Book ChapterDOI

Reachability Analysis of Pushdown Automata: Application to Model-Checking

01 Jul 1997, pp. 135-150
TL;DR: This work considers the more general class of alternating pushdown systems and uses alternating finite-state automata as a representation structure for sets of their configurations and gives a simple and natural procedure to compute sets of predecessors using this representation structure.
Abstract: We apply the symbolic analysis principle to pushdown systems. We represent (possibly infinite) sets of configurations of such systems by means of finite-state automata. In order to reason in a uniform way about analysis problems involving both existential and universal path quantification (such as model-checking for branching-time logics), we consider the more general class of alternating pushdown systems and use alternating finite-state automata as a representation structure for sets of their configurations. We give a simple and natural procedure to compute sets of predecessors using this representation structure. We incorporate this procedure into the automata-theoretic approach to model-checking to define new model-checking algorithms for pushdown systems against both linear and branching-time properties. From these results we derive upper bounds for several model-checking problems as well as matching lower bounds.
Citations
Book ChapterDOI
29 Mar 2004
TL;DR: This work introduces a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs and presents a tableau construction that reduces the model checking problem to the emptiness problem for a Büchi pushdown system.
Abstract: Model checking of linear temporal logic (LTL) specifications with respect to pushdown systems has been shown to be a useful tool for analysis of programs with potentially recursive procedures. LTL, however, can specify only regular properties, and properties such as correctness of procedures with respect to pre and post conditions, which require matching of calls and returns, are not regular. We introduce a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs. The formulas of CaRet are interpreted over sequences of propositional valuations tagged with special symbols call and ret. Besides the standard global temporal modalities, CaRet admits the abstract-next operator that allows a path to jump from a call to the matching return. This operator can be used to specify a variety of non-regular properties such as partial and total correctness of program blocks with respect to pre and post conditions. The abstract versions of the other temporal modalities can be used to specify regular properties of local paths within a procedure that skip over calls to other procedures. CaRet also admits the caller modality that jumps to the most recent pending call, and such caller modalities allow specification of a variety of security properties that involve inspection of the call-stack. Even though verifying context-free properties of pushdown systems is undecidable, we show that model checking CaRet formulas against a pushdown model is decidable. We present a tableau construction that reduces our model checking problem to the emptiness problem for a Büchi pushdown system. The complexity of model checking CaRet formulas is the same as that of checking LTL formulas, namely, polynomial in the model and singly exponential in the size of the specification.

3,516 citations


Cites background from "Reachability Analysis of Pushdown A..."

  • ...Model checking of LTL specifications with respect to RSMs can be solved in time polynomial in the size of the model and exponential in the size of the specification [7, 4, 11, 1, 3, 19]....

  • ...It is known that checking RSMs against LTL is already Exptime-hard, even when the RSM is fixed (this follows from the proof in [4])....

Book ChapterDOI
11 Jan 2004
TL;DR: In this paper, a finite-state abstraction of a sequential program with potentially recursive procedures and input from the environment is checked statically whether there are input sequences that can drive the system into "bad/good" executions.
Abstract: Given a finite-state abstraction of a sequential program with potentially recursive procedures and input from the environment, we wish to check statically whether there are input sequences that can drive the system into “bad/good” executions. Pushdown games have been used in recent years for such analyses and there is by now a very rich literature on the subject. (See, e.g., [BS92,Tho95,Wal96,BEM97,Cac02a,CDT02].)

