Verifying Programs with Dynamic 1-Selector-Linked Structures in Regular Model Checking

International audienceWe address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, non-recursive programs manipulating 1-selector-linked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an automata-based approach for a symbolic verification of such programs using the regular model checking framework. Given a program, the configurations of the memory are systematically encoded as words over a suitable finite alphabet, potentially infinite sets of configurations are represented by finite-state automata, and statements of the program are automatically translated into finite-state transducers defining regular relations between configurations. Then, abstract regular model checking techniques are applied in order to automatically check safety properties concerning the shape of the computed configurations or relating the input and output configurations. For that, we introduce new techniques for the computation of abstractions of the set of reachable configurations, and to refine these abstractions if spurious counterexamples are detected. Finally, we present experimental results showing the applicability of the approach and its efficiency

A Logic of Reachable Patterns in Linked Data-Structures

We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamically-allocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express precondition, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of data-structures, and low-level heap mutations. Moreover, our logic can express properties of arbitrary data-structures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on entry to a procedure to the fields on exit. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing low-level heap mutations

Shape Analysis via Monotonic Abstraction

We propose a new formalism for reasoning about dynamic memory heaps, using monotonic abstraction and symbolic backward reachability analysis. We represent the heaps as graphs, and introduce an ordering on these graphs. This enables us to represent the violation of a given safety property as the reachability of a finitely representable set of bad graphs. We also describe how to symbolically compute the reachable states in the transition system induced by a program

Abstract Regular Tree Model Checking

International audienceRegular (tree) model checking (RMC) is a promising generic method for formal verification of infinite-state systems. It encodes configurations of systems as words or trees over a suitable alphabet, possibly infinite sets of configurations as finite word or tree automata, and operations of the systems being examined as finite word or tree transducers. The reachability set is then computed by a repeated application of the transducers on the automata representing the currently known set of reachable configurations. In order to facilitate termination of RMC, various acceleration schemas have been proposed. One of them is a combination of RMC with the abstract-check-refine paradigm yielding the so-called abstract regular model checking (ARMC). ARMC has originally been proposed for word automata and transducers only and thus for dealing with systems with linear (or easily linearisable) structure. In this paper, we propose a generalisation of ARMC to the case of dealing with trees which arise naturally in a lot of modelling and verification contexts. In particular, we first propose abstractions of tree automata based on collapsing their states having an equal language of trees up to some bounded height. Then, we propose an abstraction based on collapsing states having a non-empty intersection (and thus "satisfying") the same bottom-up tree "predicate" languages. Finally, we show on several examples that the methods we propose give us very encouraging verification results

Regular hedge model checking

We extend the regular model checking framework so that it can handle systems with arbitrary width tree-like structures. Con gurations of a system are represented by trees of arbitrary arities, sets of con gurations are represented by regular hedge automata, and the dynamics of a system is modeled by a regular hedge transducer. We consider the problem of computing the transitive closure T + of a regular hedge transducer T. This construction is not possible in general. Therefore, we present a general acceleration technique for computing T+. Our method consists of enhancing the termination of the iterative computation of the different compositions Ti by merging the states of the hedge transducers according to an appropriate equivalence relation that preserves the traces of the transducers. We provide a methodology for effectively deriving equivalence relations that are appropriate. We have successfully applied our technique to compute transitive closures for some mutual exclusion protocols de ned on arbitrary width tree topologies, as well as for an XML application.4th IFIP International Conference on Theoretical Computer ScienceRed de Universidades con Carreras en Informática (RedUNCI

Automata-Based Termination Proofs

This paper describes our generic framework for detecting termination of programs handling infinite and complex data domains, such as pointer structures. The framework is based on a counterexample-driven abstraction refinement loop. We have instantiated the framework for programs handling tree-like data structures, which allowed us to prove automatically termination of programs such as the depth-first tree traversal, the Deutsch-Schorr-Waite tree traversal, or the linking leaves algorithm

Linear Encodings of Bounded LTL Model Checking

We consider the problem of bounded model checking (BMC) for linear temporal logic (LTL). We present several efficient encodings that have size linear in the bound. Furthermore, we show how the encodings can be extended to LTL with past operators (PLTL). The generalised encoding is still of linear size, but cannot detect minimal length counterexamples. By using the virtual unrolling technique minimal length counterexamples can be captured, however, the size of the encoding is quadratic in the specification. We also extend virtual unrolling to Buchi automata, enabling them to accept minimal length counterexamples. Our BMC encodings can be made incremental in order to benefit from incremental SAT technology. With fairly small modifications the incremental encoding can be further enhanced with a termination check, allowing us to prove properties with BMC. Experiments clearly show that our new encodings improve performance of BMC considerably, particularly in the case of the incremental encoding, and that they are very competitive for finding bugs. An analysis of the liveness-to-safety transformation reveals many similarities to the BMC encodings in this paper. Using the liveness-to-safety translation with BDD-based invariant checking results in an efficient method to find shortest counterexamples that complements the BMC-based approach.Comment: Final version for Logical Methods in Computer Science CAV 2005 special issu

Injecting continuous time execution into service-oriented computing

Service-Oriented Computing is a computing paradigm that utilizes services as fundamental elements to support rapid, low-cost development of distributed applications in heterogeneous environments. In Service-Oriented Computing, a service is defined as an independent and autonomous piece of functionality which can be described, published, discovered and used in a uniform way. SENSORIA Reference Modeling Language is developed in the IST-FET integrated project. It provides a formal abstraction for services at the business level. Hybrid systems arise in embedded control when components that perform discrete changes are coupled with components that perform continuous processes. Normally, the discrete changes can be modeled by finite-state machines and the continuous processes can be modeled by differential equations. In an abstract point of view, hybrid systems are mixtures of continuous dynamics and discrete events. Hybrid systems are studied in different research areas. In the computer science area, a hybrid system is modeled as a discrete computer program interacting with an analog environment. In this thesis, we inject continuous time execution into Service-Oriented Computing by giving a formal abstraction for hybrid systems at the business level in a Service-Oriented point of view, and develop a method for formal verifications. In order to achieve the first part of this goal, we make a hybrid extension of Service-Oriented Doubly Labeled Transition Systems, named with Service-Oriented Hybrid Doubly Labeled Transition Systems, make an extension of the SENSORIA Reference Modeling Language and interpret it over Service-Oriented Hybrid Doubly Labeled Transition Systems. To achieve the second part of this goal, we adopt Temporal Dynamic Logic formulas and a set of sequent calculus rules for verifying the formulas, and develop a method for transforming the SENSORIA Reference Modeling Language specification of a certain service module into the respective Temporal Dynamic Logic formulas that could be verified. Moreover, we provide a case study of a simplified small part of the European Train Control System which is specified and verified with the approach introduced above. We also provide an approach of implementing the case study model with the IBM Websphere Process Server, which is a comprehensive Service-Oriented Architecture integration platform and provides support for the Service Component Architecture programming model. In order to realize this approach, we also provide functions that map models specified with the SENSORIA Reference Modeling Language to Websphere Process Server applications