A new algorithm for Higher-order model checking Jérémy Ledent Martin Hofmann 1 / 25
For first order programs (M. Hofmann & W. Chen) Let Σ be a set of events and F a set of procedure identifiers. ◮ Syntax of expressions: e ::= a | f | e 1 ; e 2 | e 1 + e 2 where a ∈ Σ and f ∈ F 2 / 25
For first order programs (M. Hofmann & W. Chen) Let Σ be a set of events and F a set of procedure identifiers. ◮ Syntax of expressions: e ::= a | f | e 1 ; e 2 | e 1 + e 2 where a ∈ Σ and f ∈ F ◮ Program: an expression e f for every f ∈ F . Examples: = a ; b ; g f g = d + ( c ; f ) = ( abc ) ∗ abd ∪ { ( abc ) ω } L ( f ) 2 / 25
For first order programs (M. Hofmann & W. Chen) Let Σ be a set of events and F a set of procedure identifiers. ◮ Syntax of expressions: e ::= a | f | e 1 ; e 2 | e 1 + e 2 where a ∈ Σ and f ∈ F ◮ Program: an expression e f for every f ∈ F . Examples: = a ; b ; g = a ; v f u g = d + ( c ; f ) v = v = ( abc ) ∗ abd ∪ { ( abc ) ω } L ( f ) = { a } L ( u ) 2 / 25
For first order programs (M. Hofmann & W. Chen) Let Σ be a set of events and F a set of procedure identifiers. ◮ Syntax of expressions: e ::= a | f | e 1 ; e 2 | e 1 + e 2 where a ∈ Σ and f ∈ F ◮ Program: an expression e f for every f ∈ F . Examples: = a ; b ; g = a ; v f u g = d + ( c ; f ) v = v L ∗ ( f ) = ( ab � c � ) ∗ ab � d L ω ( f ) = { ( ab � c � ) ω } L ω ( u ) = { a ( � ) ω } L ∗ ( u ) = ∅ 2 / 25
Policy Automaton #define TIMEOUT 65536 while (true) { int i,s; i = s = 0; while (i++ < TIMEOUT && s == 0) { s = auth(); } work(); } 3 / 25
Policy Automaton #define TIMEOUT 65536 while (true) { int i,s; i = s = 0; while (i++ < TIMEOUT && s == 0) { s = auth(); /* a */ } /* c */ work(); /* b */ } f = g ; b ; f g = ( a ; g ) + c 3 / 25
Policy Automaton #define TIMEOUT 65536 while (true) { int i,s; i = s = 0; while (i++ < TIMEOUT && s == 0) { s = auth(); /* a */ } /* c */ work(); /* b */ } b q 1 q 0 q 2 f = g ; b ; f a , b , c g = ( a ; g ) + c a , b , c a , b , c a , b “If c occurs infinitely often, then b occurs infinitely often.” 3 / 25
Büchi type system Let GFb = ( a ∗ b ) ω be a type asserting “ b occurs infinitely often”. Consider the procedure: f = a ; f Assuming f : GFb , we can derive ( a ; f ) : aGFb , and since aGFb = GFb , that means we have a derivation f : GFb ⊢ ( a ; f ) : GFb 4 / 25
Büchi type system Let GFb = ( a ∗ b ) ω be a type asserting “ b occurs infinitely often”. Consider the procedure: f = a ; f Assuming f : GFb , we can derive ( a ; f ) : aGFb , and since aGFb = GFb , that means we have a derivation f : GFb ⊢ ( a ; f ) : GFb Under “usual” typing rules, this would allow us to establish ⊢ f : GFb which is clearly wrong. 4 / 25
Büchi type system Idea: f : X ⊢ e f : T ( X ) ⊢ f : gfp( λ X . T ( X )) 5 / 25
