Abstract
While model checking of pushdown systems is by now an established technique in software verification, the temporal logics and automata traditionally used in this area are unattractive on two counts. First, they cannot express requirements such as pre/post-conditions that are basic to the analysis of software. Second, unlike in the finite-state world, where the μ-calculus has a symbolic model-checking algorithm and serves as an “assembly language” to which temporal logics can be compiled, there is no common formalism—either fixpoint-based or automata-theoretic—to model-check requirements on pushdown models. In this article, we introduce a new theory of temporal logics and automata that addresses the above issues, and provides a unified foundation for the verification of pushdown systems.
The key idea here is to view a program as a generator of structures known as nested trees as opposed to trees. A fixpoint logic (called NT-μ) and a class of automata (called nested tree automata) interpreted on languages of these structures are now defined, and branching-time model-checking is phrased as language inclusion and membership problems for these languages. We show that NT-μ and nested tree automata allow the specification of a new frontier of requirements usable in software verification. At the same time, their model checking problem has the same worst-case complexity as their traditional analogs, and can be solved symbolically using a fixpoint computation that generalizes, and includes as a special case, “summary”-based computations traditionally used in interprocedural program analysis. We also show that our logics and automata define a robust class of languages—in particular, just as the μ-calculus is equivalent to alternating parity automata on trees, NT-μ is equivalent to alternating parity automata on nested trees.
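The abstract says the NT-μ model-checking fixpoint includes, as a special case, the “summary” computation of interprocedural analysis, and that pre/post-conditions become expressible. The following is an added example, not code from the paper, showing that special case: a tabulation-style summary fixpoint over a small recursive Boolean program (constructed here; the program, node names, the single global bit `locked` and the two requirement checkers are illustrative assumptions). Summaries are indexed by the state at procedure entry, which is what makes the analysis context-sensitive: `work` may drop the lock internally and still always return with it held when it was held on entry, while a recursive re-entry exposes a call to `release` made without the lock.

```python
"""Summary-based interprocedural reachability over a recursive Boolean program.
Added example (not the paper's code); program and property are constructed."""
from collections import defaultdict

# Constructed recursive program over one global bit `locked`.
# Each procedure is a list of edges (src, kind, arg, dst); nodes 'entry'/'exit'.
#   kind == 'set'  : locked := arg
#   kind == 'skip' : nondeterministic branch, no change
#   kind == 'call' : call procedure arg, resume at dst when it returns
PROGRAM = {
    "main":    [("entry", "call", "acquire", "n1"),
                ("n1",    "call", "work",    "n2"),
                ("n2",    "call", "release", "exit")],
    "acquire": [("entry", "set", True,  "exit")],
    "release": [("entry", "set", False, "exit")],
    # work either returns at once or drops the lock around a recursive call
    "work":    [("entry", "skip", None,      "exit"),
                ("entry", "call", "release", "w1"),
                ("w1",    "call", "work",    "w2"),
                ("w2",    "call", "acquire", "exit")],
}


def analyze(program, main="main", init=False):
    """Tabulation fixpoint in the style of Sharir/Pnueli and Reps/Horwitz/Sagiv.
    Returns path edges {(proc, entry_state, node, state)} and summaries
    {proc: {entry_state: {exit_state}}}. Callee entry states are discovered
    on demand, so only calling contexts that are actually reachable are explored."""
    path = set()
    summaries = defaultdict(lambda: defaultdict(set))
    callers = defaultdict(set)   # (callee, entry_state) -> {(proc, s0, return_node)}
    worklist = []

    def add(edge):
        if edge not in path:
            path.add(edge)
            worklist.append(edge)

    add((main, init, "entry", init))
    while worklist:
        proc, s0, node, s = worklist.pop()
        if node == "exit":
            # A new summary (s0 -> s) for proc: resume every pending caller.
            if s not in summaries[proc][s0]:
                summaries[proc][s0].add(s)
                for (cp, cs0, ret) in callers[(proc, s0)]:
                    add((cp, cs0, ret, s))
            continue
        for (src, kind, arg, dst) in program[proc]:
            if src != node:
                continue
            if kind == "set":
                add((proc, s0, dst, arg))
            elif kind == "skip":
                add((proc, s0, dst, s))
            elif kind == "call":
                callers[(arg, s)].add((proc, s0, dst))
                add((arg, s, "entry", s))
                for s_exit in summaries[arg][s]:   # summaries already tabulated
                    add((proc, s0, dst, s_exit))
    return path, summaries


def check_pre_post(summaries, proc, pre, post):
    """Hoare-style requirement: every run of `proc` entered in a state satisfying
    `pre` exits in a state satisfying `post`. Returns violating (entry, exit) pairs."""
    return {(s0, s1) for s0, outs in summaries[proc].items() if pre(s0)
            for s1 in outs if not post(s1)}


def check_call_guard(path, program, callee, guard):
    """Local requirement: `callee` is only called from states where `guard` holds.
    Returns the violating path edges (caller, entry_state, node, state)."""
    return {(p, s0, n, s) for (p, s0, n, s) in path
            if not guard(s) and any(src == n and k == "call" and a == callee
                                    for (src, k, a, _) in program[p])}


if __name__ == "__main__":
    path, summaries = analyze(PROGRAM)
    for proc in PROGRAM:
        print(proc, {s0: sorted(out) for s0, out in summaries[proc].items()})
    held = lambda s: s
    print("work keeps lock:", check_pre_post(summaries, "work", held, held))
    print("release without lock:", check_call_guard(path, PROGRAM, "release", held))
```

The printed summaries show `work` entered with `locked = True` only ever exiting with `locked = True`, so the pre/post check passes, while the call-guard check reports the edge `("work", False, "entry", False)`: on the recursive re-entry `work` is entered with the lock already dropped and immediately calls `release` again. A finite-state abstraction that merged the two calling contexts of `work` could not make the first claim without losing the second.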
Software model checking using languages of nested trees