Abstract
We present in this paper a new approach to the static analysis of concurrent programs with procedures. To this end, we model multithreaded programs featuring recursive procedure calls and synchronization by rendezvous between parallel threads with communicating pushdown systems (from now on CPDSs). The reachability problem for this particular class of automata is unfortunately undecidable. However, it has been shown that an efficient abstraction of the execution traces language can nonetheless be computed. To this end, an algebraic framework to overapproximate contextfree languages has been introduced by Bouajjani et al. In this paper, we combine this framework with an automatatheoretic approach in order to approximate an answer to the model checking problem of the lineartime temporal logic (from now on LTL) on CPDSs. We then present an algorithm that, given a singleindexed or stutterinvariant LTL formula, allows us to prove that no run of a CPDS verifies this formula if the procedure ends.
This is a preview of subscription content, access via your institution.
References
 1.
Atig MF (2012) Modelchecking of ordered multipushdown automata. Log Methods Comput Sci 8(3):20
 2.
Bouajjani A, Esparza J, Maler O (1997) Reachability analysis of pushdown automata: Application to modelchecking. In: Mazurkiewicz A, Winkowski J (eds) CONCUR ’97: Concurrency Theory. Springer, Berlin Heidelberg, pp 135–150
 3.
Bouajjani A, Esparza J, Touili T (2003) A generic approach to the static analysis of concurrent programs with procedures. In: Proceedings of the 30th ACM SIGPLAN–SIGACT symposium on principles of programming languages, POPL ’03. ACM, New York, pp 62–73
 4.
Bouajjani A, MüllerOlm M, Touili T (2005) Regular symbolic analysis of dynamic networks of pushdown systems. In: Abadi M, de Alfaro L (eds) CONCUR 2005—concurrency theory. Springer, Berlin, pp 473–487
 5.
Caucal D (1992) On the regular structure of prefix rewriting. Theor Comput Sci 106(1):61–86
 6.
Chaki S, Clarke E, Kidd N, Reps T, Touili T (2006) Verifying concurrent messagepassing c programs with recursive calls. In: Hermanns H, Palsberg J (eds) Tools and algorithms for the construction and analysis of systems, ETAPS ’06. Springer, Berlin
 7.
Esparza J, Hansel D, Rossmanith P, Schwoon S (2000) Efficient algorithms for model checking pushdown systems. In: Proceedings of the 12th international conference on computer aided verification, CAV ’00. Springer, London, pp 232–247
 8.
Kesten Y, Manna Z, McGuire H, Pnueli A (1993) A decision algorithm for full propositional temporal logic. In: Courcoubetis C (ed) Computer aided verification. Springer, Berlin, pp 97–109
 9.
Patin G, Sighireanu M, Touili T (2007) Spade: verification of multithreaded dynamic and recursive programs. In: Damm W, Hermanns H (eds) Computer aided verification. Springer, Berlin, pp 254–257
 10.
Peled DA, Wilke T (1997) Stutterinvariant temporal properties are expressible without the nexttime operator. Inf Process Lett 63(5):243–246
 11.
Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th annual symposium on foundations of computer science, SFCS ’77. IEEE Computer Society, Washington, DC, pp 46–57
 12.
Pommellet A, Touili T (2017) Static analysis of multithreaded recursive programs communicating via rendezvous. In: APLAS, volume 10695 of lecture notes in computer science. Springer, pp 235–254
 13.
Pommellet A, Touili T (2018) LTL modelchecking for communicating concurrent programs. In: Verification and evaluation of computer and communication systems—12th international conference, VECoS 2018, Grenoble, France, September 26–28, 2018, Proceedings, pp 150–165
 14.
Qadeer S, Rehof J (2005) Contextbounded model checking of concurrent software. In: Halbwachs N, Zuck LD (eds) Tools and algorithms for the construction and analysis of systems. Springer, Berlin, pp 93–107
 15.
Qadeer S, Wu D (2004) KISS: keep it simple and sequential. In: Proceedings of the ACM SIGPLAN 2004 conference on programming language design and implementation, PLDI ’04. ACM, New York, pp 14–24
 16.
Ramalingam G (2000) Contextsensitive synchronizationsensitive analysis is undecidable. ACM Trans Program Lang Syst 22(2):416–430
 17.
Song F, Touili T (2014) Efficient CTL modelchecking for pushdown systems. Theor Comput Sci 549:127–145
 18.
Song F, Touili T (2015) Modelchecking dynamic pushdown networks. Form Asp Comput 27(2):397–421
 19.
Song F, Touili T (2016) LTL modelchecking for dynamic pushdown networks communicating via locks. CoRR arXiv:1611.02528
 20.
