Model Checking Recursive Programs with Exact Predicate Abstraction

We propose an approach for analyzing non-termination and reachability properties of recursive programs using a combination of over- and under-approximating abstractions. First, we define a new concrete program semantics, mixed, that combines natural and operational semantics, and use it to design an on-the-fly symbolic algorithm. Second, we combine this algorithm with abstraction by following classical fixpoint abstraction techniques. This makes our approach parametrized by different approximating semantics of predicate abstraction and enables a uniform solution for over- and under-approximating semantics. The algorithm is implemented in Yasm, and we show that it can establish non-termination of non-trivial C programs completely automatically.
