Reachability Analysis

A family of Static Analysis techniques that decide (or approximate) whether a given program point or state is reachable from a given start state. In finite-state models (as in model checking), reachability is decidable; on arbitrary Turing-complete programs, reachability of an arbitrary semantic condition is undecidable (Rice’s Theorem), so practical tools restrict to abstract domains or bounded horizons.

Reachability analysis answers the foundational question of safety verification: “can the program enter a bad state?” For smart contracts, this includes “can selfdestruct be invoked by an untrusted caller?”, “can invariant X be violated?”, “is this branch reachable?”. KEVM and similar executable-semantics tools enable reachability analysis over the EVM.

Tags

#verification #static-analysis #model-checking

KEVM

An executable formal semantics of the Ethereum Virtual Machine, written in the K Framework (Runtime Verification, Inc., 2017–). Unlike the Ethereum yellow paper (prose + informal pseudo-mathematics), KEVM is a machine-checkable specification: you can run a contract against KEVM and get the same result the semantics prescribes, byte-for-byte.

Its value is twofold. (1) Reference semantics — disputes about “what does this opcode do?” can be resolved by running KEVM, not by re-reading English prose. (2) Verification target — contracts can be proved correct against KEVM using the K framework’s symbolic execution and theorem-proving tools, rather than against an ad-hoc test suite.

House on Rock - LangSec in Ethereum Classic holds up KEVM as the remediation Ethereum Classic should adopt: replace the yellow paper with an executable semantics and give verification tools a standard target.

Rice’s Theorem

A foundational result in computability theory (Henry Gordon Rice, 1951–53): every non-trivial semantic property of the partial function computed by a program is undecidable. Source paper: Classes of Recursively Enumerable Sets and Their Decision Problems. “Non-trivial” means the property holds for some computable functions but not others; “semantic” means it depends on the input/output behaviour, not on the syntactic form of the program.

Put differently: you cannot in general decide, by inspecting a program, whether it belongs to any interesting class defined by what it does. Halting is one such property (Halting Problem), but so is “produces output X on input Y,” “terminates for all inputs,” “implements function f,” “contains no unreachable states,” and so on.

Rice’s theorem is the formal frontier against which static-analysis, verification, and capability-bounding claims must be measured. Any tool promising to decide a non-trivial semantic property on arbitrary programs is — by Rice — either restricting the program class (e.g. Finite-state Grammars, typed or total subsets) or approximating (sound-but-incomplete analyses). Whole research programs — LangSec, Formal Verification, Static Analysis, Weird Machine — are organised around this constraint.

Concrete implication cited in House on Rock - LangSec in Ethereum Classic: Ethereum’s gas mechanism cannot “sidestep Turing completeness” to deliver a safety guarantee, because safety is a semantic property and Rice’s theorem makes semantic properties of arbitrary programs undecidable. Gas is a resource bound (non-semantic, decidable) masquerading as a safety property (semantic, undecidable).

Computability lineage

graph TD G["Gödel (1931) Incompleteness (Principia)"] --> GR["Gödel (1934) General Recursive Functions"] C["Church (1936) An Unsolvable Problem of Elementary Number Theory"] --> K["Kleene (1936) On Notation for Ordinal Numbers"] GR --> K T["Turing (1936) On Computable Numbers"] --> HALT[[Halting Problem]] C --> HALT K --> RE["Kleene (1943) Recursive Predicates and Quantifiers"] RE --> POST1["Post (1944) Recursively Enumerable Sets"] POST1 --> POSTPROB["Post's Problem"] RE --> MYH["Myhill (1952) On Definable Sets of Positive Integers"] POST1 --> RICE["Rice (1953) Classes of R.E. Sets and Their Decision Problems"] HALT --> RICE RICE --> RT((Rice's Theorem)) RT --> LS[[LangSec]] RT --> FV[[Formal Verification]] RT --> SA[[Static Analysis]] GR -.equivalence.- T C -.equivalence.- T

Reachability Analysis

Tags

Backlinks