On Higher-Order Program Verification and Two Notions of Higher-Order Model Checking - PowerPoint PPT Presentation


  1. On Higher-Order Program Verification and Two Notions of Higher-Order Model Checking
     Naoki Kobayashi, University of Tokyo
     Summaries of papers from POPL09, POPL17 (joint work with Etienne Lozes, Florian Bruse), and more recent work (joint work with Takeshi Tsukada and Keiichi Watanabe)

  2. Two Notions of Higher-Order Model Checking
     Models / Logic:
     - finite state model checking: finite state systems / modal µ-calculus

  3. Two Notions of Higher-Order Model Checking
     Models / Logic:
     - finite state model checking: finite state systems / modal µ-calculus
     - higher-order model checking (HORS): higher-order recursion schemes (HORS) [Knapik+ 01; Ong 06] / modal µ-calculus
       Useful for modeling a certain class of infinite state systems (such as higher-order functional programs)

  4. Two Notions of Higher-Order Model Checking
     Models / Logic:
     - finite state model checking: finite state systems / modal µ-calculus
     - higher-order model checking (HORS): higher-order recursion schemes (HORS) [Knapik+ 01; Ong 06] / modal µ-calculus
     - higher-order model checking (HFL): finite state systems / higher-order modal fixpoint logic (HFL) [Viswanathan&Viswanathan 04]
       Useful for describing non-regular properties

  5. Two Notions of Higher-Order Model Checking
     Models / Logic / Applications:
     - finite state model checking: finite state systems / modal µ-calculus
     - higher-order model checking (HORS): higher-order recursion schemes (HORS) [Knapik+ 01; Ong 06] / modal µ-calculus
       Applied to verification of higher-order programs [K09][K+11]...
     - higher-order model checking (HFL): finite state systems / higher-order modal fixpoint logic (HFL) [Viswanathan&Viswanathan 04]
       Applied to verification of concurrent systems [VV 04][Lange+ 14]

  6. This Talk
     Diagram connecting higher-order program verification, HORS model checking and HFL model checking:
     - Higher-order program verification → HORS model checking [K, POPL09]
     - Higher-order program verification → HFL model checking [K&Tsukada&Watanabe, draft]
     - HORS model checking ↔ HFL model checking [K&Lozes&Bruse, POPL17]

  7. Outline
     - Reviews of HORS model checking and HFL model checking
       – HORS model checking
       – HFL model checking
     - From program verification to HORS model checking
     - Conversion between HORS/HFL model checking
     - From program verification to HFL model checking
     - Conclusion

  8. Higher-Order Recursion Scheme (HORS)
     - Grammar for generating an infinite tree
     Order-0 HORS (regular tree grammar):
       S → a c B
       B → b S

  9. Higher-Order Recursion Scheme (HORS)
     - Grammar for generating an infinite tree
     Order-0 HORS (regular tree grammar):
       S → a c B
       B → b S
     Rewriting from S:
       S → a c B → a c (b S) → a c (b (a c B)) → ...
     The generated tree is a(c, b(a(c, b(a(c, ...))))).

  10. Higher-Order Recursion Scheme (HORS)
     - Grammar for generating an infinite tree
     Order-1 HORS:
       S → A c
       A x → a x (A (b x))
       S: o, A: o → o

  11. Higher-Order Recursion Scheme (HORS)
     - Grammar for generating an infinite tree
     Order-1 HORS:
       S → A c
       A x → a x (A (b x))
       S: o, A: o → o
     Rewriting from S:
       S → A c → a c (A (b c)) → a c (a (b c) (A (b (b c)))) → ...
     Tree whose paths are labeled by a^{m+1} b^m c

  12. Higher-Order Recursion Scheme (HORS)
     - Grammar for generating an infinite tree
     Order-1 HORS:
       S → A c
       A x → a x (A (b x))
       S: o, A: o → o
     HORS ≈ call-by-name simply-typed λ-calculus + recursion + tree constructors

  13. HORS Model Checking
     Given G: HORS and A: alternating parity tree automaton (APT) (a formula of modal µ-calculus or MSO), does A accept Tree(G)?
     e.g.
     - Does every finite path of Tree(G) end with "c"?
     - Does "a" occur below "b" in Tree(G)?
     k-EXPTIME-complete for order-k HORS [Ong, LICS06] (a tower 2^(2^(...^p(x))) of k exponentials), but practical algorithms exist.

  14. HORS Model Checking as Generalization of Finite State/Pushdown Model Checking
     - order-0 ≈ finite state model checking
     - order-1 ≈ pushdown model checking
     infinite tree ≈ transition system
     Does "a" occur below "b"? (in the tree)  ≈  Is there a transition sequence in which "a" occurs after "b"? (in the transition system)

  15. HORS Model Checking as Generalization of Finite State/Pushdown Model Checking
     - order-0 ≈ finite state model checking
     - order-1 ≈ pushdown model checking
     infinite tree ≈ (infinite-state) transition system
     Does "a" occur below "b"? (in the tree)  ≈  Is there a transition sequence in which "a" occurs after "b"? (in the transition system)

  16. Outline
     - Reviews of HORS model checking and HFL model checking
       – HORS model checking
       – HFL model checking
     - From program verification to HORS model checking
     - Conversion between HORS/HFL model checking
     - From program verification to HFL model checking
     - Conclusion

  17. Higher-Order Modal Fixpoint Logic (HFL) [Viswanathan&Viswanathan 04]
     - Higher-order extension of the modal µ-calculus
       ϕ ::= true
           | ϕ1 ∧ ϕ2
           | ϕ1 ∨ ϕ2
           | [a]ϕ        ϕ must hold after a
           | <a>ϕ        ϕ may hold after a
           | X           propositional variable
           | µX.ϕ        least fixpoint
           | νX.ϕ        greatest fixpoint

  18. Higher-Order Modal Fixpoint Logic (HFL) [Viswanathan&Viswanathan 04]
     - Higher-order extension of the modal µ-calculus
       ϕ ::= true
           | ϕ1 ∧ ϕ2
           | ϕ1 ∨ ϕ2
           | [a]ϕ        ϕ must hold after a
           | <a>ϕ        ϕ may hold after a
           | X           predicate variable
           | µX^κ.ϕ      least fixpoint
           | νX^κ.ϕ      greatest fixpoint
           | λX^κ.ϕ      (higher-order) predicate
           | ϕ1 ϕ2       application
       κ ::= • | κ1 → κ2

  19. Selected Typing Rules for HFL

       Γ ⊢ true : •

       Γ ⊢ ϕ : •
       −−−−−−−−−−−−−
       Γ ⊢ [a]ϕ : •

       Γ ⊢ ϕ : •    Γ ⊢ ψ : •
       −−−−−−−−−−−−−−−−−−−−−−−
       Γ ⊢ ϕ ∧ ψ : •

       Γ, X: κ ⊢ X : κ

       Γ, X: κ1 ⊢ ϕ : κ2
       −−−−−−−−−−−−−−−−−−−−
       Γ ⊢ λX.ϕ : κ1 → κ2

       Γ, X: κ ⊢ ϕ : κ
       −−−−−−−−−−−−−−−−
       Γ ⊢ µX.ϕ : κ

       Γ ⊢ ϕ : κ1 → κ2    Γ ⊢ ψ : κ1
       −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
       Γ ⊢ ϕ ψ : κ2

  20. Semantics
     [ϕ]_I : the set of states that satisfy ϕ
     L |= ϕ  ⟺  s_init ∈ [ϕ]_∅    (s_init: initial state of L)
       [true]_I     = States
       [ϕ ∧ ψ]_I    = [ϕ]_I ∩ [ψ]_I
       [ϕ ∨ ψ]_I    = [ϕ]_I ∪ [ψ]_I
       [[α]ϕ]_I     = {s | ∀t. (s →α t implies t ∈ [ϕ]_I)}
       [<α>ϕ]_I     = {s | ∃t. (s →α t and t ∈ [ϕ]_I)}
       [µX^κ.ϕ]_I   = lfp(λx ∈ [κ]. [ϕ]_{I{X=x}})
       [νX^κ.ϕ]_I   = gfp(λx ∈ [κ]. [ϕ]_{I{X=x}})
       [λX^κ.ϕ]_I   = λx ∈ [κ]. [ϕ]_{I{X=x}}
       [ϕ ψ]_I      = [ϕ]_I [ψ]_I
       [X]_I        = I(X)
       [•]          = 2^States
       [κ1 → κ2]    = {f ∈ [κ1] → [κ2] | f monotonic}

  21. Example
     (µF^{•→•→•}. λX. λY. (X ∧ Y) ∨ F (<a>X) (<b>Y)) P Q
       = (P ∧ Q) ∨ (µF^{•→•→•}. λX. λY. (X ∧ Y) ∨ F (<a>X) (<b>Y)) (<a>P) (<b>Q)
       = (P ∧ Q) ∨ (<a>P ∧ <b>Q) ∨ (<a><a>P ∧ <b><b>Q) ∨ ...
     i.e. for some n, <a>^n P and <b>^n Q hold.

  22. HFL Model Checking
     Given L: (finite-state) labeled transition system and ϕ: HFL formula, does L satisfy ϕ?
     e.g. L |= ϕ for:
       L: a labeled transition system with actions a, b, c, d (drawn on the slide)
       ϕ: (µF. λX. λY. (X ∧ Y) ∨ F (<a>X) (<b>Y)) (<c>true) (<d>true)

  23. HES (Hierarchical Equation Systems) Representation of HFL Formulas
     X1 =_{α1} ϕ1; ...; Xn =_{αn} ϕn    (αi ∈ {µ, ν})
     Example:
       HFL: νX. µY. (<a>X ∨ <b>Y)    (there exists a path (b*a)^ω)
       HES: X =_ν Y; Y =_µ <a>X ∨ <b>Y
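The semantics on slide 20, the order-1 fixpoint example on slides 21 and 22, and the HES example on slide 23, evaluated over a small LTS as an added Python example (not code from the talk). It handles order-1 HFL only (λ-bound variables of type •), which covers both formulas; the four-state LTS with actions a, b, c, d is constructed here and is not the one drawn on slide 22.

```python
from itertools import combinations

# Constructed LTS (not the one on slide 22): states 0..3; a: 0->1, 1->1; b: 0->2, 2->2; c: 1->3; d: 2->3.
STATES = frozenset(range(4))
TRANS = {"a": {(0, 1), (1, 1)}, "b": {(0, 2), (2, 2)}, "c": {(1, 3)}, "d": {(2, 3)}}
SUBSETS = [frozenset(c) for n in range(len(STATES) + 1)      # [•] = 2^States
           for c in combinations(sorted(STATES), n)]

def extreme(kappa, top):
    """Least (top=False) or greatest element of [kappa]; arguments are base-typed."""
    if kappa == "o":
        return STATES if top else frozenset()
    assert kappa[1] == "o", "order-1 HFL only: lambda-bound variables have type •"
    return {x: extreme(kappa[2], top) for x in SUBSETS}

def sem(phi, env):
    """[phi]_env following slide 20; a function is a table indexed by elements of [•]."""
    op = phi[0]
    if op == "true": return STATES
    if op == "var":  return env[phi[1]]
    if op == "and":  return sem(phi[1], env) & sem(phi[2], env)
    if op == "or":   return sem(phi[1], env) | sem(phi[2], env)
    if op in ("box", "dia"):                     # [a]phi  /  <a>phi
        post, edges = sem(phi[2], env), TRANS[phi[1]]
        succ = lambda s: {t for (u, t) in edges if u == s}
        return frozenset(s for s in STATES
                         if (succ(s) <= post if op == "box" else succ(s) & post))
    if op == "lam":
        assert phi[2] == "o", "order-1 HFL only"
        return {v: sem(phi[3], {**env, phi[1]: v}) for v in SUBSETS}
    if op == "app":  return sem(phi[1], env)[sem(phi[2], env)]
    # mu / nu: Kleene iteration from bottom / top; finite lattice + monotonic body => lfp / gfp
    cur = extreme(phi[2], top=(op == "nu"))
    while True:
        nxt = sem(phi[3], {**env, phi[1]: cur})
        if nxt == cur:
            return cur
        cur = nxt

V = lambda x: ("var", x); D = lambda a, p: ("dia", a, p)
KAPPA_F = ("->", "o", ("->", "o", "o"))          # • -> • -> •
# Slide 22: (mu F. lam X. lam Y. (X and Y) or F (<a>X) (<b>Y)) (<c>true) (<d>true)
F_DEF = ("mu", "F", KAPPA_F, ("lam", "X", "o", ("lam", "Y", "o",
    ("or", ("and", V("X"), V("Y")),
           ("app", ("app", V("F"), D("a", V("X"))), D("b", V("Y")))))))
PHI_22 = ("app", ("app", F_DEF, D("c", ("true",))), D("d", ("true",)))
# Slide 23: nu X. mu Y. (<a>X or <b>Y): some path is labeled (b*a)^omega
PHI_23 = ("nu", "X", "o", ("mu", "Y", "o", ("or", D("a", V("X")), D("b", V("Y")))))

def models(phi, init=0):
    """L |= phi  iff  s_init is in [phi]_{}  (slide 20)."""
    return init in sem(phi, {})
```

On this LTS the slide-22 formula holds at the initial state 0 (one a-step reaches a c-capable state and one b-step reaches a d-capable state), and the slide-23 formula holds exactly at states 0 and 1, the only ones from which an a-loop is reachable.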

  24. HORS vs HFL model checking
     - HORS model checking: model = HORS; spec. = APT; complexity = k-EXPTIME complete (for order-k HORS); applications = automated verification of functional programs [K 09][K+11]...
     - HFL model checking: model = LTS; spec. = HFL; complexity = k-EXPTIME complete (for order-k HFL); applications = assume-guarantee reasoning [VV 04], process equivalence checking [Lange+ 14]
     APT: alternating parity tree automaton; LTS: finite-state labeled transition system

  25. This Talk
     Diagram connecting higher-order program verification, HORS model checking and HFL model checking:
     - Higher-order program verification → HORS model checking [K, POPL09]
     - Higher-order program verification → HFL model checking [K&Tsukada&Watanabe, draft]
     - HORS model checking ↔ HFL model checking [K&Lozes&Bruse, POPL17]

  26. This Talk
     Diagram connecting higher-order program verification, HORS model checking and HFL model checking:
     - Higher-order program verification → HORS model checking [K, POPL09]
     - Higher-order program verification → HFL model checking [K&Tsukada&Watanabe, draft]
     - HORS model checking ↔ HFL model checking [K&Lozes&Bruse, POPL17]: Tree(G) |= ϕ ?

  27. From Program Verification to HORS Model Checking [K. POPL 2009]
     Higher-order program + specification (on events or output)
       → Program Transformation →
     HORS G (describing all event sequences or outputs) + tree property ϕ (describing valid event sequences or outputs)
       → HORS Model Checking

  28. From Program Verification to Model Checking: Example
     Program:
       let f x = if ∗ then close(x) else (read(x); f x)
       in let y = open "foo" in f (y)
     HORS:
       S → F d
       F x k → + (c k) (r (F x k))
     Tree(G): a + node with children c and r; below r, again a + node with children c and r; and so on.
     Is the file "foo" accessed according to read* close?  ⟺  Is each path of the tree labeled by r* c?

  29. From Program Verification to Model Checking: Example
     Program:
       let f x = if ∗ then close(x) else (read(x); f x)
       in let y = open "foo" in f (y)
     HORS (CPS transformation!):
       S → F d
       F x k → + (c k) (r (F x k))
       k: continuation parameter, expressing how "foo" is accessed after the call returns
     Tree(G): a + node with children c and r; below r, again a + node with children c and r; and so on.
     Is the file "foo" accessed according to read* close?  ⟺  Is each path of the tree labeled by r* c?
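The HORS unfolding of slides 8 to 12 and the file-access example of slides 28 and 29, worked through as an added Python example (not code from the talk): a call-by-name unfolder computes a finite prefix of Tree(G) and the path property is checked on it. Assumption: the slide's extra file parameter x of F is dropped, so the rule becomes F k → + (c k) (r (F k)) and S → F d is well-formed; the terminal d marks the end of the program.

```python
import re
from typing import Dict, List, Tuple

# A term is a nested tuple (head, arg1, ...): head is a terminal (lowercase),
# a nonterminal (a key of the rule table) or a variable bound by a rule.
Term = tuple
Rules = Dict[str, Tuple[List[str], Term]]          # N -> (parameters, body)

def subst(t: Term, env: Dict[str, Term]) -> Term:
    head, *args = t
    args = [subst(a, env) for a in args]
    return (*env[head], *args) if head in env else (head, *args)

def head_normal(t: Term, rules: Rules) -> Term:
    """Rewrite at the root (call-by-name) until a terminal is exposed."""
    while t[0] in rules:
        params, body = rules[t[0]]
        if len(t) - 1 < len(params):
            raise ValueError(f"{t[0]} is under-applied in {t}")
        bound, extra = t[1:1 + len(params)], t[1 + len(params):]
        t = (*subst(body, dict(zip(params, bound))), *extra)
    return t

def unfold(t: Term, rules: Rules, depth: int) -> Term:
    """Finite prefix of Tree(G): terminal nodes down to `depth`, '?' where cut."""
    if depth == 0:
        return ("?",)
    head, *args = head_normal(t, rules)
    return (head, *[unfold(a, rules, depth - 1) for a in args])

def paths(t: Term) -> List[str]:
    """Label strings of all root-to-leaf paths of a finite prefix."""
    head, *args = t
    return [head] if not args else [head + p for a in args for p in paths(a)]

def complete_paths(rules: Rules, depth: int) -> List[str]:
    """Paths from S that reach a real leaf (not a '?' cut) within `depth`."""
    return sorted(p for p in paths(unfold(("S",), rules, depth)) if not p.endswith("?"))

# Order-1 HORS of slide 10: S -> A c,  A x -> a x (A (b x)).  Paths: a^{m+1} b^m c.
ORDER1 = {"S": ([], ("A", ("c",))),
          "A": (["x"], ("a", ("x",), ("A", ("b", ("x",)))))}

# HORS of slide 28. Assumption: the unused file parameter x is dropped so that
# S -> F d is well-formed; the terminal 'd' marks the end of the program.
FILE = {"S": ([], ("F", ("d",))),
        "F": (["k"], ("+", ("c", ("k",)), ("r", ("F", ("k",)))))}

def read_star_close(rules: Rules, depth: int) -> bool:
    """'+' is a branch, so every complete path (with '+' removed) must read r* c d."""
    return all(re.fullmatch(r"r*cd", p.replace("+", "")) for p in complete_paths(rules, depth))
```

Paths that end in '?' were cut by the depth bound and are not judged, so a deeper prefix never changes the verdict on paths already complete.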
