MODEL CHECKING FOR DYNAMIC ALLOCATION AND DEALLOCATION Extended Abstract

MODEL CHECKING FOR DYNAMIC ALLOCATION AND DEALLOCATION Extended Abstract Dino Distefano, Arend Rensink, Joost-Pieter Katoen Department of Computer Science, University of Twente P.O. Box 217, 7500 AE Enschede, The Netherlands E-mail: {ddino, rensink, katoen}@cs.utwente.nl Fax: +31-53-4893247 Abstract Allocational Temporal Logic (ATL) is a formalism to express properties concerning the dynamic allocation and de-allocation of entities, such as the objects in an object-based system. The logic is interpreted on History-Dependent Automata, extended with a symbolic representation for certain cases of unbounded allocation. A simple imperative language with primitive statements for (de)allocation, demonstrate the kind of behaviour that can be modelled. A model checking algorithm for ATL is shortly sketched. 1. Introduction One of the aspects of computation that state-of-the-art model checking does not deal with very well is that of dynamic allocation and deallocation (birth and death) of entities. This is especially true if the number of entities is not known beforehand, or even unbounded. Though there are now calculi (such as the π-calculus [7]) that can express the generation of fresh names, as well as models (such as history-dependent automata [8]) that can describe both the birth and the death of entities, what has been missing so far is a logic where these concepts are captured as primitives. An attempt to formulate such a logic is presented in this extended abstract. It is called allocational temporal logic (ATL). The logic is interpreted over so-called high-level allocational Büchi automata (HABA), which extend history-dependent automata [8] with a predicate for the unboundedness of (the number of entities in) a state, and with a (generalised) Büchi acceptance condition. The model-checking problem for ATL is shown to be decidable [4]. Here, we describe informally the 1

2 tableau-based model-checking algorithm. To the best of our knowledge, this yields the first approach to effectively model-check models with an unbounded number of entities. This is of particular interest to e.g. the verification of object-oriented systems in which the number of objects is typically not known in advance and may be even unbounded. Proofs can be found in [4] Related work. History-dependent (HD) automata [8] are the main inspiration for HABAs. The novelty introduced in HABAs is the black hole abstraction that allows us to deal with a possibly unbounded number of entities. Related to ATL, concerning properties of freshness, is the recent Spatial Logic (SL) [2, 1] defined for the Ambient Calculus. In SL fresh means distinct from any name used in the formula and in the model satisfying it. In contrast, in ATL, if an entity is fresh it means that the entity is used in the current state and did not appear previously. There are in principle two approaches to model-checking LTL: the automata-theoretic approach [10] and the tableau method [6]. Our algorithm is strongly based on the latter. Model-checking tools for object-oriented systems are becoming more and more popular (e.g. Bandera [3] and Java PathFinder [5]). However, in the approaches we are aware of, dynamic creation of objects is only supported to a limited extent (the number of created objects must be bounded). 2. Allocational temporal logic Let LVar be a countable set of logical variables ranged over by x, y, z, and Ent be a countable set of entities ranged over by e, e, e 1,.... Allocational Temporal Logic (ATL) is an extension of propositional LTL [9] that allows existential quantification over logical variables that can denote entities, or may be undefined. For x LVar, the syntax of ATL is defined by the following grammar: φ ::= x new x = x x.φ φ φ φ Xφ φ U φ The operators have the following intuitive meaning. Formula x new holds if the entity denoted by x is fresh in the current state. Formula x = y holds if variables x and y denote the same entity in the current state; x = x is violated if x is undefined, i.e., if x does not denote any entity. x.φ is valid in the current state if there exists an entity for which φ holds if assigned to x. X (next) and U (until) are the standard LTL operators. We denote x y for (x = y), x alive for x = x and x dead for x x, while x old for x alive (x new). The other boolean connectives and