1,144 citations

Journal Article
TL;DR: Given a finite-state abstraction of a sequential program with potentially recursive procedures and input from the environment, whether there are input sequences that can drive the system into “bad/good” executions is checked.
Abstract: Given a finite-state abstraction of a sequential program with potentially recursive procedures and input from the environment, we wish to check statically whether there are input sequences that can drive the system into bad/good executions. Pushdown games have been used in recent years for such analyses and there is by now a very rich literature on the subject. (See, e.g., [BS92,Tho95,Wal96,BEM97,Cac02a,CDT02].) In this paper we use recursive game graphs to model such interprocedural control flow in an open system. These models are intimately related to pushdown systems and pushdown games, but more directly capture the control flow graphs of recursive programs ([AEY01,BGR01,ATM03b]). We describe alternative algorithms for the well-studied problems of determining both reachability and Büchi winning strategies in such games. Our algorithms are based on solutions to second-order data flow equations, generalizing the Datalog rules used in [AEY01] for analysis of recursive state machines. This offers what we feel is a conceptually simpler view of these well-studied problems and provides another example of the close links between the techniques used in program analysis and those of model checking. There are also some technical advantages to the equational approach. Like the approach of Cachat [Cac02a], our solution avoids the necessarily exponential-space blow-up incurred by Walukiewicz's algorithms for pushdown games. However, unlike [Cac02a], our approach does not rely on a representation of the space of winning configurations of a pushdown graph by (alternating) automata. Only minimal sets of exits that can be forced need to be maintained, and this provides the potential for greater space efficiency. In a sense, our algorithms can be viewed as an automaton-free version of the algorithms of [Cac02a].

1,038 citations

Journal ArticleDOI
TL;DR: It is shown that the PSPACE upper bounds cannot be substantially improved without a breakthrough on long-standing open problems: the square-root sum problem and an arithmetic circuit decision problem that captures P-time on the unit-cost rational arithmetic RAM model.
Abstract: We define Recursive Markov Chains (RMCs), a class of finitely presented denumerable Markov chains, and we study algorithms for their analysis. Informally, an RMC consists of a collection of finite-state Markov chains with the ability to invoke each other in a potentially recursive manner. RMCs offer a natural abstract model for probabilistic programs with procedures. They generalize, in a precise sense, a number of well-studied stochastic models, including Stochastic Context-Free Grammars (SCFG) and Multi-Type Branching Processes (MT-BP). We focus on algorithms for reachability and termination analysis for RMCs: what is the probability that an RMC started from a given state reaches another target state, or that it terminates? These probabilities are in general irrational, and they arise as (least) fixed point solutions to certain (monotone) systems of nonlinear equations associated with RMCs. We address both the qualitative problem of determining whether the probabilities are 0, 1 or in-between, and the quantitative problems of comparing the probabilities with a given bound, or approximating them to desired precision. We show that all these problems can be solved in PSPACE using a decision procedure for the Existential Theory of Reals. We provide a more practical algorithm, based on a decomposed version of multi-variate Newton's method, and prove that it always converges monotonically to the desired probabilities. We show this method applies more generally to any monotone polynomial system. We obtain polynomial-time algorithms for various special subclasses of RMCs. Among these: for SCFGs and MT-BPs (equivalently, for 1-exit RMCs) the qualitative problem can be solved in P-time; for linearly recursive RMCs the probabilities are rational and can be computed exactly in P-time. We show that our PSPACE upper bounds cannot be substantially improved without a breakthrough on long-standing open problems: the square-root sum problem and an arithmetic circuit decision problem that captures P-time on the unit-cost rational arithmetic RAM model. We show that these problems reduce to the qualitative problem and to the approximation problem (to within any nontrivial error) for termination probabilities of general RMCs, and to the quantitative decision problem for termination (extinction) of SCFGs (MT-BPs).

632 citations

Proceedings ArticleDOI
13 Jun 2004
TL;DR: This framework explains, unifies, and generalizes many of the decision procedures in the program analysis literature, and allows algorithmic verification of recursive programs with respect to many context-free properties including access control properties via stack inspection and correctness of procedures with respect to pre and post conditions.
Abstract: We propose the class of visibly pushdown languages as embeddings of context-free languages that is rich enough to model program analysis questions and yet is tractable and robust like the class of regular languages. In our definition, the input symbol determines when the pushdown automaton can push or pop, and thus the stack depth at every position. We show that the resulting class Vpl of languages is closed under union, intersection, complementation, renaming, concatenation, and Kleene-*, and problems such as inclusion that are undecidable for context-free languages are Exptime-complete for visibly pushdown automata. Our framework explains, unifies, and generalizes many of the decision procedures in the program analysis literature, and allows algorithmic verification of recursive programs with respect to many context-free properties including access control properties via stack inspection and correctness of procedures with respect to pre and post conditions. We demonstrate that the class Vpl is robust by giving two alternative characterizations: a logical characterization using the monadic second order (MSO) theory over words augmented with a binary matching predicate, and a correspondence to regular tree languages. We also consider visibly pushdown languages of infinite words and show that the closure properties, MSO-characterization and the characterization in terms of regular trees carry over. The main difference with respect to the case of finite words turns out to be determinizability: nondeterministic Büchi visibly pushdown automata are strictly more expressive than deterministic Muller visibly pushdown automata.

