
Tree Automata, Approximations, and Constraints for Verification. Tree PDF

221 Pages·2017·3.88 MB·English

Preview Tree Automata, Approximations, and Constraints for Verification. Tree

Doctoral Thesis, Doctoral School of Engineering Sciences and Microtechnologies, Université de Franche-Comté, No. 666

Thesis presented by Vincent HUGOT to obtain the degree of Doctor of the Université de Franche-Comté. Speciality: Computer Science.

Tree Automata, Approximations, and Constraints for Verification: Tree (Not-Quite) Regular Model-Checking

Defended on 27 September 2013 before the jury:
  Philippe SCHNOEBELEN, Reviewer, Research Director, CNRS
  Jean-Marc TALBOT, Reviewer, Professor at the Université d'Aix-Marseille
  Pierre-Cyrille HÉAM, Co-supervisor, Professor at the Université de Franche-Comté
  Olga KOUCHNARENKO, Thesis supervisor, Professor at the Université de Franche-Comté
  Florent JACQUEMARD, Examiner, Research Fellow (HDR), INRIA
  Jean-François RASKIN, Examiner, Professor at the Université libre de Bruxelles
  Sophie TISON, Examiner, Professor at the Université de Lille

Version of the document: 8c9c3, dated 2013-06-21 01:26:43+02:00, compiled on June 21, 2013.

Table of Contents

Part I: Motivations and Preliminaries
1 Formal Tools for Verification
  1.1 Model-Checking: Simple, Symbolic & Bounded
  1.2 Regular Model-Checking
  1.3 Tree Automata in Verification
  1.4 Outline and Contributions
2 Some Technical Preliminaries
  2.1 Pervasive Notions and Notations
  2.2 Ranked Alphabets, Terms, and Trees
  2.3 Term Rewriting Systems
  2.4 Bottom-Up Tree Automata
  2.5 Tree Automata With Global Constraints
  2.6 Decision Problems and Complexities

Part II: Semi-Deciding LTL over Rewrite Sequences
3 Term Rewriting for Model-Checking
  3.1 On the Usefulness of Rewriting for Verification
  3.2 Reachability Analysis for Term Rewriting
    3.2.1 Preservation of Regularity Through Forward Closure
    3.2.2 Tree Automata Completion Algorithm
    3.2.3 Exact Behaviours of Completion
    3.2.4 One-Step Rewriting, and Completion
    3.2.5 The Importance of Being Left-Linear
    3.2.6 One-Step Rewriting, and Constraints
4 Semi-Deciding LTL on Rewrite Sequences
  4.1 Preliminaries & Problem Statement
    4.1.1 Rewrite Words & Maximal Rewrite Words
    4.1.2 Defining Temporal Semantics on Rewrite Words
    4.1.3 Rewrite Propositions & Problem Statement
  4.2 Technical Groundwork: Antecedent Signatures
    4.2.1 Overview & Intuitions
    4.2.2 Choosing a Suitable Fragment of LTL
    4.2.3 Girdling the Future: Signatures
  4.3 From Temporal Properties to Rewrite Propositions
  4.4 Generating a (Semi-)Decision Procedure
    4.4.1 Juggling Assumptions and Expressive Power
    4.4.2 Optimisation of Rewrite Propositions
  4.5 Examples & Discussion of Applicability
    4.5.1 Examples: Three Derivations
    4.5.2 Coverage of Temporal Specification Patterns
    4.5.3 Encodings: Java Byte-Code, Needham–Schroeder & CCS
  4.6 Conclusions & Perspectives

Part III: Decision Problems for Tree Automata with Global Constraints
5 A Brief History of Constraints
  5.1 Tree Automata With Positional Constraints
    5.1.1 The Original Proposal
    5.1.2 A Stable Superclass With Propositional Constraints
    5.1.3 Constraints Between Brothers
    5.1.4 Reduction Automata
    5.1.5 Reduction Automata Between Brothers
  5.2 Tree Automata With Global Constraints
    5.2.1 Generalisation to Propositional Constraints and More
    5.2.2 Rigid Tree Automata
  5.3 Synthetic Taxonomy of Automata With Constraints
  5.4 Notations: Modification of an Automaton
6 Bounding the Number of Constraints
  6.1 The Emptiness & Finiteness Problems
  6.2 The Membership Problem
  6.3 A Strict Hierarchy
  6.4 Summary and Conclusions
7 SAT Encodings for TAGED Membership
  7.1 Propositional Encoding
  7.2 Complexity and Optimisations
  7.3 Implementation and Experiments
    7.3.1 Experimental Results
    7.3.2 The Tool: Inputs and Outputs
  7.4 Conclusions