the temporal operators F (eventually) and G (always) are derived in the usual way. An allocational sequence σ is an infinite sequence of sets of entities E 0 E 1 E 2 where E i Ent, for i N. Let σ i = E i E i+1. For given σ, Ei σ denotes the set of entities in the i-th state of σ. The semantics of ATL-formulae is defined by satisfaction relation σ, N, θ = φ where σ is an allocational sequence, N E0 σ is the set of entities that is initially new, and θ : LVar Ent is a partial valuation of the free variables in φ. Let Ni σ denote the set of new entities in state i, i.e., N0 σ = N and Ni+1 σ = Eσ i+1 \Eσ i, and let θσ i : LVar Ent denote the valuation at state i, where θi σ(x) = θ(x) if θ(x) Eσ k for all k i, and θσ i is undefined elsewhere. The satisfaction relation = is defined as follows: σ, N, θ = x new iff x dom(θ) and θ(x) N σ, N, θ = x = y iff x, y dom(θ) and θ(x) = θ(y) σ, N, θ = x.φ iff e E0 σ : σ, N, θ{e/x} = φ σ, N, θ = φ iff σ, N, θ φ σ, N, θ = φ ψ iff either σ, N, θ = φ or σ, N, θ = ψ σ, N, θ = Xφ iff σ, N, θ = φ U ψ iff σ 1, N1 σ, θσ 1 = φ i : (σ i, Ni σ, θσ i = ψ and j < i : σ j, Nj σ, θσ j = φ). Here, θ{e/x} is defined as usual, i.e., θ{e/x}(x) = e and θ{e/x}(y) = θ(y) for y x. Example 2.1. Properties concerning dynamic allocation/de-allocation can be formalised in ATL. For example, formula G( x. y. z.(x = y x = z y = z)) asserts that the number of entities that are alive never exceeds 2, while G((F x.x new) x.x(x alive)) states that the number of entities that are alive grows unboundedly. As a more involved example, x alive U y.(y new (x alive U z.(z new y z x alive))) states that before x is deallocated, two new entities will be allocated. In ATL-formulae, entities can only be addressed through logical variables and valuations of variables (i.e., entities) can only be compared in the same state. These observations allow a reallocation of entities from one state to its next state, as long as this is done injectively. For E, E Ent, a reallocation λ from E to E is a partial injective function λ : E E. A folded allocational sequence is an infinite alternating sequence E 0 λ 0 E 1 λ 1, where λ i is a reallocation from E i to E i+1 for i 0. We write λ σ i for the reallocation function of σ in state i. Note that for folded allocational sequence σ, N0 σ = N, and N i+1 σ = Eσ i+1 \cod(λσ i ). Similarly, θ0 σ = θ and θσ i+1 = λσ i θi σ. Thus, entity e is considered to be deallocated if e dom(λ). Using these adapted definitions of N and θ, an alternative satisfaction relation for ATL can be defined in 3

4 terms of folded allocational sequences. Allocational and folded allocational sequences are not fully abstract with respect to the validity of ATL-formulas as several of such sequences may satisfy the same formulae. We therefore consider folded allocational sequences and allocational triple (σ, N, θ) modulo isomorphism. Isomorphic allocational triples satisfy the same set of ATL-formulae. HABA. The following class of automata we introduce are based on Büchi automata and on history-dependent (HD) automata [8]. Let / Ent be a special, distinguished entity, called black hole. Its role will become clear later on. We denote E = E { } for arbitrary E Ent. Furthermore, for E, E 1 Ent, an -reallocation is a partial function λ : E E1 such that λ(e) = λ(e ) e = e for all e, e E and dom(λ) λ( ) =. That is, λ is injective when mapping away from and preserves. Definition 2.2. A High-level Allocational Büchi Automaton (HABA) H is a tuple X, Q, E,, I, F, with X LVar a finite set of logical variables; Q a (possibly infinite) set of states; E : Q 2 Ent B, a function that associates to each state q Q a finite set E q of entities and a predicate B q expressing that there is an unbounded number of entities in q not explicitly modelled by E q ; Q (Ent Ent ) Q, such that for (q, λ, q ), λ is an -reallocation from E q to E q with (i) dom(λ) iff E q = (E, ff) and E q = (E, ff), and (ii) cod(λ) E q = (E, ff); I : Q 2 Ent (X Ent) a partial function yielding for every initial state q dom(i) an initial valuation (N, θ), where N E q is a finite set of entities, and θ : X E q is a partial valuation of the variables in X; F 2 Q a set of sets of accept states. Notational conventions: we write (q, N, θ) I for I(q) = (N, θ) and q λ q for (q, λ, q ). We adopt the generalised Büchi acceptance condition, i.e, ρ = q 0 λ 0 q 1 λ 1 q 2 is a run of HABA H if q i λi q i+1 for all i N and {i q i F } = ω for all F F. Let runs(h) denote the set of runs of H. Predicate B q holds in state q iff the number of entities in q is bounded. An unbounded state q (denoted q ), possesses the distinguished entity that represents all entities that may be added to q (imploded entities). High-level state q thus represents all possible

