Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking From Tools to Theory Rajeev Alur University of Pennsylvania 25MC, FLOC, August 2006.

Similar presentations

Presentation on theme: "Model Checking From Tools to Theory Rajeev Alur University of Pennsylvania 25MC, FLOC, August 2006."— Presentation transcript:

1 Model Checking From Tools to Theory Rajeev Alur University of Pennsylvania 25MC, FLOC, August 2006

2 Automata/Logics CS Theory Algorithms/Complexity Model CheckingDatabasesCompilersLinguistic/NLP How has model checking influenced basic theory? Connecting tree automata, fixpoint logics, parity games Temporal logics and automata over infinite words Data structures: OBDDs Timed and hybrid automata Many more examples

3 Software Analysis Analysis tool Model checking Static analysis Deductive reasoning Testing Runtime monitoring Product M Specification SProgram P Logics/automata Ad-hoc patterns Implicit (built in tool) Program annotations

4 Checking Structured Programs Classical model checking: Both program and specification define regular languages Control-flow requires stack, so program defines a context-free language Algorithms exist for checking regular specifications against context- free models Emptiness of pushdown automata is solvable Product of a regular language and a context-free language is context-free But, checking context-free spec against a context-free model is undecidable! Context-free languages are not closed under intersection Inclusion as well as emptiness of intersection undecidable Existing software model checkers: pushdown models (Boolean programs) and regular specifications SLAM, BLAST, F-SOFT, jMoped … Even in absence of recursion, hierarchical structure retained for analysis

5 Are Context-free Specs Interesting? Classical Hoare-style pre/post conditions If p holds when procedure A is invoked, q holds upon return Total correctness: every invocation of A terminates Integral part of emerging standard JML Stack inspection properties (security/access control) If setuuid bit is being set, root must be in call stack Interprocedural data-flow analysis All these need matching of calls with returns, or finding unmatched calls Recall: Language of words over [, ] such that brackets are well matched is not regular, but context-free

6 Checking Context-free Specs Many tools exist for checking specific properties Security research on stack inspection properties Annotating programs with asserts and local variables Inter-procedural data-flow analysis algorithms Whats common to checkable properties? Both model M and spec S have their own stacks, but the two stacks are synchronized, so product is possible As a generator, program should expose the matching structure of calls and returns Solution: Nested words and theory of regular languages over nested words

7 Nested Words Nested word: Linear sequence + well-nested edges Positions labeled with symbols in a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a7a7 a8a8 a9a9 a 10 a 11 a 12 Positions classified as: Call positions: both linear and hierarchical successors Return positions: both linear and hierarchical predecessors Internal positions: otherwise

8 Program Executions as Nested Words Program global int x; bool P() { … x = 3; if Q x = 1 ; … } bool Q () { local int y; … x = y; return (x==0); } An execution as a word Symbols: w : write x r : read x s : other s w s w r s w s An execution as a nested word s w s w r s w s Summary edges from calls to returns

9 RNA as a Nested Word Primary structure: Linear sequence of nucleotides (A, C, G, U) Secondary structure: Hydrogen bonds between complementary nucleotides (A-U, G-C, G-U) In literature, this is modeled as trees. Algorithmic question: Find similarity between RNAs using edit distances G C U G A A U A C G C G C U C G

10 Model for Linear Hierarchical Data Nested words: both linear and hierarchical structure is made explicit. This seems natural in many applications Executions of structured program RNA: primary backbone is linear, secondary bonds are well-nested XML documents: matching of open/close tags Words: only linear structure is explicit Pushdown automata add/discover hierarchical structure Parantheses languages: implicit nesting edges Ordered Trees: only hierarchical structure is explicit Ordering of siblings imparts explicit partial order Linear order is implicit, and can be recovered by infix traversal

11 Nested Word Automata (NWA) a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a7a7 a8a8 a9a9 States Q, initial state q 0, final states F Starts in initial state, reads the word from left to right labeling edges with states, where states on the outgoing edges are determined from states of incoming edges Transition function: c : Q x -> Q x Q (for call positions) i : Q x -> Q (for internal positions) r : Q x Q x -> Q (for return positions) Nested word is accepted if the run ends in a final state q8q8 q7q7 q5q5 q4q4 q3q3 q2q2 q1q1 q0q0 q 9 = r (q 8,q 29,a 9 )q 6 = i (q 5,a 6 )(q 2,q 29 )= c (q 1,a 2 )q 29 q 47