Part IV: Decision Problems for Tree-Walking Automata
8 Tree Automata for XML
  8.1 Tree-Walking Automata
  8.2 Abstracting Away Unranked Trees
    8.2.1 Unranked Trees and Their Automata
    8.2.2 Document Type Definitions (DTD)
    8.2.3 Binarisation of Trees and Automata
  8.3 Queries, Path Expressions, and Their Automata
    8.3.1 Logic-based Queries
    8.3.2 (Core) XPath: a Navigational Language
    8.3.3 Caterpillar Expressions
  8.4 The Families of Tree-Walking Automata
    8.4.1 Basic Tree-Walking Automata
    8.4.2 Nested Tree-Walking Automata
9 Loops and Overloops: Effects on Complexity
  9.1 Introduction
  9.2 Loops, Overloops and the Membership Problem
    9.2.1 Defining, Classifying and Computing Loops
    9.2.2 A Direct Application of Loops to Membership Testing
    9.2.3 From Loops to Overloops
  9.3 Transforming TWA into equivalent BUTA
    9.3.1 Two Variants: Loops and Overloops
    9.3.2 Overloops: Deterministic Size Upper-Bound
  9.4 A Polynomial Over-Approximation for Emptiness
  9.5 Experimental Results
    9.5.1 Evaluating the Approximation's Effectiveness
    9.5.2 Overloops Yield Smaller BUTA
    9.5.3 Demonstration Software
  9.6 Conclusions

Part V: Summary and Perspectives
10 Summary and Future Works
  10.1 Summary of Contributions
  10.2 Future Works & Perspectives
11 Appendix
  11.1 More Relatives of Automata With Constraints
    11.1.1 Directed Acyclic Ordered Graph Automata
    11.1.2 Tree Automata With One Memory
  11.2 More Relatives of Tree-Walking Automata
    11.2.1 Tree-Walking Pebble Automata
    11.2.2 Tree-Walking Invisible Pebble Automata
    11.2.3 Tree-Walking Marbles Automata
    11.2.4 Tree-Walking Set-Pebble Automata
    11.2.5 Alternating Tree-Walking Automata

List of Figures
  1.1 Tree representation of "Star Trek" XML document.
  2.1 Reading dependencies between chapters.
  2.2 Automata, their closure properties and decision complexities.
  2.3 Decision problems: inputs and outputs.
  3.1 Executions of a rewrite system satisfying □(X ⇒ •Y).
  3.2 Forward-closure regularity-preserving classes of TRS.
  4.1 LTL semantics on maximal rewrite words.
  4.2 Building signatures on A-LTL.
  4.3 Partially supported patterns from [Dwyer, Avrunin & Corbett, 1999].
  5.1 A taxonomy of automata, with or without constraints.
  6.1 Reduction of intersection-emptiness: the language.
  6.2 Housings: affecting a similarity class to each group.
  7.1 CNF solving time, laboratory example.
  7.2 CNF solving time, L=, for accepted and rejected terms.
  7.3 Input syntax of the membership tool: automaton and term.
  7.4 Example LaTeX output of the tool (cf. Fig. 7.3).
  9.1 Uniform random TWA: emptiness tests.
  9.2 Uniform random TWA: size results.
  11.1 TA1M: capabilities of transitions in the literature.

Part I: Motivations and Preliminaries

Chapter 1: Formal Tools for Verification

Contents: 1.1 Model-Checking: Simple, Symbolic & Bounded; 1.2 Regular Model-Checking; 1.3 Tree Automata in Verification; 1.4 Outline and Contributions.

Where we are reminded that bugs are bad, and that formal methods are good.

Ariane 5's 1996 maiden flight 501 enjoys the dubious distinction of being remembered as one of the most expensive fireworks displays in the history of mankind. Yet its most striking feature lies not in the spectacular character of the failure, but in how it came to pass. The cause was not a structural flaw of the rocket, but a software bug. The ruinous error lay in a single line of Ada code in the inertial navigation system, a fairly simple conversion from 64-bit to 16-bit that should have checked for overflows but did not. Misled by erroneous navigation data, the rocket veered hopelessly off course, and self-destructed. There may be imponderables in rocket design, but that was not one of them.

