Model Checking Recursive Programs with Numeric Data Types

Pushdown systems (PDS) naturally model sequential recursive programs. Numeric data types also often arise in real-world programs. We study the extension of PDS with unbounded counters, which naturally model numeric data types. Although this extension is Turing-powerful, reachability is known to be decidable when the number of reversals between incrementing and decrementing modes is bounded. In this paper, we (1) pinpoint the decidability/complexity of reachability and linear/branching time model checking over PDS with reversal-bounded counters (PCo), and (2) experimentally demonstrate the effectiveness of our approach in analysing software. We show that reachability over PCo is NP-complete, while LTL model checking is coNEXP-complete (coNP-complete for fixed formulas). In contrast, we prove that EF-logic over PCo is undecidable. Our NP upper bounds are by a direct poly-time reduction to satisfiability of existential Presburger formulas, allowing us to tap into highly optimized solvers like Z3. Although reversal-bounded analysis is incomplete for PDS with unbounded counters in general, our experiments suggest that some intricate bugs (e.g. from Linux device drivers) can be discovered with a small number of reversals. We also pinpoint the decidability/complexity of various extensions of PCo, e.g., with discrete clocks.
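As an added illustration (not the paper's code, tool or Presburger encoding), the following bounded explicit-state search over a constructed toy PCo shows what a reversal bound means in practice: a "reversal" is a switch of the counter between incrementing and decrementing, and the toy program's error state is reachable only once one such switch is allowed. The rule format, the toy system and the step bound are all assumptions made for this example.

```python
from collections import deque

# Constructed toy PCo: a recursive function f whose frames are pushed on the
# stack while a counter tracks recursion depth; on return the frames are popped
# and the counter decremented. Rule format (an assumption for this example):
#   (state, top_of_stack) -> [(next_state, replacement, delta, guard), ...]
# replacement is a string of stack symbols (leftmost = new top),
# delta in {-1, 0, +1} updates the counter, guard in {'any', 'zero', 'pos'}.
RULES = {
    ('main', 'M'): [('f', 'FM', +1, 'any')],          # call f, count one frame
    ('f', 'F'):    [('f', 'FF', +1, 'any'),           # recurse one level deeper
                    ('ret', 'F', 0, 'any')],          # stop recursing
    ('ret', 'F'):  [('ret', '', -1, 'pos')],          # return: pop frame, uncount
    ('ret', 'M'):  [('err', 'M', 0, 'zero')],         # back in main with count 0
}

def reachable(rules, start, target, reversals, max_steps=50):
    """Search for a run from start=(state, stack) to control state `target`
    that switches counter direction at most `reversals` times. Stack and
    counter are unbounded, so max_steps is an added bound on run length."""
    # configuration: (state, stack, counter, mode, reversals_used, steps);
    # mode is +1 while incrementing and -1 while decrementing
    queue = deque([(start[0], start[1], 0, +1, 0, 0)])
    seen = set()
    while queue:
        state, stack, c, mode, used, steps = queue.popleft()
        if state == target:
            return True
        key = (state, stack, c, mode, used)
        if key in seen or steps >= max_steps or not stack:
            continue
        seen.add(key)
        for nxt, repl, delta, guard in rules.get((state, stack[0]), []):
            if (guard == 'zero' and c != 0) or (guard == 'pos' and c == 0):
                continue
            new_mode, new_used = mode, used
            if delta != 0 and delta != mode:      # direction change = reversal
                new_mode, new_used = delta, used + 1
            if new_used > reversals:              # exceeds the reversal budget
                continue
            queue.append((nxt, repl + stack[1:], c + delta,
                          new_mode, new_used, steps + 1))
    return False

def min_reversals(rules, start, target, limit=5):
    """Smallest reversal bound (up to `limit`) under which target is reachable."""
    for r in range(limit + 1):
        if reachable(rules, start, target, r):
            return r
    return None
```

With a budget of zero reversals the frames can never be popped, so `err` stays unreachable; one reversal (increment while calling, then decrement while returning) suffices to expose it.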
