The past, present, and future(s): verifying temporal software properties

Software systems are increasingly present in every aspect of our society, as their deployment can be witnessed from seemingly trivial applications of light switches, to critical control systems of nuclear facilities. In the context of critical systems, software faults and errors could potentially lead to detrimental consequences, thus more rigorous methodologies beyond the scope of testing need be applied to software systems. Formal verification, the concept of being able to mathematically prove the correctness of an algorithm with respect to a mathematical formal specification, can indeed help us prevent these failures. A popular specification language for these formal specifications is temporal logic, due to its intuitive, yet precise expressions that can be utilized to both specify and verify fundamental properties pertaining to software systems. Temporal logic can express properties pertaining to safety, liveness, termination, non-termination, and more with regards to various systems such as Windows device drivers, kernel APIs, database servers, etc. This dissertation thus presents automated scalable techniques for verifying expressive temporal logic properties of software systems, specifically those beyond the scope of existing techniques. Furthermore, this work considers the temporal sub-logics fair-CTL, CTL∗, and CTLlp, as verifying these more expressive sub-logics has been an outstanding research problem. We begin building our framework by introducing a novel scalable and high-performance CTL verification technique. Our CTL methodology is unique relative to existing techniques in that it facilitates reasoning about more expressive temporal logics. In particular, it allows us to further introduce various methodologies that allow us to verify fair-CTL, CTL∗, and CTLlp. We support the verification of fair-CTL through a reduction to our CTL model checking technique via the use of infinite non-deterministic branching to symbolically partition fair from unfair executions. For CTL∗, we propose a method that uses an internal encoding which facilitates reasoning about the subtle interplay between the nesting of path and state temporal operators that occurs within CTL∗ proofs. A precondition synthesis strategy is then used over a program transformation which trades nondeterminism in the transition relation for nondeterminism explicit in variables predicting future outcomes when necessary. Finally, we propose a linear-past extension to CTL∗, that being CTLlp, in which the past is linear and each moment in time has a unique past. We support this extension through the use of history variables over our CTL∗ technique. We demonstrate the fully automated implementation of our techniques, and report our benchmarks carried out on code fragments from the PostgreSQL database server, Apache web server, Windows OS kernel, as well as smaller programs demonstrating the expressiveness of fair-CTL, CTL∗, and CTLlp specifications. Together, these novel methodologies lead to a new class of fully automated tools capable of proving crucial properties that no tool could previously prove in the infinite-state setting.

[1]  Johan Anthory Willem Kamp,et al.  Tense logic and the theory of linear order , 1968 .

[2]  Nir Piterman,et al.  Proving Stabilization of Biological Systems , 2011, VMCAI.

[3]  Sofiène Tahar,et al.  Environment synthesis for compositional model checking , 2002, Proceedings. IEEE International Conference on Computer Design: VLSI in Computers and Processors.

[4]  Florian Zuleger,et al.  Ramsey vs. Lexicographic Termination Proving , 2013, TACAS.

[5]  Amir Pnueli,et al.  Separating Fairness and Well-Foundedness for the Analysis of Fair Discrete Systems , 2005, TACAS.

[6]  Deepak Kapur,et al.  Termination Analysis of C Programs Using Compiler Intermediate Languages , 2011, RTA.

[7]  Nir Piterman,et al.  Fairness for Infinite-State Systems , 2015, TACAS.

[8]  Jochen Hoenicke,et al.  Software Model Checking for People Who Love Automata , 2013, CAV.

[9]  A. Prasad Sistla,et al.  Deciding branching time logic , 1984, STOC '84.

[10]  David Harel,et al.  Effective transformations on infinite trees, with applications to high undecidability, dominoes, and fairness , 1986, JACM.

[11]  Kim G. Larsen,et al.  Model Checking Timed Automata with Priorities Using DBM Subtraction , 2006, FORMATS.

[12]  Laura Bozzelli The Complexity of CTL* + Linear Past , 2008, FoSSaCS.

[13]  Amir Pnueli,et al.  A compositional approach to CTL* verification , 2005, Theor. Comput. Sci..

[14]  Jürgen Giesl,et al.  Proving Termination of Programs Automatically with AProVE , 2014, IJCAR.

[15]  Deepak Kapur,et al.  Termination Analysis of Imperative Programs Using Bitvector Arithmetic , 2012, VSTTE.

[16]  E. Allen Emerson,et al.  The Complexity of Tree Automata and Logics of Programs , 1999, SIAM J. Comput..

[17]  Peter W. O'Hearn,et al.  Proving Nontermination via Safety , 2014, TACAS.

[18]  Martín Abadi,et al.  The Existence of Refinement Mappings , 1988, LICS.

[19]  Alain Griffault,et al.  The Mec 5 Model-Checker , 2004, CAV.

[20]  Bowen Alpern,et al.  Recognizing safety and liveness , 2005, Distributed Computing.

[21]  Nir Piterman,et al.  Faster temporal reasoning for infinite-state programs , 2014, 2014 Formal Methods in Computer-Aided Design (FMCAD).

[22]  Marc Brockschmidt,et al.  CTL+FO verification as constraint solving , 2014, SPIN.

[23]  Bernd Finkbeiner,et al.  Verifying Temporal Properties of Reactive Systems: A STeP Tutorial , 2000, Formal Methods Syst. Des..

[24]  Nir Piterman,et al.  On Automation of CTL* Verification for Infinite-State Systems , 2015, CAV.

