Harnessing Forest Automata for Verification of Heap Manipulating Programs. (Verification of programs with complex data structures)

This work addresses the verification of infinite-state systems, specifically of programs manipulating complex dynamic linked data structures. Many approaches have emerged to date, but none of them provides a solution robust enough to succeed in all scenarios that appear in practice. We therefore propose a new approach which aims to improve on the current state of the art in several dimensions. The approach is based on tree automata, but it is also partly inspired by ideas taken from methods based on separation logic. In addition, we present several improvements to the implementation of tree automata operations that are crucial for the verification method to succeed in practice. In particular, we give an optimised algorithm for computing simulations over labelled transition systems, which in turn yields a more efficient computation of simulations over tree automata. We also give a new algorithm for checking language inclusion between tree automata, and we provide an experimental evaluation demonstrating that the new algorithm outperforms other existing approaches.
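The abstract names language inclusion between nondeterministic tree automata as the operation whose efficiency decides whether the verification method scales. As an added illustration, not code from the thesis or from any library it describes, the Python below implements the plain antichain-based inclusion check for bottom-up tree automata, the well-known baseline (Bouajjani, Habermehl, Holík, Touili, Vojnar, CIAA 2008) in which the right-hand automaton is determinised on the fly and only subset-minimal macro-states are kept. The thesis's own improved algorithm is not reproduced here. The two constructed automata (trees over a binary symbol `f` and leaves `a`, `b`: one accepting trees with an even number of `b` leaves, the other trees with no `b` leaf), the encoding of trees as nested tuples, and the helper names `post`, `run`, `accepts` and `includes` are assumptions of the example.

```python
"""Antichain-based language inclusion for bottom-up tree automata.

Added illustration (not the thesis's algorithm): on-the-fly subset
construction of the right-hand automaton, keeping only subset-minimal
macro-states per left-hand state.
"""
from itertools import product


class TreeAutomaton:
    """Bottom-up NFTA. A rule f(q1,...,qn) -> q is stored as
    rules[(f, (q1,...,qn))] = {q, ...}; a leaf symbol has children ()."""

    def __init__(self, rules, final):
        self.rules = {(sym, tuple(kids)): frozenset(tgts)
                      for (sym, kids), tgts in rules.items()}
        self.final = frozenset(final)
        self.by_symbol = {}
        for (sym, kids), tgts in self.rules.items():
            self.by_symbol.setdefault(sym, []).append((kids, tgts))


def post(aut, sym, child_sets):
    """States reachable at the root of sym(t1,...,tn) when subtree ti
    reaches exactly the states child_sets[i]. One step of the subset
    construction; for a leaf, child_sets is ()."""
    out = set()
    for kids, tgts in aut.by_symbol.get(sym, []):
        if len(kids) == len(child_sets) and all(q in s for q, s in zip(kids, child_sets)):
            out |= tgts
    return frozenset(out)


def run(aut, tree):
    """Set of states reached at the root of a tree given as ('f', t1, t2)."""
    return post(aut, tree[0], [run(aut, t) for t in tree[1:]])


def accepts(aut, tree):
    return bool(run(aut, tree) & aut.final)


def includes(a, b):
    """Decide L(a) <= L(b). Returns (True, None) or (False, witness) where
    witness is a tree accepted by a and rejected by b.

    Pairs (p, S) are explored: p a state of a, S the set of states of b
    reached by one tree that reaches p. post is monotone in S, so a pair
    (p, S') with S <= S' can never produce a counterexample that (p, S)
    cannot; only subset-minimal S per p are kept (the antichain)."""
    antichain = {}   # p -> list of (S, witness tree for the pair)
    worklist = []

    def add(p, S, tree):
        entries = antichain.setdefault(p, [])
        if any(S2 <= S for S2, _ in entries):
            return                      # subsumed by a smaller macro-state
        entries[:] = [(S2, t2) for S2, t2 in entries if not S <= S2]
        entries.append((S, tree))
        worklist.append((p, S, tree))

    for (sym, kids), tgts in a.rules.items():
        if not kids:
            for p in tgts:
                add(p, post(b, sym, ()), (sym,))

    while worklist:
        p, S, tree = worklist.pop()
        if all(S2 != S for S2, _ in antichain.get(p, [])):
            continue                    # pruned meanwhile by a smaller S
        if p in a.final and not (S & b.final):
            return False, tree          # accepted by a, by no state of b
        for (sym, kids), tgts in a.rules.items():
            for i, q in enumerate(kids):
                if q != p:
                    continue
                # position i takes the pair just popped, the others any known pair
                options = [[(S, tree)] if j == i else antichain.get(q2, [])
                           for j, q2 in enumerate(kids)]
                for combo in product(*options):
                    S2 = post(b, sym, [c[0] for c in combo])
                    tree2 = (sym,) + tuple(c[1] for c in combo)
                    for p2 in tgts:
                        add(p2, S2, tree2)
    return True, None


# Constructed example automata over f/2 and the leaves a, b (assumptions).
EVEN_B = TreeAutomaton(
    {("a", ()): {"e"}, ("b", ()): {"o"},
     ("f", ("e", "e")): {"e"}, ("f", ("o", "o")): {"e"},
     ("f", ("e", "o")): {"o"}, ("f", ("o", "e")): {"o"}},
    final={"e"})            # trees with an even number of b leaves
NO_B = TreeAutomaton(
    {("a", ()): {"x"}, ("f", ("x", "x")): {"x"}},
    final={"x"})            # trees with no b leaf at all

if __name__ == "__main__":
    print(includes(NO_B, EVEN_B))   # (True, None)
    print(includes(EVEN_B, NO_B))   # (False, ('f', ('b',), ('b',)))
```

The check never builds the full determinisation of `b`: when the leaf `b` is read, `NO_B` reaches no state at all, so the pair `(o, {})` is added and, being subset-minimal, it evicts the larger macro-state `{x}` already recorded for the A-state reached by `f(b, b)`; the empty set then meets a final state of `EVEN_B` and the search stops with that tree as the witness. In the other direction every macro-state produced is subsumed by one already in the antichain, and the worklist empties without a counterexample.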