states obtained from q by adding a finite number of entities to E q. If a transition to state q maps (implodes) entities onto the black hole, these entities cannot be distinguished anymore from there on. Moreover, if q λ q, entities in the black hole are either preserved (if q ), or are destroyed (if q ). The black hole thus allows to abstract from the identity of entities if these are not relevant anymore. A run ρ = q 0 λ 0 q 1 λ 1 of HABA H = X, Q, E,, I, F generates an allocation triple (σ, N, θ), where σ = E 0 λ σ 0 E 1λ σ 1 is a folded allocational sequence, if there is a generator, i.e., a family of functions φ i : E i Eq i satisfying for all i 0: 1 e, e E i. (φ i (e) = φ i (e ) e = e ) 2 E qi cod(φ i ) 3 q i ( e E i : φ i (e) ) 4 λ i φ i = φ i+1 λ σ i 5 e E i+1. (φ i+1 (e) = e cod(λ σ i )) 6 I(q 0 ) = (φ 0 (N), φ 0 θ). Let L(H) = {(σ, N, θ) ρ runs(h) : ρ generates (σ, N, θ)}. Example 2.3. The picture below depicts a HABA with X = {x, y}. Squares denote bounded states, (large) circles denote unbounded states, small circles denote entities, and accept states have a bold boundary. Dashed arrows indicate -reallocations. In initial states, dotted lines represent θ, and filled circles denote new entities. In q 1, variable x denotes (old) entity e 1, while y is undefined. Entity e 3 in state q 2 represents the same entity as e 1 in q 1, while e 1 (in q 2 ) represents a new entity. Run q 1 λ 12 (q 2 λ 22 ) ω generates sequences where the initial entity dies after q 2 q 1 λ e 12 3 the second state, while the new entity created in the second state will be alive x e 1 e1 y λ 14 forever. Run q 1 λ 14 (q 4 λ 44 ) ω generates λ 22 λ 44 sequences where the entity in the initial state dies immediately. Once q 4 is λ 13 e λ 3 33 reached, a new entity e 3 is created at every e 3 q 4 step, and in this run thus the number q 3 e 1 of entities grows unboundedly. 3. Programming allocation and deallocation This section introduces a simple programming language L capturing the essence of allocation and deallocation. It provides an intuition about the setup and the sort of behaviour that can be modelled by HABA. 5

6 For PVar a set of program variables with v, v i PVar and PVar LVar =, the set of statements of L is given by: (p ) L ::= decl v 1,..., v n : (s 1 s k ) (s ) Stat ::= new(v) del(v) v := v skip s; s if b then s else s fi while b do s od (b ) Bexp ::= v = v b b b A program p is a parallel composition of a finite number of statements preceded by the declaration of a finite number of global variables. new(v) creates (i.e., allocates) a new entity that will be referred to by the program variable v. The old value of v is lost. Thus, if v is the only variable that refers to entity e, say, then after the execution of new(v), e cannot be referenced anymore. del(v) destroys (i.e., deallocates) the entity associated to v, and makes v undefined. The assignment v := w passes the reference held by w (if any) to v. Again, the entity v was referring to might become unreferenced (for ever). Example 3.1. The following program, where g(i) = (i+1) mod 4, models the implementation of a naive solution to the dining philosopher problem: DPhil decl v 1, v 2, v 3, v 4 : (P h 1 P h 2 P h 3 P h 4 ) where Ph i while tt do if (v i alive v g(i) alive) then del(v i ); del(v g(i) ); new(v i ); new(v g(i) ) else skip fi od The variables v i and v g(i) represent the left and the right chopstick of philosopher Ph i, respectively. If v i and v g(i) are defined 1, then the chopsticks are on the table. Taking the chopsticks from the table is represented by destroying the corresponding entities, while putting the chopsticks back on the table is modelled by creating new entities. Some properties that can possibly be satisfied by this program, stated in ATL, are: F( x.x dead), stating that eventually two philosophers will eat at the same time; F( x. y.(x = y)), expressing that eventually there is only one chopstick on the table (an inconsistency); or G( x. y. z.(x old y old z old (x = y x = z y = z))), expressing that among the philosophers there exists a greedy impostor who always eats and never thinks (an unfair computation).