[25]  Peter Lee,et al.  Automatic numeric abstractions for heap-manipulating programs , 2010, POPL '10.

[26]  Nir Piterman,et al.  Verifying Increasingly Expressive Temporal Logics for Infinite-State Systems , 2017, J. ACM.

[27]  Jochen Hoenicke,et al.  Termination Analysis by Learning Terminating Programs , 2014, CAV.

[28]  Viktor Vafeiadis,et al.  Proving that non-blocking algorithms don't block , 2009, POPL '09.

[29]  Swarat Chaudhuri,et al.  A constraint-based approach to solving games on infinite graphs , 2014, POPL.

[30]  Philippe Schnoebelen,et al.  A Hierarchy of Temporal Logics with Past , 1995, Theor. Comput. Sci..

[31]  Andreas Podelski,et al.  Proving that programs eventually do something good , 2007, POPL '07.

[32]  Marsha Chechik,et al.  Yasm: A Software Model-Checker for Verification and Refutation , 2006, CAV.

[33]  David Monniaux,et al.  Quantifier Elimination by Lazy Model Enumeration , 2010, CAV.

[34]  Joseph Y. Halpern,et al.  “Sometimes” and “not never” revisited: on branching versus linear time temporal logic , 1986, JACM.

[35]  Kenneth L. McMillan,et al.  Lazy Abstraction with Interpolants , 2006, CAV.

[36]  Amir Pnueli,et al.  The Glory of the Past , 1985, Logic of Programs.

[37]  Andreas Podelski,et al.  ARMC: The Logical Choice for Software Model Checking with Abstraction Refinement , 2007, PADL.

[38]  Andrey Rybalchenko,et al.  Solving Existentially Quantified Horn Clauses , 2013, CAV.

[39]  Fausto Giunchiglia,et al.  Planning as Model Checking , 1999, ECP.

[40]  Pierre Wolper,et al.  Reasoning About Infinite Computations , 1994, Inf. Comput..

[41]  Marta Z. Kwiatkowska,et al.  Probabilistic symbolic model checking with PRISM: a hybrid approach , 2004, International Journal on Software Tools for Technology Transfer.

[42]  Mark Reynolds,et al.  An axiomatization of full Computation Tree Logic , 2001, Journal of Symbolic Logic.

[43]  Edmund M. Clarke,et al.  Arithmetic Strengthening for Shape Analysis , 2007, SAS.

[44]  Xin-She Yang,et al.  Introduction to Algorithms , 2021, Nature-Inspired Optimization Algorithms.

[45]  Nikolaj Bjørner,et al.  Generalized Property Directed Reachability , 2012, SAT.

[46]  A. Rybalchenko,et al.  Transition invariants , 2004, LICS 2004.

[47]  Daniel Kroening,et al.  Decision Procedures - An Algorithmic Point of View , 2008, Texts in Theoretical Computer Science. An EATCS Series.

[48]  Pierre Wolper,et al.  An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report) , 1986, LICS.

[49]  Eric Bodden A lightweight LTL runtime verification tool for java , 2004, OOPSLA '04.

[50]  Caterina Urban,et al.  The Abstract Domain of Segmented Ranking Functions , 2013, SAS.

[51]  Tayssir Touili,et al.  Pushdown model checking for malware detection , 2013, International Journal on Software Tools for Technology Transfer.

[52]  Sagar Chaki,et al.  SMT-based model checking for recursive programs , 2014, Formal Methods in System Design.

[53]  Eric Koskinen,et al.  Making prophecies with decision predicates , 2011, POPL '11.

[54]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[55]  Chin-Laung Lei,et al.  Modalities for Model Checking: Branching Time Logic Strikes Back , 1987, Sci. Comput. Program..

[56]  Marco Pistore,et al.  NuSMV 2: An OpenSource Tool for Symbolic Model Checking , 2002, CAV.

[57]  Eric Koskinen,et al.  Reasoning about nondeterminism in programs , 2013, PLDI.

[58]  Joël Ouaknine,et al.  State/Event Software Verification for Branching-Time Specifications , 2005, IFM.

[59]  Andreas Podelski,et al.  A Complete Method for the Synthesis of Linear Ranking Functions , 2004, VMCAI.

[60]  Marta Z. Kwiatkowska,et al.  PRISM 4.0: Verification of Probabilistic Real-Time Systems , 2011, CAV.

[61]  Sriram K. Rajamani,et al.  Thorough static analysis of device drivers , 2006, EuroSys.

[62]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic , 1981, Logic of Programs.

[63]  Chin-Laung Lei,et al.  Temporal Reasoning Under Generalized Fairness Constraints , 1986, STACS.

[64]  Amir Pnueli,et al.  The temporal logic of programs , 1977, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977).

[65]  Andreas Podelski,et al.  Termination proofs for systems code , 2006, PLDI '06.

[66]  Marc Brockschmidt,et al.  Better Termination Proving through Cooperation , 2013, CAV.

[67]  Ernst-Rüdiger Olderog,et al.  Fairness in parallel programs: the transformational approach , 1988, TOPL.

[68]  Leslie Lamport,et al.  "Sometime" is sometimes "not never": on the temporal logic of programs , 1980, POPL '80.

[69]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[70]  Javier Esparza,et al.  Model-Checking LTL with Regular Valuations for Pushdown Systems , 2001, TACS.