Counterexample-guided abstraction refinement for linear programs with arrays

Abstract

Predicate abstraction refinement is one of the leading approaches to software verification. The key idea is to abstract the input program into a Boolean Program (i.e. a program whose variables range over the Boolean values only and model the truth values of predicates corresponding to properties of the program state), and refinement searches for new predicates in order to build a new, more refined abstraction. Thus Boolean programs are commonly employed as a simple, yet useful abstraction. However, the effectiveness of predicate abstraction refinement on programs that involve a tight interplay between data-flow and control-flow is still to be ascertained. We present a novel counterexample guided abstraction refinement procedure for Linear Programs with arrays, a fragment of the C programming language where variables and array elements range over a numeric domain and expressions involve linear combinations of variables and array elements. In our procedure the input program is abstracted w.r.t. a family of sets of array indices, the abstraction is a Linear Program (without arrays), and refinement searches for new array indices. We use Linear Programs as the target of the abstraction (instead of Boolean programs) as they allow to express complex correlations between data and control. Thus, unlike the approaches based on predicate abstraction, our approach treats arrays precisely. This is an important feature as arrays are ubiquitous in programming. We provide a precise account of the abstraction, Model Checking, and refinement processes, discuss their implementation in the EUREKA tool, and present a detailed analysis of the experimental results confirming the effectiveness of our approach on a number of programs of interest.

Appendix

1.1 Abstraction

Lemma 1

The following facts hold:

1. 1.

   if ω is a valuation over V _P and A _P , then \({\overline {\omega}}(e)\subseteq {\overline {\widehat {\omega}}}(\widehat {e})\), for every expression e;

2. 2.

   if ω is a valuation over V _P and A _P and \(\widehat {\omega}\) is a valuation over V _P ∪{a ^k:a∈A _P ,k∈R _P (a)}, then \({\overline {\omega}}(e) = {\overline {\widehat {\omega}}}(\widehat {e})\), for every expression e.

Proof

The proof of Item (1) is by induction on the structure of the concrete expression e.

Base step :

We have that \(e\in V_{P}\cup\mathbb{Z}\cup \{\mathfrak{u}\}\). If, in addition, \(e\in V\cup\mathbb{Z}\cup\{\mathfrak{u}\}\), then \(\widehat {e} = e\), while if \(e\in V_{P}\setminus \widehat {V}\), then \(\widehat {e} = \mathfrak{u}\). Moreover, if e∈V, from the definition of \(\widehat {\omega}\) we have \(\widehat {\omega}(e) =\omega(e) \in\mathcal{D}\), and \({\overline {\omega}}(e) = \{\omega(e)\} = {\overline {\widehat {\omega}}}(\widehat {e})\). If \(e=\mathfrak{u}\), then \(\omega(e) = {\mathcal{D}} = \widehat {\omega}(e)\). If \(e\in\mathbb{Z}\), \({\overline {\omega}}(e) = \{e\} = {\overline {\widehat {\omega}}}(\widehat {e})\). Finally, if e∈V _P ∖V, \({\overline {\widehat {\omega}}}(e)=\mathcal{D}\) and from this the thesis immediately follows.

Inductive step :

We have the following cases to consider:

1. 1.

   \(e = {a}\mathtt {[}{i}\mathtt {]}\). Then \(\widehat {e} = \operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[k_{1},\ldots,k_{n}])\). We consider the following two sub-cases:

   1. (a)

      \({\overline {\widehat {\omega}}}(\widehat {i})\subseteq\{k_{1},\ldots,k_{n}\}\). By inductive hypothesis, \({\overline {\omega}}(i) \subseteq {\overline {\widehat {\omega}}}(\widehat {i})\). By the definitions of \({\overline {\omega}}\), \({\overline {\widehat {\omega}}}\) and \(\operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[k_{1},\ldots,k_{n}])\), we have that

      $$ {\overline {\omega}}\bigl({a}\mathtt {[}{i}\mathtt {]}\bigr) = \bigl\{\omega(a) (k) : k\in {\overline {\omega}}(i)\bigr\} $$

      and

      $$ {\overline {\widehat {\omega}}}\bigl(\operatorname {abs}\bigl({a}\mathtt {[}{i}\mathtt {]},[k_1, \ldots,k_n]\bigr)\bigr) = \bigl\{\widehat {\omega}\bigl(a^k \bigr) : k\in {\overline {\widehat {\omega}}}(\widehat {i})\bigr\} $$

      Since \(\widehat {\omega}(a^{k})=\omega(a)(k)\) for all k∈{k ₁,…,k _n } and \({\overline {\omega}}(i) \subseteq {\overline {\widehat {\omega}}}(\widehat {i}) \subseteq\{k_{1}, \ldots,k_{n}\}\), it immediately follows that \({\overline {\omega}}(a[i])\subseteq {\overline {\widehat {\omega}}}(\operatorname {abs}(a[i],[k_{1},\ldots,k_{n}]))\). From this the thesis readily follows.

   2. (b)

      \({\overline {\widehat {\omega}}}(\widehat {i})\not\subseteq\{k_{1},\ldots,k_{n}\}\), i.e. there exists \(k\in {\overline {\widehat {\omega}}}(\widehat {i})\) such that k∉{k ₁,…,k _n }. Therefore, \(0\in {\overline {\widehat {\omega}}}(\widehat {i} \operatorname {\mathtt {==}}k')\) for all k′∈{k ₁,…,k _n }. By the definitions of \(\operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[k_{1},\ldots, k_{n}])\) and \({\overline {\widehat {\omega}}}\), we have \({\overline {\widehat {\omega}}}(\mathfrak{u}) \subseteq {\overline {\widehat {\omega}}}(\widehat {(}a[i],[k_{1},\ldots, k_{n}])) = {\overline {\widehat {\omega}}}(\widehat {e}) \subseteq\mathcal{D}\). In other words, \({\overline {\widehat {\omega}}}(\widehat {e}) = \mathcal{D}\). Since \({\overline {\omega}}(a[i])\subseteq\mathcal{D}\), the thesis follows immediately.

2. 2.

   e=e ₁ op  e ₂ (where \(op \in\{\operatorname {\mathtt {>=}}, \operatorname {\mathtt {<=}}, \operatorname {\mathtt {<}}, \operatorname {\mathtt {>}}, \operatorname {\mathtt {==}}, \operatorname {\mathtt {!=}}, \operatorname {\mathtt {*}}, \operatorname {\mathtt {+}}\}\)). Then, \(\widehat {e} = \widehat {e_{1}} op\, \widehat {e_{2}}\). The thesis immediately follows from the inductive hypothesis and the definitions of \({\overline {\omega}}\) and \({\overline {\widehat {\omega}}}\).

3. 3.

   \(e = (b\operatorname {\mathtt {?}}e_{1}\operatorname {\mathtt {:}}e_{2})\), then \(\widehat {e} = (\widehat {b} \operatorname {\mathtt {?}}\widehat {e_{1}} \operatorname {\mathtt {:}}\widehat {e_{2}})\). By inductive hypothesis, we have that \({\overline {\omega}}(b)\subseteq {\overline {\widehat {\omega}}}(\widehat {b})\), \({\overline {\omega}}(e_{1})\subseteq {\overline {\widehat {\omega}}}(\widehat {e_{1}})\), and \({\overline {\omega}}(e_{2})\subseteq {\overline {\widehat {\omega}}}(\widehat {e_{2}})\). One of the following cases occurs:

   1. (a)

      \({\overline {\omega}}(b)=\{0\}\). Therefore, \({\overline {\omega}}(e) = {\overline {\omega}}(e_{2})\). Moreover, \(\{0\}\subseteq {\overline {\widehat {\omega}}}(\widehat {b})\) and \({\overline {\widehat {\omega}}}(\widehat {e_{2}}) \subseteq {\overline {\widehat {\omega}}}(\widehat {e})\). By the definitions of \({\overline {\omega}}\) and \({\overline {\widehat {\omega}}}\), \({\overline {\omega}}(e) = {\overline {\omega}}(e_{2}) \subseteq {\overline {\widehat {\omega}}}(\widehat {e_{2}})\subseteq {\overline {\widehat {\omega}}}(\widehat {e})\).

   2. (b)

      \({\overline {\omega}}(b)\subseteq\mathcal{D}\setminus\{0\}\) and \({\overline {\omega}}(e) = {\overline {\omega}}(e_{1})\). Therefore, either \({\overline {\widehat {\omega}}}(\widehat {b})\subseteq\mathcal{D}\setminus\{0\}\) and \({\overline {\widehat {\omega}}}(\widehat {e}) = {\overline {\widehat {\omega}}}(\widehat {e_{1}})\), or \({\overline {\widehat {\omega}}}(\widehat {b})\cap\mathcal{D}\setminus\{0\}\not= \emptyset\) and \({\overline {\widehat {\omega}}}(\widehat {e}) = {\overline {\widehat {\omega}}}(\widehat {e_{1}}) \cup {\overline {\widehat {\omega}}}(\widehat {e_{2}})\). Hence, \({\overline {\omega}}(e) = {\overline {\omega}}(e_{1})\subseteq {\overline {\widehat {\omega}}}(\widehat {e_{1}}) \subseteq {\overline {\widehat {\omega}}}(\widehat {e})\).

   3. (c)

      \(\mathcal{D}\setminus\{0\}\cap {\overline {\omega}}(b)\not= \emptyset\). Therefore \(\mathcal{D}\setminus\{0\}\cap {\overline {\widehat {\omega}}}(\widehat {b})\not= \emptyset\). Hence, by the definitions of \({\overline {\omega}}\) and \({\overline {\widehat {\omega}}}\), the induction hypothesis, and monotonicity of set union, we have \({\overline {\omega}}(e) = {\overline {\omega}}(e_{1}) \cup {\overline {\omega}}(e_{2}) \subseteq {\overline {\widehat {\omega}}}(\widehat {e_{1}}) \cup {\overline {\widehat {\omega}}}(\widehat {e_{2}}) = {\overline {\widehat {\omega}}}(\widehat {e})\).

The proof of Item (2) is again by induction on the structure of the concrete expression e and is very similar to the proof of Item (1) We report only the proof for the case when e=a[i], the other cases can be proved in a similar fashion.

If e=a[i], then \(\widehat {e} = \operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[0,\ldots,\operatorname {size}(a)-1])\). We consider the following two sub-cases:

1. 1.

   \({\overline {\widehat {\omega}}}(\widehat {i})\subseteq R_{P}(a)\). By inductive hypothesis, \({\overline {\omega}}(i) = {\overline {\widehat {\omega}}}(\widehat {i})\). By the definitions of \({\overline {\omega}}\), \({\overline {\widehat {\omega}}}\) and \(\operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[0,\ldots,\operatorname {size}(a)-1])\), we have that

   $$ {\overline {\omega}}\bigl({a}\mathtt {[}{i}\mathtt {]}\bigr) = \bigl\{\omega(a) (k) \mid k\in {\overline {\omega }}(i)\bigr\} $$

   and

   $$ {\overline {\widehat {\omega}}}\bigl(\operatorname {abs}\bigl({a}\mathtt {[}{i}\mathtt {]},\bigl[0,\ldots,\operatorname {size}(a)-1\bigr] \bigr)\bigr) = \bigl\{\widehat {\omega}\bigl(a^k\bigr) : k\in {\overline {\widehat { \omega}}}(\widehat {i})\bigr\} $$

   Since \(\widehat {\omega}(a^{k})=\omega(a)(k)\) for all k∈R _P (a) and \({\overline {\omega}}(i) = {\overline {\widehat {\omega}}}(\widehat {i}) \subseteq R_{P}(a)\), it immediately follows that \({\overline {\omega}}(a[i]) = {\overline {\widehat {\omega}}}(\operatorname {abs}(a[i],[0,\ldots,\operatorname {size}(a)-1]))\). From this the thesis readily follows.

2. 2.

   \({\overline {\widehat {\omega}}}(\widehat {i})\not\subseteq R_{P}(a)\), i.e. there exists \(k\in {\overline {\widehat {\omega}}}(\widehat {i})\) such that k∉R _P (a). Therefore, both \(0\in {\overline {\omega}}(i \operatorname {\mathtt {==}}k')\) and \(0\in {\overline {\widehat {\omega}}}(\widehat {i} \operatorname {\mathtt {==}}k')\), for all k′∈R _P (a). Therefore, \({\overline {\omega}}(e) = \mathcal{D}\), and, by the definitions of \(\operatorname {abs}({a}\mathtt {[}{i}\mathtt {]},[0,\ldots,\operatorname {size}(a)-1])\) and \({\overline {\widehat {\omega}}}\), we have \({\overline {\widehat {\omega}}}(\widehat {e}) = {\overline {\widehat {\omega}}}(\mathfrak{u}) = \mathcal{D}\). Hence, the thesis follows.

 □

Theorem 1

(Soundness of the Abstraction)

Let 〈V,R〉⪯〈V _P ,R _P 〉 and \(\widehat {P} \in\mathrm{abstract}(P,V,R)\). Then:

1. 1.

   \(\operatorname {post}^{*}_{P}\subseteq(\gamma[h]\,\circ \operatorname {post}^{*}_{\widehat {P}}\circ\, \alpha[h])\);

2. 2.

