Skip to main content

LTL model checking for communicating concurrent programs

Abstract

We present in this paper a new approach to the static analysis of concurrent programs with procedures. To this end, we model multi-threaded programs featuring recursive procedure calls and synchronization by rendezvous between parallel threads with communicating pushdown systems (from now on CPDSs). The reachability problem for this particular class of automata is unfortunately undecidable. However, it has been shown that an efficient abstraction of the execution traces language can nonetheless be computed. To this end, an algebraic framework to over-approximate context-free languages has been introduced by Bouajjani et al. In this paper, we combine this framework with an automata-theoretic approach in order to approximate an answer to the model checking problem of the linear-time temporal logic (from now on LTL) on CPDSs. We then present an algorithm that, given a single-indexed or stutter-invariant LTL formula, allows us to prove that no run of a CPDS verifies this formula if the procedure ends.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2

References

  1. 1.

    Atig MF (2012) Model-checking of ordered multi-pushdown automata. Log Methods Comput Sci 8(3):20

    Article  MathSciNet  Google Scholar 

  2. 2.

    Bouajjani A, Esparza J, Maler O (1997) Reachability analysis of pushdown automata: Application to model-checking. In: Mazurkiewicz A, Winkowski J (eds) CONCUR ’97: Concurrency Theory. Springer, Berlin Heidelberg, pp 135–150

    Chapter  Google Scholar 

  3. 3.

    Bouajjani A, Esparza J, Touili T (2003) A generic approach to the static analysis of concurrent programs with procedures. In: Proceedings of the 30th ACM SIGPLAN–SIGACT symposium on principles of programming languages, POPL ’03. ACM, New York, pp 62–73

  4. 4.

    Bouajjani A, Müller-Olm M, Touili T (2005) Regular symbolic analysis of dynamic networks of pushdown systems. In: Abadi M, de Alfaro L (eds) CONCUR 2005—concurrency theory. Springer, Berlin, pp 473–487

  5. 5.

    Caucal D (1992) On the regular structure of prefix rewriting. Theor Comput Sci 106(1):61–86

    Article  MathSciNet  Google Scholar 

  6. 6.

    Chaki S, Clarke E, Kidd N, Reps T, Touili T (2006) Verifying concurrent message-passing c programs with recursive calls. In: Hermanns H, Palsberg J (eds) Tools and algorithms for the construction and analysis of systems, ETAPS ’06. Springer, Berlin

  7. 7.

    Esparza J, Hansel D, Rossmanith P, Schwoon S (2000) Efficient algorithms for model checking pushdown systems. In: Proceedings of the 12th international conference on computer aided verification, CAV ’00. Springer, London, pp 232–247

  8. 8.

    Kesten Y, Manna Z, McGuire H, Pnueli A (1993) A decision algorithm for full propositional temporal logic. In: Courcoubetis C (ed) Computer aided verification. Springer, Berlin, pp 97–109

    Chapter  Google Scholar 

  9. 9.

    Patin G, Sighireanu M, Touili T (2007) Spade: verification of multithreaded dynamic and recursive programs. In: Damm W, Hermanns H (eds) Computer aided verification. Springer, Berlin, pp 254–257

    Chapter  Google Scholar 

  10. 10.

    Peled DA, Wilke T (1997) Stutter-invariant temporal properties are expressible without the next-time operator. Inf Process Lett 63(5):243–246

    Article  MathSciNet  Google Scholar 

  11. 11.

    Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th annual symposium on foundations of computer science, SFCS ’77. IEEE Computer Society, Washington, DC, pp 46–57

  12. 12.

    Pommellet A, Touili T (2017) Static analysis of multithreaded recursive programs communicating via rendez-vous. In: APLAS, volume 10695 of lecture notes in computer science. Springer, pp 235–254

  13. 13.

    Pommellet A, Touili T (2018) LTL model-checking for communicating concurrent programs. In: Verification and evaluation of computer and communication systems—12th international conference, VECoS 2018, Grenoble, France, September 26–28, 2018, Proceedings, pp 150–165

  14. 14.

    Qadeer S, Rehof J (2005) Context-bounded model checking of concurrent software. In: Halbwachs N, Zuck LD (eds) Tools and algorithms for the construction and analysis of systems. Springer, Berlin, pp 93–107

    Chapter  Google Scholar 

  15. 15.

