Equational Abstraction Refinement for Certified Tree Regular Model Checking

Tree Regular Model Checking (TRMC) is the name of a family of techniques for analyzing infinite-state systems in which states are represented by trees and sets of states by tree automata. The central problem is to decide whether a set of bad states belongs to the set of reachable states. An obstacle is that this set is in general neither regular nor computable in finite time. This paper proposes a new CounterExample Guided Abstraction Refinement (CEGAR) algorithm for TRMC. Our approach relies on a new equational-abstraction based completion algorithm to compute a regular overapproximation of the set of reachable states in finite time. This set is represented by $\mathcal{R}_{/E}$-automata, a new extended tree automaton formalism whose structure can be exploited to detect and remove false positives in an efficient manner. Our approach has been implemented in TimbukCEGAR, a new toolset that is capable of analyzing Java programs by exploiting an elegant translation from the Java byte code to term rewriting systems. Experiments show that TimbukCEGAR outperforms existing CEGAR-based completion algorithms. Contrary to existing TRMC toolsets, the answers provided by TimbukCEGAR are certified by Coq, which means that they are formally proved correct.
