Presentation is loading. Please wait.

Presentation is loading. Please wait.

A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia."— Presentation transcript:

1 A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia

2 Overview Context: Software model checking Paradigm: Abstract program into a boolean pushdown model Check if model satisfies the specification Main Contribution: A temporal logic (CARET) that can express useful properties of software that cannot be expressed by LTL/automata. CARET formulas express context-free properties Pushdown models can be model-checked against CARET. Moreover, Complexity of checking CARET is same as Complexity of checking LTL

3 Model Checking  Formally model the system  Model is an abstraction of the system  Model is less complex  Formal specification  Temporal logics (LTL [Pnu76], CTL [CES81]), Automata  Algorithmically verify whether model satisfies the specification System Verifier Model Abstractor Correctness specification Yes! No (Counterexample)

4 Abstracting Software int x, y; if x>0 { ……. y:=x+1.…… } else { …… y:=x+1 …… } b x : x>0 b y : y>0 Program bool b x, b y ; if b x { ……… b y :=true ……… } else { ………… b y :={true,false} ………. } Boolean Program

5 Boolean programs Boolean programs are hence finite state transition systems Entry points Exit points bool b x, b y ; if b x { ……… b y :=true ……… } else { ………… b y :={true,false} ………. } Boolean Program

6 Abstracting Modular Programs main() { bool y; … x = P(y); … z = P(x); … } bool P(u: bool) { … return Q(u); } bool Q(w: bool) { if … else return P(~w) } A2 A1 A3 A2 A3 A1 Entry-point Exit-point Box (superstate) Program Recursive State Machine (RSM)/ Pushdown automaton

7 Abstracting Modular Programs main() { bool y; … x = P(y); … z = P(x); … } bool P(u: bool) { … return Q(u); } bool Q(w: bool) { if … else return P(~w) } A2 A1 A3 A2 A3 A1 Entry-point Exit-point Box (superstate) Program Recursive State Machine (RSM)/ Pushdown automaton Nice graphical representation of pushdown models! Algorithms can work on this graph directly.

8 Abstracting modular programs  To model control flow, we need to model the call stack Models of programs are hence pushdown transition systems  Algorithms exist for checking regular specifications against pushdown models [BS92,BEM97]  Convert specification into a regular language ----> get L  Complement the (regular) specification L ----> get L  Intersection of a regular language and a context-free language is context-free: let L’’ = L M  L  Emptiness of pushdown automata is solvable: check if L’’ =  L’’=  iff model M satisfies specification  In practice, “summary” procedures are used:  Eg. SLAM (Microsoft Res.)

9 LTL  Linear-time Temporal Logic (LTL) over Prop: Q ::- p | not Q | Q or Q’ | Next Q | Always Q | Eventually Q | Q Until Q’ Interpreted over (infinite) sequences: X 0 X 1 X 2 X 3 X 4 … … … where each X i Prop. Useful for stating sequencing properties:  If req happens, then req holds until it is granted: Always ( req → (req Until grant) ) For any formula Q, Models(Q) is a regular language.

10 LTL is not expressive enough LTL cannot express:  Classical Hoare-style pre/post conditions  If p holds when procedure A is invoked, q holds upon return  Total correctness: every invocation of A terminates  Integral part of emerging standard JML  Stack inspection properties For security/access control  If a variable x is being accessed, procedure A must be in the call stack Above requires matching of calls with returns, or finding unmatched calls --- Context-free properties!

11 Context-free specifications But model-checking context-free properties against context-free models is Undecidable. (Inclusion of CFLs is undecidable) However, the properties described are verifiable.  Existing work in security that handles some stack inspection properties [JMT99, JKS03] Question: Define a logic that can state the above properties and is yet model-checkable against pushdown models.

12 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL ………….

13 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL …………. Abstract successor: Jump from calls to returns Otherwise global successor at the same level

14 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL …………. Abstract successor: Jump from calls to returns Otherwise global successor at the same level

15 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL …………. Abstract successor: Jump from calls to returns Otherwise global successor at the same level Abstract path

16 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL …………. Abstract successor: Jump from calls to returns Otherwise global successor at the same level Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes

17 CARET CARET: A temporal logic for Calls and Returns Expresses context-free properties A B C A Global successor used by LTL …………. Abstract successor: Jump from calls to returns Otherwise global successor at the same level Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes Caller path gives the stack content!