    Qadeer S, Wu D (2004) KISS: keep it simple and sequential. In: Proceedings of the ACM SIGPLAN 2004 conference on programming language design and implementation, PLDI ’04. ACM, New York, pp 14–24

  16. 16.

    Ramalingam G (2000) Context-sensitive synchronization-sensitive analysis is undecidable. ACM Trans Program Lang Syst 22(2):416–430

    Article  Google Scholar 

  17. 17.

    Song F, Touili T (2014) Efficient CTL model-checking for pushdown systems. Theor Comput Sci 549:127–145

    Article  MathSciNet  Google Scholar 

  18. 18.

    Song F, Touili T (2015) Model-checking dynamic pushdown networks. Form Asp Comput 27(2):397–421

    Article  MathSciNet  Google Scholar 

  19. 19.

    Song F, Touili T (2016) LTL model-checking for dynamic pushdown networks communicating via locks. CoRR arXiv:1611.02528

  20. 20.

    Torre SL, Madhusudan P, Parlato G (2007) A robust class of context-sensitive languages. In: 22nd Annual IEEE symposium on logic in computer science (LICS 2007), pp 161–170

Download references

Acknowledgements

Funding was provided by Université Paris Diderot.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Adrien Pommellet.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Kleene abstractions

We detail the mathematical framework introduced by Bouajjani et al. [3] in order to abstract trace languages of PDSs.

A.1 Abstractions and Galois connections

Let \(\mathcal {L} = (2^{ Act ^*}, \subseteq , \cup , \cap , \emptyset , Act ^*)\) be the complete lattice of languages on Act.

Our abstraction of \(\mathcal {L}\) requires a lattice \(E = ( D, \le , \sqcup , \sqcap , \bot , \top )\), from now on called the abstract lattice, where D is a set called the abstract domain, as well as a pair of mappings \(( \alpha , \beta )\) called a Galois connection, where \(\alpha : 2^{ Act ^*} \rightarrow D\) and \(\beta : D \rightarrow 2^{ Act ^*}\) are such that

$$\begin{aligned} \forall x \in 2^{ Act ^*}, \forall y \in D, \alpha (x) \le y \Leftrightarrow x \subseteq \beta (y) \end{aligned}$$

\(\forall L \in \mathcal {L}\), given a Galois connection \((\alpha , \beta )\), we have \(L \subseteq \beta (\alpha ( L ))\); the Galois connection can be used to over-approximate a language in \(2^{ Act ^*}\) (e.g. the trace language of a PDS).

Moreover, it is easy to see that

$$\begin{aligned} \forall L_1, \forall L_2 \in \mathcal {L}, \alpha ( L_1 ) \sqcap \alpha ( L_2 ) = \bot \end{aligned}$$

if and only if

$$\begin{aligned} \beta (\alpha ( L_1 )) \cap \beta (\alpha ( L_2 )) = \emptyset . \end{aligned}$$

A.2 Kleene algebras

We consider a special class of abstractions called Kleene abstractions.

An idempotent semiring is a structure \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\), where \(\oplus \) is an associative, commutative, and idempotent (\(a \oplus a = a\)) operation such that A is closed under the infinite sum \(\bigoplus \), and \(\odot \) is an associative operation. \(\overline{0}\) and \(\overline{1}\) are neutral elements for \(\oplus \) and \(\odot \), respectively, \(\overline{0}\) is an annihilator for \(\odot \) (\(a \odot \overline{0} = \overline{0} \odot a = \overline{0}\)) and \(\odot \) distributes over \(\oplus \).

K is an \( Act \)-semiring if it can be generated by \(\overline{0}\), \(\overline{1}\), and elements of the form \(v_{a} \in A\), \(\forall a \in Act \). A semiring is said to be closed if \(\oplus \) can be extended to an operator over countably infinite sets while keeping the same properties as \(\oplus \).

We define \(a^{0} = \overline{1}\), \(a^{n+1} = a \odot a^{n}\) and \(a^{*} = \mathop {\bigoplus } \limits _{n \ge 0} a^{n}\). Adding the \(*\) operation to an idempotent closed \( Act \)-semiring K transforms it into a Kleene algebra.

