Saturation methods for global model-checking pushdown systems

Pushdown systems equip a finite state system with an unbounded stack memory, and are thus infinite state. By recording the call history on the stack, these systems provide a natural model for recursive procedure calls. Model-checking for pushdown systems has been well-studied. Tools implementing pushdown model-checking (e.g. Moped) are an essential back-end component of high-profile software model checkers such as SLAM, Blast and Terminator. Higher-order pushdown systems define a more complex memory structure: a higher-order stack is a stack of lower-order stacks. These systems form a robust hierarchy closely related to the Caucal hierarchy and higher-order recursion schemes. This latter connection demonstrates their importance as models for programs with higher-order functions. We study the global model-checking problem for (higher-order) pushdown systems. In particular, we present a new algorithm for computing the winning regions of a parity game played over an order-1 pushdown system. We then show how to compute the winning regions of two-player reachability games over order-n pushdown systems. These algorithms extend the saturation methods of Bouajjani, Esparza and Maler for order-1 pushdown systems, and Bouajjani and Meyer for higher-order pushdown systems with a single control state. These techniques begin with an automaton recognising (higher-order) stacks, and iteratively add new transitions until the automaton becomes saturated. The reachability result, presented at FoSSaCS 2007 and in the LMCS journal, is the main contribution of the thesis. We break the saturation paradigm by adding new states to the automaton during the iteration. We identify the fixed points required for termination by tracking the updates that are applied, rather than by observing the transition structure. We give a number of applications of this result to LTL model-checking, branching-time model-checking, non-emptiness of higher-order pushdown automata and Buchi games. Our second major contribution is the first application of the saturation technique to parity games. We begin with a mu-calculus characterisation of the winning region. This formula alternates greatest and least fixed point operators over a kind of reachability formula. Hence, we can use a version of our reachability algorithm, and modifications of the Buchi techniques, to compute the required result. The main advantages of this approach compared to existing techniques due to Cachat, Serre and Vardi et al. are that it is direct and that it is not immediately exponential in the number of control states, although the worst-case complexity remains the same.

[1]  Antoine Meyer,et al.  Winning Regions of Higher-Order Pushdown Games , 2008, 2008 23rd Annual IEEE Symposium on Logic in Computer Science.

[2]  Rajeev Alur,et al.  Modular Strategies for Infinite Games on Recursive Graphs , 2003, CAV.

[3]  Rajeev Alur,et al.  Modular strategies for recursive game graphs , 2006, Theor. Comput. Sci..

[4]  Thomas Wilke,et al.  CTL+ is Exponentially more Succinct than CTL , 1999, FSTTCS.

[5]  George C. Necula,et al.  Temporal-Safety Proofs for Systems Code , 2002, CAV.

[6]  Javier Esparza,et al.  Reachability Analysis of Multithreaded Software with Asynchronous Communication , 2005, FSTTCS.

[7]  Don Box,et al.  Essential .NET: The Common Language Runtime , 2002 .

[8]  Arnaud Carayol,et al.  Regular Sets of Higher-Order Pushdown Stacks , 2005, MFCS.

[9]  Christof Löding,et al.  Visibly Pushdown Games , 2004, FSTTCS.

[10]  Tayssir Touili,et al.  Reachability Analysis of Synchronized PA Systems , 2005, INFINITY.

[11]  Moshe Y. Vardi,et al.  Global Model-Checking of Infinite-State Systems , 2004, CAV.

[12]  David E. Muller,et al.  Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[13]  John Harrison Formal verification at Intel , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[14]  Javier Esparza,et al.  Decidability of model checking for infinite-state concurrent systems , 1997, Acta Informatica.

[15]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic , 1981, Logic of Programs.

[16]  Michael Benedikt,et al.  Model Checking of Unrestricted Hierarchical State Machines , 2001, ICALP.

[17]  Wolfgang Thomas,et al.  Solving Pushdown Games with a Sigma3 Winning Condition , 2002, CSL.

[18]  Moshe Y. Vardi Branching vs. Linear Time: Final Showdown , 2001, TACAS.

[19]  Kousha Etessami,et al.  Analysis of Recursive Game Graphs Using Data Flow Equations , 2004, VMCAI.

