A Complete Bounded Model Checking Algorithm for Pushdown Systems

Pushdown systems (PDSs) consist of a stack and a finite state machine and are frequently used to model abstractions of software. They correspond to sequential recursive programs with finite-domain variables. This paper presents a novel algorithm for deciding reachability of particular locations of PDSs. We exploit the fact that most PDSs used in practice are shallow, and propose to use SAT-based Bounded Model Checking to search for counterexamples. Completeness is achieved by computing universal summaries of the procedures in the program.
