Software Model Checking Using Languages of Nested Trees

While model checking of pushdown systems is by now an established technique in software verification, temporal logics and automata traditionally used in this area are unattractive on two counts. First, logics and automata traditionally used in model checking cannot express requirements such as pre/post-conditions that are basic to analysis of software. Second, unlike in the finite-state world, where the mu-calculus has a symbolic model-checking algorithm and serves as an "assembly language" to which temporal logics can be compiled, there is no common formalism-either fixpoint-based or automata-theoretic-to model-check requirements on pushdown models. In this article, we introduce a new theory of temporal logics and automata that addresses the above issues, and provides a unified foundation for the verification of pushdown systems. The key idea here is to view a program as a generator of structures known as nested trees as opposed to trees. A fixpoint logic (called NT-mu) and a class of automata (called nested tree automata) interpreted on languages of these structures are now defined, and branching-time model-checking is phrased as language inclusion and membership problems for these languages. We show that NT-mu and nested tree automata allow the specification of a new frontier of requirements usable in software verification. At the same time, their model checking problem has the same worst-case complexity as their traditional analogs, and can be solved symbolically using a fixpoint computation that generalizes, and includes as a special case, "summary"-based computations traditionally used in interprocedural program analysis. We also show that our logics and automata define a robust class of languages-in particular, just as the mu-calculus is equivalent to alternating parity automata on trees, NT-mu is equivalent to alternating parity automata on nested trees. Categories and Subject Descriptors: D. 2.4 [Software Engineering]: Software/Program Verification-Model checking; F. 1.1 [Computation by abstract devices]: Models of computation-Automata; F. 3.1 [Theory of Computation]: Specifying and Verifying and Reasoning about Programs; F. 4.1 [Theory of Computation]: Mathematical Logic-Temporal logic