Torre SL, Madhusudan P, Parlato G (2007) A robust class of contextsensitive languages. In: 22nd Annual IEEE symposium on logic in computer science (LICS 2007), pp 161–170
Acknowledgements
Funding was provided by Université Paris Diderot.
Author information
Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: Kleene abstractions
We detail the mathematical framework introduced by Bouajjani et al. [3] in order to abstract trace languages of PDSs.
A.1 Abstractions and Galois connections
Let \(\mathcal {L} = (2^{ Act ^*}, \subseteq , \cup , \cap , \emptyset , Act ^*)\) be the complete lattice of languages on Act.
Our abstraction of \(\mathcal {L}\) requires a lattice \(E = ( D, \le , \sqcup , \sqcap , \bot , \top )\), from now on called the abstract lattice, where D is a set called the abstract domain, as well as a pair of mappings \(( \alpha , \beta )\) called a Galois connection, where \(\alpha : 2^{ Act ^*} \rightarrow D\) and \(\beta : D \rightarrow 2^{ Act ^*}\) are such that
\(\forall L \in \mathcal {L}\), given a Galois connection \((\alpha , \beta )\), we have \(L \subseteq \beta (\alpha ( L ))\); the Galois connection can be used to overapproximate a language in \(2^{ Act ^*}\) (e.g. the trace language of a PDS).
Moreover, it is easy to see that
if and only if
A.2 Kleene algebras
We consider a special class of abstractions called Kleene abstractions.
An idempotent semiring is a structure \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\), where \(\oplus \) is an associative, commutative, and idempotent (\(a \oplus a = a\)) operation such that A is closed under the infinite sum \(\bigoplus \), and \(\odot \) is an associative operation. \(\overline{0}\) and \(\overline{1}\) are neutral elements for \(\oplus \) and \(\odot \), respectively, \(\overline{0}\) is an annihilator for \(\odot \) (\(a \odot \overline{0} = \overline{0} \odot a = \overline{0}\)) and \(\odot \) distributes over \(\oplus \).
K is an \( Act \)semiring if it can be generated by \(\overline{0}\), \(\overline{1}\), and elements of the form \(v_{a} \in A\), \(\forall a \in Act \). A semiring is said to be closed if \(\oplus \) can be extended to an operator over countably infinite sets while keeping the same properties as \(\oplus \).
We define \(a^{0} = \overline{1}\), \(a^{n+1} = a \odot a^{n}\) and \(a^{*} = \mathop {\bigoplus } \limits _{n \ge 0} a^{n}\). Adding the \(*\) operation to an idempotent closed \( Act \)semiring K transforms it into a Kleene algebra.
A.3 Kleene abstractions
An abstract lattice \(E = ( D, \le , \sqcup , \sqcap , \bot , \top )\) is said to be compatible with a Kleene algebra \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\) if \(D = A\), \(x \le y \Leftrightarrow x \oplus y = y\), \(\bot = \overline{0}\) and \(\sqcup = \oplus \).
A Kleene abstraction is an abstraction such that the abstract lattice E is compatible with the Kleene algebra and the Galois connections \(\alpha : 2^{ Act ^*} \rightarrow D\) and \(\beta : D\rightarrow 2^{ Act ^*}\) are defined by:
Intuitively, a Kleene abstraction is such that the abstract operations \(\oplus \), \(\odot \), and \(*\) can be matched to the union, the concatenation, and the Kleene closure of the languages of the lattice \(\mathcal {L}\), \(\overline{0}\) and \(\overline{1}\) to the empty language and \(\{ \varepsilon \}\), \(v_a\) to the language \(\{ a \}\), the upper bound \(\top \in K\) to \( Act ^*\), and the operation \(\sqcap \) to the intersection of languages in the lattice \(\mathcal {L}\).
In order to compute \(\alpha ( L )\) for a given language L, each word \(a_{1} \ldots a_{n}\) in L is matched to its abstraction \(v_{a_1} \odot \ldots \odot v_{a_n}\), and we consider the sum of these abstractions.
A finitechain abstraction is such that the lattice \(( A, \le )\) has no infinite ascending chains: as a consequence, infinite sequences of concatenations \(\bigodot \limits _{i \ge 0} v_{a_i}\) can be defined and effectively computed, and the abstraction framework can be applied to infinite traces in \( Act ^\omega \). The prefix and first occurrence ordering abstractions defined previously are finitechain.
A.4 The set of Kpredecessors
Let \(\mathcal {P} = ( P, Act , \varGamma , \varDelta , c_0 )\) be a PDS and \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\) a Kleene algebra corresponding to a Kleene abstraction of the set \( Act \).