A.3 Kleene abstractions

An abstract lattice \(E = ( D, \le , \sqcup , \sqcap , \bot , \top )\) is said to be compatible with a Kleene algebra \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\) if \(D = A\), \(x \le y \Leftrightarrow x \oplus y = y\), \(\bot = \overline{0}\) and \(\sqcup = \oplus \).

A Kleene abstraction is an abstraction such that the abstract lattice E is compatible with the Kleene algebra and the Galois connections \(\alpha : 2^{ Act ^*} \rightarrow D\) and \(\beta : D\rightarrow 2^{ Act ^*}\) are defined by:

$$\begin{aligned} \alpha (L) = \mathop {\bigoplus } \limits _{a_{1} \ldots a_{n} \in L} v_{a_1} \odot \cdots \odot v_{a_n} \end{aligned}$$
$$\begin{aligned} \beta (x) = \left\{ a_{1} \ldots a_{n} \in Act ^* \mid v_{a_1} \odot \cdots \odot v_{a_n} \le x\right\} . \end{aligned}$$

Intuitively, a Kleene abstraction is such that the abstract operations \(\oplus \), \(\odot \), and \(*\) can be matched to the union, the concatenation, and the Kleene closure of the languages of the lattice \(\mathcal {L}\), \(\overline{0}\) and \(\overline{1}\) to the empty language and \(\{ \varepsilon \}\), \(v_a\) to the language \(\{ a \}\), the upper bound \(\top \in K\) to \( Act ^*\), and the operation \(\sqcap \) to the intersection of languages in the lattice \(\mathcal {L}\).

In order to compute \(\alpha ( L )\) for a given language L, each word \(a_{1} \ldots a_{n}\) in L is matched to its abstraction \(v_{a_1} \odot \ldots \odot v_{a_n}\), and we consider the sum of these abstractions.

A finite-chain abstraction is such that the lattice \(( A, \le )\) has no infinite ascending chains: as a consequence, infinite sequences of concatenations \(\bigodot \limits _{i \ge 0} v_{a_i}\) can be defined and effectively computed, and the abstraction framework can be applied to infinite traces in \( Act ^\omega \). The prefix and first occurrence ordering abstractions defined previously are finite-chain.

A.4 The set of K-predecessors

Let \(\mathcal {P} = ( P, Act , \varGamma , \varDelta , c_0 )\) be a PDS and \(K = ( A, \oplus , \odot , \overline{0}, \overline{1} )\) a Kleene algebra corresponding to a Kleene abstraction of the set \( Act \).

We define inductively the set \(\varPi _{K}\) of path expressions as the smallest subset of K such that:

  • \(\overline{1} \in \varPi _{K}\);

  • if \(\pi \in \varPi _{K}\), then \(\forall a \in Act \), \(v_a \odot \pi \in \varPi _{K}\).

For a given path expression \(\pi \), we define its length \(\left| \pi \right| \) as the number of occurrences of simple elements of the form \(v_a\) in \(\pi \).

A K-configuration of \(\mathcal {P}\) is a pair \((c, \pi )\) in \( Conf ^K_\mathcal {P} = P \times \varGamma ^* \times \varPi _K\). We can extend the transition relation \(\longrightarrow _{\mathcal {P}}\) to K-configurations with the following semantics: \(\forall a \in Act \), if \(c \xrightarrow {a}_{\mathcal {P}} c'\), then

$$\begin{aligned} \forall \pi \in \varPi _K, ( c, v_{a} \odot \pi ) \longrightarrow _{\mathcal {P}, K} ( c', \pi ) \end{aligned}$$

\(( c, v_{a} \odot \pi )\) is said to be an immediate K-predecessor of \(( c', \pi )\). The reachability relation \(\leadsto _{\mathcal {P}, K}\) is the reflexive transitive closure of \(\longrightarrow _{\mathcal {P}, K}\).