The range check had actually been deliberately deactivated for this conversion, as a performance optimisation made under the belief that there was an ample margin of error. This may have been true for Ariane 4, from which the navigation system was copied directly, but the greater acceleration of Ariane 5 turned out to be beyond the scope of the 16-bit variable. Not all individual software bugs cost a few hundred million to one billion dollars, as did flight 501, but they are pervasive and the costs accrue over time. However, there is no intrinsic difference between (mostly) harmless, everyday bugs and catastrophic ones, as a quick look at some of the most publicised incidents shows. Similar to the Ariane 5 incident is the loss of the Mariner I space probe in 1962: an error in some rarely-used part of the navigation software of the Atlas-Agena rocket resulted in the unrecoverable failure of its guidance system. The Phobos I probe, on the other hand, was launched successfully in 1988, but a malformed command sent from earth forced the unexpected execution of a test routine that was supposed to be dead code. The year 1999 saw the loss of two probes to software errors: the Mars Climate Orbiter likely disintegrated in Mars's atmosphere because the ground-control computer was using imperial units while the probe itself used metric units; the Mars Polar Lander nearly made it to the ground, but invalid touchdown detection logic prompted it to cut thrusters 40 meters above the ground. After a decade of loyal services, the Mars Global Surveyor was lost in 2006 because of an error causing data to be written in the wrong memory address.

[Margin note: The Cost of Software Bugs. A study conducted by the NIST in 2002 concluded that software bugs cost the US economy about $59 billion each year, or about 0.6% of the GDP. A 2013 Cambridge University study estimated a global annual cost of $312 billion... for the constant debugging activity alone.]

In the medical domain, the Therac-25 radiation therapy machine is infamous for having killed three patients and balefully irradiated at least three others between 1985 and 1987. Its predecessor, the Therac-20, used a mechanical safety interlock that prevented the high-powered electron beam from being used directly. The Therac-25 used a software interlock instead, which a race condition could disable if the machine's operator was fast enough. Another race condition, this time in the alarm routines of a XA/21 energy management system, escalated what was a minor power failure into the USA & Canada Northeast blackout of 2003, depriving 55 million people of electricity for up to two days. In 1991, a MIM-104 Patriot anti-ballistic battery correctly detected an incoming Al-Hussein missile, but after 100 hours in operation, cumulative rounding errors had caused its internal software clock to drift by one third of a second; using this erroneous time to predict the missile's trajectory yielded an error of about 600 meters. Unopposed, the missile hit its mark, killing 28 soldiers.

Range checks, race conditions, access to dead code, dimensional clashes, clock synchronisation problems... Despite their dramatic consequences, those are all perfectly mundane bugs of the same kinds that plague desktop computers on a daily basis, from word processors to card games. But when software controls rockets, missiles, or any sort of critical equipment, bugs are more than mere annoyances. Increasingly, sophisticated software replaces simpler mechanical systems and specialised circuits. Embedded systems are everywhere, from pocket watches to microwave ovens to phones to cars to planes to rockets.

[Margin note: Total Recall. In 2010, Toyota recalled 133000 Prius hybrids and 14500 Lexus hybrids. In 2004–05, Mercedes recalled almost two million SL500 and E-Class vehicles. Both cases were warranted by faults in the braking software.]

But regardless of what it is that the software controls, preventing, handling and fixing bugs is not rocket science, but computer science. There are many approaches dedicated to the end-goal of reliable software; this thesis only concerns itself with the field of verification (or formal methods), whose aims can be broadly defined as proving that a given piece of software or hardware is correct with respect to a given specification. The rise of embedded systems not only makes such methods more necessary than ever, but also contributes to create a "target-rich" environment for the field. The high cost of formal methods is indeed offset by the much higher cost of bugs in embedded systems: even if a bug is caught in time and causes no damage, recalling and fixing entire lines of products is prohibitively expensive. Furthermore, embedded systems are often smaller and more specialised than modern desktop software, which makes them easier to specify and to check. Thus the current technological advances provide a strong impetus for software verification. That field is quite vast, however; this chapter provides a very succinct and mostly informal overview of the techniques and traditions within which our work is inscribed.

1.1 Model-Checking: Simple, Symbolic & Bounded

One of the first approaches to program verification is Hoare logic, introduced in [Hoare, 1969] and further refined by many other researchers, notably Floyd and Dijkstra. The basic idea is to enclose a program code C between two assertions p