   \(P\sqsubseteq \widehat {P}\).

Moreover if \(\widehat {P} \in\mathrm{abstract}(P,V_{P},R_{P})\) then

1. 3.

   \(\operatorname {post}^{*}_{P} = (\gamma[h]\,\circ \operatorname {post}^{*}_{\widehat {P}}\circ\,\alpha[h])\);

2. 4.

   \(P\equiv \widehat {P}\).

Proof

The proof of Item (1) is done in three steps. First we prove that if \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P} \langle i',\omega'\rangle \) is a transition in P then \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{P} \langle i,\widehat {\omega'}\rangle \) is a transition in \(\widehat {P}\) in Step 1. Second we prove that for every path in P there is a corresponding abstract path in \(\widehat {P}\) in Step 2 and finally we prove the statement of the theorem in Step 3.

Step 1. Let 〈i,ω〉∈S _P be an arbitrary state of P. The proof proceeds by cases, considering the possible statements s _i associated with i∈N _P .

1. 1.

   s _i is \(\mathtt {;}\) (or \(\operatorname {\mathtt {return}}\mathtt {;}\)) and so is \(\widehat {s_{i}}\), and the thesis immediately follows;

2. 2.

   s _i is \(x= e\mathtt {;}\), where x∈V _P .¹⁷ Then \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P}\langle \operatorname {sSucc}_{P}(i),\omega'\rangle \), where \(\omega' \in\varOmega' = \{\omega[d/x] : d\in {\overline {\omega}}(e)\}\). We have two cases to consider.

   1. (a)

      If \(x\in \widehat {V}\), then \(\widehat {s_{i}}\) is \(x=\widehat {e}\mathtt {;}\). By the definition of \({\xrightarrow []{\sigma}}_{\widehat {P}}\), \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{\widehat {P}} \langle \operatorname {sSucc}_{P}(i),\omega_{1}\rangle \), where \(\omega_{1} \in\varOmega_{1} = \{\widehat {\omega}[d/x] : d \in {\overline {\widehat {\omega}}}(\widehat {e})\}\). Since, by Lemma 1, \({\overline {\omega}}(e)\subseteq {\overline {\widehat {\omega}}}(\widehat {e})\), for every valuation ω″∈Ω′, its abstraction \(\widehat {\omega}''\in\varOmega_{1}\).

   2. (b)

      If \(x\notin \widehat {V}\). Then, \(\widehat {s_{i}}\) is a skip statement \(\mathtt {;}\). Then by definition of \({\xrightarrow []{\sigma}}_{\widehat {P}}\), we have that \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{\widehat {P}}\langle \operatorname {sSucc}_{P}(i),\widehat {\omega}\rangle \). Since ω and ω′ only differ on the value of a variables not in \(V_{\widehat {P}}\), by the definition of the function \(\widehat {\cdot}\), \(\widehat {\omega'} = \widehat {\omega}\).

3. 3.

   s _i is \({a}\mathtt {[}{j}\mathtt {]}= e\mathtt {;}\) (with e a linear expression with arrays), and assume R(a)={k ₁,…,k _n }. Then, \(\widehat {s_{i}}\) is of the form

   $$ a^{k_1},\ldots,a^{k_n}=(\widehat {j}\operatorname {\mathtt {==}}k_1)\operatorname {\mathtt {?}}\widehat {e} \operatorname {\mathtt {:}}a^{k_1},\ldots,(\widehat {j}\operatorname {\mathtt {==}}k_n)\operatorname {\mathtt {?}}\widehat {e} \operatorname {\mathtt {:}}a^{k_n}\mathtt {;}. $$

   In the concrete program, \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P}\langle \operatorname {sSucc}_{P}(i),\omega'\rangle \), where

   $$ \omega' \in\varOmega' = \bigl\{\omega\bigl[\bigl( \omega(a)[k/d]\bigr)/a\bigr] : k \in {\overline {\omega}}(j) \text{ and } d\in {\overline {\omega}}(e) \bigr\} $$

   In the abstract program, \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{\widehat {P}}\langle \operatorname {sSucc}_{P}(i),\omega_{1}\rangle \), where

   $$ \omega_1 \in\varOmega_1 = \bigl\{\widehat {\omega} \bigl[d_1/a^{k_1},\ldots,d_n/a^{k_n} \bigr] : \begin{array}[t]{l} d_i \in {\overline {\widehat {\omega}}}\bigl((\widehat {j}\operatorname {\mathtt {==}}k_i)\operatorname {\mathtt {?}}\widehat {e} \operatorname {\mathtt {:}}a^{k_i}\bigr) \\ \text{for } 1\leq i \leq n \bigr\} \end{array} $$

   By Lemma 1, \({\overline {\omega}}(j) \subseteq {\overline {\widehat {\omega}}}(\widehat {j})\), \({\overline {\omega}}(e) \subseteq {\overline {\widehat {\omega}}}(\widehat {e})\), and, for any k∈{k ₁,…,k _n }, \({\overline {\omega}}(a[k]) = \{\omega(a)(k)\} = \{\widehat {\omega}(a^{k})\} = {\overline {\widehat {\omega}}}(a^{k})\). We need to show that if ω″∈Ω′, then \(\widehat {\omega}''\in\varOmega_{1}\).

   Let us consider an arbitrary ω″∈Ω′. Then, ω″=ω[(ω(a)[d/k])/a] for some \(k\in {\overline {\omega}}(j)\) and \(d\in {\overline {\omega}}(e)\). We may have two cases:

   1. (a)

      k∈{k ₁,…,k _n }. Since \({\overline {\omega}}(j) \subseteq {\overline {\widehat {\omega}}}(\widehat {j})\), we also have that \(k\in {\overline {\widehat {\omega}}}(\widehat {j})\). Therefore, there is a \(d\not= 0\) with \(d\in {\overline {\widehat {\omega}}}(\widehat {j}\operatorname {\mathtt {==}}k)\). Moreover, \(0 \in {\overline {\widehat {\omega}}}(\widehat {j}\operatorname {\mathtt {==}}k')\), for \(k\not= k' \in \{k_{1},\ldots,k_{n}\}\). As a consequence, the following set of valuations \(\varOmega_{2} = \{\widehat {\omega}[d/a^{k}] : d \in {\overline {\widehat {\omega}}}(\widehat {e})\}\) is contained in the set Ω ₁. Since \({\overline {\omega}}(e) \subseteq {\overline {\widehat {\omega}}}(\widehat {e})\) by Lemma 1, we also have that \(\widehat {\omega}''\in\varOmega_{2}\). Hence, we conclude \(\widehat {\omega}''\in\varOmega_{1}\).

   2. (b)

      k∉{k ₁,…,k _n }. Therefore, ω″(a)(k′)=ω(a)(k′), for any k′∈{k ₁,…,k _n }. Since, \({\overline {\omega}}(j) \subseteq {\overline {\widehat {\omega}}}(\widehat {j})\), we also have that \(k\in {\overline {\widehat {\omega}}}(\widehat {j})\). Hence, \(0 \in {\overline {\widehat {\omega}}}(\widehat {j}\operatorname {\mathtt {==}}k')\), for k′∈{k ₁,…,k _n }. As a consequence, \(\widehat {\omega} \in\varOmega_{1}\). Since ω and ω″ only differ on the value of some array element not belonging to {k ₁,…,k _n }, by the definition of the function \(\widehat {\cdot}\), \(\widehat {\omega} = \widehat {\omega}''\). Therefore, also \(\widehat {\omega}'' \in\varOmega_{1}\).

4. 4.

   s _i is \(\operatorname {\mathtt {if}}(b)\) (\(\operatorname {\mathtt {while}}(b)\) or \(\operatorname {\mathtt {assume}}(b)\mathtt {;}\)), where b is an (boolean) linear expression with arrays. Then \(\widehat {s_{i}}\) is \(\operatorname {\mathtt {if}}(\widehat {b})\) (\(\operatorname {\mathtt {while}}(\widehat {b})\) or \(\operatorname {\mathtt {assume}}(\widehat {b})\mathtt {;}\)), and, by Lemma 1, \({\overline {\omega}}(b) \subseteq {\overline {\widehat {\omega}}}(\widehat {b})\). According to the definition of the transition relation (see Sect. 3), there are three cases:

   1. (a)

      if \(\{0,d\}\subseteq {\overline {\omega}}(b)\), for some \(d\not= 0\), then \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P} \langle i',\omega\rangle \), where \(i'\in \operatorname {Succ}_{P}(i)\). Since \({\overline {\omega}}(b) \subseteq {\overline {\widehat {\omega}}}(\widehat {b})\), then \(0\in {\overline {\widehat {\omega}}}(\widehat {b})\) and \({\overline {\widehat {\omega}}}(\widehat {b})\cap \mathcal{D}\setminus\{0\}\not=\emptyset\). Therefore, \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{\widehat {P}} \langle i',\widehat {\omega}\rangle \), where \(i'\in \operatorname {Succ}_{P}(i)\).

   2. (b)

      \({\overline {\omega}}(b)=\{0\}\) and \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P} \langle Fsucc_{P}(i),\omega\rangle \). Since \({\overline {\omega}}(b) \subseteq {\overline {\widehat {\omega}}}(\widehat {b})\), then \(0 \in {\overline {\widehat {\omega}}}(\widehat {b})\). Therefore, \(\langle i,\widehat {\omega}\rangle {\xrightarrow []{\epsilon}}_{\widehat {P}} \langle i',\widehat {\omega}\rangle \), with i′∈Fsucc _P (i), is a transition of \(\widehat {P}\);

   3. (c)

      \({\overline {\omega}}(b)\subseteq\mathcal{D}\setminus\{0\}\) and \(\langle i,\omega\rangle {\xrightarrow []{\epsilon}}_{P} \langle Tsucc_{P}(i),\omega\rangle \). The proof is similar to the proof of the previous case.

5. 5.

   s _i is \(\operatorname {\mathtt {assert}}(b)\mathtt {;}\), where b is an (boolean) linear expression with arrays. Then \(\widehat {s_{i}}\) is \(\operatorname {\mathtt {assert}}(\widehat {b})\mathtt {;}\). The proof is similar to the previous case.

Step 2. We now prove that: if \(\xi=\langle i_{0},\omega_{0}\rangle {\xrightarrow []{\sigma_{1}}}_{P} \langle i_{1},\omega_{1}\rangle {\xrightarrow []{\sigma_{2}}}_{P} \cdots {\xrightarrow []{\sigma_{n}}}_{P} \langle i_{n},\omega_{n}\rangle \) is a path in P, then \(\widehat {\xi}=\langle i_{0},\widehat {\omega}_{0}\rangle {\xrightarrow []{\sigma_{1}}}_{\widehat {P}} \langle i_{1},\widehat {\omega}_{1}\rangle {\xrightarrow []{\sigma_{2}}}_{\widehat {P}} \cdots {\xrightarrow []{\sigma_{n}}}_{\widehat {P}} \langle i_{n},\widehat {\omega}_{n}\rangle \) is a path in \(\widehat {P}\).

The proof is by induction on the length n of the path ξ in P. If n=0 then the thesis follows immediately. Let us assume the thesis holds for a path of length n−1. Then \(\widehat {\xi}=\langle i_{0},\widehat {\omega}_{0}\rangle {\xrightarrow []{\sigma_{1}}}_{\widehat {P}} \langle i_{1},\widehat {\omega}_{1}\rangle {\xrightarrow []{\sigma_{2}}}_{\widehat {P}} \cdots {\xrightarrow []{\sigma_{n-1}}}_{\widehat {P}} \langle i_{n-1},\widehat {\omega}_{n-1}\rangle \) is a path in \(\widehat {P}\). Since, by the proof of Step 1, \(\langle i_{n-1},\omega_{n-1}\rangle {\xrightarrow []{\sigma_{n}}}_{P} \langle i_{n},\omega_{n}\rangle \) is a transition in P, then \(\langle i_{n-1},\widehat {\omega}_{n-1}\rangle {\xrightarrow []{\sigma_{n}}}_{\widehat {P}} \langle i_{n},\widehat {\omega}_{n}\rangle \) is a transition in \(\widehat {P}\). Hence the thesis.

Step 3. Finally, we prove that \(\operatorname {post}^{*}_{P}\subseteq(\gamma [h]\,\circ \operatorname {post}^{*}_{\widehat {P}}\circ\,\alpha[h])\). Let X be a subset of S _P and \(\langle i,\omega\rangle \in \operatorname {post}^{*}_{P}(X)\). Then , for some 〈i ₀,ω ₀〉∈X the following

$$\langle i_0,\omega_0\rangle {\xrightarrow []{\sigma_1}}_P \langle i_1,\omega_1\rangle {\xrightarrow []{\sigma_2}}_P \cdots {\xrightarrow []{\sigma_{n-1}}}_P \langle i_{n-1},\omega_{n-1}\rangle {\xrightarrow []{\sigma_{n}}}_P\langle i,\omega\rangle $$

is a path in P. But then:

$$\langle i_0,\widehat {\omega}_0\rangle {\xrightarrow []{\sigma_1}}_{\widehat {P}} \langle i_1,\widehat {\omega}_1\rangle {\xrightarrow []{\sigma_2}}_{\widehat {P}} \cdots {\xrightarrow []{\sigma _{n-1}}}_{\widehat {P}} \langle i_{n-1},\widehat {\omega}_{n-1}\rangle {\xrightarrow []{\sigma_{n}}}_{\widehat {P}}\langle i,\widehat {\omega}\rangle $$

is a path in \(\widehat {P}\). Therefore, \(\langle i,\widehat {\omega}\rangle \in \operatorname {post}^{*}_{\widehat {P}}\).

