Project-Cassis:Model-based Verification

Inria / Raweb 2009
Presentation of the Project Cassis

Section: New Results

Model-based Verification

We have investigated extensions of regular model-checking to new classes of rewrite relations on trees. We have studied specification and proof of modular imperative programs.

Safety Verification Techniques with Regular Fixpoint Computations

Participants : Roméo Courbis, Pierre-Cyrille Héam, Olga Kouchnarenko.

Term rewriting systems are now commonly used as a modelling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. Many recent works have shown the relevance of regular approximation techniques to tackle in practice undecidable reachability problems.

In [67] , we address the following general problem of tree regular model-checking: decide whether R^*(L) $\cap$ L_p = $\emptyset$ where R^* is the reflexive and transitive closure of a successor relation induced by a term rewriting system R , and L and L_p are both regular tree languages. We develop an automatic approximation-based technique to handle this – undecidable in general – problem in most practical cases, extending an over-approximation approach initially developed in [73] to check the reachability of terms. Moreover, we also show in [37] how the approach can be used to compute under-approximations. We also make approximation-based approach fully automatic for practical validation of security protocols. In particular, the technique was successfully used to detect attacks in security protocols like NSPK-xor, DH-exp.

To check reachability of particular terms, we improved the over-approximation approach above. Given a term t , we try to compute an over-approximation which does not contain t by refining the approximation. If the approximation refinement fails then t is a reachable term. The above technique has been extended to left-linear term rewriting systems. However it requires to perform some determinisation steps with an exponential time and space complexity, and it is therefore practically unfeasible. In [16] , we address this problem for non-left linear rules by proposing an algorithm replacing determinisation (exponential steps) by polynomial time constructions on involved automata. This algorithm is a generalisation of the algorithm presented in [65] which addresses the problem of left-quadratic rules. It should be noticed that many industrial specifications give rise to non-left linear rules, like in security protocols analysis, or in backward analysis of Java bytecode.

To go further, we propose in [35] , to exploit rewriting approximations for model-checking of linear time temporal properties. We show the helpfulness of the reachability analysis for model-checking three useful temporal property patterns on infinite state rewriting graphs. The reachability problem being in general undecidable on non terminating TRSs, we provide a construction based on tree automata with global equalities and disequalities (TAGED for short), and then design approximation-based semi-decision procedures to model-check useful temporal patterns on infinite state rewriting graphs. To show that the above TAGED-based construction can be effectively carried out, complexity analysis for rewriting TAGED-definable languages is given. A deep integration of our proposals in the model-checking process is achieved by using the same over-approximations for computing (finite representations of) some parts of the infinite state model, as for verifying linear time temporal properties.

Random Generation of Tree Automata

Participant : Pierre-Cyrille Héam.

The widespread use of automata as primitive bricks in verification motivates an ever renewed search for efficient algorithms taking automata as input. Developing new algorithms and heuristics raises crucial evaluation issues, as improved worst-case complexity upper-bounds do not always transcribe into clear practical gains. A suite for software performance evaluation can usually gather three types of entries:(All of the three types are used in SAT-solver competitions like http://www.satcompetition.org/ .)

benchmarks, i.e. large sets of typical samples, which can be prohibitively difficult to collect, and thus only exist for a few general problems,
hard instances, that provide good estimations of the worst case behaviour, but are not always relevant for average case evaluations,
random inputs, that deliver average complexity estimations, for which the catch resides in obtaining a meaningful random distribution (for instance a uniform random distribution). As the mathematical computation of the average complexity of an algorithm is an intricate task that cannot be undertaken in general, random inputs can prove themselves invaluable for its empirical estimation.

We present in [38] a general rejection algorithm that uniformaly generates sequential letter-to-letter transducers up to isomorphism. We tailor this general scheme to randomly generate deterministic tree walking automata and deterministic top-down tree automata. We apply our implementation of the generator to the estimation of the average complexity of a deterministic tree walking automata to nondeterministic top-down tree automata construction we also implemented. Overall, the translation results in a $Im3 ${\#119978 (2^n)}$$ size increase on average, which is significantly better than the worst-case $Im4 ${\#119978 (2^{n2})}$$ bound.

Integer Weighted Automata Positivity Problem

Participants : Pierre-Cyrille Héam, Olga Kouchnarenko.

Weighted automata is a formalism widely used in computer science for applications in image compression, speech-to-text processing or discrete event systems. These large application areas make them intensively studied from the theoretical point of view. The expressive power of these automata is high enough so that many natural problems are not decidable. Among them the problem to know whether for a given integer weighted automaton $Im5 $\#119964 $$ , every word has a positive cost, called the positivity problem, was shown to be undecidable [74] . This problem is of special interest because systems/components comparisons modelled by integer weighted automata can be based on or reduced to it.

In [27] , we translate the above problem into a reachability problem and investigate two semi-decision approaches to tackle it. The first approach is based on a configuration space exploration using a pruning property to reduce the search. The second approach uses a rewriting encoding of the problem and applies approximation techniques developed in the rewriting theoretical framework. These two approaches have been implemented and tested on random inputs providing promising results.

Modular Specification of Imperative Programs

Participants : Alain Giorgetti, Olga Kouchnarenko, Elena Tushkanova.

A well conceived program is developed in a modular way, that is by the structured assembly of simpler components. A challenge is to get modularity to specify and prove modular imperative programs. It is one of the objectives of the INRIA CeProMi “Action de Recherche Collaborative”(ARC). In [61] we have illustrated the subject by specifying an algorithm to sort a Java array. An INRIA research report on all the CASSIS contributions to the CeProMi project will be made public at the end of 2009. Some of the work done prepares a joint (intra Cassis, Nancy-Besançon) work on “Specification and formal certification of (combination of) decision procedures”.

Logo Inria