[20]  Didier Caucal,et al.  On infinite transition graphs having a decidable monadic theory , 1996, Theor. Comput. Sci..

[21]  Alfred V. Aho,et al.  Indexed Grammars—An Extension of Context-Free Grammars , 1967, SWAT.

[22]  Tayssir Touili,et al.  A Generic Approach to the Static Analysis of Concurrent Programs with Procedures , 2003, Int. J. Found. Comput. Sci..

[23]  I. Walukiewicz Pushdown Processes: Games and Model Checking , 1996 .

[24]  Ahmed Bouajjani,et al.  Constrained Properties, Semilinear Systems, and Petri Nets , 1996, CONCUR.

[25]  Didier Caucal,et al.  On the transition graphs of automata and grammars , 1990, WG.

[26]  Hugo Gimbert,et al.  Parity and Exploration Games on Infinite Graphs , 2004, CSL.

[27]  Joost Engelfriet,et al.  Iterated pushdown automata and complexity classes , 1983, STOC.

[28]  David E. Muller,et al.  The Theory of Ends, Pushdown Automata, and Second-Order Logic , 1985, Theor. Comput. Sci..

[29]  Friedrich Otto,et al.  String-Rewriting Systems , 1993, Text and Monographs in Computer Science.

[30]  Javier Esparza,et al.  Reachability Analysis of Pushdown Automata: Application to Model-Checking , 1997, CONCUR.

[31]  Werner Damm,et al.  An Automata-Theoretical Characterization of the OI-Hierarchy , 1986, Inf. Control..

[32]  Anil Seth,et al.  An Alternative Construction in Symbolic Reachability Analysis of Second Order Pushdown Systems , 2008, Int. J. Found. Comput. Sci..

[33]  Bruno Courcelle,et al.  The Monadic Second-Order Logic of Graphs IX: Machines and their Behaviours , 1995, Theor. Comput. Sci..

[34]  Orna Kupferman,et al.  An Automata-Theoretic Approach to Reasoning about Infinite-State Systems , 2000, CAV.

[35]  Igor Walukiewicz Model Checking CTL Properties of Pushdown Systems , 2000, FSTTCS.

[36]  E. Allen Emerson,et al.  An Automata Theoretic Decision Procedure for the Propositional Mu-Calculus , 1989, Inf. Comput..

[37]  Amir Pnueli,et al.  The temporal logic of programs , 1977, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977).

[38]  Igor Walukiewicz,et al.  On the Expressive Completeness of the Propositional mu-Calculus with Respect to Monadic Second Order Logic , 1996, CONCUR.

[39]  C.-H. Luke Ong,et al.  On Model-Checking Trees Generated by Higher-Order Recursion Schemes , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).

[40]  Richard Mayr Combining Petri Nets and PA-Processes , 1997, TACS.

[41]  Pierre Wolper,et al.  A direct symbolic approach to model checking pushdown systems , 1997, INFINITY.

[42]  Richard Mayr Model Checking PA-Processes , 1997, CONCUR.

[43]  Rajeev Alur,et al.  Analysis of Recursive State Machines , 2001, CAV.

[44]  Gerald Gazdar,et al.  Applicability of Indexed Grammars to Natural Languages , 1988 .

[45]  Javier Esparza Petri Nets, Commutative Context-Free Grammars, and Basic Parallel Processes , 1995, FCT.

[46]  Igor Walukiewicz,et al.  Pushdown Games with Unboundedness and Regular Conditions , 2003, FSTTCS.

[47]  Peter Müller,et al.  A Modular Verification Methodology for C# Delegates , 2009, Rigorous Methods for Software Construction and Analysis.

[48]  Wolfgang Thomas,et al.  A Combinatorial Approach to the Theory of omega-Automata , 1981, Inf. Control..

[49]  Somesh Jha,et al.  On generalized authorization problems , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[50]  Richard Mayr Weak Bisimulation and Model Checking for Basic Parallel Processes , 1996, FSTTCS.

[51]  Andrzej S. Murawski,et al.  Collapsible Pushdown Automata and Recursion Schemes , 2008, LICS.

[52]  Arnaud Carayol,et al.  The Caucal Hierarchy of Infinite Graphs in Terms of Logic and Higher-Order Pushdown Automata , 2003, FSTTCS.