12 Regular Languages of Nested Words A set of nested words is regular if there is a finite-state NWA that accepts it Nondeterministic automata over nested words Transition function: c : Qx ->2 QxQ, i :Q x -> 2 Q, r :Q x Q x -> 2 Q Can be determinized Appealing theoretical properties Effectively closed under various operations (union, intersection, complement, concatenation, projection, Kleene-* …) Decidable decision problems: membership, language inclusion, language equivalence … Alternate characterization: MSO, syntactic congruences

13 Determinization Goal: Given a nondeterministic automaton A with states Q, construct an equivalent deterministic automaton B Intuition: Maintain a set of summaries (pairs of states) State-space of B: 2 QxQ Initially, state contains q->q, for each q At call, if state u splits into (u,u), summary q->u splits into (q->u,u->u) At return, summaries q->u and u->w join to give q->u Acceptance: must contain q->q, where q is initial and q is final q->q q->q… q->u q->v… u->u v->v… u->w v->w… q->w q->w… q->u q->v…

14 MSO-based Characterization Monadic Second Order Logic of Nested Words First order variables: x,y,z; Set variables: X,Y,Z… Atomic formulas: a(x), X(x), x=y, x y Logical connectives and quantifiers Sample formula: For all x,y. ( (a(x) and x -> y) implies b(y)) Every call labeled a is matched by a return labeled b Thm: A language L of nested words is regular iff it is definable by an MSO sentence Robust characterization of regularity as in case of languages of words and languages of trees

15 Application: Software Analysis A program P with stack-based control is modeled by a set L of nested words it generates Choice of depends on the intended application Summary edges exposing call/return structure are added (exposure can depend on what needs to be checked) If P has finite data (e.g. pushdown automata, Boolean programs, recursive state machines) then L is regular Specification S given as a regular language of nested words Verification: Does every behavior in L satisfy S ? Take product of P and complement of S and analyze Runtime monitoring: Check if current execution is accepted by S (compiled as a deterministic automaton) Model checking: Check if L is contained in S, decidable when P has finite data (no extra cost, as analysis still requires context-free reachability)

16 Temporal Logic of Nested Time: CaRet Global paths, Local paths, Caller paths Three versions of every temporal modality Sample CaRet formulas: (if p then local-next q) global-unless r if p then caller-eventually q Global-always (if p then local-eventually q)

17 Connection to Pushdown Automata Note: First formalization of our ideas led to capturing the shape by typing of input symbols as calls, internals, and returns, and the class of Visibly Pushdown Languages (STOC04) as a subclass of deterministic context- free languages with the same closure/decidability properties. Pushdown Automata WordsParse Trees Nested Word Automata Nested words Generator Acceptor

18 New Theory Problems Congruences and minimization First-order Temporal logics for nested time Infinite nested words and -regular languages Nested trees for branching-time verification Fixpoint logics

19 Application: Document Processing XML Document CAV 2006 Seattle Sheraton MSR Cadence Model a document d as a nested word Nesting edges from to Sample Query: Find documents related to conferences sponsored by Cadence in Seattle Specify query as a regular language L of nested words Analysis: Membership question Does document d satisfy query L ? Use NWA instead of tree automata! (typically, no recursion, but only hierarchy) Query Processing

20 Nested Words vs Ordered Trees Why not use tree encoding and tree automata ? Notion of regularity is basically the same in both views Nested words are more flexible: can take prefix, suffix, word concatenation, being well-matched not a pre-req Reading input from left to right for query processing is more natural with nested words Many versions of tree automata with different properties NWA have both top-down and bottom-up aspect, more succinct! x y z a xyz bc

21 Recap 1.Program executions have both linear and hierarchical structure Allow specification logics/automata to refer to both structures Robust foundation for more expressive specifications Analysis techniques for structured programs already based uopn computing summaries, so extra expressiveness comes for free 2.Nested words are worth theoretical investigations New way of looking at pushdown automata Nested trees and fixpoint logics Temporal modalities for nested time … 3.Modeling documents as nested words can be fruitful Automata have both top-down and bottom-up flavor Better ways of querying streaming documents? Talk based on joint work with P. Madhusudan S. Chaudhuri, K. Etessami, M. Viswanathan …

Download ppt "Model Checking From Tools to Theory Rajeev Alur University of Pennsylvania 25MC, FLOC, August 2006."

Similar presentations

Ads by Google