







# Reachability Analysis for Annotated Code

Mikoláš Janota<sup>1</sup> Radu Grigore<sup>1</sup> Michał Moskal<sup>2</sup>

<sup>1</sup>Systems Research Group, University College Dublin, Ireland

<sup>2</sup>Institute of Computer Science University of Wrocław, Poland

SAVCBS '07





IST-15905



# Why Annotated Code?

## Static Checking Example

```
//@ ensures \result >= a;
//@ ensures \result >= b;
int max(int a, int b) {
  if (b > a)
    return b;
  else
    return b;
}
```

# Why Annotated Code?

## Static Checking Example

```
//@ ensures \result >= a;
//@ ensures \result >= b;
int max(int a, int b) {
   if (b > a)
      return b;
   else
Bug \rightarrow return b;
}
```

# Is It Possible that Some Things Are not Checked?

### Code-Spec Inconsistency

```
/*@ requires x > 10;
  @ ensures \result == 1;*/
int withPre(int x) {
  if (x < 10) {
    // not checked
    return 2;
  }
  return 1;
}</pre>
```

## Is It Possible that Some Things Are not Checked?

#### Code-Spec Inconsistency

```
/*@ requires x > 10;
  @ ensures \result == 1;*/
int withPre(int x) {
  if (x < 10) {
    // not checked
    return 2;
  }
  return 1;
}</pre>
```

### Inconsistent Spec

```
/*@ requires i >= 10;
  @ ensures \result == i;
  @ ensures \result < 10;*/
int libraryFunc(int i);

int useLibraryFunc() {
  int r = libraryFunc(11);
  return 1/0; //not checked
}</pre>
```

# ESC/Java2 Architecture



# Input Language

## Dynamic Single Assignment (DSA)

```
cmd := assume f \mid assert f \mid cmd \parallel cmd \mid cmd ; cmd
```

where f is a first-order logic predicate on the program variables

### Inconsistent Spec

```
/*@ requires i >= 10;
  @ ensures \result == i;
  @ ensures \result < 10;*/
int libraryFunc(int i);

int useLibraryFunc() {
  int r = libraryFunc(11);
  return 1/0; // not checked
}</pre>
```

## useLibraryFunc as DSA

```
C_1: assert 11 \ge 10; C_2: assume r_1 = 11 \land r_1 < 10;
```

 $C_3$ : assert  $0 \neq 0$ ;

 $C_4$ : assume RES = 1/0

# Reachability Propagation in Control Flow Graph



## Computing Unreachable Code

### Construct a control flow graph from DSA

- directed acyclic (DAG)
- nodes are labeled with commands:

```
\mathcal{L}: \operatorname{Nodes} \to \{ \operatorname{assume} f, \operatorname{assert} f \}
```

## Computing Unreachable Code

### Construct a control flow graph from DSA

- directed acyclic (DAG)
- nodes are labeled with commands:

$$\mathcal{L}: \operatorname{Nodes} \to \{\operatorname{assume} f, \operatorname{assert} f\}$$

## Compute preconditions and postconditions for nodes

$$post(n) \equiv SP(pre(n), \mathcal{L}(n)) = pre(n) \land f$$

$$pre(n) \equiv \begin{cases} true & \text{if } n \text{ is an entry node} \\ \bigvee_{p \in parents(p)} post(p) & \text{otherwise} \end{cases}$$

## Computing Unreachable Code

### Construct a control flow graph from DSA

- directed acyclic (DAG)
- nodes are labeled with commands:

$$\mathcal{L}: \operatorname{Nodes} \to \{ \operatorname{assume} f, \operatorname{assert} f \}$$

## Compute preconditions and postconditions for nodes

$$post(n) \equiv SP(pre(n), \mathcal{L}(n)) = pre(n) \land f$$

$$pre(n) \equiv \begin{cases} true & \text{if } n \text{ is an entry node} \\ \bigvee_{p \in parents(n)} post(p) & \text{otherwise} \end{cases}$$

#### Call the Theorem Prover

for each node n, ask the theorem prover if pre(n) is unsatisfiable



- reachability information can be propagated
- 2 most nodes are reachable
- most nodes dominate some other node

- reachability information can be propagated
- 2 most nodes are reachable
- most nodes dominate some other node





- reachability information can be propagated
- most nodes are reachable
- most nodes dominate some other node





- reachability information can be propagated
- 2 most nodes are reachable
- most nodes dominate some other node





- reachability information can be propagated
- most nodes are reachable
- most nodes dominate some other node





# Algorithm — Greedy Heuristic

- Compute:
  - T the immediate dominator tree of the nodes not known to be unreachable.
  - ii. r the root of T.
- Choose an unlabeled node x in T with a maximal number of unlabeled dominators (greedy choice).
  - i. Query the prover on x.
  - ii. Label x reachable/unreachable accordingly and propagate.
  - iii. If x is reachable then go to step 1.
- By using binary search find the unreachable node on the path from r to x that is closest to r (the 'broken link' in chains). Label and propagate accordingly.
- Repeat from step 1 while there are unlabeled nodes.



# Case Study

#### Where

- ESC/Java2's front-end (javafe)
- 1890 methods
- running time 9 hours where reachability analysis took 34.8%

### The Most Interesting Problems

- uncovered 5 inconsistencies in the JDK specifications
  - including a problem in treating of the informal comment ensures \result <=> (\* is upper-case \*)
- deficiencies of the checker (e.g., in loop unrolling)
- catching an undeclared exception
- most common: an error hiding subsequent code
- in some cases we don't know why the code is unreachable



## Conclusions and Future Work

- unreachable code is a problem in practice, nevertheless,
- finding the exact source of unreachability is difficult, thus,
- in our future work we want to explore how we can provide more helpful feedback to the user

The implementation is in the ESC/Java2's cvs head and can be enabled by the switch -era.

## Example with a Loop

### Infinite Loop

```
int j = 0;
int sum = 0;
//@ loop_invariant i == 0;
for (int i = 0; i < 10; j++)
    sum += i;
//@ assert false;</pre>
```



# Loop Unrolling

## Loop Unrolled Twice

```
if C then B;
```

if C then B;

if C then assume false;