Proving Termination of Programs with Bitvector Arithmetic by Symbolic Execution

(1)

Proving Termination of Programs with Bitvector Arithmetic

by Symbolic Execution

J¨ urgen Giesl

LuFG Informatik 2, RWTH Aachen University, Germany

joint work with Jera Hensel, Florian Frohn, and Thomas Str¨oder

(2)

Termination Analysis in AProVE

Java C Haskell Prolog

JBC

LLVM Symbolic

Execution Graph

Integer Transition

System (ITS)

Safety Termination

Complexity Non-Termination

(3)

Termination Analysis in AProVE

JBC

LLVM Symbolic

Execution Graph

Integer Transition

System (ITS)

Safety Termination

Winner of SV-COMP 2015 & 2016 termination competition

Drawback: assumes mathematical integers Z instead of bitvectors

(4)

Termination Analysis in AProVE

JBC

LLVM Symbolic

Execution Graph

Integer Transition

System (ITS)

Safety Termination

Termination of C programs with explicit pointer arithmetic

(5)

Termination Analysis in AProVE

JBC

LLVM Symbolic

Execution Graph

Integer Transition

System (ITS)

Safety Termination

Termination of C programs with explicit pointer arithmetic Winner of SV-COMP 2015 & 2016 termination competition

Z

(6)

JBC

LLVM Symbolic

Execution Graph

Integer Transition

System (ITS)

Safety Termination

Termination of C programs with explicit pointer arithmetic

Winner of SV-COMP 2015 & 2016 termination competition

Drawback: assumes mathematical integers Z instead of bitvectors

(7)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

standardSMT solving overZ forsymbolic execution standardITSs overZ fortermination proving

(8)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination

for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

standardITSs overZ fortermination proving

(9)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

(10)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination

for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

(11)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

(12)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C

byte-accurate symbolic execution

to bitvector arithmetic

Solution: express bitvector relations by relations on Z

(13)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

(14)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

standard SMT solving overZ forsymbolic execution

(15)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt termination analysis of C to bitvector arithmetic Solution: express bitvector relations by relations on Z

standard SMT solving overZ forsymbolic execution standard ITSs overZ fortermination proving

(16)

Mathematical Integers Z vs. Bitvectors

void f(unsigned int x) { unsigned int j = 0;

while (j <= x) j++; }

for Z : termination for bitvectors: non-termination

void g(unsigned int j) { while (j > 0) j++; }

for Z : non-termination for bitvectors: termination

Goal: adapt byte-accurate symbolic execution to bitvector arithmetic Solution: express bitvector relations by relations on Z

standard SMT solving overZ forsymbolic execution standard ITSs overZ fortermination proving

(17)

From C to LLVM

entry: 0: ad = alloca i32 1: store i32 j, i32* ad 2: br label cmp

cmp: 0: j1 = load i32* ad 1: j1p = icmp ugt i32 j1, 0 2: br i1 j1p, label body,

label done body: 0: j2 = load i32* ad

1: inc = add i32 j2, 1 2: store i32 inc, i32* ad 3: br label cmp

done: 0: ret void }

void g(unsigned int j) { while (j > 0) j++; }

C LLVM

Symbolic Execution Graph

Integer Transition

System (ITS)

Safety Termination

(18)

2: br label cmp cmp: 0: j1 = load i32* ad

1: j1p = icmp ugt i32 j1, 0 2: br i1 j1p, label body,

done: 0: ret void }

C LLVM

Integer Transition

System (ITS)

Safety Termination

(19)

Abstract States

define i32 @g(i32 j) { entry: 0: ad = alloca i32

1: store i32 j, i32* ad 2: br label cmp

done: 0: ret void }

void g(unsigned int j) while (j > 0) j++; }

C LLVM

Integer Transition

System (ITS)

Safety Termination

(20)

Abstract States

done: 0: ret void }

a

(entry,2)

{j=v_j,ad=v_ad} {Jv_ad,vendK} {vend =v_ad+ 3} {v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Heuristic: partitionprogram variables intoU ] S

x∈ U: PV(x)represents value ofx as unsigned integer

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

KB and consequences ofALandPT information on ranges of integers:

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(21)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{j=v_j,ad=v_ad} {Jv_ad,vendK} {vend =v_ad+ 3} {v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction)

PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(22)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{j=v_j,ad=v_ad}

{Jv_ad,vendK} {vend =v_ad+ 3} {v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables

AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(23)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{j=v_j,ad=v_ad} {Jv_ad,vendK}

{vend =v_ad+ 3} {v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(24)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{j=v_j,ad=v_ad} {Jv_ad,vendK} {vend =v_ad+ 3}

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables)

PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(25)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables)

PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(26)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(27)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a: ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(28)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

ERR or

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(29)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula containing

KB and consequences ofALandPT

information on ranges of integers:

j∈ U has type i32 ⇒ 0≤PV(j)

| {z }

vj

≤umax32

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(30)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula containing

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete:

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(31)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula containing

information on ranges of integers:

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(32)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

information on ranges of integers: j∈ U has type i32 ⇒ 0≤PV(j)

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete:

∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(33)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete: ∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n

hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(34)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete: ∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n hai

_SL

: separation logic formula, extends hai by details on memory

abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(35)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete: ∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state

iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(36)

Abstract States

done: 0: ret void }

a

_(entry,₂₎

{v_ad,→i32,uv_j}

⇐ = pos

⇐ = PV

⇐ = AL

⇐ = KB

⇐ = PT

Abstract state a:

pos : program position (block, next instruction) PV : program variables → symbolic variables AL: allocation list J v

₁

, v

₂

K

KB : knowledge base (FO-(in)equalities over symbolic variables) PT : points-to atoms v

1

, →

_type,u

v

2

hai: FO formula

containing

| {z }

vj

≤umax₃₂

| {z }

2³²−1

a concrete: ∀ symbolic variables v ∃ n ∈ Z such that | = hai ⇒ v = n hai

_SL

: separation logic formula, extends hai by details on memory abstract state a represents concrete state iff

hai

_SL

is satisfied by instantiation corresponding to concrete state

(37)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅ A

{j=vj,ad=vad, ...} {Jvad,vendK} {v_end=vad+ 3, ...}

∅ (entry,2)

{j=vj,ad=vad, ...} {Jvad,vendK} {...} {vad,→vj} C

(cmp,0)

{j=vj,ad=vad, ...} {Jvad,vendK} {...} {vad,→vj} D

(cmp,1)

{j=vj,ad=vad, j1=vj, ...} {Jvad,vendK} {...} {vad,→vj} E

⇐=PV

⇐=AL

⇐=KB

⇐=PT

(38)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅ A

(entry,2)

(cmp,0)

(cmp,1)

⇐=pos

⇐=PV

⇐=AL

⇐=KB

⇐=PT

(39)

Symbolic Execution

define i32 @g(i32 j) { entry:0: ad = alloca i32

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅ A

{j=vj,ad=vad, ...} {Jvad,vendK} {v_end=vad+ 3, ...}

∅ (entry,2)

(cmp,0)

(cmp,1)

⇐=pos

⇐=PV

⇐=AL

⇐=KB

⇐=PT

(40)

Symbolic Execution

define i32 @g(i32 j) { entry:0: ad = alloca i32

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

{Jvad,vendK} {v_end=vad+ 3, ...}

∅ B

(entry,2)

(cmp,0)

(cmp,1)

(41)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

∅ B

(entry,2)

(cmp,0)

(cmp,1)

⇐=PV

⇐=AL

⇐=KB

⇐=PT

(42)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

∅ B

(entry,2)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} C

(cmp,0)

(cmp,1)

(43)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

∅ B

(entry,2)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} C

(cmp,0)

(cmp,1)

⇐=PV

⇐=AL

⇐=KB

⇐=PT

(44)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

∅ B

(entry,2)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} C

(cmp,0)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} D

(cmp,1)

(45)

Symbolic Execution

done: 0: ret void }

(entry,0) {j=vj, ...}

∅

{0≤vj≤umax, ...}

∅

A (entry,1)

{j=vj,ad=vad, ...}

∅ B

(entry,2)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} C

(cmp,0)

{j=vj,ad=vad, ...}

{Jvad,vendK} {...}

{vad,→vj} D

(cmp,1)

⇐=PV

⇐=AL

⇐=KB

⇐=PT