Section: New Results
We have investigated extensions of regular model-checking to new classes of rewrite relations on trees. We have applied model-checking to collaborative editors and studied generation of JML annotations for liveness properties. Finally we have proposed test-generation techniques from behaviours or scenarii.
Safety Verification Techniques with Regular Fixpoint Computations
Term rewriting systems are now commonly used as a modelling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. Many recent works have shown the relevance of regular approximation techniques to tackle in practice undecidable reachability problems.
In  we show a theoretical limit of regular fixpoint-based techniques pointing out a regular tree language I , a left-linear term rewriting system R and a term t such that and t is in every regular over-approximation of R*( I) . Hence, it is not possible to prove by using regular over-approximations.
In  , we improve an over-approximation approach initially developed in  to check the reachability of terms. Given a term t , we try to compute an over-approximation which does not contain t by refining the approximation. If the approximation refinement fails then t is a reachable term. This semi-algorithm has been prototyped in the Timbuk tool. The above technique works for linear term-rewriting systems. This approach has been extended to left-linear term rewriting systems using results in  . However it requires to perform some determinisation steps with an exponential time and space complexity and it is therefore practically unfeasible. We address this problem for left-quadratic rules by proposing in  an algorithm replacing determinisation steps by polynomial time constructions on involved automata. It should be noticed that many industrial specifications give rise to non-left linear rules that are left-quadratic ones.
Partially Ordered Tree Automata
Participant : Pierre-Cyrille Héam.
Computing images of regular languages by transitive closures of semi-commutation relations (i.e. of the form abba ) is a quite old trace theory problem that has been recently revisited in a regular model-checking context. The work in  shows that if a regular word language is accepted by a partially ordered automaton (or equivalently by a 2 formula in First Order Logic), then its image by the transitive closure of semi-commutation relation is computable, regular and also accepted by a partially ordered automaton. We extended in  this result to a larger class of regular languages and by proposing a better computation algorithm. We investigate in  whether results can be extended to tree data structures. We show that the class of tree languages accepted by 2 formulae on trees is strictly included in the class of tree languages accepted by partially ordered tree automata. Moreover, we point out a regular tree language K accepted by a 2 formula and a semi-commutation relation R such that R*( K) is not regular.
Regular Model-Checking with Hedges
Participant : Michaël Rusinowitch.
We consider in collaboration with F. Jacquemard (DAHU project)  rewriting systems for unranked ordered terms, i.e. trees where the number of successors of a node is not determined by its label, and is not a priori bounded. The rewriting systems are defined such that variables in the rewrite rules can be substituted by hedges (sequences of terms) instead of just terms. Consequently, this notion of rewriting subsumes both standard term rewriting and word rewriting. We investigate some preservation properties for two classes of languages of unranked ordered terms under this generalization of term rewriting. The considered classes include languages of hedge automata (HA) and some extension (called CF-HA) with context-free languages in transitions, instead of regular languages. In particular, we show that the set of unranked terms reachable from a given HA language, using a so called inverse context-free rewrite system, is a HA language. Moreover, we prove that the closure of CF-HA languages with respect to restricted context-free rewrite systems, the symmetric case of the above rewrite systems, is a CF-HA language. As a consequence, the problems of ground reachability and regular hedge model checking are decidable in both cases. Several counterexamples show that we cannot relax the restrictions.
Model-Checking Optimistic Replication Algorithms
Participant : Abdessamad Imine.
We consider in collaboration with Hanifa Boucheneb (Professor at Ecole Polytechnique de Montréal, Canada) automatic verification of optimistic replication algorithms, based on the Operational Transformation (OT) approach, that are mostly used for supporting collaborative edition  . Using the UPPAAL Model Checker, we formally define the behavior and the main consistency requirement ( i.e. convergence property ) of the collaborative editing systems, as well as the abstract behavior of the environment where these systems are supposed to operate. Two models are proposed. The first one, called concrete model , is very close to the system implementation but runs up against a severe explosion of states. The second model, called symbolic model , aims to overcome the limitation of the concrete model by delaying the effective selection and execution of editing operations until the construction of symbolic execution traces of all sites is completed. Experimental results have shown that the symbolic model allows a significant gain in both space and time. Using the symbolic model, we have been able to show that if the number of sites exceeds 2 then the convergence property is not satisfied for all OT algorithms considered here. A counterexample is provided for every algorithm.
In joint work with J. Groslambert (Trusted Labs) we address static checking of liveness properties via JML annotations  . Static checking is essential for the security of software components. As a component model, we consider a Java class enriched with annotations from the Java Modeling Language (JML). We define a formal execution semantics for repetitive method invocations from this annotated class, called the class in isolation semantics. A pattern of liveness properties is defined, together with its formal semantics, providing a foundation for both static and runtime checking. This pattern is then inscribed in a complete language of temporal properties, called JTPL (Java Temporal Pattern Language), extending JML. We particularly address the verification of liveness properties by automatically translating the temporal properties into JML annotations for this class. Correctness of the generated annotations ensures that the temporal property is established for the executions of the class in isolation.