Advanced Querying for Property Checking

Extended weighted pushdown systems (EWPDSs) are an extension of pushdown systems that incorporate infinite-state data abstractions. Nested-word automata (NWAs) are able to recognize languages that exhibit context-free properties, while retaining many of the decidability properties of finite automata. We study property checking of programs where the program model is an EWPDS and the property is specified by an NWA. We show how to combine an NWA A with an EWPDS E to create an EWPDS E' such that reachability analysis on E' checks property A on program E. This construction allows us to retain the capability of running advanced queries on programs modeled as EWPDSs, such as the ability to (i) find all program nodes that lie on an error path (via error projections); and (ii) answer context-bounded reachability queries for concurrent programs with infinite-state abstractions (via context-bounded model checking)

Interprocedural Analysis of Concurrent Programs Under a Context Bound

Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. A common approach is to remove the recursive nature of the program while dealing with concurrency. A different approach is to bound the number of context switches, which has been shown to be very useful for program analysis. In previous work, Qadeer and Rehof [36] showed that context-bounded analysis is decidable for recursive programs under a finite-state abstraction of program data. In this paper, we generalize their result to infinite-state abstractions, and also provide a new symbolic algorithm for the finite case

Verifying Concurrent Programs via Bounded Context-Switching and Induction

This paper presents a new approach to the problem of verifying safety properties of concurrent programs with shared memory and interleaving semantics. The method described leverages recent work on context-bounded analysis (CBA) via "sequentialization". In such work, a concurrent program P is converted to a sequential program whose behavior is equivalent to P for up to K context switches. By itself, CBA is not a sound verification method because it bounds the number of context switches considered, and hence does not explore all of P's behaviors. We combine CBA with K-induction to create a method that can verify properties for an unbounded number of context switches. In a K-induction argument, two "windows" of K steps are considered: the base case considers a prefix of up to K steps; the inductive case assumes that the property of interest is true for the previous K steps, and attempts to establish the property for one more step. We argue that CBA has the right characteristics to complement K-induction. In fact, our method uses CBA unchanged to discharge the base case. It also uses CBA as a subroutine when discharging the inductive case. The method works by analyzing two sequential programs, T1 and T2, each of which is a transformed version of P that simulates P's behavior for K context switches. T1 and T2 work slightly differently, and the analyses performed on them start from different sets of initial configurations. If, in both T1 and T2, the analyzer shows that the error state cannot be reached in K context switches, K-induction implies that P cannot reach the error state in any number of context switches. The account sketched out above over-simplifies. There are actually several impediments to being able to apply K-induction to verify concurrent programs. The paper identifies the elements that make it difficult to push through a K-induction argument in this context, and introduces three techniques that, when used together,side-step the difficulties