counters outside I untouched, and to operate on the counters in I as before. For any run π from (p,u) to (q,v) in G there is a corresponding run π_I from (p,u_I) to (q,v_I), which constitutes a valid run in G_I.

Let us fix a system G and a target location t. For any configuration s (i.e., s of the form (p,u)), lattice function f, and I ⊆ {1,...,K}, we define dist(I,f,s) as follows:
dist(I,f,s) = Min({∞} ∪ {eℓ(π) | ∃v. s −π→ (t,v) in G_I and f ⊑ f_π})

For any 0 ≤ k ≤ K, we set g(k) to be sup{dist(I,f,s) | |I| = k}. Thus, the function g(k) provides an upper bound on the length of runs that suffice to cover any run from any configuration s to a configuration above (t,0̄) in any system G_I with |I| = k.
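The projection u_I underlying G_I and dist is straightforward; the following one-line sketch (0-based indices, unlike the 1-based numbering in the text) may make the definitions above concrete.

def project(u, I):
    # u_I: keep the counters in I, zero out the rest.
    return tuple(x if i in I else 0 for i, x in enumerate(u))

# Example: project((3, 5, 2), {0, 2}) == (3, 0, 2). A run of G, projected
# componentwise this way, is a valid run of G_I, since G_I ignores the
# counters outside I.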
We now derive bounds on g(k).

Lemma 14.
For any k ∈ {0, 1, ..., K},

g(0) ≤ Q.(h+1)
g(k) ≤ Q.(h+1).(1 + g(k−1))^k + 1 + g(k−1), if k > 0.

In particular, g(k) is finite for all 0 ≤ k ≤ K.

Proof. The proof follows an argument in the style of Rackoff ([47], [5]) and proceeds by induction on k. For k = 0 the result follows directly from Lemma 13. We examine the inductive case next. Let |I| = k. Suppose, for s and f, there is a run π from s to (t,v) in G_I with f ⊑ f_π. We consider two cases.

Case 1: Suppose every configuration in the run π is bounded in size by B = g(k−1) + 1. Then, by Lemma 13, there is a set of runs P in G_I such that ℓ(P) is bounded by Q.(h+1).(g(k−1)+1)^k and P covers π, i.e., f_P ⊒ f_π ⊒ f. This completes the proof in this case.

Case 2: Suppose there is a configuration in the run π where at least one of the counters in I exceeds g(k−1) + 1. Let one such counter be i ∈ I. Then the run π in G_I breaks up as s −π1→ s' −δ→ (q,w) −π2→ (t,v), where s −π1→ s' is a (g(k−1)+1)-bounded run, δ is a single transition, and w(i) > g(k−1) + 1.

Observe that, taking J to be I \ {i}, we also get a run π2_J from (q,w_J) to (t,v_J). Further, by the definitions of G_J and G_I, f_π2 = f_{π2_J}. By the definition of g(k−1), since |J| = k−1, we know that there is a collection of runs P1 in G_J from (q,w_J) that covers π2_J, with ℓ(P1) ≤ g(k−1). For each ρ ∈ P1, let ρ_I be the pseudo-run (possibly invalid, since positivity of counter i may not be guaranteed) induced by the same sequence of transitions in G_I. We claim that ρ_I is actually a valid run in G_I. This is because w(i) ≥ g(k−1) + 1, the length of ρ_I is no more than g(k−1), and each transition may decrease counter i by at most 1. By the definitions of G_I and G_J, f_{ρ_I} = f_ρ. Thus, the set of runs P' = {ρ_I | ρ ∈ P1} covers π2 in G_I.

Further, by Lemma 13, we have a set of runs P2 that strictly covers π1 in G_I, with ℓ(P2) ≤ Q.(h+1).(g(k−1)+1)^k. Thus, using Fact 2, P2.δ strictly covers π1.δ in G_I. Then, using the above and Fact 3, P2.δ.P' covers π1.δ.π2 in G_I. The length of any run in this set is bounded by Q.(h+1).(g(k−1)+1)^k + 1 + g(k−1).

Lemma 15.
Let g(k) be as defined above. Then g(k) ≤ (Q.(h+1).2)^((3k)!+1).

Proof. We follow the proof in [5]. The proof proceeds by induction on k. For k = 0 the result follows directly. In the inductive case:

g(k) ≤ Q.(h+1).(1 + g(k−1))^k + 1 + g(k−1)    (by Lemma 14)
     ≤ Q.(h+1).[(1 + g(k−1))^k + (1 + g(k−1))]
     ≤ (Q.(h+1).(1 + g(k−1)))^(k+1)
     ≤ (Q.(h+1).(2.g(k−1)))^(k+1)
     = (Q.(h+1).2.g(k−1))^(k+1)
     ≤ (Q.(h+1).2.(Q.(h+1).2)^((3(k−1))!+1))^(k+1)
     ≤ ((Q.(h+1).2)^((3(k−1))!+2))^(k+1)
     ≤ (Q.(h+1).2)^((3k)!+1)

Let L = (Q.(h+1).2)^((3K)!+1). From Lemmas 14 and 15 we know that any run π from any configuration s = (p,u) to a configuration with control state t can be covered by runs of length at most L. This allows us to restrict our analysis entirely to configurations bounded by L.
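The relationship between the recurrence of Lemma 14 and the closed form of Lemma 15 can be sanity-checked numerically for small parameters. The sketch below assumes g(0) = Q·(h+1) as the base value; the closed form grows astronomically, so only small k are attempted.

from math import factorial

def g_rec(k, Q, h):
    # Upper bounds obtained from the recurrence of Lemma 14.
    if k == 0:
        return Q * (h + 1)
    prev = g_rec(k - 1, Q, h)
    return Q * (h + 1) * (1 + prev) ** k + 1 + prev

def g_closed(k, Q, h):
    # Closed-form bound of Lemma 15: (Q.(h+1).2)^((3k)!+1).
    return (Q * (h + 1) * 2) ** (factorial(3 * k) + 1)

for k in range(3):   # keep k small: the closed form is astronomical
    assert g_rec(k, 2, 1) <= g_closed(k, 2, 1)

For instance, with Q = 2 and h = 1, the recurrence gives 4, 25, 2730 for k = 0, 1, 2, while the closed form already exceeds 2 million at k = 1.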
Lemma 16.
Suppose s = (p,u) −π→ (t,v) is a run of length at most m. Let u' be such that u'(i) = Min(u(i), m) for each counter i. Then there is a run (p,u') −π'→ (t,v') where π' and π follow the same sequence of transitions; in particular, f_π = f_π'.

Proof. This follows simply from the fact that the length of the run is bounded by m and each transition may reduce the value of a counter by at most 1.

Lemma 17.
Let s be any configuration and t a location. Then,

⊔ {f_π | ∃s' ≤ s. ∃v. s' −π→ (t,v)}
= ⊔ {f_π | ∃v. s −π→ (t,v)}
= ⊔ {f_π | ∃s' ≤ s. ∃v. s' is L-bounded, s' −π→ (t,v), with ℓ(π) ≤ L}

Proof.
That the second and third values are below (under ⊑) the first follows simply from the containment of the underlying sets over which the join is applied. Now, if s' ≤ s and s' −π→ (t,v), then clearly there is a run s −π'→ (t,w) following the same sequence of transitions (so that f_π = f_π'). This ensures that the first value is below the second. If s −π→ (t,v), then by Lemma 15 there is a covering set P for π with ℓ(P) ≤ L. We then apply Lemma 16 to each element of P to conclude that the second value is below the third, completing the proof of the lemma.

Consider Algorithm 1, and assume that the working set is maintained as a queue. Then paths are extended in increasing order of length. We think of the algorithm as proceeding in rounds: round i pertains to the segment when paths of length i are extended to paths of length i+1, added to the working list if required, and placed in the appropriate bins, i.e., sPaths(q) for the appropriate q.

Suppose (q,u) −π→ (target,v) is any run of length i. Let p be the path induced by the run π. Then clearly p has length i, and further, demand(p,0̄) ≤ u. The proof of correctness given earlier showed that there are paths C_p ⊆ sPaths(q) at the end of round i that cover the path p (here "cover" refers to paths, and is used in the sense defined in the main paper). Thus:
– Each path p' in C_p moves from control location q to target.
– For each path p' in C_p, demand(p',0̄) ≤ demand(p,0̄) ≤ u. Hence there is a run (q,u) −π_p'→ (target,w_p') that uses the sequence of transitions of p'. Let P be the collection of these runs.
– f_p ⊑ ⊔_{p' ∈ C_p} f_p'. But f_p = f_π, and for each p' ∈ C_p, f_p' = f_{π_p'}. Thus f_π = f_p ⊑ ⊔_{p' ∈ C_p} f_p' = ⊔_{π_p' ∈ P} f_{π_p'}.

For a configuration s = (q,u), let Π_s^i be the set of paths in sPaths(q) at the end of the i-th round whose demand is below u under ≤; in other words, Π_s^i = {x ∈ sPaths(q) | demand(x,0̄) ≤ u} at the end of the i-th round. Then, for any run of the form s −π→ (target,v) of length at most i, inducing a path p, we have C_p ⊆ Π_s^i, and thus f_π ⊑ ⊔_{p' ∈ Π_s^i} f_p'.
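The bin discipline assumed in this argument — a candidate transfer function already below the join of those stored for the same demand vector is discarded, so each demand vector keeps at most h entries — can be sketched as follows. The representations and the dominated_by_join test are hypothetical stand-ins for the algorithm's actual data structures.

def add_to_bin(bin_entries, demand, f, dominated_by_join):
    # bin_entries maps a demand vector to the list of transfer functions
    # stored for it. A new function is kept only if it is not below the
    # join of those already stored; by the height argument above, each
    # list can then contain at most h functions.
    stored = bin_entries.setdefault(demand, [])
    if stored and dominated_by_join(f, stored):
        return False    # subsumed: do not re-add to the worklist
    stored.append(f)
    return True         # new information: extend in the next round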
Lemma 18.
For any configuration s = (q,u),

⊔ {f_π | ∃v. s −π→ (t,v)} = ⊔ {f_p | p ∈ Π_s^L}

Proof.
This follows from Lemma 17 and the fact that each run of length at most L from s is subsumed by Π_s^L, as shown above.

If s = (q,0̄) then Π_s^L consists only of paths with demand 0̄. Thus JOP(q,target) is the join of the transfer functions defined by all the runs from (q,0̄) to the target, as required. In addition, note that the demands at the end of round i of Algorithm 1 are no more than i on each counter, and thus no more than L at the end of L rounds.

Now we can complete the computation of the complexity of Algorithm 1. We first note that instead of maintaining a path p, it suffices to maintain its demand vector along with the transfer function defined by the path. Since all our demand vectors are L-bounded, the total number of demand vectors is no more than L^K. In addition, at any stage of the algorithm, in any bin, at most h different copies of any demand vector v exist (with different associated transfer functions). To see this, suppose (v,f1), ..., (v,f(h+1)) appear in some bin, in the order in which they were added. Then, as argued before, there is an i such that f(i+1) ⊑ f1 ⊔ f2 ⊔ ... ⊔ fi, contradicting the definition of Algorithm 1. Thus, at any point in the algorithm, there are at most Q bins, each of which contains at most h.L^K demand-vector/transfer-function pairs.

In each round, for each possible transition δ, we consider at most h.L^K possible candidates for extension (all drawn from the same bin). Thus each round considers Δ.h.L^K candidates. For each such candidate the operations required are:
1. manipulating the demand vector by combining it with δ to determine the new demand; these vectors consist of K values, each of size at most L (hence each can be represented and manipulated using log(L) bits);
2. composing the transfer functions;
3. checking whether the composed transfer function is subsumed by the join of a subset of the functions in the same bin.

The first part uses time proportional to K.log(L). Let us suppose that composing transfer functions takes time A. Selecting the desired subset in step 3 requires us to examine each element of the bin and compare against its demand vector; thus h.L^K comparisons, each taking K.log(L) steps, are necessary. Assuming each join takes time B, we can carry out the resulting join in time h.L^K.B. Finally, we need to compare the resulting function with the candidate, taking time C. Thus, the time spent on each candidate is proportional to

O(K.log(L)) + A + O(h.L^K.K.log(L) + h.L^K.B + C)
Thus, the time spent in each round is bounded by

O(Δ.h.L^K.[K.log(L) + A + h.L^K.K.log(L) + h.L^K.B + C])

where Δ is the total number of transitions. Finally, there are at most L rounds, and thus the overall complexity is bounded by

Δ.h.L^(K+1).[K.log(L) + A + h.L^K.K.log(L) + h.L^K.B + C]

which is

O(Δ.h.L^(K+1).[A + h.L^K.(K.log(L) + B) + C])

where L = (Q.(h+1).2)^((3K)!+1). Thus, for a fixed function lattice where lattice operations take constant time, the complexity simplifies to O(Δ.h².L^(2K+1).K.log(L)).

We first present the important definitions required for the proof. The complete lattice D that we use for this purpose is defined as follows:

D ≡ D_{r,κ} → L

The ordering on this lattice is as follows: (d1 ∈ D) ⊑ (d2 ∈ D) iff ∀c ∈ D_{r,κ}. d1(c) ⊑_L d2(c).

To define the abstract transfer function, we first define a ternary relation boundedMove1 as follows. A triple (p,q,s) is in boundedMove1 iff

(0 ≤ p ≤ κ) ∧ (
  (q ≥ 0 ∧ p + q ≤ κ ∧ s = p + q) ∨ (a)
  (q ≥ 0 ∧ p + q > κ ∧ s = κ) ∨ (b)
  (q < 0 ∧ p = κ ∧ 0 ≤ s ≤ κ ∧ κ − s ≤ −q) ∨ (c)
  (q < 0 ∧ p < κ ∧ p + q ≥ 0 ∧ s = p + q) (d)
)

We now define a relation boundedMove on vectors. A triple of vectors (c1,c2,c3) belongs to boundedMove iff all three vectors are of the same size, and for each index i, (c1[i], c2[i], c3[i]) ∈ boundedMove1.

The D → D transfer function for the VCFG edge q1 −(f,w)→ q2 is given as follows:

fun(l ∈ D) ≡ λc ∈ D_{r,κ}. ⊔_{c1 such that (c1,w,c) ∈ boundedMove} f(l(c1))

As we intend to prove correctness by adapting the standard proof technique of abstract interpretation to argue the soundness of our approach, we first present the "concrete" lattice and transfer function. Let D_r be the set of all vectors of size r of natural numbers. Consider the "concrete" lattice D_c ≡ D_r → L, and the following "concrete" transfer function for the VCFG edge q1 −(f,w)→ q2:

fun_conc(l ∈ D_c) ≡ λc ∈ D_r. ⊔_{c1 ∈ D_r such that c1 + w = c} f(l(c1))

We now prove that the function fun is a consistent abstraction of the function fun_conc. For that we define the following function γ:

γ(l ∈ D) ≡ λc ∈ D_r. l(min(c, κ⃗))

where κ⃗ is the vector of size r all of whose elements are equal to κ.

We need to prove that for any d ∈ D, γ(fun(d)) ⊒ fun_conc(γ(d)). As discussed in the paper, this is sufficient to prove correctness.

Let d1 be any bounded queue configuration in D_{r,κ}, and let d2 be any configuration in N^r such that min(d2, κ⃗) is equal to d1. Let d3 be the concrete successor of d2 (if one exists) along a VCFG edge e. It is easy to see from the definitions of the two transfer functions that, to prove consistent abstraction, it is enough to prove that (d1, w, min(d3, κ⃗)) is in boundedMove, where w is the queuing vector of e.

To prove this, let us assume for simplicity that there is a single counter; then d1, d2, d3 and w are all integers, and in this case κ⃗ can be written as κ itself. The generalization to multiple counters is easy, since the argument applies to each counter individually.

– Case (w ≥ 0 ∧ d2 + w ≤ κ): In this case d2 ≤ κ and d3 = d2 + w. Hence d1 = d2 and min(d3,κ) = d3, and by clause (a), (d1, w, d3) ∈ boundedMove1. Therefore (d1, w, min(d3,κ)) ∈ boundedMove.
– Case (w ≥ 0 ∧ d2 + w > κ): We have d3 = d2 + w. In this case (d1, w, κ) ∈ boundedMove1, by clause (a) or (b) depending on whether d1 + w exceeds κ. As min(d3,κ) = κ, we have proved that (d1, w, min(d3,κ)) ∈ boundedMove.
– Case (w < 0 ∧ d2 + w ≥ κ): Clearly we have d2 ≥ κ, and d3 = d2 + w ≥ κ. Therefore d1 = min(d2,κ) = κ and min(d3,κ) = κ, and (κ, w, κ) ∈ boundedMove1 by clause (c). Therefore (d1, w, min(d3,κ)) ∈ boundedMove.
– Case (w < 0 ∧ d2 + w < κ ∧ d2 ≥ κ): Since d3 = d2 + w and d2 ≥ κ, we have κ − d3 ≤ −w. Hence (κ, w, d3) ∈ boundedMove1 by clause (c), and d1 = min(d2,κ) = κ and min(d3,κ) = d3. Therefore (d1, w, min(d3,κ)) ∈ boundedMove.
– Otherwise (w < 0 ∧ d2 + w < κ ∧ d2 < κ): In this case (d2, w, d3) ∈ boundedMove1 by clause (d), and min(d2,κ) = d2 = d1 and min(d3,κ) = d3. Therefore (d1, w, min(d3,κ)) ∈ boundedMove.

Hence proved.
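The case analysis above lends itself to an exhaustive machine check for small κ. The sketch below transcribes clauses (a)–(d) of boundedMove1 for a single counter and verifies that whenever the concrete successor d3 = d2 + w exists (i.e., d3 ≥ 0), the abstract triple (min(d2,κ), w, min(d3,κ)) is in the relation; the ranges over d2 and w are arbitrary test bounds, not part of the definition.

KAPPA = 3

def bounded_move1(p, q, s, kappa=KAPPA):
    # Clauses (a)-(d) of the boundedMove1 relation, for one counter.
    if not (0 <= p <= kappa):
        return False
    return ((q >= 0 and p + q <= kappa and s == p + q) or          # (a)
            (q >= 0 and p + q > kappa and s == kappa) or           # (b)
            (q < 0 and p == kappa and 0 <= s <= kappa
                   and kappa - s <= -q) or                         # (c)
            (q < 0 and p < kappa and p + q >= 0 and s == p + q))   # (d)

# Whenever the concrete step d2 -> d2 + w is defined, the corresponding
# abstract triple must be in boundedMove1 (the consistent-abstraction
# property proved case by case above).
for d2 in range(0, 3 * KAPPA):
    for w in range(-2 * KAPPA, 2 * KAPPA + 1):
        d3 = d2 + w
        if d3 >= 0:
            assert bounded_move1(min(d2, KAPPA), w, min(d3, KAPPA))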
References