By definition, \(h(\langle i_{0},\omega_{0}\rangle ) =\langle i_{0},\widehat {\omega}_{0}\rangle \), therefore, by monotonicity of α, \(\langle i_{0},\widehat {\omega}_{0}\rangle \in\alpha[h](X)\). Moreover, \(\langle i,\omega\rangle \in\gamma(\{i,\widehat {\omega}\})\), by definition of γ. By monotonicity of γ and \(\operatorname {post}^{*}_{\widehat {P}}\), we can finally conclude that \(\langle i,\omega\rangle \in\gamma\circ \operatorname {post}^{*}_{\widehat {P}}\circ\alpha(X)\).

As to Item (2) of the theorem, it suffices to notice that the proof in Step 2 above also ensures that \(\operatorname {traces}(P)\subseteq \operatorname {traces}(\widehat {P})\), therefore, that \(P\sqsubseteq \widehat {P}\).

Items (3) and (4) can be proved with a straightforward adaption of the proof above, by exploiting Item (2) of Lemma 1. □

Let P be a linear program without arrays (hence, such that A _P =∅) and V⊆V _P . We denote with abstract(P,V) the abstraction of P with respect to V defined by replacing all the expressions e occurring in P with \(\widehat {e}\), and then by replacing each assignment of the form \(x = e\mathtt {;}\) with the skip statement (\(\mathtt {;}\)) if x∉V, with \(x \operatorname {\mathtt {=}}\widehat {e}\mathtt {;}\), otherwise. The following result, which is an immediate consequence of Lemma 1, states the soundness of the abstraction when applied to a linear program P without arrays:

Corollary 5

Let P be a linear program without arrays, V⊆V _P and \(\widehat {P} \in\mathrm{abstract}(P,V)\) be an abstraction of P w.r.t. V. Then, \(post^{*}_{P} \subseteq(\gamma[h] \,\circ\, post^{*}_{\widehat {P}} \, \circ\, \alpha[h])\) and \(P\sqsubseteq \widehat {P}\).

The following lemma states that if two linear programs \(\widehat {P}\) and \(\widehat {P}'\) are abstractions of the same linear program with arrays P, and in addition \(\widehat {P}'\) contains a superset of the variables in \(\widehat {P}\), then \(\widehat {P}\) is also an abstraction of \(\widehat {P}'\) w.r.t. the additional variables in \(\widehat {P}'\).

Lemma 2

Let \(\widehat {P}\in\mathrm{abstract}(P,V,R)\), and 〈V,R〉⪯〈V′,R′〉. Then for some \(\widehat {P}'\in\mathrm{abstract}(P,V',R')\), \(\widehat {P}\in\mathrm{abstract}(\widehat {P}',\widehat {V})\), where \(\widehat {V} = V\cup\{a^{k} : a\in A_{P}, k\in R(a)\}\).

Proof

We need to build a linear program \(\widehat {P}'\) such that the result of abstracting it w.r.t. \(\widehat {V} = V\cup\{a^{k} : a\in A_{P}, k\in R(a)\}\), gives \(\widehat {P}\). Let X(a)=R′(a)∖R(a), for each array a∈A _P , and θ′(a) be any permutation of R′(a) obtained by concatenating the corresponding permutation θ(a) of R(a) used to construct \(\widehat {P}\) with an arbitrary permutation of X(a).

Let us assume that R(a)={k ₁,…,k _r } and R′(a)={k ₁,…,k _r ,k _r+1,…,k _n }, then X(a)={k _r+1,…,k _n }. Assume also that θ(a)=[k ₁,…,k _r ], and let θ′(a)=[k ₁,…,k _r ,k _r+1,…,k _n ]. We now show that the abstract program \(\widehat {P}'\) built from P using the permutations θ′(a), for a∈A _P , satisfies \(\widehat {P}\in\mathrm{abstract}(\widehat {P}',\widehat {V})\).

We first show that given any expression e in P, if \(e_{\widehat {P}}\) and \(e_{\widehat {P}'}\) are the abstractions of e w.r.t. V and R and V′ and R′, respectively, and \(\widehat {e}_{\widehat {P}'}\) is the abstraction of \(e_{\widehat {P}'}\) w.r.t. \(\widehat {V}\), then \(e_{\widehat {P}} = \widehat {e}_{\widehat {P}'}\). The proof is by induction on the structure of e. The base case for \(e\in V_{P}\cup \mathbb{Z}\cup\{\mathfrak{u}\}\) is immediate.

As to the induction cases, we only prove the case where \(e = {a}\mathtt {[}{i}\mathtt {]}\) (the other cases are trivial). If \(e = {a}\mathtt {[}{i}\mathtt {]}\), then we have:

$$\begin{aligned} e_{\widehat {P}'} =& (i_{\widehat {P}'}\operatorname {\mathtt {==}}k_1)\operatorname {\mathtt {?}}a^{k_1}\operatorname {\mathtt {:}}\ldots \operatorname {\mathtt {:}}(i_{\widehat {P}'} \operatorname {\mathtt {==}}k_{r})\operatorname {\mathtt {?}}a^{k_r} \operatorname {\mathtt {:}}(i_{\widehat {P}'}\operatorname {\mathtt {==}}k_{r+1})\operatorname {\mathtt {?}}a^{k_{r+1}}\operatorname {\mathtt {:}}\ldots \\ & \operatorname {\mathtt {:}}(i_{\widehat {P}'}\operatorname {\mathtt {==}}k_{n})\operatorname {\mathtt {?}}a^{k_n}\operatorname {\mathtt {:}}\mathfrak{u} \\ e_{\widehat {P}} =&(i_{\widehat {P}}\operatorname {\mathtt {==}}k_1)\operatorname {\mathtt {?}}a^{k_1}\operatorname {\mathtt {:}}\ldots \operatorname {\mathtt {:}}(i_{\widehat {P}} \operatorname {\mathtt {==}}k_{r})\operatorname {\mathtt {?}}a^{k_r}\operatorname {\mathtt {:}}\mathfrak{u} \end{aligned}$$

Therefore, abstracting \(e_{\widehat {P}'}\) with respect to \(\widehat {V}\), all the variables in X(a) are replaced by \(\mathfrak{u}\), and we obtain

$$(\widehat {i}_{\widehat {P}}\operatorname {\mathtt {==}}k_1)\operatorname {\mathtt {?}}a^{k_1}\operatorname {\mathtt {:}}\ldots \operatorname {\mathtt {:}}(\widehat {i}_{\widehat {P}}\operatorname {\mathtt {==}}k_{r})\operatorname {\mathtt {?}}a^{k_r}\operatorname {\mathtt {:}}(\widehat {i}_{\widehat {P}'}\operatorname {\mathtt {==}}k_{r+1}) \operatorname {\mathtt {?}}\mathfrak{u}\operatorname {\mathtt {:}}\ldots \operatorname {\mathtt {:}}(\widehat {i}_{\widehat {P}'}\operatorname {\mathtt {==}}k_{n})\operatorname {\mathtt {?}}\mathfrak {u}\operatorname {\mathtt {:}}\mathfrak{u} $$

\(\widehat {e}_{\widehat {P}'}\) is finally obtained by replacing sub-expressions of the form \(e'\operatorname {\mathtt {?}}\mathfrak{u}\operatorname {\mathtt {:}}\mathfrak{u}\) with \(\mathfrak{u}\) leading to

$$\widehat {e}_{\widehat {P}'} = (\widehat {i}_{\widehat {P}'}\operatorname {\mathtt {==}}k_1)\operatorname {\mathtt {?}}a^{k_1}\operatorname {\mathtt {:}}\ldots \operatorname {\mathtt {:}}(\widehat {i}_{\widehat {P}}\operatorname {\mathtt {==}}k_{r})\operatorname {\mathtt {?}}a^{k_r}\operatorname {\mathtt {:}}\mathfrak{u} $$

Since \(\widehat {i}_{\widehat {P}'} = i_{\widehat {P}}\) by the induction hypothesis, we can finally conclude that \(\widehat {e}_{\widehat {P}'} = e_{\widehat {P}}\).

To complete the proof, we need to show that an assignment in \(\widehat {P}'\) associated to a node i in the CFG, once abstracted w.r.t. \(\widehat {V}\) is equal to the corresponding assignment associated to node i in the CFG of \(\widehat {P}\). There can be two cases. Either the assignment at node i in P is of the form \(x= e\mathtt {;}\) or of the form \({a}\mathtt {[}{j}\mathtt {]}= e\mathtt {;}\) (the case of parallel assignments is similar).

Let us consider the case \(x= e\mathtt {;}\). There are three cases to consider:

1. 1.

   x∉V′. Then also x∉V, and in both abstract programs it is abstracted to the skip statement \(\mathtt {;}\). Therefore, its abstraction w.r.t. \(\widehat {V}\) is \(\mathtt {;}\).

2. 2.

   x∈V. Then also x∈V′ and in \(\widehat {P}\) it will become \(x= e_{\widehat {P}}\mathtt {;}\), while in \(\widehat {P}'\) it will become \(x= e_{\widehat {P}'}\mathtt {;}\). Since \(\widehat {e}_{\widehat {P}'}=e_{\widehat {P}}\), abstracting \(x= e_{\widehat {P}'}\mathtt {;}\) w.r.t. \(\widehat {V}\) gives \(x= e_{\widehat {P}}\mathtt {;}\).

3. 3.

   x∉V and x∈V′. The abstraction of the assignment in \(\widehat {P}\) is \(\mathtt {;}\), while in \(\widehat {P}'\) is \(x= e_{\widehat {P}'}\mathtt {;}\). Since \(x\notin \widehat {V}\), the abstraction of \(x= e_{\widehat {P}'}\mathtt {;}\) w.r.t. \(\widehat {V}\) gives \(\mathtt {;}\).

Let us now consider the assignment of the form \({a}\mathtt {[}{j}\mathtt {]} \operatorname {\mathtt {=}}e\mathtt {;}\). Its abstraction in \(\widehat {P}\) is

$$a^{k_1},\ldots,a^{k_r}=\bigl(j_{\widehat {P}} \operatorname {\mathtt {==}}k_1\operatorname {\mathtt {?}}e_{\widehat {P}}\operatorname {\mathtt {:}}a^{k_1}\bigr),\ldots,\bigl(j_{\widehat {P}} \operatorname {\mathtt {==}}k_r\operatorname {\mathtt {?}}e_{\widehat {P}}\operatorname {\mathtt {:}}a^{k_r}\bigr)\mathtt {;}$$

while its abstraction in \(\widehat {P}'\) is

$$\begin{aligned} a^{k_1},\ldots,a^{k_r},\ldots,a^{k_n} =& \bigl(j_{\widehat {P}'} \operatorname {\mathtt {==}}k_1\operatorname {\mathtt {?}}e_{\widehat {P}'}\operatorname {\mathtt {:}}a^{k_1} \bigr),\ldots,\bigl(j_{\widehat {P}'} \operatorname {\mathtt {==}}k_r\operatorname {\mathtt {?}}e_{\widehat {P}'}\operatorname {\mathtt {:}}a^{k_r}\bigr),\ldots, \\ &\bigl(j_{\widehat {P}'} \operatorname {\mathtt {==}}k_n\operatorname {\mathtt {?}}e_{\widehat {P}'}\operatorname {\mathtt {:}}a^{k_n}\bigr)\mathtt {;} \end{aligned}$$

Abstracting this last assignment w.r.t. \(\widehat {V}\) gives:

$$a^{k_1},\ldots,a^{k_r}=\bigl(\widehat {j}_{\widehat {P}'} \operatorname {\mathtt {==}}k_1\operatorname {\mathtt {?}}\widehat {e}_{\widehat {P}'}\operatorname {\mathtt {:}}a^{k_1}\bigr),\ldots,\bigl(\widehat {j}_{\widehat {P}'} \operatorname {\mathtt {==}}k_r\operatorname {\mathtt {?}}\widehat {e}_{\widehat {P}'}\operatorname {\mathtt {:}}a^{k_r}\bigr)\mathtt {;}$$

The conclusion follows from the fact that \(\widehat {j}_{\widehat {P}'}=j_{\widehat {P}}\) and \(\widehat {e}_{\widehat {P}'}=e_{\widehat {P}}\). □

The Lemma above allows us to prove the following:

Theorem 2

Let \(\widehat {P}\in\mathrm{abstract}(P,V,R)\) and \(\widehat {P}'\in\mathrm{abstract}(P,V',R')\). If 〈V,R〉⪯〈V′,R′〉, then \(\widehat {P}'\sqsubseteq \widehat {P}\).