[53]  G. Ramalingam,et al.  Context-sensitive synchronization-sensitive analysis is undecidable , 2000, TOPL.

[54]  Javier Esparza,et al.  On the Decidability of Model Checking for Several µ-calculi and Petri Nets , 1994, CAAP.

[55]  Andrew D. Gordon,et al.  Verified Reference Implementations of WS-Security Protocols , 2006, WS-FM.

[56]  Richard Mayr,et al.  Process rewrite systems , 1999, EXPRESS.

[57]  Amir Pnueli,et al.  The Glory of the Past , 1985, Logic of Programs.

[58]  Marco Pistoia,et al.  Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[59]  R. McNaughton,et al.  Counter-Free Automata , 1971 .

[60]  Mahesh Viswanathan,et al.  Model Checking Multithreaded Programs with Asynchronous Atomic Methods , 2006, CAV.

[61]  Rajeev Alur,et al.  Model checking of hierarchical state machines , 2001, SIGSOFT '98/FSE-6.

[62]  Javier Esparza,et al.  Efficient Algorithms for Model Checking Pushdown Systems , 2000, CAV.

[63]  Daniel Le Métayer,et al.  Verification of control flow based security properties , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[64]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[65]  Søren Christensen Decidability and decomposition in process algebras , 1993 .

[66]  Nir Piterman Verification of Infinite-State Systems , 2004 .

[67]  Olaf Burkart Model checking rationally restricted right closures of recognizable graphs , 1997, INFINITY.

[68]  Colin Stirling,et al.  Modal Logics and mu-Calculi: An Introduction , 2001, Handbook of Process Algebra.

[69]  Somesh Jha,et al.  Weighted pushdown systems and their application to interprocedural dataflow analysis , 2005, Sci. Comput. Program..

[70]  Pierre Wolper Temporal Logic Can Be More Expressive , 1983, Inf. Control..

[71]  Richard Mayr Tableau Methods for PA-Processes , 1997, TABLEAUX.

[72]  Wolfgang Thomas,et al.  Automata on Infinite Objects , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[73]  Gareth S. Rohde,et al.  Alternating automata and the temporal logic of ordinals , 1997 .

[74]  Ernst L. Leiss,et al.  On Equations for Regular Languages, Finite Automata, and Sequential Networks , 1980, Theor. Comput. Sci..

[75]  Wolfgang Thomas,et al.  Languages, Automata, and Logic , 1997, Handbook of Formal Languages.

[76]  Rajeev Alur,et al.  Analysis of recursive state machines , 2001, TOPL.

[77]  Robert P. Kurshan Formal verification in a commercial setting , 1997, DAC.

[78]  Orna Kupferman,et al.  Model Checking Linear Properties of Prefix-Recognizable Systems , 2002, CAV.

[79]  Richard Mayr Strict Lower Bounds for Model Checking BPA , 1998, Electron. Notes Theor. Comput. Sci..

[80]  Swarat Chaudhuri,et al.  A fixpoint calculus for local and global program flows , 2006, POPL '06.

[81]  Moshe Y. Vardi An Automata-Theoretic Approach to Linear Temporal Logic , 1996, Banff Higher Order Workshop.

[82]  Colin Stirling,et al.  Bisimulation, Modal Logic and Model Checking Games , 1999, Logic Journal of the IGPL.

[83]  Pawel Urzyczyn,et al.  Higher-Order Pushdown Trees Are Easy , 2002, FoSSaCS.

[84]  Pierre Wolper,et al.  Reasoning About Infinite Computations , 1994, Inf. Comput..

[85]  Li Gong,et al.  Inside Java 2 Platform Security: Architecture, API Design, and Implementation , 1999 .

[86]  Thierry Cachat,et al.  Higher Order Pushdown Automata, the Caucal Hierarchy of Graphs and Parity Games , 2003, ICALP.

[87]  C.-H. Luke Ong,et al.  Symbolic Backwards-Reachability Analysis for Higher-Order Pushdown Systems , 2008, Log. Methods Comput. Sci..

[88]  Howard Barringer,et al.  Temporal Logic with Fixed Points , 1987, Temporal Logic in Specification.