We define inductively the set \(\varPi _{K}\) of path expressions as the smallest subset of K such that:

\(\overline{1} \in \varPi _{K}\);

if \(\pi \in \varPi _{K}\), then \(\forall a \in Act \), \(v_a \odot \pi \in \varPi _{K}\).
For a given path expression \(\pi \), we define its length \(\left \pi \right \) as the number of occurrences of simple elements of the form \(v_a\) in \(\pi \).
A Kconfiguration of \(\mathcal {P}\) is a pair \((c, \pi )\) in \( Conf ^K_\mathcal {P} = P \times \varGamma ^* \times \varPi _K\). We can extend the transition relation \(\longrightarrow _{\mathcal {P}}\) to Kconfigurations with the following semantics: \(\forall a \in Act \), if \(c \xrightarrow {a}_{\mathcal {P}} c'\), then
\(( c, v_{a} \odot \pi )\) is said to be an immediate Kpredecessor of \(( c', \pi )\). The reachability relation \(\leadsto _{\mathcal {P}, K}\) is the reflexive transitive closure of \(\longrightarrow _{\mathcal {P}, K}\).
Given a set of configurations C, we introduce the set of Kconfigurations \( pre _{K}^{*} ( \mathcal {P}, C )\):
If \(( c, \pi ) \in pre _{K}^{*} ( \mathcal {P}, C )\), then, by definition of the Kleene abstraction, \(( c, \pi ) \leadsto _{\mathcal {P}, K} ( c', \overline{1} )\) for some \(c' \in C\). Intuitively, the abstract path expression \(\pi \) is meant to be the abstraction of an actual trace from \(c'\) to C.
B Abstracting traces of pushdown systems
We now present the automatatheoretic approach used by Bouajjani et al. in [3] to compute the set \( pre _{K}^{*} (\mathcal {P}, C)\) in order to abstract runs of PDSs.
B.1 Representing regular sets of configurations
In order to represent regular sets of configurations, we consider the following structure:
Definition 12
(Bouajjani et al. [2]) Let \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta , c_0)\) be a pushdown system. A \(\mathcal {P}\)automaton \(\mathcal {A} = (Q, \varGamma , \delta , I, F)\) is a finitestate automaton on the stack alphabet \(\varGamma \) of \(\mathcal {P}\) where Q is a set of states such that \(P \subseteq Q\), \(I = P\) the set of initial states, \(F \subseteq Q\) the set of final states, and \(\delta \subseteq Q \times \varGamma \cup \{\varepsilon \} \times Q\) a set of transitions.
Intuitively, a \(\mathcal {P}\)automaton is a finitestate automaton whose edges are labelled by stack symbols of \(\mathcal {P}\) and whose initial states represent the states of \(\mathcal {P}\).
Let \(\rightarrow _\mathcal {A}\) be the transition relation inferred from \(\delta \). We say that \(\mathcal {A}\)accepts a configuration \(\langle p, w \rangle \) if there is a path \(p \xrightarrow {w}\!\!^*_\mathcal {A} f\) such that \(f \in F\). Let \(\mathcal {L} (\mathcal {A}) \subseteq Conf _\mathcal {P}\) be the set of configurations accepted by \(\mathcal {A}\). Obviously, the following lemma holds:
Lemma 3
(Bouajjani et al. [2]) A set of configurations \(\mathcal {C}\) of a PDS \(\mathcal {P}\) is regular if and only if there exists a \(\mathcal {P}\)automaton \(\mathcal {A}\) such that \(\mathcal {L} (\mathcal {A}) = \mathcal {C}\).
Let \(\mathcal {C}\) be a regular set of configurations of a PDS \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\), and let \(\mathcal {A}\) be a \(\mathcal {P}\)automaton accepting \(\mathcal {C}\). It has been proven by Caucal [5] that the sets \( pre ^* (\mathcal {P}, \mathcal {C})\) is regular. Moreover, it can be computed by applying a saturation procedure (where new transitions are incrementally added until a fixed point is reached) to a \(\mathcal {P}\)automaton representing C:
Theorem 8
(Bouajjani et al. [2]) Given a PDS \(\mathcal {P}\) and a regular set of configurations \(\mathcal {C}\), there exists a \(\mathcal {P}\)automaton \(\mathcal {A}_{ pre ^*}\) accepting \( pre ^* \left( \mathcal {C}\right) \).
B.2 Kautomata
\(\mathcal {P}\)automata are used to represent regular sets of configurations. They can be extended to Kautomata in order to handle sets of Kconfigurations of a PDS \(\mathcal {P}\).
Definition 13
(Kautomata) A Kautomaton matched to a PDS \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\) is a tuple \(\mathcal {A} = (Q, \varGamma , \delta , I, F)\) where Q is a finite set of control states, \(\delta \subseteq Q \times \varGamma \times K \times Q\) a finite set of transition rules, \(I = P\) the set of initial states, and \(F \subseteq Q\) the set of final states.
