Section: New Results
Modelbased Verification
We have investigated extensions of regular modelchecking to new classes of rewrite relations on trees. We have studied specification and proof of modular imperative programs.
Safety Verification Techniques with Regular Fixpoint Computations
Participants : Roméo Courbis, PierreCyrille Héam, Olga Kouchnarenko.
Term rewriting systems are now commonly used as a modelling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. Many recent works have shown the relevance of regular approximation techniques to tackle in practice undecidable reachability problems.
In [67] , we address the following general problem of tree regular modelchecking: decide whether R^{*}(L)L_{p} = where R^{*} is the reflexive and transitive closure of a successor relation induced by a term rewriting system R , and L and L_{p} are both regular tree languages. We develop an automatic approximationbased technique to handle this – undecidable in general – problem in most practical cases, extending an overapproximation approach initially developed in [73] to check the reachability of terms. Moreover, we also show in [37] how the approach can be used to compute underapproximations. We also make approximationbased approach fully automatic for practical validation of security protocols. In particular, the technique was successfully used to detect attacks in security protocols like NSPKxor, DHexp.
To check reachability of particular terms, we improved the overapproximation approach above. Given a term t , we try to compute an overapproximation which does not contain t by refining the approximation. If the approximation refinement fails then t is a reachable term. The above technique has been extended to leftlinear term rewriting systems. However it requires to perform some determinisation steps with an exponential time and space complexity, and it is therefore practically unfeasible. In [16] , we address this problem for nonleft linear rules by proposing an algorithm replacing determinisation (exponential steps) by polynomial time constructions on involved automata. This algorithm is a generalisation of the algorithm presented in [65] which addresses the problem of leftquadratic rules. It should be noticed that many industrial specifications give rise to nonleft linear rules, like in security protocols analysis, or in backward analysis of Java bytecode.
To go further, we propose in [35] , to exploit rewriting approximations for modelchecking of linear time temporal properties. We show the helpfulness of the reachability analysis for modelchecking three useful temporal property patterns on infinite state rewriting graphs. The reachability problem being in general undecidable on non terminating TRSs, we provide a construction based on tree automata with global equalities and disequalities (TAGED for short), and then design approximationbased semidecision procedures to modelcheck useful temporal patterns on infinite state rewriting graphs. To show that the above TAGEDbased construction can be effectively carried out, complexity analysis for rewriting TAGEDdefinable languages is given. A deep integration of our proposals in the modelchecking process is achieved by using the same overapproximations for computing (finite representations of) some parts of the infinite state model, as for verifying linear time temporal properties.
Random Generation of Tree Automata
Participant : PierreCyrille Héam.
The widespread use of automata as primitive bricks in verification motivates an ever renewed search for efficient algorithms taking automata as input. Developing new algorithms and heuristics raises crucial evaluation issues, as improved worstcase complexity upperbounds do not always transcribe into clear practical gains. A suite for software performance evaluation can usually gather three types of entries:(All of the three types are used in SATsolver competitions like http://www.satcompetition.org/ .)

benchmarks, i.e. large sets of typical samples, which can be prohibitively difficult to collect, and thus only exist for a few general problems,

hard instances, that provide good estimations of the worst case behaviour, but are not always relevant for average case evaluations,

random inputs, that deliver average complexity estimations, for which the catch resides in obtaining a meaningful random distribution (for instance a uniform random distribution). As the mathematical computation of the average complexity of an algorithm is an intricate task that cannot be undertaken in general, random inputs can prove themselves invaluable for its empirical estimation.
We present in [38] a general rejection algorithm that uniformaly generates sequential lettertoletter transducers up to isomorphism. We tailor this general scheme to randomly generate deterministic tree walking automata and deterministic topdown tree automata. We apply our implementation of the generator to the estimation of the average complexity of a deterministic tree walking automata to nondeterministic topdown tree automata construction we also implemented. Overall, the translation results in a size increase on average, which is significantly better than the worstcase bound.
Integer Weighted Automata Positivity Problem
Participants : PierreCyrille Héam, Olga Kouchnarenko.
Weighted automata is a formalism widely used in computer science for applications in image compression, speechtotext processing or discrete event systems. These large application areas make them intensively studied from the theoretical point of view. The expressive power of these automata is high enough so that many natural problems are not decidable. Among them the problem to know whether for a given integer weighted automaton , every word has a positive cost, called the positivity problem, was shown to be undecidable [74] . This problem is of special interest because systems/components comparisons modelled by integer weighted automata can be based on or reduced to it.
In [27] , we translate the above problem into a reachability problem and investigate two semidecision approaches to tackle it. The first approach is based on a configuration space exploration using a pruning property to reduce the search. The second approach uses a rewriting encoding of the problem and applies approximation techniques developed in the rewriting theoretical framework. These two approaches have been implemented and tested on random inputs providing promising results.
Modular Specification of Imperative Programs
Participants : Alain Giorgetti, Olga Kouchnarenko, Elena Tushkanova.
A well conceived program is developed in a modular way, that is by the structured assembly of simpler components. A challenge is to get modularity to specify and prove modular imperative programs. It is one of the objectives of the INRIA CeProMi “Action de Recherche Collaborative”(ARC). In [61] we have illustrated the subject by specifying an algorithm to sort a Java array. An INRIA research report on all the CASSIS contributions to the CeProMi project will be made public at the end of 2009. Some of the work done prepares a joint (intra Cassis, NancyBesançon) work on “Specification and formal certification of (combination of) decision procedures”.