Abstract
We describe a new algorithm for proving temporal properties expressed in LTL of infinite-state programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branching-time logic CTL than they can with native LTL algorithms. The caveat is that, in certain instances, nondeterminism in the system's transition relation can cause CTL methods to report counterexamples that are spurious with respect to the original LTL formula. To address this problem we describe an algorithm that, as it attempts to apply CTL proof methods, finds and then removes problematic nondeterminism via an analysis on the potentially spurious counterexamples. Problematic nondeterminism is characterized using decision predicates, and removed using a partial, symbolic determinization procedure which introduces new prophecy variables to predict the future outcome of these choices. We demonstrate---using examples taken from the PostgreSQL database server, Apache web server, and Windows OS kernel---that our method can yield enormous performance improvements in comparison to known tools, allowing us to automatically prove properties of programs where we could not prove them before.
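The mismatch the abstract describes, as an added illustration that is not the paper's own code: a small finite Kripke structure on which every path satisfies the LTL property FG p, but the CTL analogue AF AG p fails at the initial state because of a nondeterministic loop choice, followed by a prophecy-variable determinization of that choice. The countdown prophecy variable, its finite bound, and the state names are this example's modelling assumptions, not the paper's exact construction.

```python
# Added example (not the paper's code): a tiny Kripke structure on which every
# path satisfies the LTL property FG p (eventually p forever), yet the CTL
# analogue AF AG p fails because of nondeterminism, together with a
# prophecy-variable determinization that removes the offending choice.

def ag(succ, good):
    """AG good: greatest fixpoint - states in `good` all of whose successors stay inside."""
    s = set(good)
    while True:
        nxt = {q for q in s if all(r in s for r in succ[q])}
        if nxt == s:
            return s
        s = nxt

def af(succ, target):
    """AF target: least fixpoint - keep adding states all of whose successors are already inside."""
    s = set(target)
    while True:
        nxt = s | {q for q in succ if all(r in s for r in succ[q])}
        if nxt == s:
            return s
        s = nxt

def failing_initial_states(succ, p, init):
    """Initial states where AF AG p fails; non-empty means a (possibly spurious) CTL counterexample."""
    return {q for q in init if q not in af(succ, ag(succ, p))}

# Original system: in s0 (p holds) the loop may stay in s0 or leave for s1 (p false),
# after which s2 (p holds) is entered and never left.  Every path satisfies FG p,
# but AF AG p fails at s0: along the path that stays in s0 forever, AG p never holds
# because s1 is always still reachable.  That path is the spurious counterexample.
ORIG_SUCC = {"s0": {"s0", "s1"}, "s1": {"s2"}, "s2": {"s2"}}
ORIG_P = {"s0", "s2"}
ORIG_INIT = {"s0"}

def prophecy_system(bound):
    """Partial determinization with a prophecy variable rho predicting how many more
    iterations the loop runs before leaving s0 (None = never leaves).  The bounded
    countdown is this example's modelling choice, not the paper's exact construction."""
    succ = {("s0", None): {("s0", None)}}          # predicted: stay in s0 forever
    for rho in range(1, bound + 1):
        succ[("s0", rho)] = {("s0", rho - 1)}    # predicted: not yet, count down
    succ[("s0", 0)] = {("s1", 0)}                  # predicted exit happens now
    succ[("s1", 0)] = {("s2", 0)}
    succ[("s2", 0)] = {("s2", 0)}
    p = {q for q in succ if q[0] in ORIG_P}
    init = {q for q in succ if q[0] == "s0"}       # only the initial choice of rho remains nondeterministic
    return succ, p, init
```

On the original system `failing_initial_states` returns {"s0"}, while on `prophecy_system(3)` it returns the empty set: once the loop's future is predicted, the AG p proof succeeds at every initial state.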
Making prophecies with decision predicates. In POPL '11: Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages.