7 research outputs found

    On Reachability Analysis of Pushdown Systems with Transductions: Application to Boolean Programs with Call-by-Reference

Pushdown systems with transductions (TrPDSs) are an extension of pushdown systems (PDSs) by associating each transition rule with a transduction, which allows one to inspect and modify the stack content at each step of a transition rule. It was shown by Uezato and Minamide that TrPDSs can model PDSs with checkpoint and discrete-timed PDSs. Moreover, TrPDSs can be simulated by PDSs, and the predecessor configurations pre^*(C) of a regular set C of configurations can be computed by a saturation procedure when the closure of the transductions in TrPDSs is finite. In this work, we comprehensively investigate the reachability problem of finite TrPDSs. We propose a novel saturation procedure to compute pre^*(C) for finite TrPDSs. Also, we introduce a saturation procedure to compute the successor configurations post^*(C) of a regular set C of configurations for finite TrPDSs. From these two saturation procedures, we present two efficient implementation algorithms to compute pre^*(C) and post^*(C). Finally, we show how the presence of transductions enables the modeling of Boolean programs with call-by-reference parameter passing. The TrPDS model has a finite closure of transductions, which results in a model-checking approach for Boolean programs with call-by-reference parameter passing against safety properties.

    CARET analysis of multithreaded programs

Dynamic Pushdown Networks (DPNs) are a natural model for multithreaded programs with (recursive) procedure calls and thread creation. On the other hand, CARET is a temporal logic that allows one to write linear temporal formulas while taking into account the matching between calls and returns. We consider in this paper the model-checking problem of DPNs against CARET formulas. We show that this problem can be effectively solved by a reduction to the emptiness problem of Büchi Dynamic Pushdown Systems. We then show that CARET model checking is also decidable for DPNs communicating with locks. Our results can, in particular, be used for the detection of concurrent malware.

    Comment: Pre-proceedings paper presented at the 27th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur, Belgium, 10-12 October 2017 (arXiv:1708.07854)

    LTL Model-Checking for Dynamic Pushdown Networks Communicating via Locks

A Dynamic Pushdown Network (DPN) is a set of pushdown systems (PDSs) where each process can dynamically create new instances of PDSs. DPNs are a natural model of multi-threaded programs with (possibly recursive) procedure calls and thread creation. Extending DPNs with locks allows processes to synchronize via locks. Thus, DPNs with locks are a well-adapted formalism to model multi-threaded programs that synchronize via locks. Therefore, it is important to have model-checking algorithms for DPNs with locks. However, in general, the model-checking problem of DPNs with locks against reachability properties, and hence Linear Temporal Logic (LTL), is undecidable. To obtain decidable results, we study in this work the model-checking problem of DPNs with well-nested locks against single-indexed Linear Temporal Logic (LTL) properties of the form E f_i s.t. f_i is an LTL formula interpreted over the PDS i. We show that this model-checking problem is decidable. We propose an automata-based approach for computing the set of configurations of a DPN with locks that satisfy the corresponding single-indexed LTL formula.

    A Navigation Logic for Recursive Programs with Dynamic Thread Creation

Dynamic Pushdown Networks (DPNs) are a model for multithreaded programs with recursion and dynamic creation of threads. In this paper, we propose a temporal logic called NTL for reasoning about the call- and return- as well as thread-creation behaviour of DPNs. Using tree automata techniques, we investigate the model checking problem for the novel logic and show that its complexity is not higher than that of LTL model checking against pushdown systems, despite a more expressive logic and a more powerful system model. The same holds true for the satisfiability problem when compared to the satisfiability problem for a related logic for reasoning about the call- and return-behaviour of pushdown systems. Overall, this novel logic offers a promising approach for the verification of recursive programs with dynamic thread creation.

    Constrained Dynamic Tree Networks

We generalise Constrained Dynamic Pushdown Networks, introduced by Bouajjani et al., to Constrained Dynamic Tree Networks. In this model, we have trees of processes which may monitor their children. We allow the processes to be defined by any computation model for which the alternating reachability problem is decidable. We address the problem of symbolic reachability analysis for this model. More precisely, we consider the problem of computing an effective representation of their reachability sets using finite state automata. We show that backwards reachability sets starting from regular sets of configurations are always regular. We provide an algorithm for computing backwards reachability sets using tree automata.

    Model Checking Dynamic Pushdown Networks with Locks and Priorities

A dynamic pushdown network (DPN) is a set of pushdown systems (PDSs) where each process can dynamically create new instances of PDSs. DPNs are a natural model of multi-threaded programs with (possibly recursive) procedure calls and thread creation. A PL-DPN is an extension of DPNs that allows threads to synchronize using locks and priorities. Transitions in a PL-DPN can have different priorities and acquire/release locks. We consider in this work model checking PL-DPNs against single-indexed LTL and CTL properties of the form f_i such that f_i is an LTL/CTL formula over the PDS i. We show that these model checking problems are decidable. We propose automata-based approaches for computing the set of configurations of a PL-DPN that satisfy the corresponding single-indexed LTL/CTL formula.