Given a set of configurations C, we introduce the set of K-configurations \( pre _{K}^{*} ( \mathcal {P}, C )\):

$$\begin{aligned}&pre _{K}^{*} ( \mathcal {P}, C ) = \{ ( c, \pi ) \mid c \in pre ^* ( \mathcal {P}, C ), \\&\quad \pi \le \alpha ( \mathcal {L}_\mathcal {P} ( \{ c \}, C ) ). \end{aligned}$$

If \(( c, \pi ) \in pre _{K}^{*} ( \mathcal {P}, C )\), then, by definition of the Kleene abstraction, \(( c, \pi ) \leadsto _{\mathcal {P}, K} ( c', \overline{1} )\) for some \(c' \in C\). Intuitively, the abstract path expression \(\pi \) is meant to be the abstraction of an actual trace from \(c'\) to C.

B Abstracting traces of pushdown systems

We now present the automata-theoretic approach used by Bouajjani et al. in [3] to compute the set \( pre _{K}^{*} (\mathcal {P}, C)\) in order to abstract runs of PDSs.

B.1 Representing regular sets of configurations

In order to represent regular sets of configurations, we consider the following structure:

Definition 12

(Bouajjani et al. [2]) Let \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta , c_0)\) be a pushdown system. A \(\mathcal {P}\)-automaton \(\mathcal {A} = (Q, \varGamma , \delta , I, F)\) is a finite-state automaton on the stack alphabet \(\varGamma \) of \(\mathcal {P}\) where Q is a set of states such that \(P \subseteq Q\), \(I = P\) the set of initial states, \(F \subseteq Q\) the set of final states, and \(\delta \subseteq Q \times \varGamma \cup \{\varepsilon \} \times Q\) a set of transitions.

Intuitively, a \(\mathcal {P}\)-automaton is a finite-state automaton whose edges are labelled by stack symbols of \(\mathcal {P}\) and whose initial states represent the states of \(\mathcal {P}\).

Let \(\rightarrow _\mathcal {A}\) be the transition relation inferred from \(\delta \). We say that \(\mathcal {A}\)accepts a configuration \(\langle p, w \rangle \) if there is a path \(p \xrightarrow {w}\!\!^*_\mathcal {A} f\) such that \(f \in F\). Let \(\mathcal {L} (\mathcal {A}) \subseteq Conf _\mathcal {P}\) be the set of configurations accepted by \(\mathcal {A}\). Obviously, the following lemma holds:

Lemma 3

(Bouajjani et al. [2]) A set of configurations \(\mathcal {C}\) of a PDS \(\mathcal {P}\) is regular if and only if there exists a \(\mathcal {P}\)-automaton \(\mathcal {A}\) such that \(\mathcal {L} (\mathcal {A}) = \mathcal {C}\).

Let \(\mathcal {C}\) be a regular set of configurations of a PDS \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\), and let \(\mathcal {A}\) be a \(\mathcal {P}\)-automaton accepting \(\mathcal {C}\). It has been proven by Caucal [5] that the sets \( pre ^* (\mathcal {P}, \mathcal {C})\) is regular. Moreover, it can be computed by applying a saturation procedure (where new transitions are incrementally added until a fixed point is reached) to a \(\mathcal {P}\)-automaton representing C:

Theorem 8

(Bouajjani et al. [2]) Given a PDS \(\mathcal {P}\) and a regular set of configurations \(\mathcal {C}\), there exists a \(\mathcal {P}\)-automaton \(\mathcal {A}_{ pre ^*}\) accepting \( pre ^* \left( \mathcal {C}\right) \).

B.2 K-automata

\(\mathcal {P}\)-automata are used to represent regular sets of configurations. They can be extended to K-automata in order to handle sets of K-configurations of a PDS \(\mathcal {P}\).

Definition 13

(K-automata) A K-automaton matched to a PDS \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\) is a tuple \(\mathcal {A} = (Q, \varGamma , \delta , I, F)\) where Q is a finite set of control states, \(\delta \subseteq Q \times \varGamma \times K \times Q\) a finite set of transition rules, \(I = P\) the set of initial states, and \(F \subseteq Q\) the set of final states.

Intuitively, a K-automaton can be seen as a \(\mathcal {P}\)-automaton whose transitions labelled by stack symbols in \(\varGamma \) have been given an additional label in K. In a similar manner, \(\mathcal {P}\)-automaton can be seen as K-automaton whose transitions are all labelled by \(\overline{1}\).