Intuitively, a Kautomaton can be seen as a \(\mathcal {P}\)automaton whose transitions labelled by stack symbols in \(\varGamma \) have been given an additional label in K. In a similar manner, \(\mathcal {P}\)automaton can be seen as Kautomaton whose transitions are all labelled by \(\overline{1}\).
We define \(\longrightarrow _{\mathcal {A}} \subseteq Q \times \varGamma ^* \times K \times Q \times \) as the smallest transition relation satisfying:

\(q \xrightarrow {( \varepsilon , \overline{1} )}_{\mathcal {A}} q\) for every \(q \in Q\);

if \(( q, \gamma , e, q' ) \in \delta \), then \(q \xrightarrow {( \gamma , e )}_{\mathcal {A}} q'\);

if \(q \xrightarrow {( w, e )}_{\mathcal {A}} q'\) and \(q' \xrightarrow {( w', e' )}_{\mathcal {A}} q''\) as well, then \(q \xrightarrow {( w w', e \odot e' )}_{\mathcal {A}} q''\).
We say that the Kautomaton \(\mathcal {A}\) accepts a Kconfiguration \(( < p, w >, \pi )\) if \(p \xrightarrow {( w, e )}_{\mathcal {A}} q\) for \(q \in F\) and some \(e \in K\) such that \(\pi \le e\).
Let \(\mathcal {L}_K ( \mathcal {A} )\) be the set of all configurations accepted by \(\mathcal {A}\), and \(\mathcal {T}_K ( \mathcal {A} ) = \{ \pi \mid \exists c \in C, ( c, \pi ) \in \mathcal {L}_K ( \mathcal {A} ) \}\) the set of abstract traces matched to these configurations.
By adding extra labels in K to the \(\mathcal {P}\)automaton \(\mathcal {A}_{pre^*}\) accepting \( pre ^* \left( \mathcal {C}\right) \) yielded by Theorem 1, we can compute a Kautomaton accepting set \( pre _{K}^{*} ( \mathcal {P}, C )\) using an iterative fixpoint algorithm:
Theorem 9
(Bouajjani et al. [3]) Let \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\) be a PDS, \(\mathcal {A}\) a \(\mathcal {P}\)automaton accepting a regular set of configurations C, and K a Kleene algebra matched to a finitechain Kleene abstraction \(\alpha \). Then, we can compute a Kautomaton \(\mathcal {A}_{ pre _{K}^{*}}\) matched to \(\mathcal {P}\) accepting the set \( pre _{K}^{*} ( \mathcal {P}, C )\).
Assuming the size of C is constant, the running time of this algorithm is in \(O (l \cdot \varDelta ^3 )\) operations.
B.3 Approximating the set of traces
Let \(\mathcal {P}\) be a PDS and C, \(C'\) two regular sets of configurations of \(\mathcal {P}\). Let K be a Kleene algebra matched to a finitechain Kleene abstraction \(\alpha \). Using Theorem 9, we can compute a Kautomaton \(\mathcal {A}_{pre_{K}^{*}}\) matched to \(\mathcal {P}\) accepting the set \( pre _{K}^{*} ( \mathcal {P}, C )\).
We can then construct a Kautomaton \(\mathcal {A'}_{pre_{K}^{*}}\) over \(\varGamma \times K\) equal to the restriction of \(\mathcal {A}_{pre_{K}^{*}}\) to configurations in \(C'\). To do so, we consider the product between \(\mathcal {A}_{ pre _{K}^{*}}\) and a \(\mathcal {P}\)automaton accepting the regular set of configurations \(C'\).
Finally, \(\alpha ( \mathcal {L}_\mathcal {P} ( C', C ) ) = \mathcal {T}_K ( \mathcal {A'}_{ pre _{K}^{*}} )\) is an abstraction of the set \(\mathcal {L}_\mathcal {P} ( C', C )\) of traces of the PDS \(\mathcal {P}\) leading from the regular set of configuration \(C'\) to another regular set of configurations C.
Obviously, the semantics of a PDS and a BPDA being similar, we can apply this framework to compute finite traces of BPDA as well.
Rights and permissions
About this article
Cite this article
Pommellet, A., Touili, T. LTL model checking for communicating concurrent programs. Innovations Syst Softw Eng 16, 161–179 (2020). https://doi.org/10.1007/s11334020003636
Received:
Accepted:
Published:
Issue Date:
Keywords
 Modelchecking
 Pushdown systems
 Lineartime temporal logic (LTL)
 Concurrent programs
 Stutterinvariant