621 citations

References
Book
01 Jan 1974
TL;DR: This text introduces the basic data structures and programming techniques often used in efficient algorithms, and covers use of lists, push-down stacks, queues, trees, and graphs.
Abstract: From the Publisher: With this text, you gain an understanding of the fundamental concepts of algorithms, the very heart of computer science. It introduces the basic data structures and programming techniques often used in efficient algorithms. Covers use of lists, push-down stacks, queues, trees, and graphs. Later chapters go into sorting, searching and graphing algorithms, the string-matching algorithms, and the Schönhage-Strassen integer-multiplication algorithm. Provides numerous graded exercises at the end of each chapter.

9,262 citations


"Reachability Analysis of Pushdown A..." refers background in this paper

  • ...The computation time of the set is quadratic in the number of states of Ai (which is equal to the number of states of A) and linear in the length of w ([1], Theorem 9)....

Journal ArticleDOI
TL;DR: Alur et al. as discussed by the authors proposed timed automata to model the behavior of real-time systems over time, and showed that the universality problem and the language inclusion problem are solvable only for deterministic automata: both problems are undecidable ($\Pi^1_1$-hard) in the non-deterministic case and PSPACE-complete in the deterministic case.

7,096 citations

Proceedings ArticleDOI
30 Sep 1977
TL;DR: A unified approach to program verification is suggested, which applies to both sequential and parallel programs, and the main proof method is that of temporal reasoning in which the time dependence of events is the basic concept.
Abstract: A unified approach to program verification is suggested, which applies to both sequential and parallel programs. The main proof method suggested is that of temporal reasoning in which the time dependence of events is the basic concept. Two formal systems are presented for providing a basis for temporal reasoning. One forms a formalization of the method of intermittent assertions, while the other is an adaptation of the tense logic system Kb, and is particularly suitable for reasoning about concurrent programs.

5,174 citations

Journal Article
TL;DR: The Feather River Coordinated Resource Management Group (FR-CRM) has been restoring channel/ meadow/ floodplain systems in the Feather River watershed since 1985 and recognized the possibility of a significant change in carbon stocks in these restored meadows and valleys.
Abstract: The Feather River Coordinated Resource Management Group (FR-CRM) has been restoring channel/meadow/floodplain systems in the Feather River watershed since 1985. Project and watershed-wide monitoring has shown multiple benefits of this type of work. With the concern over global climate change, the group wanted to measure the carbon sequestered in project areas. No protocol was found to measure carbon stores in native Sierra Nevada meadows. Plumas County funded the FR-CRM to conduct a pilot study to develop such a protocol. The sampling protocol included discrete sampling at consistent soil depths to determine the vertical distribution of carbon. A Technical Advisory Committee developed and refined a multi-project sampling protocol for three restored meadows and three un-restored meadows. Data from the un-restored meadows will also provide base-line data for before and after restoration comparisons. Initial data analysis indicates that restored meadows contain twice as much total carbon as degraded meadows; on average approximately 40 tonnes more carbon per acre. Virtually all of the additional carbon in restored meadows occurs in the soil, and is thus protected from loss via grazing, haying, wildfire, etc.