Proof

Assuming 〈V,R〉⪯〈V′,R′〉, by Lemma 2, there exists a program \(\widehat {P}''\in\mathrm{abstract}(P,V',R')\) such that \(\widehat {P}\in\mathrm{abstract}(\widehat {P}'',\widehat {V})\), where \(\widehat {V} = V\cup\{a^{k} : a\in A_{P}, k\in R(a)\}\). By Corollary 5 \(\widehat {P}''\sqsubseteq \widehat {P}\). Since any two programs in abstract(P,V′,R′) are semantically equivalent (as they only differ on the permutations of the sets R′(a) of array indexes used to build the abstraction), then \(\widehat {P}'\equiv \widehat {P}''\). Hence the conclusion. □

1.2 Data-flow analysis

Theorem 3

(Soundness of the Data-flow Analysis)

Let . The following holds: if for all i∈N _P , Π _i ⊆Π _i (P), then for all i∈N _P , \(\varPi_{i}^{1}\subseteq\boldsymbol{\Pi}_{i}(P)\).

Proof

Let Π⊆Π(P) and . Since , then Π ¹ is obtained from Π by one of the cases in the definition of and let i∈N _P be vertex of the statement considered. If \(j\notin \operatorname {Succ}_{P}(i)\) then \(\varPi^{1}_{j}=\varPi_{j}\) and since Π⊆Π(P), it trivially follows that Π _j ⊆Π _j (P). If \(j\in \operatorname {Succ}_{P}(i)\) then \(\varPi^{1}_{j}=\varPi_{j}\cup\varPi^{*}\) for some Π ^∗ and we must prove that \(\varPi^{1}_{j}\subseteq\boldsymbol{\Pi}_{j}(P)\). This amounts to proving that both Π _j ⊆Π _j (P) and Π ^∗⊆Π _j (P) hold. The former is an obvious consequence of the hypothesis Π⊆Π(P). For the latter we must show that the pairs of valuations in Π ^∗ are path edges incident in j and we proceed by cases:

• If s _i is \(\mathtt {;}\) (or \(\operatorname {\mathtt {return}}\mathtt {;}\)), then \(j={\operatorname {sSucc}_{P}(i)}\) and Π ^∗=Π _i . Let 〈ω _e ,ω _i 〉∈Π _i . By hypothesis Π _i ⊆Π _i (P). This means that 〈ω _e ,ω _i 〉 is a path edge incident in i and therefore that there exists a valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\). This path can be extended to the path

  $$\langle1, \omega_0\rangle {\xrightarrow []{\varSigma_0^e}}_P \langle e, \omega_e\rangle {\xrightarrow []{\varSigma_e^i}}_P \langle i, \omega_i\rangle {\xrightarrow []{\epsilon}}_P\langle j,\omega_i\rangle, $$

  which is a valid path. Therefore 〈ω _e ,ω _i 〉 is a path edge incident in j.

• If s _i is an assignment y = e, then \(j={\operatorname {sSucc}_{P}(i)}\) and \(\varPi^{*}=\{\langle\omega_{e},\omega_{i}[\mathbf{d}/\mathbf{y}]\rangle: \langle\omega_{e},\omega_{i}\rangle\in\varPi_{i}, \mathbf{d}\in {\overline {\omega}}_{i}(\mathbf{e})\}\). Let 〈ω ₁,ω ₂〉∈Π ^∗. By the definition of Π ^∗ we know that ω ₁=ω _e and ω ₂=ω _i [d/y] for some 〈ω _e ,ω _i 〉∈Π _i and \(\mathbf{d}\in {\overline {\omega}}_{i}(\mathbf{e})\). By hypothesis Π _i ⊆Π _i (P). This means that 〈ω _e ,ω _i 〉 is a path edge incident in i and therefore that there exists a valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\). This path can be extended to the valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}_{P}\langle j,\omega_{i}[\mathbf{d}/\mathbf{y}]\rangle\). Therefore 〈ω ₁,ω ₂〉 is a path edge incident in j.

• If s _i is \(\operatorname {\mathtt {assume}}(b)\) then \(j=\operatorname {sSucc}_{P}(i)\) and \(\varPi^{*}=\{\langle\omega_{e},\omega_{i}\rangle\in\varPi_{i} : d\in {\overline {\omega}}_{i}(b)\ \mbox{for} \mbox{some}\ d\neq0\}\). Let 〈ω ₁,ω ₂〉∈Π ^∗. By the definition of Π ^∗ we know that ω ₁=ω _e and ω ₂=ω _i for some 〈ω _e ,ω _i 〉∈Π _i such that \(d\in {\overline {\omega}}_{i}(b)\) for some d≠0. By hypothesis Π _i ⊆Π _i (P). This means that 〈ω _e ,ω _i 〉 is a path edge incident in i and therefore that there exists a valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\). This path can be extended to \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}_{P}\langle j,\omega_{i}\rangle\) which is a valid path. Therefore 〈ω ₁,ω ₂〉 is a path edge incident in j.

• If s _i is \(\operatorname {\mathtt {if}}(b)\), \(\operatorname {\mathtt {while}}(b)\), or \(\operatorname {\mathtt {assert}}(b)\) then \(j\in\{\operatorname {Tsucc}_{P}(i), \operatorname {Fsucc}_{P}(i)\}\). If \(j=\operatorname {Tsucc}_{P}(i)\) then \(\varPi^{*}=\{\langle\omega_{e},\omega_{i}\rangle\in\varPi_{i} : d\in {\overline {\omega}}_{i}(b)\text{ for some }d\neq0\}\). Let 〈ω ₁,ω ₂〉∈Π ^∗. By the definition of Π ^∗ we know that ω ₁=ω _e and ω ₂=ω _i for some 〈ω _e ,ω _i 〉∈Π _i such that \(d\in {\overline {\omega}}_{i}(b)\) for some d≠0. By hypothesis Π _i ⊆Π _i (P). This means that 〈ω _e ,ω _i 〉 is a path edge incident in i and therefore that there exists a valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\). This path can be extended to \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}_{P}\langle j,\omega_{i}\rangle\) which is a valid path. Therefore 〈ω ₁,ω ₂〉 is a path edge incident in j. The proof for \(j=\operatorname {Fsucc}_{P}(i)\) is analogous and therefore omitted.

• If s _i is a procedure call pr(a) then \(j={\operatorname {sSucc}_{P}(i)}\) and \(\varPi^{*}=\{\langle\omega_{j},\omega_{j}\rangle: \omega_{j}(\mathbf{g})=\omega_{i}(\mathbf{g}), \omega_{j}(\mathbf{y})\in {\overline {\omega}}_{i}(\mathbf{a}), \langle\omega_{e},\omega_{i}\rangle\in\varPi_{i}, \mathbf{g}=\operatorname {Globals}_{P}, \mathbf{y}=\operatorname {Formals}_{P}(pr)\}\). Let 〈ω ₁,ω ₂〉∈Π ^∗. By the definition of Π ^∗ we know that ω ₁=ω _j an ω ₂=ω _j , where ω _j is a valuation such that ω _j (g)=ω _i (g) and \(\omega_{j}(\mathbf{y})\in {\overline {\omega}}_{i}(\mathbf{a})\) for some 〈ω _e ,ω _i 〉∈Π _i with \(\mathbf{g}=\operatorname {Globals}_{P}\) and \(\mathbf{y}=\operatorname {Formals}_{P}(pr)\). By hypothesis Π _i ⊆Π _i (P). This means that 〈ω _e ,ω _i 〉 is a path edge incident in i and therefore that there exists a valid path \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\). This path can be extended to \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\operatorname {\scriptstyle {call}}(\operatorname {RetPt}_{P}(i),\omega)}}_{P}\langle j,\omega_{j}\rangle\), where \(\omega:\operatorname {Locals}_{P}(i)\rightarrow\mathcal{D}\) is such that ω(x)=ω _i (x), for every \(\mathbf{x}\in \operatorname {Locals}_{P}(i)\), and this path is a valid path. Therefore 〈ω ₁,ω ₂〉 is a path edge incident in j.

• If \(i = \operatorname {Exit}_{P}(pr)\), then

  $$ \varPi^*=\bigl\{\langle\omega_e,\omega_j\rangle: \begin{array}[t]{l} \omega_j(\mathbf{z})=\omega_k(\mathbf{z}), \omega_j(\mathbf{g})=\omega_i(\mathbf{g}),\\ \langle\omega_e,\omega_k\rangle\in\varPi_k, \langle\omega_h,\omega_i\rangle\in\varPi_i,\\ \omega_k(\mathbf{a})=\omega_h(\mathbf{y}), \omega_k(\mathbf{g})=\omega_h(\mathbf{g}),\\ \operatorname {RetPt}(k)=j, \mathbf{y}=\operatorname {Formals}_P(pr),\\ \mathbf{z}=\operatorname {Locals}_P(k),\ \mbox{and}\ \mathbf{g}=\operatorname {Globals}_P\bigr\} \end{array} $$

  for \(j\in \operatorname {Succ}_{P}(i)\). Let 〈ω ₁,ω ₂〉∈Π ^∗. By the definition of Π ^∗, ω ₁=ω _e and ω ₂=ω _j , where ω _j (z)=ω _k (z) and ω _j (g)=ω _i (g) for 〈ω _e ,ω _k 〉∈Π _k and 〈ω _h ,ω _i 〉∈Π _i such that ω _k (a)=ω _h (y) and ω _k (g)=ω _h (g) with \(\operatorname {RetPt}(k)=j\), \(\mathbf{y}=\operatorname {Formals}_{P}(pr)\), \(\mathbf{z}=\operatorname {Locals}_{P}(k)\), and \(\mathbf{g}=\operatorname {Globals}_{P}\). By hypothesis Π _i ⊆Π _i (P) and Π _k ⊆Π _k (P). This means that 〈ω _e ,ω _k 〉 and 〈ω _h ,ω _i 〉 are path edges incident in k and i respectively and therefore that there exist valid paths \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{k}}}_{P} \langle k, \omega_{k}\rangle\) and \(\langle1, \omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{h}}}_{P} \langle h, \omega_{h}\rangle {\xrightarrow []{\varSigma_{h}^{i}}}_{P} \langle i, \omega_{i}\rangle\). Consider the path

  $$\begin{aligned} \langle1, \omega_0\rangle {\xrightarrow []{\varSigma_0^e}}_P& \langle e, \omega_e\rangle {\xrightarrow []{\varSigma_e^k}}_P \langle k, \omega_k\rangle {\xrightarrow []{\operatorname {\scriptstyle {call}}(\operatorname {RetPt}(k),\omega)}}_P \langle h, \omega_h\rangle {\xrightarrow []{\varSigma_h^i}}_P \langle i, \omega_i\rangle\\ {\xrightarrow []{\operatorname {\scriptstyle {ret}}(j,\omega)}}&\langle j,\omega_j\rangle, \end{aligned}$$

  where \(\omega:\operatorname {Locals}_{P}(i)\rightarrow\mathcal{D}\) is such that ω(x)=ω _k (x), with \(\mathbf{x}\in \operatorname {Locals}_{P}(i)\). This is a valid path. In fact \(\langle k, \omega_{k}\rangle {\xrightarrow []{\operatorname {\scriptstyle {call}}(\operatorname {RetPt}(k),\omega)}}_{P} \langle h, \omega_{h}\rangle\) and \(\langle i, \omega_{i}\rangle {\xrightarrow []{\operatorname {\scriptstyle {ret}}(j,\omega)}}\langle j,\omega_{j}\rangle\) are legal transitions, because of ω _k (a)=ω _h (y), ω _k (g)=ω _h (g) and ω _j (z)=ω _k (z), ω _j (g)=ω _i (g) respectively. □

Theorem 4

(Completeness of the Data-flow Analysis)

Let Π ⁰ be defined as above. If 〈ω _h ,ω _j 〉∈Π _j (P) then there exists Π ¹ such that and \(\langle\omega_{h},\omega_{j}\rangle\in\varPi^{1}_{j}\).

Proof

Let 〈ω _h ,ω _j 〉∈Π _j (P), then there exists a valid path

$$\tau=\langle1,\omega_0\rangle {\xrightarrow []{\varSigma_0^h}}_P \langle h, \omega_h\rangle {\xrightarrow []{\varSigma_h^j}}_P \langle j, \omega_j\rangle $$

for some valuation ω ₀. The proof is by induction on the length of τ. In the base case, the length of τ is 0, i.e.τ=〈1,ω ₀〉. We take Π ¹=Π ⁰. Both and \(\langle\omega_{h},\omega_{j}\rangle= \langle\omega_{0},\omega_{0}\rangle\in\varPi^{0}_{1}\) trivially hold. In the step case, let τ be of length n+1. Let \(\tau'=\langle 1,\omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{e}}}_{P} \langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\) be the prefix of τ of length n. Obviously τ′ is a valid path and therefore 〈ω _e ,ω _i 〉∈Π _i . By induction hypothesis there exists Π′ such that and \(\langle\omega_{e},\omega_{i}\rangle\in\varPi'_{i}\). Path τ is obtained from τ′ by adding a transition associated with s _j . The proof continues by a case analysis.