18 CARET Definition Syntax: Q ::- p | not Q | Q or Q’ | Next Q | Always Q | Eventually Q | Q Until Q’ Abs-Next Q | Abs-always Q Abs-Eventually Q | Q Abs-Until Q’ Caller Q | Callerpath-always Q CallerPath-Eventually Q | Q CallerPath-Until Q’  Abstract- and Caller- versions of all temporal operators  All these operators can be nested

19 Expressing properties in Caret  Pre-post conditions  If P holds when A is called, then Q must hold when the call returns Always ( (P and call-to-A) Abstract-Next Q ) A P Q Pre-post conditions are integral to specifications for JML (Java Modeling Language)

20 Expressing properties in Caret  All calls to A return Always ( call-to-A Abstract-Next true ) A

21 Expressing properties in Caret  If A is called with low priority, then it cannot access the file Always ( call-to-A and low-priority Abstract-Always ( not access-file ) ) A lowpriority A highpriority access-file

22 Expressing properties in Caret Stack inspection properties  If variable x is accessed, then A must be on the call stack Always ( access-to-x CallerPath-Eventually A ) access-to-x A Also, CARET can express data-flow analysis properties

23 Model checking CARET  Given: A (boolean) recursive state machine/ pushdown automaton M A CARET formula Q  Model-checking: Do all runs of M satisfy the specification Q? CARET can be model-checked in time that is polynomial in M and exponential in Q. |M| 3. 2 O(|Q|) In fact in time |M|. θ 2. 2 O(|Q|) where θ = max number of entries/exits Complexity same as that for LTL !

24 Model checking CARET Given: Pushdown model M and CARET formula Q  Build a Büchi pushdown automaton A :  States: (s, T) where s is a state of the model T is a subset of “FL-closure” of subformulas of Q A accepts a word w iff w is a behaviour of M and w does not satisfy Q

25 Model-checking CARET: intuition Main Idea:  The specification matches calls and returns of the program.  Hence the push (pop) operations of the model and the specifications synchronize Handling Abs-Next formulas s, Q1 s Push s and Q1 Abs-Next Q1 Pop s and Q1 ; Check Q1

26 Model-checking CARET: intuition Handling Caller formulas: Keep track of which caller formulas are true. s, Caller Q1 Caller Q1 Q1 Abs-Next Q1 s Caller Q1 Can similarly handle Caller-path until formulas

27 Model-checking CARET: intuition Handling Abs-Until formulas: There can be infinitely many abstract paths. Signalling Buchi sets cannot be done for all these paths as they satisfy different Until-formulas However, there is only one infinite abstract path in any run. Automaton will guess this infinite path and use Buchi final states to signal acceptance on this path. On finite abstract paths, Buchi condition is not needed.

28 Future work that’s done already! Generalizing the idea:  M and L are context-free. Checking if M is a subset of L is decidable. So, what is going on? Intuition: M and L are synchronizing on stack operations. Can we generalize this idea? LTL Regular languages CARET ???

29 Generalizing the idea (to appear in STOC ’04)  Structured words: Partitioned alphabet: Σ = S push  S pop  S internal  Consider finite words over Σ  A visibly pushdown automaton over Σ is a pushdown automaton that  pushes a symbol onto the stack on a letter in S push  pops the stack on a letter in S pop  cannot change the stack on a letter in S internal Note: Stack size at any time is determined by the input word but not the stack content

30  A language is a VPL over a partitioned alphabet Σ, if there is a visibly pushdown automata that accepts it (acceptance by final state) CARET is contained in VPL Model-checking:  CARET Q  VPL L Q  Pushdown model M  VPL L M  M satisfies Q iff L M  L Q =  (Emptiness of pushdown automata is decidable) Visibly pushdown languages (VPL) VPL is closed under boolean operations: union, intersection and complement

31 Conclusions CARET: logic of context free specifications Specification logic for expressing interesting properties of software: pre-post conditions, stack-inspection, etc. Model-checking CARET is not more expensive than LTL. Checkable in time |M| 3. 2 O(|Q|) Also, existing model-checking algorithms can be extended easily to verify CARET.

32 Future work  Build a tool for model-checking CARET (should be simple!)  How robust is CARET? Are there more useful operators that can be handled easily? Conjecture: CARET captures all FO-definable properties of VPLs?  Can one solve games for CARET specifications? (ongoing work)

33 CARET Definition Syntax:  ::- p | ~  |    ’ | Ο  | □  | ◊  |  U  ’ | Ο a  | □ a  | ◊ a  |  U a  ’ | Ο c  | □ c  | ◊ c  |  U c  ’  Abstract- and Caller- versions of all temporal operators  All these operators can be nested

Download ppt "A temporal logic for calls and returns P. Madhusudan University of Pennsylvania Joint work with Rajeev Alur and Kousha Etessami Talk at HCES 2004, Philadelphia."

Similar presentations

Model Checking From Tools to Theory University of Pennsylvania

Model Checking From Tools to Theory University of Pennsylvania
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.
Pushdown Automata Chapter 12. Recognizing Context-Free Languages Two notions of recognition: (1) Say yes or no, just like with FSMs (2) Say yes or no,

Pushdown Automata Chapter 12. Recognizing Context-Free Languages Two notions of recognition: (1) Say yes or no, just like with FSMs (2) Say yes or no,
Pushdown Automata Chapter 12. Recognizing Context-Free Languages We need a device similar to an FSM except that it needs more power. The insight: Precisely.

Pushdown Automata Chapter 12. Recognizing Context-Free Languages We need a device similar to an FSM except that it needs more power. The insight: Precisely.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.

The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.
CS21 Decidability and Tractability

CS21 Decidability and Tractability
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Similar presentations

Ads by Google