ABSTRACT
We define a new fixpoint modal logic, the visibly pushdown μ-calculus (VP-μ), as an extension of the modal μ-calculus. The models of this logic are execution trees of structured programs where the procedure calls and returns are made visible. This new logic can express pushdown specifications on the model that its classical counterpart cannot, and is motivated by recent work on visibly pushdown languages [4]. We show that our logic naturally captures several interesting program specifications in program verification and dataflow analysis. This includes a variety of program specifications such as computing combinations of local and global program flows, pre/post conditions of procedures, security properties involving the context stack, and interprocedural dataflow analysis properties. The logic can capture flow-sensitive and inter-procedural analysis, and it has constructs that allow skipping procedure calls so that local flows in a procedure can also be tracked. The logic generalizes the semantics of the modal μ-calculus by considering summaries instead of nodes as first-class objects, with appropriate constructs for concatenating summaries, and naturally captures the way in which pushdown models are model-checked. The main result of the paper is that the model-checking problem for VP-μ is effectively solvable against pushdown models with no more effort than that required for weaker logics such as CTL. We also investigate the expressive power of the logic VP-μ: we show that it encompasses all properties expressed by a corresponding pushdown temporal logic on linear structures (caret [2]) as well as by the classical μ-calculus. This makes VP-μ the most expressive known program logic for which algorithmic software model checking is feasible. In fact, the decidability of most known program logics (μ-calculus, temporal logics LTL and CTL, caret, etc.) can be understood by their interpretation in the monadic second-order logic over trees. This is not true for the logic VP-μ, making it a new powerful tractable program logic.
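As an added illustration of the summary-based view the abstract describes (this is constructed example code, not the paper's algorithm or its VP-μ syntax): a small model of a structured program whose calls and returns are explicit, with procedure summaries computed as a least fixpoint, local flows that skip over calls by way of those summaries, and a context-stack security property (is a node tagged `sensitive` reachable while no frame of a chosen procedure is on the stack?) checked over a finite (procedure, flag) abstraction of the global flow. The program, node names, the `sensitive` tag and the helper names are all assumptions.

```python
# Constructed toy program (not from the paper): procedures with one entry and one
# exit node, local edges, and call sites mapping call node -> (callee, return node).
PROCS = {
    "main": {"entry": "m0", "exit": "m4", "edges": [("m0", "m1"), ("m0", "m2"), ("m0", "m3")],
             "calls": {"m1": ("worker", "m4"), "m2": ("auth", "m4"), "m3": ("spin", "m4")}},
    "auth": {"entry": "a0", "exit": "a2", "edges": [("a0", "a1")], "calls": {"a1": ("worker", "a2")}},
    "worker": {"entry": "w0", "exit": "w3", "edges": [("w0", "w1"), ("w1", "w3"), ("w0", "w2")],
               "calls": {"w2": ("worker", "w3")}},  # recursive call
    "spin": {"entry": "s0", "exit": "s1", "edges": [("s0", "s0")], "calls": {}},  # never returns
}
LABELS = {"w1": "sensitive"}  # node tags used by the property below

def local_reach(procs, p, start, summ):
    # Local flow in p: a call site is skipped to its return node only if the callee returns.
    proc, seen, work = procs[p], set(), [start]
    while work:
        n = work.pop()
        if n in seen: continue
        seen.add(n)
        work += [v for u, v in proc["edges"] if u == n]
        if n in proc["calls"] and summ[proc["calls"][n][0]]:
            work.append(proc["calls"][n][1])
    return seen

def compute_summaries(procs):
    # Least fixpoint: summ[p] holds iff p's exit is locally reachable from its entry.
    summ, changed = {p: False for p in procs}, True
    while changed:
        changed = False
        for p, proc in procs.items():
            if not summ[p] and proc["exit"] in local_reach(procs, p, proc["entry"], summ):
                summ[p] = changed = True
    return summ

def reachable_contexts(procs, summ, frame_pred):
    # Global flow abstracted to (procedure, flag): flag = some stack frame satisfies frame_pred.
    start = ("main", frame_pred("main")); seen, work = {start}, [start]
    while work:
        p, flag = work.pop()
        for site, (callee, _) in procs[p]["calls"].items():
            if site in local_reach(procs, p, procs[p]["entry"], summ):
                cfg = (callee, flag or frame_pred(callee))
                if cfg not in seen: seen.add(cfg); work.append(cfg)
    return seen

def sensitive_without_frame(procs, frame_pred, label="sensitive"):
    # Labelled nodes some execution reaches while no stack frame satisfies frame_pred.
    summ = compute_summaries(procs)
    return {n for p, flag in reachable_contexts(procs, summ, frame_pred) if not flag
            for n in local_reach(procs, p, procs[p]["entry"], summ) if LABELS.get(n) == label}
```

With the constructed program, `sensitive_without_frame(PROCS, lambda p: p == "auth")` reports `w1`, because `main` can call `worker` directly without `auth` on the stack; the `spin` procedure shows a summary that never becomes true, so flows through its call site are not skipped.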
- [1] R. Alur, S. Chaudhuri, and P. Madhusudan. Visibly pushdown tree languages. http://www.cis.upenn.edu/~swarat/pubs/vptl.ps
- [2] R. Alur, K. Etessami, and P. Madhusudan. A temporal logic of nested calls and returns. In 10th Int. Conf. on Tools and Algorithms for the Const. and Analysis of Software, LNCS 2988, pages 467--481. Springer, 2004.
- [3] R. Alur, K. Etessami, and M. Yannakakis. Analysis of recursive state machines. In Proc. of the 13th International Conference on Computer Aided Verification, LNCS 2102, pages 207--220. Springer, 2001.
- [4] R. Alur and P. Madhusudan. Visibly pushdown languages. In Proc. of the 36th STOC, pages 202--211, 2004.
- [5] T. Ball and S. Rajamani. Bebop: A symbolic model checker for boolean programs. In SPIN 2000 Workshop on Model Checking of Software, LNCS 1885, pages 113--130. Springer, 2000.
- [6] T. Ball and S. Rajamani. The SLAM project: debugging system software via static analysis. In Proc. of the 29th ACM Symposium on Principles of Programming Languages, pages 1--3, 2002.
- [7] M. Benedikt, P. Godefroid, and T. Reps. Model checking of unrestricted hierarchical state machines. In 28th ICALP, LNCS 2076, pages 652--666. Springer, 2001.
- [8] J.R. Burch, E.M. Clarke, D.L. Dill, L.J. Hwang, and K.L. McMillan. Symbolic model checking: $10^{20}$ states and beyond. Information and Computation, 98(2):142--170, 1992.
- [9] L. Burdy, Y. Cheon, D. Cok, M. Ernst, J. Kiniry, G.T. Leavens, R. Leino, and E. Poll. An overview of JML tools and applications. In Proceedings of the 8th International Workshop on Formal Methods for Industrial Critical Systems, pages 75--89, 2003.
- [10] O. Burkart and B. Steffen. Model checking the full modal mu-calculus for infinite sequential processes. Theoretical Computer Science, 221:251--270, 1999.
- [11] K. Chatterjee, D. Ma, R. Majumdar, T. Zhao, T.A. Henzinger, and J. Palsberg. Stack size analysis for interrupt driven programs. In Proceedings of the 10th International Symposium on Static Analysis, LNCS 2694, pages 109--126, 2003.
- [12] H. Chen and D. Wagner. MOPS: an infrastructure for examining security properties of software. In Proceedings of the ACM Conference on Computer and Communications Security, pages 235--244, 2002.
- [13] E.A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 995--1072. Elsevier Science Publishers, 1990.
- [14] E.A. Emerson and C.S. Jutla. Tree automata, mu-calculus, and determinacy. In Proceedings of the 32nd IEEE Symposium on Foundations of Computer Science, pages 368--377, 1991.
- [15] J. Esparza, A. Kucera, and S. Schwoon. Model-checking LTL with regular valuations for pushdown systems. Information and Computation, 186(2):355--376, 2003.
- [16] E. Grädel, W. Thomas, and T. Wilke, editors. Automata, Logics, and Infinite Games: A Guide to Current Research (outcome of a Dagstuhl seminar, February 2001), volume 2500 of Lecture Notes in Computer Science. Springer, 2002.
- [17] T.A. Henzinger, R. Jhala, R. Majumdar, G.C. Necula, G. Sutre, and W. Weimer. Temporal-safety proofs for systems code. In Proc. of the 14th CAV Conference, LNCS 2404, pages 526--538, 2002.
- [18] D. Janin and I. Walukiewicz. On the expressive completeness of the propositional mu-calculus with respect to monadic second order logic. In CONCUR'96: Seventh International Conference on Concurrency Theory, LNCS 1119, pages 263--277. Springer-Verlag, 1996.
- [19] T. Jensen, D. Le Metayer, and T. Thorn. Verification of control flow based security properties. In Proceedings of the IEEE Symposium on Security and Privacy, pages 89--103, 1999.
- [20] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27:333--354, 1983.
- [21] K.L. McMillan. Symbolic model checking: an approach to the state explosion problem. Kluwer Academic Publishers, 1993.
- [22] T. Reps, S. Horwitz, and S. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In Proc. of the ACM Symposium on Principles of Programming Languages, pages 49--61, 1995.
- [23] D.A. Schmidt. Data flow analysis is model checking of abstract interpretations. In Proceedings of the 25th Annual ACM Symposium on Principles of Programming Languages, pages 68--78, 1998.
- [24] B. Steffen. Data flow analysis as model checking. In Theoretical Aspects of Computer Software, LNCS 526, pages 346--365, 1991.
- [25] C.S. Stirling. Modal and temporal logic. In Handbook of Logic in Computer Science, pages 477--563. Oxford University Press, 1991.
- [26] I. Walukiewicz. Pushdown processes: Games and model-checking. Information and Computation, 164(2):234--263, 2001.
A fixpoint calculus for local and global program flows. Proceedings of the 2006 POPL Conference.