• If s _i is a \(\mathtt {;}\) (or a \(\operatorname {\mathtt {return}}\mathtt {;}\)), then \(\tau=\langle 1,\omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{h}}}_{P} \langle h, \omega_{h}\rangle {\xrightarrow []{\varSigma_{h}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}\langle j,\omega_{j}\rangle\) with ω _j =ω _i and 〈h,ω _h 〉=〈e,ω _e 〉. By the definition of is follows that there exists Π ¹ such that (and therefore ) with \(\varPi^{1}_{j}=\varPi'_{j}\cup\varPi'_{i}\). From this and the fact \(\langle\omega_{e},\omega_{i}\rangle\in\varPi'_{i}\) it readily follows that \(\langle\omega_{h},\omega_{j}\rangle\in\varPi^{1}_{j}\).

• If s _i is an assignment y=e, then \(\tau=\langle1,\omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{h}}}_{P} \langle h, \omega_{h}\rangle {\xrightarrow []{\varSigma_{h}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}\langle j,\omega_{j}\rangle\) with ω _j =ω _i [d/y], with \(\mathbf{d}\in {\overline {\omega}}_{i}(\mathbf{e})\), and 〈h,ω _h 〉=〈e,ω _e 〉. By the definition of is follows that there exists Π ¹ such that (and therefore ) with

  $$\varPi^1_j=\varPi'_j\cup \bigl\{\big\langle\omega_e,\omega_i[\mathbf{d}/\mathbf{y}]\big\rangle: \langle\omega_e,\omega_i\rangle\in\varPi'_i, \mathbf{d}\in {\overline {\omega}}_i(\mathbf{e})\bigr\} $$

  From this and the fact \(\langle\omega_{e},\omega_{i}\rangle\in\varPi'_{i}\) it readily follows that \(\langle\omega_{h},\omega_{j}\rangle\in\varPi^{1}_{j}\).

• If s _i is \(\operatorname {\mathtt {assume}}(b)\), then \(\tau=\langle1,\omega_{0}\rangle {\xrightarrow []{\varSigma_{0}^{h}}}_{P} \langle h, \omega_{h}\rangle {\xrightarrow []{\varSigma_{h}^{i}}}_{P} \langle i, \omega_{i}\rangle {\xrightarrow []{\epsilon}}\langle j,\omega_{j}\rangle\) with ω _j =ω _i and \(j\operatorname {sSucc}_{P}(i)\). By the definition of is follows that there exists Π ¹ such that (and therefore ) with

  $$ \varPi^1_{j}=\varPi_{j}\cup\bigl\{\langle \omega_e,\omega_i\rangle\in\varPi'_i : d\in {\overline {\omega}}_i(b)\text{ for some }d\neq0\bigr\} $$

  Since \(j = \operatorname {sSucc}_{P}(i)\), by the definition of the state transition relation we know that \(d\in {\overline {\omega}}_{i}(b)\) for some \(d\not=0\). From this and the fact \(\langle\omega_{e},\omega_{i}\rangle\in\varPi'_{i}\) it readily follows that \(\langle\omega_{h},\omega_{j}\rangle\in\varPi^{1}_{j}\).

• If s _i is of the form \(\operatorname {\mathtt {if}}(b)\), \(\operatorname {\mathtt {while}}(b)\), or \(\operatorname {\mathtt {assert}}(b)\), then

  $$\tau=\langle1,\omega_0\rangle {\xrightarrow []{\varSigma_0^h}}_P \langle h, \omega_h\rangle {\xrightarrow []{\varSigma_h^i}}_P \langle i, \omega_i\rangle {\xrightarrow []{\epsilon}}\langle j,\omega_j\rangle, $$

  with ω _j =ω _i , \(j\in\{\operatorname {Tsucc}_{P}(i),\operatorname {Fsucc}_{P}(i)\}\), and 〈h,ω _h 〉=〈e,ω _e 〉. Let us consider the case where \(j = \operatorname {Tsucc}_{P}(i)\) (the case where \(j = \operatorname {Fsucc}_{P}(i)\) can be proved similarly). By the definition of is follows that there exists Π ¹ such that (and therefore ) with

  $$ \varPi^1_{j}=\varPi_{j}\cup\bigl\{\langle \omega_e,\omega_i\rangle\in\varPi'_i : d\in {\overline {\omega}}_i(b)\text{ for some }d\neq0\bigr\} $$

  Since \(j = \operatorname {Tsucc}_{P}{i}\), by the definition of the state transition relation we know that \(d\in {\overline {\omega}}_{i}(b)\) for some \(d\not=0\). From this and the fact \(\langle\omega_{e},\omega_{i}\rangle\in\varPi'_{i}\) it readily follows that \(\langle\omega_{h},\omega_{j}\rangle\in\varPi^{1}_{j}\).

• If s _i is a procedure call pr(a), then

  $$\tau=\langle 1,\omega_0\rangle {\xrightarrow []{\varSigma_0^e}}_P \langle e, \omega_e\rangle {\xrightarrow []{\varSigma_e^k}}_P \langle k, \omega_k\rangle {\xrightarrow []{\operatorname {\scriptstyle {call}}(\operatorname {RetPt}_P(k),\omega_k)}}_P\langle j, \omega_j\rangle, $$

  with \(j = \operatorname {First}_{P}(pr)\), and \(\langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{k}}}_{P} \langle k,\omega_{k}\rangle\) is a same–level path. Therefore, by induction hypothesis, there exists Π′ such that and \(\langle \omega_{e},\omega_{k}\rangle \in\varPi'_{k}\). By the definition of is follows that there exists Π ¹ such that (and therefore ) with

  $$\begin{array}{rcl} \varPi^1_{j}&=&\varPi'_{j}\cup \big\{\langle\omega_j,\omega_j\rangle: \begin{array}[t]{l} \omega_j(\mathbf{g})=\omega_{k'}(\mathbf{g}), \omega_j(\mathbf{y})\in {\overline {\omega}}_{k'}(\mathbf{a}), \langle\omega_{e'},\omega_{k'}\rangle\in\varPi'_k,\\ \mathbf{g}=\operatorname {Globals}_P, \mathbf{y}=\operatorname {Formals}_P(pr)\big\} \end{array} \end{array} $$

  On the other hand, by the definition of state transition for a procedure call, we also have that ω _j (g)=ω _k (g) and \(\omega_{j}(\mathbf{y}) \in {\overline {\omega}}_{k}(\mathbf{a})\). Therefore, \(\langle \omega_{k},\omega_{j}\rangle \in\varPi^{1}_{j}\) as required.

• If \(i= \operatorname {Exit}_{P}(pr)\), then

  $$\begin{aligned} &\tau=\langle1,\omega_0\rangle {\xrightarrow []{\varSigma_0^h}}_P \langle h, \omega_h\rangle {\xrightarrow []{\varSigma_h^k}}_P \langle k, \omega_k\rangle {\xrightarrow []{\operatorname {\scriptstyle {call}}(\operatorname {RetPt}_P(k),\omega_k)}}_P\langle e, \omega_e\rangle\\ &\quad {\xrightarrow []{\varSigma_e^i}}_P \langle i, \omega_i\rangle {\xrightarrow []{\operatorname {\scriptstyle {ret}}(j,\omega_k)}}\langle j,\omega_j\rangle, \end{aligned}$$

  with \(e = \operatorname {First}_{P}(pr)\) and \(j \in \operatorname {Succ}_{P}(k)\). Moreover, both \(\langle h, \omega_{h}\rangle {\xrightarrow []{\varSigma_{h}^{k}}}_{P} \langle k, \omega_{k}\rangle\) and \(\langle e, \omega_{e}\rangle {\xrightarrow []{\varSigma_{e}^{i}}}_{P} \langle i, \omega_{i}\rangle\) are same-level paths. Therefore, by induction hypothesis, there exists Π′ such that and both \(\langle \omega_{h},\omega_{k}\rangle \in\varPi'_{k}\) and \(\langle \omega_{e},\omega_{i}\rangle \in\varPi'_{i}\). By the definition of is follows that there exists Π ¹ such that (and therefore ) with

  $$\varPi^1_j=\varPi'_j\cup\big\{\big\langle\omega'_{h},\omega'_j\big\rangle: \begin{array}[t]{l} \big\langle\omega'_{h},\omega'_{k}\big\rangle\in\varPi'_k, \big\langle\omega'_e,\omega'_i\big\rangle\in\varPi'_i,\\ \omega'_j(\mathbf{z})=\omega'_{k}(\mathbf{z}), \omega'_j(\mathbf{g})=\omega_i(\mathbf{g}),\\ \omega'_e(\mathbf{f})\in {\overline {\omega}}'_{k}(\mathbf{a}), \omega'_{k}(\mathbf{g})=\omega'_e(\mathbf{g}),\\ \operatorname {RetPt}(k)=j, s_k\ \mbox{is}\ pr(\mathbf{a}),\ \mathbf{f}=\operatorname {Formals}_P(pr),\\ \mathbf{z}=\operatorname {Locals}_P(k),\ \mbox{and}\ \mathbf{g}=\operatorname {Globals}_P\!\bigr\} \end{array} $$

  On the other hand, by the definition of state transition for a procedure call, we also have that ω _e (g)=ω _k (g), where g=Globals _P , and \(\omega_{e}(\mathbf{f}) \in {\overline {\omega}}_{k}(\mathbf{a})\), where \(\mathbf{f} =\operatorname {Formals}_{P}(pr)\). Similarly, by the definition of state transition for Exit _P (pr), ω _j (g)=ω _i (g), and ω _j (z)=ω _k (z), where \(\mathbf{z} =\operatorname {Locals}_{P}(j)\). Therefore, \(\langle \omega_{h},\omega_{i}\rangle \in\varPi^{1}_{j}\) as required. □

1.3 Model checking linear programs

Lemma 2

Let y be a variable and e a linear (Boolean) expression, such that y does not occur in e, then for any valuation ω:

1. 1.

   \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\) iff \(d\in {\overline {\omega}}(e)\), for some \(d\not= 0\);

2. 2.

   \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\) iff \(0\in {\overline {\omega}}(e)\);

3. 3.

   if e is a linear expression, then \({\overline {\omega}}(e)=\{d\in\mathcal{D} : \, \models_{\omega[d/y]}\operatorname {\gamma }(y,e)\}\).

Proof

The proof is by induction on the structure of the expression e. The base case (for e a constant or a variable) is straightforward. Therefore, here we consider the step case only.

• \(e=(e_{1} \operatorname {\mathit {op}}e_{2})\), with \(\operatorname {\mathit {op}}\in\{\operatorname {\mathtt {*}}, \operatorname {\mathtt {+}}, \operatorname {\mathtt {>=}}, \operatorname {\mathtt {<=}}, \operatorname {\mathtt {<}}, \operatorname {\mathtt {>}}, \operatorname {\mathtt {==}}, \operatorname {\mathtt {!=}}\}\). Let ω be a arbitrary valuation, and \(\overline{d}\in {\overline {\omega}}(e)\). By the definition of \({\overline {\omega}}\), \(\overline{d} = d_{1}\,op\,d_{2}\), for some \(d_{i}\in {\overline {\omega}}(e_{i})\) (i=1,2). Moreover, both e ₁ and e ₂ are linear expressions. Therefore, by induction hypothesis we know that:

  $${\overline {\omega}}(e_i)=\bigl\{d\in\mathcal{D} : \models_{\omega[d/z_i]}\operatorname {\gamma }(z_i,e_i)\bigr\} $$

  for i=1,2. Thus, by the definitions of \(\operatorname {\gamma }(z_{i},e_{i})\), we have that for i=1,2:

  $$\models_{\omega[d_i/z_i]} \exists U_i.\Bigl(z_i=\overline{\mathit{ne}_i}\wedge\bigwedge\overline{B_i}\Bigr)^* $$

  for some \(e_{i}{\rightarrow }(\overline{B_{i}},\overline{\mathit{ne}_{i}})\).

