## A Temporal Logic of Nested Calls and Returns (2004)

### Cached

### Download Links

- [homepages.inf.ed.ac.uk]
- [www-faculty.cs.uiuc.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 54 - 11 self |

### BibTeX

@INPROCEEDINGS{Alur04atemporal,

author = {Rajeev Alur and Kousha Etessami and P. Madhusudan},

title = {A Temporal Logic of Nested Calls and Returns},

booktitle = {},

year = {2004},

pages = {467--481},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Model checking of linear temporal logic (LTL) speci cations with respect to pushdown systems has been shown to be a useful tool for analysis of programs with potentially recursive procedures. LTL, however, can specify only regular properties, and properties such as correctness of procedures with respect to pre and post conditions, that require matching of calls and returns, are not regular. We introduce a temporal logic of calls and returns (CaRet) for speci cation and algorithmic veri cation of correctness requirements of structured programs. The formulas of CaRet are interpreted over sequences of propositional valuations tagged with special symbols call and ret. Besides the standard global temporal modalities, CaRet admits the abstract-next operator that allows a path to jump from a call to the matching return. This operator can be used to specify a variety of non-regular properties such as partial and total correctness of program blocks with respect to pre and post conditions. The abstract versions of the other temporal modalities can be used to specify regular properties of local paths within a procedure that skip over calls to other procedures. CaRet also admits the caller modality that jumps to the most recent pending call, and such caller modalities allow speci cation of a variety of security properties that involve inspection of the call-stack. Even though verifying contextfree properties of pushdown systems is undecidable, we show that model checking CaRet formulas against a pushdown model is decidable. We present a tableau construction that reduces our model checking problem to the emptiness problem for a Buchi pushdown system. The complexity of model checking CaRet formulas is the same as that of checking LTL formulas, namely, ...

### Citations

3836 |
Introduction to automata theory, languages, and computation
- Hopcroft, Motwani, et al.
- 2001
(Show Context)
Citation Context ...the module returns." This requires matching of calls and returns, and is a context-free property if calls are nested (recall that the language fa n b n j n 2 Ng is a non-regular context-free lang=-=uage [17-=-]). Correctness of program blocks with respect to pre and post conditions has been emphasized in the verication literature since the early days of logics for structured programs [15], and also forms a... |

1506 |
The Temporal Logic of Reactive and Concurrent Systems: Specification
- Manna, Pnueli
- 1991
(Show Context)
Citation Context ... model and singly exponential in the size of the specication. 1 Introduction Propositional linear temporal logic (LTL) is a popular choice for specifying correctness requirements of reactive systems [=-=23, 22]. LTL formulas-=- are built from atomic propositions using temporal modalities such as \next," \always," and \until," and are interpreted over innite sequences of states that assign values to atomic pro... |

1369 | An axiomatic basis for computer programming
- Hoare
- 1969
(Show Context)
Citation Context ...ext-free language [17]). Correctness of program blocks with respect to pre and post conditions has been emphasized in the verication literature since the early days of logics for structured programs [=-=15-=-], and also forms an integral part of modern interface specication languages for object oriented programming such as JML [6]. In this paper, we introduce CaRet |a temporal logic that can express requi... |

1266 | The Model Checker SPIN
- HOLZMANN
- 1997
(Show Context)
Citation Context ...s to determine whether all the computations of a system satisfy a given LTL specication. In ? Supported in part by ARO URI award DAAD19-01-1-0473 and NSF award CCR0306382. traditional model checking [=-=11, 21, 16]-=-, the model is asnite state machine whose vertices correspond to system states and whose edges correspond to system transitions. However, model checking is also feasible when the model is a recursive ... |

1214 |
The temporal logic of programs
- Pnueli
- 1977
(Show Context)
Citation Context ... model and singly exponential in the size of the specication. 1 Introduction Propositional linear temporal logic (LTL) is a popular choice for specifying correctness requirements of reactive systems [=-=23, 22]. LTL formulas-=- are built from atomic propositions using temporal modalities such as \next," \always," and \until," and are interpreted over innite sequences of states that assign values to atomic pro... |

820 | Dynamic Logic - Harel, Kozen, et al. - 2000 |

795 |
The design and synthesis of synchronization skeletons using temporal logic
- Clarke, Emerson
- 1981
(Show Context)
Citation Context ...s to determine whether all the computations of a system satisfy a given LTL specication. In ? Supported in part by ARO URI award DAAD19-01-1-0473 and NSF award CCR0306382. traditional model checking [=-=11, 21, 16]-=-, the model is asnite state machine whose vertices correspond to system states and whose edges correspond to system transitions. However, model checking is also feasible when the model is a recursive ... |