We define \(\longrightarrow _{\mathcal {A}} \subseteq Q \times \varGamma ^* \times K \times Q \times \) as the smallest transition relation satisfying:

  • \(q \xrightarrow {( \varepsilon , \overline{1} )}_{\mathcal {A}} q\) for every \(q \in Q\);

  • if \(( q, \gamma , e, q' ) \in \delta \), then \(q \xrightarrow {( \gamma , e )}_{\mathcal {A}} q'\);

  • if \(q \xrightarrow {( w, e )}_{\mathcal {A}} q'\) and \(q' \xrightarrow {( w', e' )}_{\mathcal {A}} q''\) as well, then \(q \xrightarrow {( w w', e \odot e' )}_{\mathcal {A}} q''\).

We say that the K-automaton \(\mathcal {A}\) accepts a K-configuration \(( < p, w >, \pi )\) if \(p \xrightarrow {( w, e )}_{\mathcal {A}} q\) for \(q \in F\) and some \(e \in K\) such that \(\pi \le e\).

Let \(\mathcal {L}_K ( \mathcal {A} )\) be the set of all configurations accepted by \(\mathcal {A}\), and \(\mathcal {T}_K ( \mathcal {A} ) = \{ \pi \mid \exists c \in C, ( c, \pi ) \in \mathcal {L}_K ( \mathcal {A} ) \}\) the set of abstract traces matched to these configurations.

By adding extra labels in K to the \(\mathcal {P}\)-automaton \(\mathcal {A}_{pre^*}\) accepting \( pre ^* \left( \mathcal {C}\right) \) yielded by Theorem 1, we can compute a K-automaton accepting set \( pre _{K}^{*} ( \mathcal {P}, C )\) using an iterative fixpoint algorithm:

Theorem 9

(Bouajjani et al. [3]) Let \(\mathcal {P} = (P, \varSigma , \varGamma , \varDelta )\) be a PDS, \(\mathcal {A}\) a \(\mathcal {P}\)-automaton accepting a regular set of configurations C, and K a Kleene algebra matched to a finite-chain Kleene abstraction \(\alpha \). Then, we can compute a K-automaton \(\mathcal {A}_{ pre _{K}^{*}}\) matched to \(\mathcal {P}\) accepting the set \( pre _{K}^{*} ( \mathcal {P}, C )\).

Assuming the size of C is constant, the running time of this algorithm is in \(O (l \cdot |\varDelta |^3 )\) operations.

B.3 Approximating the set of traces

Let \(\mathcal {P}\) be a PDS and C, \(C'\) two regular sets of configurations of \(\mathcal {P}\). Let K be a Kleene algebra matched to a finite-chain Kleene abstraction \(\alpha \). Using Theorem 9, we can compute a K-automaton \(\mathcal {A}_{pre_{K}^{*}}\) matched to \(\mathcal {P}\) accepting the set \( pre _{K}^{*} ( \mathcal {P}, C )\).

We can then construct a K-automaton \(\mathcal {A'}_{pre_{K}^{*}}\) over \(\varGamma \times K\) equal to the restriction of \(\mathcal {A}_{pre_{K}^{*}}\) to configurations in \(C'\). To do so, we consider the product between \(\mathcal {A}_{ pre _{K}^{*}}\) and a \(\mathcal {P}\)-automaton accepting the regular set of configurations \(C'\).

Finally, \(\alpha ( \mathcal {L}_\mathcal {P} ( C', C ) ) = \mathcal {T}_K ( \mathcal {A'}_{ pre _{K}^{*}} )\) is an abstraction of the set \(\mathcal {L}_\mathcal {P} ( C', C )\) of traces of the PDS \(\mathcal {P}\) leading from the regular set of configuration \(C'\) to another regular set of configurations C.

Obviously, the semantics of a PDS and a BPDA being similar, we can apply this framework to compute finite traces of BPDA as well.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Pommellet, A., Touili, T. LTL model checking for communicating concurrent programs. Innovations Syst Softw Eng 16, 161–179 (2020). https://doi.org/10.1007/s11334-020-00363-6

Download citation

Keywords

  • Model-checking
  • Pushdown systems
  • Linear-time temporal logic (LTL)
  • Concurrent programs
  • Stutter-invariant