  Without loss of generality, we may assume that \(z_{1} \not= z_{2}\) and U ₁∩U ₂=∅ (otherwise we can rename all the variables in U ₂∪{z ₂}). Since no variable in U ₁ occurs free in \((z_{2}=\overline{\mathit{ne}_{2}}\wedge\bigwedge\overline{B_{2}})^{*}\) and no variable in U ₂ occurs free in \((z_{1}=\overline{\mathit{ne}_{1}}\wedge\bigwedge \overline{B_{1}})^{*}\), it follows that:

  $$\models_{\omega[d_1/z_1,d_2/z_2]} \exists U_1\exists U_2.\Bigl(z_1=\overline{\mathit{ne}_1}\wedge z_2=\overline{\mathit{ne}_2}\wedge\bigwedge \overline{B_1}\wedge\bigwedge\overline{B_2}\Bigr)^* $$

  Taking U=U ₁∪U ₂, this is equivalent to

  $$ \models_{\omega[d_1/z_1,d_2/z_2]} \exists U.\Bigl(z_1= \overline{\mathit{ne}_1}\wedge z_2=\overline{\mathit{ne}_2} \wedge\bigwedge\overline{B_1}\wedge\bigwedge \overline{B_2}\Bigr)^* $$

  (3)

  By the definition of (z ₁  op  z ₂)⁺, it clearly follows that:

  $$\begin{aligned} &\mbox{if}\ d_1\,op\,d_2 \not=0,\quad \mbox{then}\ \models_{\omega[d_1/z_1,d_2/z_2]} \exists U.\Big((z_1\, op\, z_2)^+ \wedge z_1\\ &\hphantom{\mbox{if}\ d_1\,op\,d_2 \not=0,\quad \mbox{then}\ } \quad =\overline{\mathit{ne}_1}\wedge z_2\\ &\hphantom{\mbox{if}\ d_1\,op\,d_2 \not=0,\quad \mbox{then}\ } \quad =\overline {\mathit{ne}_2}\wedge\bigwedge\overline{B_1}\wedge\bigwedge\overline{B_2}\Big)^* \end{aligned}$$

  and from the definition of (z ₁  op  z ₂)⁻ it follows that:

  $$\begin{aligned} &\mbox{if}\ d_1\,op\,d_2 =0,\quad \mbox{then}\ \models_{\omega[d_1/z_1,d_2/z_2]} \exists U.\Bigl((z_1\, op\, z_2)^- \wedge z_1\\ &\hphantom{\mbox{if}\ d_1\,op\,d_2 =0,\quad \mbox{then}\ } \quad =\overline{\mathit{ne}_1}\wedge z_2\\ &\hphantom{\mbox{if}\ d_1\,op\,d_2 =0,\quad \mbox{then}\ } \quad =\overline{\mathit{ne}_2}\wedge\bigwedge\overline{B_1}\wedge\bigwedge \overline{B_2}\Bigr)^* . \end{aligned}$$

  Since \(\overline{d} = d_{1}\,op\,d_{2}\) and neither z ₁ nor z ₂ occurs in \(\overline{\mathit{ne}_{1}}\), \(\overline{\mathit{ne}_{2}}\), \(\overline{B_{1}}\) or \(\overline{B_{2}}\), we obtain:

  $$\begin{aligned} &\text{if}\ \overline{d} \not=0\quad \text{then}\ \models_{\omega} \exists U.\Bigl((\overline{\mathit{ne}_1}\, op\, \overline{\mathit{ne}_2})^+ \wedge\bigwedge\overline {B_1}\wedge\bigwedge\overline{B_2}\Bigr)^*\\ &\text{if}\ \overline{d} = 0\quad \text{then}\ \models_{\omega} \exists U.\Bigl((\overline{\mathit{ne}_1}\, op\, \overline{\mathit{ne}_2})^- \wedge\bigwedge\overline {B_1}\wedge\bigwedge\overline{B_2}\Bigr)^* \end{aligned}$$

  By one application of the inference rule for linear operators, we know that \(e{\rightarrow }(\overline{B_{1}}\cup\overline{B_{2}},\overline{\mathit{ne}_{1}}\,op\,\overline{\mathit{ne}_{2}})\). Therefore, from the definition of \(\operatorname {\operatorname {\beta }^{+}}(e)\) and \(\operatorname {\operatorname {\beta }^{--}}(e)\), we immediately conclude that if \(\overline{d}\in {\overline {\omega}}(e)\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\), and if \(0\in {\overline {\omega}}(e)\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\).

  If, in addition, \(\mathit{op}\in\{\operatorname {\mathtt {*}}, \operatorname {\mathtt {+}}\}\), from (3) follows that

  $$\models_{\omega[d_1/z_1,d_2/z_2]} \exists U.\Bigl(z_1\, \mathit{op}\, z_2 =\overline{\mathit{ne}_1}\, \mathit{op}\, \overline{\mathit{ne}_2}\wedge \bigwedge\overline{B_1}\wedge\bigwedge\overline{B_2}\Bigr)^* $$

  and from that

  $$\models_{\omega[\overline{d}/z]} \exists U.\Bigl(z =\overline{\mathit{ne}_1}\, \mathit{op}\, \overline{\mathit{ne}_2}\wedge\bigwedge\overline {B_1}\bigwedge\overline{B_2}\Bigr)^* $$

  where z is a variable not occurring in \(\overline{\mathit{ne}_{1}}\), \(\overline{\mathit{ne}_{2}}\), \(\overline{B_{1}}\) or \(\overline{B_{2}}\).

  Therefore, from the definition of \(\operatorname {\gamma }(z,e)\), we immediately conclude that \(\models_{\omega[\overline{d}/z]} \operatorname {\gamma }(z,e)\). Hence, \(\overline{d}\in\{d\in\mathcal{D} : \models_{\omega[\overline{d}/z]} \operatorname {\gamma }(z,e)\}\).

  For the other direction, assume \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\) or \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\) ¹⁸, and that, if e is a linear expression, that \(\overline{d}\in\{d\in\mathcal{D} : \models_{\omega[\overline{d}/z]} \operatorname {\gamma }(z,e)\}\). Therefore, by the definitions of \(\operatorname {\operatorname {\beta }^{+}}()\), \(\operatorname {\operatorname {\beta }^{--}}()\) and \(\operatorname {\gamma }()\), we have that

  $$\begin{aligned} &\models_{\omega} \operatorname {\operatorname {\beta }^+}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl(ne^+ \wedge\bigwedge B\Bigr)^*\quad \text{for some $(B,\mathit{ne})$,}\\ &\hphantom{\models_{\omega} \operatorname {\operatorname {\beta }^+}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl(\mathit{ne}^+ \wedge\bigwedge B\Bigr)^*\quad} \text{with $e{\rightarrow }(B,\mathit{ne}_{1})$}\\ &\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl(ne^- \wedge\bigwedge B\Bigr)^*\quad \text{for some $(B,\mathit{ne})$,}\\ &\hphantom{\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl(\mathit{ne}^- \wedge\bigwedge B\Bigr)^*\quad} \text{with $e{\rightarrow }(B,\mathit{ne})$} \end{aligned}$$

  and, if e is a linear expression,

  $$\models_{\omega[\overline{d}/z]} \exists U.\Bigl(z =ne \wedge\bigwedge B\Bigr)^* $$

  for some pair (B,ne), with e→(B,ne).

  Since e=e ₁  op  e ₂, both e ₁ and e ₂ are linear expressions and B=B ₁∪B ₂ and ne=ne ₁  op  ne ₂, where e ₁→(B ₁,ne ₁) and e ₂→(B ₂,ne ₂). Therefore, we have

  $$\begin{aligned} \models_{\omega} \exists U.\Bigl(ne^+ \wedge\bigwedge B\Bigr)^*\quad \text{iff}\ \models_{\omega} \exists U. \Bigl((\mathit{ne}_1 \,op\,\mathit{ne}_2)^+ \wedge\bigwedge B_1 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (4)
  $$\begin{aligned} \models_{\omega} \exists U.\Bigl(ne^- \wedge\bigwedge B\Bigr)^*\quad \text{iff}\ \models_{\omega} \exists U. \Bigl((\mathit{ne}_1 \,op\,\mathit{ne}_2)^- \wedge\bigwedge B_1 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (5)

  from the equivalences above, we then obtain that:

  $$\begin{aligned} \models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl((\mathit{ne}_1 \,op\,\mathit{ne}_2)^+ \wedge\bigwedge B_1 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (6)
  $$\begin{aligned} \models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\quad \text{implies}\ \models_{\omega} \exists U.\Bigl((\mathit{ne}_1 \,op\,\mathit{ne}_2)^- \wedge\bigwedge B_1 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (7)

  Moreover, if e is a linear expression,

  $$ \models_{\omega[\overline{d}/z]} \exists U.\Bigl(z = \mathit{ne}_1 \,op \,\mathit{ne}_2 \wedge\bigwedge B_1 \wedge\bigwedge B_2\Bigr)^* $$

  (8)

  From (8) we immediately obtain:

  $$ \models_{\omega[\overline{d}/z]}\exists U.\Bigl(z =\mathit{ne}_1\,op \,\mathit{ne}_2\wedge\bigwedge B_1\Bigr)^* \wedge\exists U.\Bigl(z =\mathit{ne}_1\,op\,\mathit{ne}_2\wedge\bigwedge B_2\Bigr)^* $$

  (9)

  Let now z ₁,z ₂ be two new variables. From (9), there must exists \(d_{1},d_{2}\in\mathcal{D}\) with \(\overline{d} = d_{1}\,op\,d_{2}\) and such that:

  $$\begin{aligned} \models_{\omega[\overline{d}/z,d_1/z_1,d_2/z_2]} z =&z_1\,op\,z_2\wedge \exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_1\Bigr)^* \\ &{}\wedge\exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (10)

  Similarly, if \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\), from (6) there must exist \(d_{1},d_{2}\in\mathcal{D}\) with \(d_{1}\,op\,d_{2}\not=0\) and:

  $$\begin{aligned} &\models_{\omega[d_1/z_1,d_2/z_2]} (z_1\,op\,z_2)^+\wedge \exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_1\Bigr)^* \\ &\quad {}\wedge\exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

  (11)

and, if \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\), from (7) there must exist \(d_{1},d_{2}\in\mathcal{D}\) with d ₁  op  d ₂=0, and

$$\begin{aligned} &\models_{\omega[d_1/z_1,d_2/z_2]} (z_1\,op\,z_2)^-\wedge \exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_1\Bigr)^* \\ &\quad {}\wedge\exists U.\Bigl(z_1 = \mathit{ne}_1 \wedge z_2 = \mathit{ne}_2 \wedge\bigwedge B_2\Bigr)^* \end{aligned}$$

(12)

Each of Eqs. (10), (11), (12) implies that:

$$\models_{\omega[d_1/z_1]}\operatorname {\gamma }(z_1,e_1) \quad \text{and} \quad \models_{\omega[d_2/z_2]} \operatorname {\gamma }(z_2,e_2) $$

By induction hypothesis, \(d_{i}\in {\overline {\omega}}(e_{i})\) (for i=1,2). Hence, by the definition of \({\overline {\omega}}(e)\), \(\overline{d} = d_{1}\,op\,d_{2}\in {\overline {\omega}}(e)\). Moreover, from (11) we can conclude that \(\overline{d}\not= 0\), and from (12) we can conclude that \(\overline{d}= 0\), as required.

• \(e=(b \operatorname {\mathtt {?}}e_{1} \operatorname {\mathtt {:}}e_{2})\), where, for i=1,2, e _i is a linear expression. Let ω be a arbitrary valuation, and \(\overline{d}\in {\overline {\omega}}(e)\). By induction hypothesis we know that \({\overline {\omega}}(e_{i})=\{d\in\mathcal{D} : \, \models_{\omega[d/z_{i}]}\operatorname {\gamma }(e_{i},z_{i})\}\) for i=1,2 and \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(b)\) iff \(d'\in {\overline {\omega}}(b)\) for some \(d'\not=0\), and \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(b)\) iff \(0\in {\overline {\omega}}(b)\).

  By the definition of \({\overline {\omega}}\) for conditional expressions, either \(\overline{d} \in {\overline {\omega}}(e_{1})\) and \(0\not=d'\in {\overline {\omega}}(b)\), or \(\overline{d} \in {\overline {\omega}}(e_{2})\) and \(0\in {\overline {\omega}}(b)\). Let us consider the first case (the second case is similar).

  Thus, by the definition of \(\operatorname {\gamma }(e_{i},z_{i})\) and \(\operatorname {\operatorname {\beta }^{+}}(b)\), we have that:

  $$\models_{\omega[\overline{d}/z_1]}\exists U_1.\Bigl(z_1=\mathit{ne}_1\wedge\bigwedge B_1\Bigr)^* $$

  for some pair (B ₁,ne ₁) with e ₁→(B ₁,ne ₁) and

  $$\models_{\omega}\exists U'.\Bigl(nb'^+\wedge\bigwedge B'\Bigr)^* $$

  for some pair (B′,nb′) with \(b{\rightarrow }(B_{1}',nb')\).

  Again, without loss of generality, we may assume U ₁∩U′=∅. Since no variable in U ₁ occurs free in (nb′⁺∧⋀B′)^∗ and no variable in U′ occurs free in (z ₁=ne ₁∧⋀B ₁)^∗, it follows that:

  $$ \models_{\omega[\overline{d}/z_1]}\exists U_1\exists U'.\Bigl(z_1=\mathit{ne}_1\wedge\bigwedge B_1\ \wedge\ nb'^{+}\wedge\bigwedge B'\Bigr)^* $$

  (13)

  Now, under the assumptions we have made, e→(B ₁∪B′∪{nb′⁺},ne ₁) (by one application of the inference rule for the positive case of conditional expression). Therefore, from the condition above and the definition of \(\operatorname {\gamma }(e,z_{1})\), it follows that \(\models_{\omega[\overline{d}/z_{1}]}\operatorname {\gamma }(e,z_{1})\), and, therefore, \(\overline{d}\in\{d\in\mathcal{D} : \models_{\omega[d/z_{1}]} \operatorname {\gamma }(e,z_{1})\}\).