[89]  Markus Lohrey,et al.  Infinite State Model-Checking of Propositional Dynamic Logics , 2006, CSL.

[90]  David Harel,et al.  Statecharts: A Visual Formalism for Complex Systems , 1987, Sci. Comput. Program..

[91]  David E. Muller,et al.  Alternating Automata, the Weak Monadic Theory of Trees and its Complexity , 1992, Theor. Comput. Sci..

[92]  J. R. Büchi Regular Canonical Systems , 1964 .

[93]  Thomas W. Reps,et al.  Extended Weighted Pushdown Systems , 2005, CAV.

[94]  Olivier Serre Note on winning positions on pushdown games with [omega]-regular conditions , 2003, Inf. Process. Lett..

[95]  Sampath Kannan,et al.  Communicating Hierarchical State Machines , 1999, ICALP.

[96]  Klaus Aehlig,et al.  Safety Is not a Restriction at Level 2 for String Languages , 2005, FoSSaCS.

[97]  Thierry Cachat,et al.  Games on pushdown graphs and extensions , 2003 .

[98]  Jan A. Bergstra,et al.  Process Algebra for Synchronous Communication , 1984, Inf. Control..

[99]  Stefan Schwoon,et al.  Model checking pushdown systems , 2002 .

[100]  Igor Walukiewicz,et al.  Unsafe Grammars and Panic Automata , 2005, ICALP.

[101]  Andreas Podelski,et al.  Terminator: Beyond Safety , 2006, CAV.

[102]  Ernst W. Mayr,et al.  An algorithm for the general Petri net reachability problem , 1981, STOC '81.

[103]  Tayssir Touili,et al.  Regular Symbolic Analysis of Dynamic Networks of Pushdown Systems , 2005, CONCUR.

[104]  Bernhard Steffen,et al.  Bisimulation Collapse and the Process Taxonomy , 1996, CONCUR.

[105]  Thomas W. Reps,et al.  Improving Pushdown System Model Checking , 2006, CAV.

[106]  Edward A. Lee,et al.  A Formalism for Higher-Order Composition Languages that Satisfies the Church-Rosser Property , 2006 .

[107]  A. Prasad Sistla,et al.  On Model-Checking for Fragments of µ-Calculus , 1993, CAV.

[108]  Bruno Courcelle,et al.  Monadic Second-Order Logic, Graph Coverings and Unfoldings of Transition Systems , 1998, Ann. Pure Appl. Log..

[109]  Moshe Y. Vardi A temporal fixpoint calculus , 1988, POPL '88.

[110]  Somesh Jha,et al.  Analysis of SPKI/SDSI certificates using model checking , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[111]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[112]  Didier Caucal On Infinite Terms Having a Decidable Monadic Theory , 2002, MFCS.

[113]  Igor Walukiewicz,et al.  The Complexity of Games on Higher Order Pushdown Automata , 2007, ArXiv.

[114]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[115]  Javier Esparza,et al.  On the Model Checking Problem for Branching Time Logics and Basic Parallel Processes , 1995, CAV.

[116]  Rajeev Alur,et al.  Visibly pushdown languages , 2004, STOC '04.

[117]  Jakob Rehof,et al.  Context-Bounded Model Checking of Concurrent Software , 2005, TACAS.

[118]  Javier Esparza,et al.  Abstraction Refinement with Craig Interpolation and Symbolic Pushdown Systems , 2006, J. Satisf. Boolean Model. Comput..

[119]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[120]  John Penix,et al.  Formal Analysis of the Remote Agent Before and After Flight , 2000 .

[121]  Olivier Serre,et al.  Games with winning conditions of high Borel complexity , 2006, Theor. Comput. Sci..

[122]  Christof Löding,et al.  Alternating Automata and Logics over Infinite Words , 2000, IFIP TCS.

[123]  Javier Esparza,et al.  Model checking LTL with regular valuations for pushdown systems , 2001, Inf. Comput..

[124]  Pawel Urzyczyn,et al.  Deciding Monadic Theories of Hyperalgebraic Trees , 2001, TLCA.

[125]  Chin-Laung Lei,et al.  Modalities for Model Checking: Branching Time Logic Strikes Back , 1987, Sci. Comput. Program..