7 while new := {{v 1 }} {v 1 } {v 1, v 2 } := {v 1, v 2 } {v 2 } new {{v 1 }, {v 2 }} {{v 1, v 2 }} id 1 while {{v 1, v 2 }} {v 1 } {v 1, v 2 } {v 2 } {v 1, v 2 } {v 2 } id := while 2 new {{v 1 }, {v 2 }, } {{v 1, v 2 }, } {{v 1, v 2 }, } := v 2 := v 1 ; while while while tt do new(v 1 ); v 2 := v 1 od new new(v 1 ); v 2 := v 1 ; while {v 1 } {v1, v 2 } {v 2 } id 1 = {v 1, v 2 } {v 1, v 2 } id 2 = ({v 1, v 2 } {v 1, v 2 }, ) Figure 1. Semantics for p Example 3.2. Consider the following L program p decl v 1, v 2 : while tt do new(v 1 ); v 2 := v 1 od Figure 1 depicts the p operational semantics in terms of HABA. Entities in a state are represented by partitions of the program variables (every partition corresponds to an entity). Variables in the same partition refer to the same entity. As a convention, if is among these partitions the state is unbounded (i.e, we identify by ). Note how by using black hole abstraction and -reallocations, the automaton implodes in a finite state one although the number of entities grows unboundedly. In [4], a symbolic semantics for the language L is defined using HABA and it is shown to be always finite state. 4. Model-checking ATL In this section, we sketch an algorithm, defined in [4] for modelchecking ATL formulae against a HABA. The algorithm extends the tableau method for LTL [6] to ATL. Valuations. ATL-formulae are evaluated on states of a HABA by mapping the free variables of the formula to entities of the state. Any such mapping resolves all basic propositions: x new (a freshness proposition) and x = y (entity equation proposition). In turn, the basic propositions determine the validity of arbitrary formulae. There is, however, a fundamental obstacle to this principle. For variables (of the formula 1 Again, here we use the notation v alive standing for v = v.

8 in question) that are mapped to the black hole, entity equations are not resolved, since it is not clear whether the variables are mapped to distinct entities that have imploded into the black hole, or to the same one. To deal with this difficulty, we introduce an intermediate layer in the evaluation of the formula on the state. This additional layer consists of a partial partitioning of the free variables. An entity equation is then resolved by the question whether the equated variables are in the same partition. Closure. Along the lines of [6], we associate to each state q of a HABA sets of valuations, specifically aimed at establishing the validity of a given formula φ. We first collect all ATL-formulae whose validity is possibly relevant to the validity of φ into the so-called closure of φ. Tableau graph. We then construct a graph whose nodes, called atoms, are built from states of a HABA, valuations of formulae from the closure, and a bound on the number of entities that are imploded into the black hole. This last number is particularly important in the construction of the transition between atoms. The transitions of the graph take into account the corresponding -reallocation on the transition of the original HABA H. If H is finite-state, then the graph can be effectively constructed: the set of atoms is finite for every given state. Allocational path. Informally, an allocational path through a tableau graph is an infinite sequence of atoms and transitions (labelled by - reallocations), where the state of the atoms correspond to a run of the HABA such that all until -subformulae in any of the atoms are satisfied somewhere further down the sequence. An allocational path that correspond to a run that satisfies a formula φ is called fulfilling path. There exists a correspondence between the fulfilment of a formula by a path and the presence of that formula in the initial atom of the path. This observation is crucial for the proof of the decidability of the model checking problem for ATL. Furthermore, there is a correspondence between the satisfiability of a formula in the HABA and the existence of a fulfilling path in the tableau graph. The machinery briefly sketched here, together with some rather standard theory, is sufficient to prove the following result stating in essence that the model-checking problem for ATL over HABA is decidable [4]. Theorem 4.1. For any HABA H and formula φ, it is decidable whether or not H φ.

5. Future work In the future we plan to investigate the use of HABA for the definition of the semantics of more realistic OOP languages. The first step would be the definition of automata where entities can reference each other. Another (long term) open research question that need further investigations is satisfiability of ATL. Similarly, it would be interesting to develop a proof theory for ATL, as well as, to explore a possible embedding of LTL in ATL. References [1] L. Caires and L. Cardelli. A spatial logic for concurrency (part I). In TACS 01, LNCS 2255, pp. 1 37, Springer, 2001. [2] L. Cardelli and A. D. Gordon. Logical properties of name restriction. In TLCA 01, LNCS 2044, pp. 46 60, Springer, 2001. [3] J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, and H. Zheng. Bandera: Extracting finite-state models from Java source code. In ICSE 00, pp. 439 448, IEEE CS Press, 2000. [4] D. Distefano, A. Rensink, J.-P. Katoen. Model Checking for dynamic Allocation and Deallocation. Technical report TR-01-40, University of Twente, 2001. [5] K. Havelund and T. Pressburger. Model checking Java programs using Java PathFinder. Int. J. on Software Tools for Technology Transfer, 2(4):366 381, 2000. [6] O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In POPL 85, pp. 97 107, ACM Press, 1985. [7] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes (part I and II). Inf. & Comp., 100(1): 1-77, 1992. [8] U. Montanari and M. Pistore. An introduction to history-dependent automata. Electr. Notes in Th. Comp. Sci., 10, 1998. [9] A. Pnueli. The temporal logic of programs. In FOCS 77, pp. 46 57, IEEE CS Press, 1977. [10] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In LICS 86, pp. 332 344, IEEE CS Press, 1986. 9