Büchi type system Idea: f : X ⊢ e f : T ( X ) ⊢ f : gfp( λ X . T ( X )) f = ( a ; f ) + b Looks like a language equation X = aX + b Smallest solution: X = a ∗ b Greatest solution: X = a ∗ b + a ω = L ( f ) 5 / 25
Büchi type system Idea: f : X ⊢ e f : T ( X ) ⊢ f : gfp( λ X . T ( X )) f = ( a ; f ) + b Looks like a language equation X = aX + b Smallest solution: X = a ∗ b Greatest solution: X = a ∗ b + a ω = L ( f ) For first-order programs: T ( X ) = U · X + V gfp( T ) = U ∗ V + U ω 5 / 25
Büchi Abstraction Let L ∗ = P (Σ ∗ ) and L ω = P (Σ ω ) . Given the policy automaton A , we can construct complete lattices M ∗ and M ω such that: ◮ They are finite. 6 / 25
Büchi Abstraction Let L ∗ = P (Σ ∗ ) and L ω = P (Σ ω ) . Given the policy automaton A , we can construct complete lattices M ∗ and M ω such that: ◮ They are finite. ◮ They are related to L ∗ , L ω by a galois insertion . There are α ∗ /ω : L ∗ /ω → M ∗ /ω and γ ∗ /ω : M ∗ /ω → L ∗ /ω such that γ ∗ /ω ( α ∗ /ω ( L )) ⊇ L and α ∗ /ω ( γ ∗ /ω ( U )) = U 6 / 25
Büchi Abstraction Let L ∗ = P (Σ ∗ ) and L ω = P (Σ ω ) . Given the policy automaton A , we can construct complete lattices M ∗ and M ω such that: ◮ They are finite. ◮ They are related to L ∗ , L ω by a galois insertion . There are α ∗ /ω : L ∗ /ω → M ∗ /ω and γ ∗ /ω : M ∗ /ω → L ∗ /ω such that γ ∗ /ω ( α ∗ /ω ( L )) ⊇ L and α ∗ /ω ( γ ∗ /ω ( U )) = U ◮ L ⊆ L ( A ) ⇐ ⇒ α ( L ) ⊑ α ( L ( A )) 6 / 25
Büchi Abstraction Let L ∗ = P (Σ ∗ ) and L ω = P (Σ ω ) . Given the policy automaton A , we can construct complete lattices M ∗ and M ω such that: ◮ They are finite. ◮ They are related to L ∗ , L ω by a galois insertion . There are α ∗ /ω : L ∗ /ω → M ∗ /ω and γ ∗ /ω : M ∗ /ω → L ∗ /ω such that γ ∗ /ω ( α ∗ /ω ( L )) ⊇ L and α ∗ /ω ( γ ∗ /ω ( U )) = U ◮ L ⊆ L ( A ) ⇐ ⇒ α ( L ) ⊑ α ( L ( A )) ◮ The abstraction function α preserves unions, concatenation, least fixpoints and ω -iteration (but not greatest fixpoints !): ( − ) ( ω ) M ∗ M ω α ∗ α ω ( − ) ω L ∗ L ω 6 / 25
Büchi Abstraction Define the equivalence relation ∼ A on Σ + as follows: u ∼ A v iff → q ′ ⇐ → F q ′ ⇐ u v u v ∀ q , q ′ . ( q → q ′ ) ∧ ( q → F q ′ ) − ⇒ q − − ⇒ q − and extend it to Σ ∗ such that [ ε ] = { ε } . 7 / 25
Büchi Abstraction Define the equivalence relation ∼ A on Σ + as follows: u ∼ A v iff → q ′ ⇐ → F q ′ ⇐ u v u v ∀ q , q ′ . ( q → q ′ ) ∧ ( q → F q ′ ) − ⇒ q − − ⇒ q − and extend it to Σ ∗ such that [ ε ] = { ε } . ◮ Equivalence classes are regular languages. ◮ There’s a finite number of classes. 7 / 25
Büchi Abstraction Define the equivalence relation ∼ A on Σ + as follows: u ∼ A v iff → q ′ ⇐ → F q ′ ⇐ u v u v ∀ q , q ′ . ( q → q ′ ) ∧ ( q → F q ′ ) − ⇒ q − − ⇒ q − and extend it to Σ ∗ such that [ ε ] = { ε } . ◮ Equivalence classes are regular languages. ◮ There’s a finite number of classes. ◮ For every class C , either C ∩ L ∗ ( A ) = ∅ or C ⊆ L ∗ ( A ) . 7 / 25