  Moreover, if \(\overline{d}\not=0\), then from Eq. (13) and the definition of e ⁺ follows that:

  $$\models_{\omega}\exists U_1\exists U'.\Bigl(\mathit{ne}_1^+\wedge\bigwedge B_1\ \wedge\ nb'^{+}\wedge\bigwedge B'\Bigr)^* $$

  Hence, from the definition of \(\operatorname {\operatorname {\beta }^{+}}()\) and the reduction rules for conditional expressions, we can conclude that if \(\overline{d}\in {\overline {\omega}}(e)\) for some \(\overline{d}\not=0\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\). In a very similar way we can conclude also that if \(0\in {\overline {\omega}}(e)\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\).

  For the other direction consider any \(\overline{d}\in\{d\in\mathcal{D} : \models_{\omega[d/z]} \operatorname {\gamma }(e,z)\}\). Then,

  $$\models_{\omega[\overline{d}/z]}\exists U. \Bigl(z=\overline{ne}\wedge \bigwedge\overline{B}\Bigr)^* $$

  for some \(e {\rightarrow }(\overline{B},\overline{ne})\). There are two cases:

  • \(\overline{ne} = \mathit{ne}_{1}\) for some e ₁→(B ₁,ne ₁), and \(\overline{B} = B_{1}\cup B'\cup nb'^{+}\), for some b→(B′,nb′).

  • \(\overline{ne} = \mathit{ne}_{2}\) for some e ₂→(B ₂,ne ₂), and \(\overline{B} = B_{1}\cup B'\cup nb'^{-}\), for some b→(B′,nb′).

  Let us consider the first case (the proof in the second case is similar). Then,

  $$ \models_{\omega[\overline{d}/z]}\exists U. \Bigl (z=\mathit{ne}_1 \wedge\bigwedge B_1\wedge \bigwedge B'\wedge nb'^+\Bigr)^* $$

  (14)

  and therefore

  $$\models_{\omega[\overline{d}/z]}\exists U. \Bigl(z=\mathit{ne}_1\wedge \bigwedge B_1\Bigr)^*\wedge \exists U.\Bigl(nb'^+\wedge \bigwedge B'\Bigr)^* $$

  From the first conjunct we obtain \(\models_{\omega[\overline{d}/z]}\operatorname {\gamma }(z,e_{1})\), and from the second one we obtain \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(b)\). Moreover, by the inductive hypothesis, \(\overline{d}\in {\overline {\omega}}(e_{1})\) and \(d'\in {\overline {\omega}}(b)\) with \(d'\not=0\). As a consequence, by the definition of \({\overline {\omega}}(e)\), \(\overline{d}\in {\overline {\omega}}(e_{1})\subseteq {\overline {\omega}}(e)\).

  If now \(\overline{d}\not=0\), from Eq. (14) and the definition of e ⁺ follows that

  $$\models_{\omega}\exists U. \Bigl(\mathit{ne}_1^+\wedge \bigwedge B_1\wedge \bigwedge B'\wedge nb'^+\Bigr)^* $$

  while if \(\overline{d}=0\), from Eq. (14) and the definition of e ⁻ follows that

  $$\models_{\omega}\exists U. \Bigl(\mathit{ne}_1^-\wedge \bigwedge B_1\wedge \bigwedge B'\wedge nb'^+\Bigr)^* $$

  Hence, we can conclude that if \(\overline{d}\in {\overline {\omega}}(e)\) for some \(\overline{d}\not=0\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{+}}(e)\), and if \(0\in {\overline {\omega}}(e)\), then \(\models_{\omega} \operatorname {\operatorname {\beta }^{--}}(e)\).

Theorem 5

(Soundness and Completeness of the Symbolic Data-flow Analysis)

Let P be a linear program and \(\varDelta ,\varDelta ^{1}\in\mathcal{A}(P)\). The following fact holds: if and only if .

Proof

It suffices to observe that by replacing each ADLC δ with [[δ]] throughout the definition of we obtain the definition of . Let i∈N _P . If \(j\notin \operatorname {Succ}_{P}(i)\), then \(\varDelta ^{1}_{j}=\varDelta _{j}\) becomes \({[\![\varDelta ^{1}_{j}]\!]}={[\![\varDelta _{j}]\!]}\) and therefore [[Δ ¹]] _j =[[Δ]] _j .¹⁹

• If s _i is a \(\mathtt {;}\) statement (or a \(\operatorname {\mathtt {return}}\mathtt {;}\)), then \(\varDelta ^{1}_{\operatorname {sSucc}_{P}(i)}=\varDelta _{\operatorname {sSucc}_{P}(i)}\sqcup \varDelta _{i}\) becomes \({[\![\varDelta ^{1}]\!]}_{\operatorname {sSucc}_{P}(i)}={[\![\varDelta ]\!]}_{\operatorname {sSucc}_{P}(i)}\cup {[\![\varDelta ]\!]}_{i}\);

• if s _i an assignment y = e then \(\varDelta ^{1}_{\operatorname {sSucc}_{P}(i)}=\varDelta _{\operatorname {sSucc}_{P}(i)}\sqcup \varDelta ^{*}\) and we must show that

  $${[\![\varDelta ^*]\!]}=\bigl\{\big\langle\omega_e,\omega_i[\mathbf{d}/\mathbf{y}]\big\rangle : \langle\omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, \mathbf{d}\in {\overline {\omega}}_i(\mathbf{e})\bigr\} $$

  where \(\varDelta ^{*}=\lambda\mathbf{x}\mathbf{x'}. \exists\mathbf{x}''. (\varDelta _{i}(\mathbf{x},\mathbf{x}'')\sqcap \operatorname {\gamma }(\mathbf{y}',\mathbf{e}'')\sqcap\mathbf{z}'=\mathbf{z}'')\), where \(\mathbf{x}=\operatorname {InScope}_{P}(i)\), and \(\mathbf{z}=\operatorname {InScope}_{P}(i)\setminus\mathbf{y}\). By definition [[Δ ^∗]] is equal to

  $$ \bigl\{\langle\omega_e,\omega_j\rangle:\, \models_{\omega_e\cup\omega_j'}\exists\mathbf{x}''. \bigl( \varDelta _i\bigl(\mathbf{x},\mathbf{x}'' \bigr)\sqcap \operatorname {\gamma }\bigl(\mathbf{y}',\mathbf{e}'' \bigr)\sqcap\mathbf{z}'=\mathbf{z}'' \bigr)\bigr\} $$

  (15)

  By Lemma 2 and the semantics of ADLCs, (15) is equivalent to:

  $$ \bigl\{\langle\omega_e,\omega_j\rangle: \langle \omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, \omega_j(\mathbf{y})\in {\overline {\omega}}_i(\mathbf{e}), \omega_j(\mathbf{z})=\omega_i(\mathbf{z})\bigr\} $$

  (16)

  and (16) can be finally simplified to:

  $$ \bigl\{\bigl\langle\omega_e,\omega_i[\mathbf{d}/ \mathbf{y}]\bigr\rangle: \langle\omega_e,\omega_i\rangle \in {[\![\varDelta ]\!]}_i, \mathbf{d}\in {\overline {\omega}}_i(\mathbf{e}) \bigr\} $$

• if i corresponds to an \(\operatorname {\mathtt {assume}}(b)\) statement, then \(\varDelta ^{1}_{\operatorname {sSucc}_{P}(i)}=\varDelta _{\operatorname {sSucc}_{P}(i)}\sqcup \varDelta ^{*}\) and we must show that \({[\![\varDelta ^{*}]\!]}=\{\langle\omega_{e},\omega_{i}\rangle: \langle\omega_{e},\omega_{i}\rangle\in {[\![\varDelta ]\!]}_{i}, d\in {\overline {\omega}}_{i}(b) \text{ and } d\not=0\}\), where \(\varDelta ^{*}=\lambda\mathbf{x}\mathbf{x'}. (\varDelta _{i}(\mathbf{x},\mathbf{x'})\sqcap \operatorname {\operatorname {\beta }^{+}}(b))\), and \(\mathbf{x}=\operatorname {InScope}_{P}(i)\). By definition [[Δ ^∗]] is equal to

  $$ \bigl\{\langle\omega_e,\omega_j\rangle:\, \models_{\omega_e\cup\omega'_j} \varDelta _i\bigl(\mathbf{x},\mathbf{x}' \bigr)\sqcap \operatorname {\operatorname {\beta }^+}(b)\bigr\} $$

  (17)

  where \(j = \operatorname {sSucc}_{P}(i)\). By definition, \(\models_{\omega_{e}\cup\omega'_{j}} \varDelta _{i}(\mathbf{x},\mathbf{x}')\) if and only if 〈ω _e   ω _j 〉∈[[Δ _i ]]. Therefore, (17) is equivalent to

  $$ \bigl\{\langle\omega_e,\omega_i\rangle:\,\langle \omega_e\,\omega_i\rangle \in {[\![\varDelta _i]\!]} \text{ and} \models_{\omega_e\cup\omega'_i} \operatorname {\operatorname {\beta }^+}(b)\bigr\} $$

  (18)

  Finally, by Lemma 2 and the semantics of ADLCs, (18) is equivalent to:

  $$ \bigl\{\langle\omega_e,\omega_i\rangle: \langle \omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, d \in {\overline {\omega}}_i(b)\text{ and }d\not=0\bigr\} $$

  (19)

• if i corresponds to an \(\operatorname {\mathtt {if}}(b)\), \(\operatorname {\mathtt {while}}(b)\), or \(\operatorname {\mathtt {assert}}(b)\) statement, then \(\varDelta ^{1}_{\operatorname {Tsucc}_{P}(i)}=\varDelta _{\operatorname {Tsucc}_{P}(i)}\sqcup \varDelta ^{*}\) (the case of \(\varDelta ^{1}_{\operatorname {Fsucc}_{P}(i)}\) is symmetric) and we must show that

  $${\big [\!\big [\varDelta ^*\big ]\!\big ]}=\bigl\{\langle\omega_e,\omega_i\rangle: \langle\omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, d\in {\overline {\omega}}_i(b) \text{ and } d\not=0\bigr\}, $$

  where \(\varDelta ^{*}=\lambda\mathbf{x}\mathbf{x'}. (\varDelta _{i}(\mathbf{x},\mathbf {x'})\sqcap \operatorname {\operatorname {\beta }^{+}}(b))\), and \(\mathbf{x}=\operatorname {InScope}_{P}(i)\). By definition [[Δ ^∗]] is equal to

  $$ \bigl\{\langle\omega_e,\omega_j \rangle:\,\models_{\omega_e\cup\omega'_j} \varDelta _i\bigl(\mathbf{x}, \mathbf{x}'\bigr)\sqcap \operatorname {\operatorname {\beta }^+}(b)\bigr\} $$

  (20)

  where \(j = \operatorname {Tsucc}_{P}(i)\). By definition, \(\models_{\omega_{e}\cup\omega'_{j}} \varDelta _{i}(\mathbf{x},\mathbf{x}')\) if and only if 〈ω _e   ω _j 〉∈[[Δ _i ]]. Therefore, (20) is equivalent to

  $$ \bigl\{\langle\omega_e,\omega_i\rangle:\,\langle \omega_e\,\omega_i\rangle \in {[\![\varDelta _i]\!]} \text{ and} \models_{\omega_e\cup\omega'_i} \operatorname {\operatorname {\beta }^+}(b)\bigr\} $$

  (21)

  Finally, by Lemma 2 and the semantics of ADLCs, (21) is equivalent to:

  $$ \bigl\{\langle\omega_e,\omega_i\rangle: \langle \omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, d \in {\overline {\omega}}_i(b)\text{ and }d\not=0\bigr\} $$

  (22)

• if i corresponds to a procedure call pr(a), then \(\varDelta ^{1}_{\operatorname {sSucc}_{P}(i)}=\varDelta _{\operatorname {sSucc}_{P}(i)}\sqcup \varDelta ^{*}\), and we must show that \({[\![\varDelta ^{*}]\!]}=\{\langle\omega_{j},\omega_{j}\rangle: \langle\omega_{e},\omega_{i}\rangle\in {[\![\varDelta ]\!]}_{i}, \omega_{j}(\mathbf{g}) = \omega_{i}(\mathbf{g}), \omega_{j}(\mathbf{f}) \in {\overline {\omega}}_{i}(\mathbf{a})\}\), where \(j = \operatorname {sSucc}_{P}(i)\), \(\varDelta ^{*}=\lambda\mathbf{w}\mathbf{w}'. (\exists\mathbf{x}\mathbf{x}''. (\varDelta _{i}(\mathbf{x},\mathbf{x}'')\sqcap \operatorname {\gamma }(\mathbf{f}',\mathbf{a}'')\sqcap\mathbf{g}'=\mathbf{g}'')\sqcap \mathbf{w}'=\mathbf{w})\), and \(\mathbf{x}=\operatorname {InScope}_{P}(i)\), \(\mathbf{f}=\operatorname {Formals}_{P}(pr)\), \(\mathbf{w}=\operatorname {InScope}_{P}(j)\) and \(\mathbf{g}=\operatorname {Globals}_{P}\). By definition [[Δ ^∗]] is equal to

  $$ \bigl\{\langle\omega_h,\omega_j\rangle:\, \models_{\omega_h\cup\omega'_j} \exists\mathbf{x}\mathbf{x}''. \bigl(\varDelta _i\bigl(\mathbf{x},\mathbf{x}'' \bigr)\sqcap \operatorname {\gamma }\bigl(\mathbf{f}',\mathbf{a}'' \bigr)\sqcap\mathbf{g}'=\mathbf{g}'' \bigr)\sqcap\mathbf{w}'=\mathbf{w}\bigr\} $$

