A Logic of Reachable Patterns in Linked Data-Structures

We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamically-allocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express precondition, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of data-structures, and low-level heap mutations. Moreover, our logic can express properties of arbitrary data-structures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on entry to a procedure to the fields on exit. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing low-level heap mutations

Model checking Branching-Time Properties of Multi-Pushdown Systems is Hard

We address the model checking problem for shared memory concurrent programs modeled as multi-pushdown systems. We consider here boolean programs with a finite number of threads and recursive procedures. It is well-known that the model checking problem is undecidable for this class of programs. In this paper, we investigate the decidability and the complexity of this problem under the assumption of bounded context-switching defined by Qadeer and Rehof, and of phase-boundedness proposed by La Torre et al. On the model checking of such systems against temporal logics and in particular branching time logics such as the modal $\mu$-calculus or CTL has received little attention. It is known that parity games, which are closely related to the modal $\mu$-calculus, are decidable for the class of bounded-phase systems (and hence for bounded-context switching as well), but with non-elementary complexity (Seth). A natural question is whether this high complexity is inevitable and what are the ways to get around it. This paper addresses these questions and unfortunately, and somewhat surprisingly, it shows that branching model checking for MPDSs is inherently an hard problem with no easy solution. We show that parity games on MPDS under phase-bounding restriction is non-elementary. Our main result shows that model checking a $k$ context bounded MPDS against a simple fragment of CTL, consisting of formulas that whose temporal operators come from the set {\EF, \EX}, has a non-elementary lower bound

Verification of Parametric Concurrent Systems with Prioritized FIFO Resource Management

International audienceThis paper addresses the problem of parametric verification for a class of concurrent systems with resource sharing. The systems are composed of a parametric number of finite-state processes that are competing for exclusive access to a finite number of resources. Their access to resources is managed by a locker according to a FIFO policy distinguishing low-priority and high-priority resource requests. For such systems, we define a model based on automata with queues recording for each resource the identities of the waiting processes. Then, we address the parametric verification problem for the proposed model and the temporal logic LTL\X with global process quantification. We consider two different interpretation domains for the logic, namely the sets of finite and fair behaviours. In addition, we consider parametric verification of process deadlockability too. We establish several decidability results for different classes of the considered systems and properties by reducing their parametric verification problems to (finite-state) model-checking problems with finite numbers of processes

Automatic Verification of Recursive Procedures with One Integer Parameter

International audienceContext-free processes (BPA) have been used for dataflow analysis in recursive procedures with applications in optimizing compilers. We introduce a more refined model called BPA(Z) that can model not only recursive dependencies, but also the passing of an integer parameter to a subroutine. Moreover, this parameter can be tested against conditions expressible in Presburger arithmetic. This new and more expressive model can still be analyzed automatically. We define Z-input 1-CM, a new class of 1-counter machines that take integer numbers as input, to describe sets of configurations of BPA(Z). We show that the Post* (the set of successors) of a set of BPA(Z)-configurations described by a Z-input 1-CM can be effectively constructed. The Pre* (set of predecessors) of a regular set can be effectively constructed as well. However, the Pre* of a set described by a Z-input 1-CM cannot be represented by a Z-input 1-CM in general and has an undecidable membership problem. Then we develop a new temporal logic based on reversal-bounded counter machines (i.e. machines which use counters such that the change between increasing and decreasing mode of each counter is bounded that can be used to describe properties of BPA(Z) and show that the model-checking problem is decidable

Abstract Regular Model Checking

International audienceWe propose abstract regular model checking as a new generic technique for verification of parametric and infinite-state systems. The technique combines the two approaches of regular model checking and verification by abstraction. We propose a general framework of the method as well as several concrete ways of abstracting automata or transducers, which we use for modelling systems and encoding sets of their states as usual in regular model checking. The abstraction is based on collapsing states of automata (or transducers) and its precision is being incrementally adjusted by analysing spurious counterexamples. We illustrate the technique on verification of a wide range of systems including a novel application of automata-based techniques to an example of systems with dynamic linked data structure