Introduction
In 1994 the Feather River Coordinated Resource Management (FR-CRM) group shifted its stream restoration approach from bank stabilization to landscape function. Called meadow re-watering, this approach entails returning the incised stream channel to the remnant channel(s) on the historic floodplain and eliminating the incised channel as a feature in the landscape. Historic channel incision resulted in significant land degradation as the adjacent groundwater levels dropped commensurate with the incising stream bed. Vegetation conversion rapidly follows as deep, densely rooted meadow plant communities convert to xeric shrubs and other plants. After a decade of meadow restoration, the FR-CRM recognized the possibility of a significant change in carbon stocks in these restored meadows and valleys. Plumas County has been a leader in advocating for investment in watershed ecosystem services such as water storage and filtering, and now, carbon sequestration. The county provided funding for the FR-CRM to conduct a pilot study of carbon in biomass and soils.

Watershed Location and Characteristics
The upper Feather River watershed is located in northeastern California, encompassing 3,222 square miles that drain west from east of the Sierra crest into Oroville Reservoir and thence to the Sacramento River. Annual runoff produced from this watershed provides over 1,400 MW of hydroelectric power, and represents a significant component of the California State Water Project, annually providing 2.3 million acre-feet of water for urban, industrial and agricultural consumers downstream. The Feather River watershed is primarily comprised of two distinct geologies: the Sierra Nevada granitic batholith of the western third of the watershed; and Basin and Range fault-block meta-volcanics, metasedimentary and recent basalts in the eastern two-thirds. It is the Basin and Range zone (Diamond Mtns.) of the watershed that has been the primary area of restoration. This geologic mélange of faulted and weathered rock has resulted in over 390 square miles of expansive meadows and valleys comprised of deep fine-grained alluvium, shown as green and yellow in Figure 1.

Figure 1. Upper Feather River Watershed

Upper watershed meadows and valleys (shown as green/yellow in Figure 1), often dozens of miles in length, once supported a rich ecosystem of meadow and riparian habitats, for coldwater-loving trout, a diversity of wildlife, and indigenous peoples during the dry summers of California's Mediterranean climate. The densely rooted vegetation, cohesive soils and expansive floodplains all contributed to the sustainability of these meso-scale floodplain meadows, with associated alluvial fans. River system segments are often characterized simplistically as transport and depositional reaches. Depositional reaches feature lower gradients and a more expansive fluvial setting. These landscape attributes, in conjunction with the type and quantity of sediment, debris and nutrients, are what provide for the development and evolution of meso-scale "sinks" or "warehouses" for the hydrologic products of the basin. Viewed as a macro-hyporheic corridor (Harvey and Wagner, 2000; Boulton et al., 1998; Stanford and Ward, 1993), these features are crucial as a landscape zone of active mass and energy transfer as well as an active storage reservoir for water, sediment and nutrients. The long-term recruitment and evolution of these features involve physical, biological and chemical synthesis within the natural variability of fluvial processes.

Figure 2. Typical Alluvial Features

Euro-American settlement of the watershed began in 1850 with gold mining in the western portions of the watershed and, soon thereafter, agricultural production in meadows to support the mining communities. Dairy farming, horses (for cavalry mounts), sheep and beef cattle were some of the early intensive disturbances that led to localized channel incision. The resultant lowering of shallow groundwater elevations began to alter and weaken the vegetative structure of the system. Soon, near the burgeoning communities in the mid-elevation valleys, a permanent road system was established with frequent channel manipulation and relocation efforts to simplify drainage and minimize bridge construction, again leading to localized incision. In the early 1900s both an intercontinental, and numerous local, railroad systems were constructed throughout the watershed. The local railroad networks, for the purpose of both mining and logging, were routed through the long low-gradient valleys for ease of construction. These valleys were still relatively wet at that time, so elevated grades were constructed using adjacent borrow ditches. By 1940, the severe morphological changes imposed by the railroad grades, in conjunction with the above referenced land use impacts, resulted in rapid, severe systemic incision of many upper watershed meadow systems. In the mid-1980s numerous watershed stakeholders adopted a statutory authority that allowed for Coordinated Resource Management and Planning (CRMP). Twenty-four federal, state and local, public and private entities now form the Feather River Coordinated Resource Management (FRCRM) group to adopt, support and implement a watershed-wide restoration program.