  (23)

  By the last conjunct (w′=w′) in the DLC above, we have that ω _h =ω _j and, therefore, (23) is equivalent to

  $$ \bigl\{\langle\omega_j,\omega_j\rangle:\, \models_{\omega_j\cup\omega'_j} \exists\mathbf{x}\mathbf{x}''. \bigl(\varDelta _i\bigl(\mathbf{x},\mathbf{x}'' \bigr)\sqcap \operatorname {\gamma }\bigl(\mathbf{f}',\mathbf{a}'' \bigr)\sqcap\mathbf{g}'=\mathbf{g}'' \bigr)\bigr\} $$

  (24)

  By Lemma 2 and the semantics of ADLCs, (24) is equivalent to:

  $$ \bigl\{\langle\omega_j,\omega_j\rangle: \langle \omega_e,\omega_i\rangle\in {[\![\varDelta ]\!]}_i, \omega(\mathbf{f})\in {\overline {\omega}}_i(\mathbf{a}) \text{ and } \omega_j(\mathbf{g})=\omega_i(\mathbf{g}) \bigr\} $$

  (25)

• if \(i=\operatorname {Exit}_{P}(pr)\) then \(\varDelta ^{1}_{j}=\varDelta _{j}\sqcup \varDelta ^{*}\), where \(j\in \operatorname {Succ}_{P}(i)\), and we must show that

  $$ \begin{aligned} {\big [\!\big [\varDelta ^*\big ]\!\big ]}= \bigl\{\langle\omega_e, \omega_j\rangle: & \langle\omega_e, \omega_k\rangle\in {[\![\varDelta ]\!]}_k,\ \langle \omega_h,\omega_i\rangle\in {[\![\varDelta ]\!]}_i,\ \omega_k(\mathbf{g}) = \omega_h(\mathbf{g}), \\ & \omega_j(\mathbf{z}) = \omega_k(\mathbf{z}),\ \omega_h(\mathbf{f})\in {\overline {\omega}}_k(\mathbf{a}), \text{ and } \omega_j(\mathbf{g}) = \omega_i(\mathbf{g}) \bigr\} \end{aligned} $$

  with k such that s _k =pr(a) and \(\operatorname {RetPt}(k)=j\), \(\mathbf{w}=\operatorname {InScope}_{P}(k)\), \(\mathbf{l}=\operatorname {Locals}_{P}(k)\), \(\mathbf{f}=\operatorname {Formals}(pr)\), \(\mathbf{x}=\operatorname {InScope}_{P}(i)\), \(\mathbf{z}=\operatorname {Locals}_{P}(i)\), and

  $$ \varDelta ^*= \lambda\mathbf{w}\mathbf{w}'. \exists \mathbf{w}'''. \bigl(\exists \mathbf{x}''\mathbf{z}'.\bigl( \varDelta _k\bigl(\mathbf{w},\mathbf{w}''' \bigr) \sqcap \varDelta _i\bigl(\mathbf{x}'', \mathbf{x}'\bigr) \sqcap \operatorname {\gamma }\bigl(\mathbf{f}'', \mathbf{a}'''\bigr) \sqcap \mathbf{g}''=\mathbf{g}''' \bigr) \sqcap\mathbf{l}'=\mathbf{l}''' \bigr) $$

  By definition we have that:

  $$\begin{aligned} {\big [\!\big [\varDelta ^*\big ]\!\big ]} =&\bigl\{\langle \omega_e,\omega_j\rangle \,:\, \models_{\omega_e\cup\omega'_j} \exists\mathbf{w}'''. \bigl(\exists\mathbf{x}''\mathbf{z}'.\bigl(\varDelta _k\bigl(\mathbf{w},\mathbf{w}'''\bigr) \sqcap \varDelta _i\bigl(\mathbf{x}'',\mathbf{x}'\bigr) \sqcap \operatorname {\gamma }\bigl(\mathbf{f}'',\mathbf{a}'''\bigr) \\ & {}\sqcap\mathbf{g}''=\mathbf{g}'''\bigr) \sqcap\mathbf{l}'=\mathbf{l}'''\bigr)\bigr\} \end{aligned}$$

  which is equivalent to:

  $$\begin{aligned} {\big [\!\big [\varDelta ^*\big ]\!\big ]} =&\bigl\{\langle \omega_e,\omega_j\rangle \,:\, \models_{\omega_e\cup\omega'_j} \exists\mathbf{w}'''. \bigl(\varDelta _k\bigl(\mathbf{w},\mathbf{w}'''\bigr)\sqcap \mathbf{l}'=\mathbf{l}''' \\ & {} \sqcap\bigl(\exists\mathbf{x}''\mathbf{z}'.\bigl(\varDelta _i\bigl(\mathbf{x}'',\mathbf {x}'\bigr) \sqcap \operatorname {\gamma }\bigl(\mathbf{f}'',\mathbf{a}'''\bigr)\bigr) \sqcap\mathbf{g}''=\mathbf{g}'''\bigr)\bigr)\bigr\} \end{aligned}$$

  Therefore, a pair 〈ω _e ,ω _j 〉∈[[Δ ^∗]] if and only if there exists some valuation ω _k such that 〈ω _e ,ω _k 〉∈[[Δ _k ]] with ω _j (y)=ω _k (y) (since \(\models_{\omega_{j}'\cup\omega_{k}'''}\mathbf{l}'=\mathbf{l}'''\) must hold), and such that

  $$ \models_{\omega_k'''\cup\omega'_j} \exists\mathbf{x}'' \mathbf{z}'.\bigl(\varDelta _i\bigl(\mathbf{x}'', \mathbf{x}'\bigr) \sqcap \operatorname {\gamma }\bigl(\mathbf{f}'', \mathbf{a}'''\bigr)\bigr) \sqcap \mathbf{g}''=\mathbf{g}''' $$

  (26)

  On the other hand, by definition of [[Δ _i ]] and Lemma 2, Eq. (26) holds if and only if there exist two valuations ω _h and ω _i such that 〈ω _h ,ω _i 〉∈[[Δ _i ]], \(\omega_{h}(f)\in {\overline {\omega}}_{k}(\mathbf{a})\), ω _h (g)=ω _k (g) (since it must hold \(\models_{\omega''_{h}\cup\omega_{k}'''}\mathbf{g}''=\mathbf{g}'''\)), and ω _j (g)=ω _i (g) (since the tuple x contains all the local variables in z and the global variables in g, and in Eq. (26) none of the variables g′ are quantified away). Summarizing, from the above reasoning, we obtain the required path edges:

  $$ \begin{aligned} {\big [\!\big [\varDelta ^*\big ]\!\big ]}= \bigl\{\langle\omega_e, \omega_j\rangle:& \langle\omega_e, \omega_k\rangle\in {[\![\varDelta ]\!]}_k,\ \langle \omega_h,\omega_i\rangle\in {[\![\varDelta ]\!]}_i,\ \omega_k(\mathbf{g}) = \omega_h(\mathbf{g}), \\ & \omega_j(\mathbf{y}) = \omega_k(\mathbf{y}),\ \omega_h(\mathbf{f})\in {\overline {\omega}}_k(\mathbf{a}), \text{ and } \omega_j(\mathbf{g}) = \omega_i(\mathbf{g}) \bigr \} \end{aligned} $$

 □

1.4 Refinement

Lemma 3

The sequent tree Π′ computed at step 2 of the \({\rm refine}(\tau,\varPi,V,R)\) procedure of Fig. 3 can be transformed into a proof of the unsatisfiability of \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\) for all \(\widehat {P}'\in\mathrm{abstract}(P,V',R')\). Hence \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\) is unsatisfiable for all \(\widehat {P}'\in\mathrm{abstract}(P,V',R')\).

Proof

We transform Π′ into a new sequent tree Π″ and then show that Π″ is a proof of the unsatisfiability of \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\). We build Π″ by applying the following transformations to Π′ :

1. 1.

   replace \(\varPhi_{\mathfrak {T}_{1}}(\tau,P)\) in the premises of each sequent with \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\);

2. 2.

   replace every occurrence of Q(e,a) with ⋁ _k∈R′(a) e=k;

3. 3.

   replace every leaf of the form \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}'),\bigvee_{k\in R'(a)} e=k\vdash\psi[\operatorname {select}(a,e)]\) with the following sequent tree:

   
4. 4.

   replace every subtree of the form

   

   with

   

   where Π ₀ is

   

   where \(a_{j+1}=_{x}\operatorname {store}(a_{j},e_{1},e_{2})\) abbreviates the formula \(\operatorname {select}(a_{j+1},x)=(e_{1}=x)~?~e_{2}:\operatorname {select}(a_{j},x)\).

5. 5.

   apply the cut rule q times to the root sequent using (2) in order to eliminate the premises of the form \(\bigvee_{k\in R'(a)}e_{j}'=k\) for j=1,…,q from it. This leaves us with the sequent tree Π″ whose root sequent is \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\vdash\bot\).

It is easy to verify that Π″ is a proof by checking that all the leaves are sequents of the form \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\vdash\varphi\) with \(\varphi\in\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\). □

Theorem 7

Let \(\widehat {P}\in\mathrm{abstract}(P,V,R)\), \(\tau\in \operatorname {traces}(\widehat {P})\) such that \(\varPhi_{\mathfrak {T}_{1}}(\tau,P)\) is unsatisfiable, Π be a proof of \(\varPhi_{\mathfrak {T}_{1}}(\tau,P)\vdash\bot\) and \(\widehat {P}'\in{\rm abstract}(P,V',R')\), where V′ and R′ are the sets of variables returned by the procedure \({\rm refine}(\tau,\varPi,V,R)\). Then \(\widehat {P}'\sqsubset \widehat {P}\) and 〈V,R〉≺〈V′,R′〉⪯〈V _P ,R _P 〉.

Proof

Since V⊆V′ and R⊆R′, then 〈V,R〉⪯〈V′,R′〉. By Theorem 2 it thus follows that \(\widehat {P}'\sqsubseteq \widehat {P}\). From Lemma 3 we know that \(\varPhi_{\mathfrak {T}_{0}}(\tau,\widehat {P}')\) is unsatisfiable. From this fact and Theorem 6 it follows that \(\tau\notin \operatorname {traces}(\widehat {P}')\). Since \(\tau\in \operatorname {traces}(\widehat {P})\) by hypothesis, then \(\widehat {P}'\sqsubset \widehat {P}\). Moreover, since 〈V,R〉=〈V′,R′〉 clearly implies \(\widehat {P}',\widehat {P} \in\mathrm{abstract}(P,V,R)\) which, in turn, ensures \(\widehat {P}'\equiv \widehat {P}\), it readily follows that 〈V,R〉≺〈V′,R′〉. □

1.5 The CEGAR procedure

Corollary 3

(Soundness of the AR Procedure)

Let V⊆V _P and R⊆R _P . If AR(P,V,R) returns \({\rm SAFE}\), then P has no error trace.

Proof

This readily follows from the soundness of the model checking procedure and the soundness of the abstraction (Theorem 1). □

Corollary 4

(Relative Completeness of the AR Procedure)

Let V⊆V _P and R⊆R _P . If P has no error trace and all the calls to the model-check procedure terminate, then AR(P,V,R) terminates and returns SAFE.

Proof

If all the calls to the model-check procedure terminate, then the procedure AR does not terminate only if there exists an infinite sequence of recursive calls AR(P,V ₀,R ₀),AR(P,V ₁,R ₁),AR(P,V ₂,R ₂),…. From Theorem 7 it follows that 〈V ₀,R ₀〉≺〈V ₁,R ₁〉≺〈V ₂,R ₂〉⋯ with 〈V _i ,R _i 〉⪯〈V _P ,R _P 〉 for i≥0. This leads to a contradiction since both V _P and R _P have finite cardinality. In order to prove that the AR procedure returns \({\rm SAFE}\), we show that the only possible exit point of the procedure is that at line 3.

• Let us assume that the procedure exits at line 4. Then \(\widehat {P}\in\textrm{abstract}(P,V,R)\), V=V _P , R=R _P and \(\textrm{model-check}(\widehat {P})\) returns an error trace, i.e. there exists an execution trace of \(\widehat {P}\) ending with vertex 0. Under the same hypotheses it follows by Theorem 1 that \(\widehat {P}\equiv P\), i.e. \(\operatorname {traces}(P)=\operatorname {traces}(\widehat {P})\). Thus there exists an execution trace of \(\widehat {P}\) ending with vertex 0. But this contradicts the hypothesis that vertex 0 is not reachable in P.

• Let us assume that the procedure exits at line 7. Then \(\varPhi_{\mathfrak {T}_{1}}(\tau,P)\) is satisfiable, where τ is an error trace of \(\widehat {P}\) and hence it ends with vertex 0. By Theorem 6 it then follows that \(\tau\in \operatorname {traces}{P}\), but this contradicts the hypothesis that vertex 0 is not reachable in P.

 □