Büchi Abstraction Define the equivalence relation ∼ A on Σ + as follows: u ∼ A v iff → q ′ ⇐ → F q ′ ⇐ u v u v ∀ q , q ′ . ( q → q ′ ) ∧ ( q → F q ′ ) − ⇒ q − − ⇒ q − and extend it to Σ ∗ such that [ ε ] = { ε } . ◮ Equivalence classes are regular languages. ◮ There’s a finite number of classes. ◮ For every class C , either C ∩ L ∗ ( A ) = ∅ or C ⊆ L ∗ ( A ) . ◮ For every C , D , either CD ω ∩ L ω ( A ) = ∅ or CD ω ⊆ L ω ( A ) . ◮ For every w ∈ Σ ω , there are C , D such that w ∈ CD ω . The sets CD ω behave almost like classes, but they may overlap ! 7 / 25
Büchi Abstraction Define M ∗ = P (Σ ∗ / ∼ A ) � γ ∗ ( V ) = C C ∈V α ∗ ( L ) = { C | C ∩ L � = ∅ } 8 / 25
Büchi Abstraction Define M ∗ = P (Σ ∗ / ∼ A ) � γ ∗ ( V ) = C C ∈V α ∗ ( L ) = { C | C ∩ L � = ∅ } and M ω = {V ⊆ (Σ ∗ / ∼ A ) × (Σ ∗ / ∼ A ) | V is closed } � CD ω γ ω ( V ) = ( C , D ) ∈V α ω ( L ) = cl { ( C , D ) | CD ω ∩ L � = ∅ } 8 / 25
Extending to Higher-order Terms : e ::= x | a | e 1 ; e 2 | e 1 + e 2 | fix e | λ x . e | e 1 e 2 9 / 25
Extending to Higher-order Terms : e ::= x | a | e 1 ; e 2 | e 1 + e 2 | fix e | λ x . e | e 1 e 2 Types : τ ::= o | τ 1 → τ 2 Typing rules : Γ ⊢ e 1 : τ 1 → τ 2 Γ ⊢ e 2 : τ 1 Γ , x : τ 1 ⊢ e : τ 2 Γ ⊢ x : Γ( x ) Γ ⊢ e 1 e 2 : τ 2 Γ ⊢ λ x . e : τ 1 → τ 2 Γ ⊢ e : τ → τ Γ ⊢ e 1 : o Γ ⊢ e 2 : o Γ ⊢ e 1 : o Γ ⊢ e 2 : o Γ ⊢ fix e : τ Γ ⊢ a : o Γ ⊢ e 1 + e 2 : o Γ ⊢ e 1 ; e 2 : o 9 / 25
Extending to Higher-order Terms : e ::= x | a | e 1 ; e 2 | e 1 + e 2 | fix e | λ x . e | e 1 e 2 Types : τ ::= o | τ 1 → τ 2 Typing rules : Γ ⊢ e 1 : τ 1 → τ 2 Γ ⊢ e 2 : τ 1 Γ , x : τ 1 ⊢ e : τ 2 Γ ⊢ x : Γ( x ) Γ ⊢ e 1 e 2 : τ 2 Γ ⊢ λ x . e : τ 1 → τ 2 Γ ⊢ e : τ → τ Γ ⊢ e 1 : o Γ ⊢ e 2 : o Γ ⊢ e 1 : o Γ ⊢ e 2 : o Γ ⊢ fix e : τ Γ ⊢ a : o Γ ⊢ e 1 + e 2 : o Γ ⊢ e 1 ; e 2 : o Program : closed term of type o . 9 / 25
Examples First order: only use fix : ( o → o ) → o . ◮ fix( λ f . ( a ; f ) + b ) ◮ fix( λ f . a ; b ; fix( λ g . d + ( c ; f ))) 10 / 25
Examples First order: only use fix : ( o → o ) → o . ◮ fix( λ f . ( a ; f ) + b ) ◮ fix( λ f . a ; b ; fix( λ g . d + ( c ; f ))) Call-by-value versus call-by-name: ◮ e = ( λ x . a ; x ) b − → L ∗ ( e ) = { ab } 10 / 25
Examples First order: only use fix : ( o → o ) → o . ◮ fix( λ f . ( a ; f ) + b ) ◮ fix( λ f . a ; b ; fix( λ g . d + ( c ; f ))) Call-by-value versus call-by-name: ◮ e = ( λ x . a ; x ) b − → L ∗ ( e ) = { ab } Non context-free examples: ◮ e ′ = fix( λ f .λ x . ( a ; f ( b ; x ; c ))+ x ) L ∗ ( e ′ d ) = { a n b n dc n | n ≥ 0 } L ω ( e ′ d ) = { a ω } 10 / 25
Recommend
More recommend
![Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model](https://c.sambuz.com/809780/bounded-model-checking-s.jpg)