FR-CRM Restoration Approach & Background
The FRCRM began an ongoing implementation program to address these watershed issues in 1990. Initially, these projects focused on geomorphic restoration techniques (Rosgen, 1996) to stabilize incised stream channels. While overall success was encouraging, the projects illustrated the concept that any restoration work in the incised channels was subject to elevated stresses even in moderate flood events (5-10 year return interval). Concurrently, the benefits from this approach were localized and limited to reduced erosion, and incremental improvement of aquatic habitats and water quality. Little overall improvement of watershed conditions was being realized (Wilcox et al., 2001). This led to re-evaluating the restoration approach to encompass the entire historic fluvially-evolved valley bottom. Called meadow re-watering, this approach entails returning the incised stream channel to the remnant channel(s) on the historic floodplain and eliminating the incised channel as a water conveyance feature in the landscape (Figures 3 & 4 and Photos 1a, 1b, 2a & 2b). Simultaneously, the FRCRM had received a project assistance request from the United States Forest Service, Plumas National Forest (PNF) to develop restoration alternatives for Cottonwood Creek in the Big Flat Meadow (Photos 2a & 2b). FRCRM staff, led by Jim Wilcox, began conducting surveys and data collection that included the entire relic meadow from hillslope to hillslope. This data collection effort quickly pointed to the nascent meadow re-watering technology as a likely restoration alternative.

Figure 3. Typical cross-section, showing pre-project incision, post-project plug elevation, and the new channel. Photos 1a and 1b below show this same cross-section; however, the entire gully is not shown in the pre-project photo.
Photo 1a: Clarks Creek pre-project, July 2001. Photo 1b: Clarks Creek post-project, July 2006. The rocks in the background of Photos 1a and 1b can be used for reference. Because the new channel is in a different location, the photo point also moved in order to show the channel in the pre- and post-project conditions.
Figure 4. Typical cross-section, showing pre-project incision, post-project plug elevation, and the new channel.

Implemented in 1995, this project quickly validated the fundamental soundness of this approach. The one-mile-long, 47-acre project produced elevated shallow groundwater levels, eliminated gully wall erosion, filtered sediments delivered from the upper watershed, extended and increased summer baseflows, and reversed the xeric vegetation trends, resulting in improved terrestrial, avian and aquatic habitats. These benefits persisted despite withstanding a 100-year RI (return interval) flood in 1997.

Photo 2a: Big Flat pre-project, Dec. 1993. Photo 2b: Big Flat post-project, May 2006.

The success of this initial project led to the implementation of an additional 18 projects utilizing this technology (Table 1). Varying in scale and watershed characteristics, these projects have restored another 20 miles of channel and 5,000 acres of meadow/floodplain.

Carbon Sequestration
Qualitatively, these projects appeared to significantly increase organic carbon stocks through the much increased root mass as well as increased surface growth, and, possibly, through the more effective hyporheic exchange throughout the meadow. The purpose of the following protocol is to quantitatively establish the effe

2,305 citations


"Reachability Analysis of Pushdown A..." refers background in this paper

  • ...Since the properties of systems one wishes to check can be usually encoded into short formulas, model-checkers based on linear-time logics, like SPIN [16], have proved to be useful in practice....

  • ...Basic SPIN manual....

  • ...Since the properties of systems one wishes to check can be usually encoded into short formulas, model-checkers based on linear-time logics, like SPIN [Hol94], have proved to be useful in practice....

Journal ArticleDOI
TL;DR: The OBDD data structure is described and a number of applications that have been solved by OBDD-based symbolic analysis are surveyed.
Abstract: Ordered Binary-Decision Diagrams (OBDDs) represent Boolean functions as directed acyclic graphs. They form a canonical representation, making testing of functional properties such as satisfiability and equivalence straightforward. A number of operations on Boolean functions can be implemented as graph algorithms on OBDD data structures. Using OBDDs, a wide variety of problems can be solved through symbolic analysis. First, the possible variations in system parameters and operating conditions are encoded with Boolean variables. Then the system is evaluated for all variations by a sequence of OBDD operations. Researchers have thus solved a number of problems in digital-system design, finite-state system analysis, artificial intelligence, and mathematical logic. This paper describes the OBDD data structure and surveys a number of applications that have been solved by OBDD-based symbolic analysis.

2,196 citations