Chair of Software Engineering at ETH Zurich , Switzerland Software verification course –

environment assigning intervals to program variables. Writing X = {x1 ← �1� � � � � x� ← ��} for the function X mapping x� to �� such that X (x�) = ��, � = 1� � � � � �, the interval invariance equations would be 4 One of the 64 bits is used for garbage collection. 12 P. C�����   X1 = {x ← [min_int� max_int]} X2 = {x ← [1� 1] � L X3(x) = ∅ ? ∅ : let [�� �] = X3(x) in [min(� + 1� max_int)�min(� + 1� max_int)] M} X3 = X2 �̇ {x ← [min_int� max_int]} X4 = X2 �̇ {x ← ∅} where the abstract operations are extended pointwise such as {x1 ← �1, . . . , x� ← ��} �̇ {x1 ← � � 1, . . . , x� ← � � �} � {x1 ← �1 � � � 1, . . . , x� ← �� � � � �}. Since our example has only one variable, this boils down to using the interval abstract domain (and leaving implicit the variable name x). Then we have to encode an abstract domain for representing abstract invariants�X1� X2� X3� X4� which attach to each program point � an abstract local invariant X � which holds whenever controls reaches program point �. Each abstract local invariant X � is represented by an abstract environment (abstract intervals in our simplified case). The encoding is very simple as a 4-tuple specifying the value of program variable x at each program point (1, 2, 3, 4). We essentially have to represent the logical structure, which boils down to • the partial order �̇ (pless), encoding logical implication ⇒ in the abstract; • �̇ (pgreater), the inverse implication (⇐); • the pointwise infimum (∅)4 (pbot), encoding false, • the pointwise meet (for later use in section 3.9), and • the printing of local abstract invariants attached to program points (pprint). (* invariant .ml , interval invariant abstract domain *) open Interval type invariant = interval * interval * interval * interval ;; let cless (x1 ,x2 ,x3 ,x4) (x ’1 ,x ’2,x ’3 ,x ’4) = ( less x1 x ’1 , less x2 x ’2 , less x3 x ’3 , less x4 x ’4);; let pless x x’ = let (b1 , b2 , b3 , b4) = cless x x’ in b1 && b2 && b3 && b4 ;; let pgreater x x’ = pless x’ x;; let pbot = ( EMPTY , EMPTY , EMPTY , EMPTY );; let pmeet (x1 ,x2 ,x3 ,x4) (x ’1 ,x ’2,x ’3 ,x ’4) = • •