Model Checking Recursive Programs with Numeric Data Types
Pushdown systems (PDS) naturally model sequential recursive programs. Numeric data types also often arise in real-world programs. We study the extension of PDS with unbounded counters, which naturally model numeric data types. Although this extension is Turing-powerful, reachability is known to be decidable when the number of reversals between incrementing and decrementing modes is bounded. In this paper, we (1) pinpoint the decidability/complexity of reachability and linear/branching time model checking over PDS with reversal-bounded counters (PCo), and (2) experimentally demonstrate the effectiveness of our approach in analysing software. We show reachability over PCo is NP-complete, while LTL is coNEXP-complete (coNP-complete for fixed formulas). In contrast, we prove that EF-logic over PCo is undecidable. Our NP upper bounds are by a direct poly-time reduction to satisfaction over existential Presburger formulas, allowing us to tap into highly optimized solvers like Z3. Although reversal-bounded analysis is incomplete for PDS with unbounded counters in general, our experiments suggest that some intricate bugs (e.g. from Linux device drivers) can be discovered with a small number of reversals. We also pinpoint the decidability/complexity of various extensions of PCo, e.g., with discrete clocks.
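To make the notion of a reversal-bounded counter concrete, here is an added illustration that is not code from the paper: a toy recursive program modelled as a pushdown system with one counter (the number of resources currently held), explored explicitly with a cap on counter reversals. The paper's own method is a reduction to existential Presburger formulas solved by Z3, not an explicit-state search; the search below, the program, the state and stack-symbol names and the depth and counter caps are all constructed for this example. The "leak" is the resource-leak pattern the abstract alludes to: a return path that skips the release, reaching the exit of `main` with a positive counter.

```python
from collections import deque

# A transition is (src_state, top_symbol, guard, dst_state, stack_op, counter_delta).
#   top_symbol: required top of stack, or None for "any top".
#   guard:      'any', 'zero' (counter == 0) or 'pos' (counter > 0); counter tests
#               are the only way a PCo transition may inspect the counter.
#   stack_op:   ('push', sym), 'pop', or None (leave the stack alone).
# Stack symbols are return addresses, so the stack models the call stack.
# All states, symbols and the program itself are constructed for this example.
FIXED_PROGRAM = [
    ('main',     'bot',      'any',  'f_enter',  ('push', 'ret_main'), 0),   # main calls f()
    ('f_enter',  None,       'any',  'f_body',   None,                 +1),  # f acquires one resource
    ('f_body',   None,       'any',  'f_enter',  ('push', 'ret_f'),    0),   # f calls itself
    ('f_body',   None,       'any',  'f_ret',    None,                 -1),  # release, then return
    ('f_ret',    'ret_f',    'any',  'f_body',   'pop',                0),   # return into the caller f
    ('f_ret',    'ret_main', 'any',  'main_end', 'pop',                0),   # return into main
    ('main_end', 'bot',      'pos',  'ERROR',    None,                 0),   # resources still held at exit
    ('main_end', 'bot',      'zero', 'main_ok',  None,                 0),
]
# The bug: a second return path from f that forgets the release.
LEAKY_RETURN = ('f_body', None, 'any', 'f_ret', None, 0)
BUGGY_PROGRAM = FIXED_PROGRAM + [LEAKY_RETURN]


def reachable(transitions, target, reversal_bound, max_steps=40, max_counter=10):
    """Breadth-first search for a configuration in control state `target`.

    A path is only extended while the number of reversals between incrementing
    and decrementing the counter stays within `reversal_bound`.  `max_steps`
    and `max_counter` additionally cap the explicit search so it terminates;
    those caps make this search incomplete in exactly the sense the abstract
    mentions for reversal-bounded analysis of unbounded counters.
    Returns the list of control states visited on a witness path, or None.
    """
    # configuration: (state, stack with top first, counter, mode, reversals)
    # mode: 0 = counter untouched so far, +1 = incrementing phase, -1 = decrementing phase
    start = ('main', ('bot',), 0, 0, 0)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (state, stack, counter, mode, reversals), trace = queue.popleft()
        if state == target:
            return trace
        if len(trace) >= max_steps:
            continue
        for (src, top, guard, dst, op, delta) in transitions:
            if src != state or (top is not None and (not stack or stack[0] != top)):
                continue
            if (guard == 'zero' and counter != 0) or (guard == 'pos' and counter == 0):
                continue
            new_counter = counter + delta
            if new_counter < 0 or new_counter > max_counter:
                continue
            new_mode, new_rev = mode, reversals
            if delta != 0:
                new_mode = 1 if delta > 0 else -1
                if mode != 0 and new_mode != mode:
                    new_rev += 1          # switching direction costs one reversal
            if new_rev > reversal_bound:
                continue
            if op is None:
                new_stack = stack
            elif op == 'pop':
                new_stack = stack[1:]
            else:
                new_stack = (op[1],) + stack
            cfg = (dst, new_stack, new_counter, new_mode, new_rev)
            if cfg not in seen:
                seen.add(cfg)
                queue.append((cfg, trace + [dst]))
    return None


if __name__ == '__main__':
    print('leak witness (0 reversals):', reachable(BUGGY_PROGRAM, 'ERROR', 0))
    print('fixed program, ERROR within 3 reversals:', reachable(FIXED_PROGRAM, 'ERROR', 3))
    print('fixed program, main_ok with 0 reversals:', reachable(FIXED_PROGRAM, 'main_ok', 0))
    print('fixed program, main_ok with 1 reversal:', reachable(FIXED_PROGRAM, 'main_ok', 1))
```

Two things the run shows: the leak is found with zero reversals (acquire, then return without release), matching the abstract's observation that some real leaks surface with a small reversal bound; and the bound genuinely prunes behaviour, since the correct program's normal exit needs one reversal (increment, then decrement) and is not reached at bound 0 but is at bound 1.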