Software model checking using languages of nested trees

While model checking of pushdown systems is by now an established technique in software verification, temporal logics and automata traditionally used in this area are unattractive on two counts. First, logics and automata traditionally used in model checking cannot express requirements such as pre/post-conditions that are basic to analysis of software. Second, unlike in the finite-state world, where the μ-calculus has a symbolic model-checking algorithm and serves as an “assembly language” to which temporal logics can be compiled, there is no common formalism—either fixpoint-based or automata-theoretic—to model-check requirements on pushdown models. In this article, we introduce a new theory of temporal logics and automata that addresses the above issues, and provides a unified foundation for the verification of pushdown systems. The key idea here is to view a program as a generator of structures known as nested trees as opposed to trees. A fixpoint logic (called NT-μ) and a class of automata (called nested tree automata) interpreted on languages of these structures are now defined, and branching-time model-checking is phrased as language inclusion and membership problems for these languages. We show that NT-μ and nested tree automata allow the specification of a new frontier of requirements usable in software verification. At the same time, their model checking problem has the same worst-case complexity as their traditional analogs, and can be solved symbolically using a fixpoint computation that generalizes, and includes as a special case, “summary”-based computations traditionally used in interprocedural program analysis. We also show that our logics and automata define a robust class of languages—in particular, just as the μ-calculus is equivalent to alternating parity automata on trees, NT-μ is equivalent to alternating parity automata on nested trees.
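As an added illustration (not code from the paper), the following runs the "summary"-based fixpoint that the abstract says NT-μ model checking generalizes, on a constructed pushdown system with a single boolean state variable, and uses the resulting summaries to check a pre/post-condition on a procedure. The procedures, the lock variable and the property are hypothetical.

```python
# Added example: interprocedural summaries as a least fixpoint, used to
# check pre/post-conditions.  Program and property are constructed here.

# Each procedure maps a control point to outgoing edges.  Edge kinds:
#   ("step", f, next)   apply f to the boolean state, move to next
#   ("call", q, next)   run procedure q from "entry" to "exit", then move to next
PROGRAM = {
    "main": {
        "entry": [("call", "acquire", "n1")],
        "n1": [("call", "work", "n2")],
        "n2": [("call", "release", "exit")],
    },
    "acquire": {"entry": [("step", lambda s: True, "exit")]},
    "release": {"entry": [("step", lambda s: False, "exit")]},
    # "work" has an error path that releases the lock before returning
    "work": {
        "entry": [("step", lambda s: s, "n1"), ("call", "release", "exit")],
        "n1": [("step", lambda s: s, "exit")],
    },
}

def compute_summaries(program):
    """summaries[p] = set of (state at entry, state at exit) pairs of p.
    Intraprocedural reachability is recomputed with the current callee
    summaries until the least fixpoint is reached."""
    summaries = {p: set() for p in program}
    changed = True
    while changed:
        changed = False
        for p, cfg in program.items():
            reach = {(s, "entry", s) for s in (False, True)}  # (s_entry, node, s)
            work = list(reach)
            while work:
                s0, node, s = work.pop()
                for kind, target, nxt in cfg.get(node, []):
                    if kind == "step":
                        succ = {(s0, nxt, target(s))}
                    else:  # a call is summarised as one edge: entry -> exit of callee
                        succ = {(s0, nxt, t) for (u, t) in summaries[target] if u == s}
                    for item in succ - reach:
                        reach.add(item)
                        work.append(item)
            new = {(s0, s) for (s0, node, s) in reach if node == "exit"}
            if new != summaries[p]:
                summaries[p], changed = new, True
    return summaries

def check_postcondition(program, proc, post):
    """Return the (entry, exit) state pairs of proc that violate post(entry, exit)."""
    return {pair for pair in compute_summaries(program)[proc] if not post(*pair)}
```

Here `check_postcondition(PROGRAM, "work", lambda pre, post: pre == post)` reports the pair `(True, False)`: the error path in `work` breaks the requirement that it leave the lock state unchanged, while `main` itself always exits with the lock released.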