292 | Reachability analysis of pushdown automata: Application to model-checking
- Bouajjani, Esparza, et al.
- 1997
(Show Context)
Citation Context ...ages with recursive procedure calls. Model checking of LTL specications with respect to RSMs can be solved in time polynomial in the size of the model and exponential in the size of the specication [7=-=, 5, 12, 1, 3, 20]-=-. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs [24, 2, 13, 10]. Whi... |

289 | An overview of JML tools and applications
- Burdy, Cheon, et al.
- 2003
(Show Context)
Citation Context ...ication literature since the early days of logics for structured programs [15], and also forms an integral part of modern interface specication languages for object oriented programming such as JML [6=-=-=-]. In this paper, we introduce CaRet |a temporal logic that can express requirements about matching calls and returns, along with the necessary tools for algorithmic reasoning. Algorithmic verication ... |

220 | Bebop: A symbolic model checker for Boolean programs
- Ball, Rajamani
- 2000
(Show Context)
Citation Context ...[7, 5, 12, 1, 3, 20]. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs =-=[24, 2, 13, 10]. Wh-=-ile LTL is an attractive specication language for capturing regular sequencing requirements such as \between successive write operations to a variable, a read operation should occur," it cannot e... |

195 | D.: Mops: an infrastructure for examining security properties of software
- Chen, Wagner
(Show Context)
Citation Context ...[7, 5, 12, 1, 3, 20]. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs =-=[24, 2, 13, 10]. Wh-=-ile LTL is an attractive specication language for capturing regular sequencing requirements such as \between successive write operations to a variable, a read operation should occur," it cannot e... |

148 | Efficient algorithms for model checking pushdown systems
- Esparza, Hansel, et al.
(Show Context)
Citation Context ...ages with recursive procedure calls. Model checking of LTL specications with respect to RSMs can be solved in time polynomial in the size of the model and exponential in the size of the specication [7=-=, 5, 12, 1, 3, 20]-=-. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs [24, 2, 13, 10]. Whi... |

110 | Analysis of recursive state machines
- ALUR, BENEDIKT, et al.
- 2005
(Show Context)
Citation Context ...ages with recursive procedure calls. Model checking of LTL specications with respect to RSMs can be solved in time polynomial in the size of the model and exponential in the size of the specication [7=-=, 5, 12, 1, 3, 20]-=-. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs [24, 2, 13, 10]. Whi... |

78 | Model checking for contextfree processes
- Burkart, Steffen
- 1992
(Show Context)
Citation Context |

65 | Model checking LTL with regular valuations for pushdown systems
- Esparza, Ku˘cera, et al.
(Show Context)
Citation Context ...[7, 5, 12, 1, 3, 20]. This problem has been well studied over the last few years leading to ecient implementations and applications to program analysis as well as model checking of C or Java programs =-=[24, 2, 13, 10]. Wh-=-ile LTL is an attractive specication language for capturing regular sequencing requirements such as \between successive write operations to a variable, a read operation should occur," it cannot e... |

43 | Model checking of unrestricted hierarchical state machines
- Benedikt, Godefroid, et al.
- 2001
(Show Context)
Citation Context |

33 |
On the Verification Problem of Nonregular Properties for Nonregular Processes
- Bouajjani, Echahed, et al.
- 1995
(Show Context)
Citation Context ...an express requirements about matching calls and returns, along with the necessary tools for algorithmic reasoning. Algorithmic verication of nonregular specications have been considered previously [4=-=, 14, 1-=-9], but to the best of our knowledge, this is thesrst specication language that allows specication of partial and total correctness with respect to pre and post conditions, and has a decidable model c... |

20 | Stack size analysis of interrupt driven software
- Chatterjee, Ma, et al.
- 2004
(Show Context)
Citation Context ...specifying correctness of security properties and calling sequences of interrupt handlers has been identied by many researchers, and decision procedures for checking specic properties already exist [1=-=8, 10, 13, 9]-=-. In particular, [13] uses LTL on pushdown systems but allows the atomic propositions of the LTL formula to correspond to any regular language evaluated over the call stack. Our logic mixes global, ab... |

14 |
Precise interprocedural data analysis via graph reachability
- Reps, Horwitz, et al.
- 1995
(Show Context)
Citation Context |

5 |
Veri of control based security properties
- Jensen, Metayer, et al.
- 1999
(Show Context)
Citation Context ...specifying correctness of security properties and calling sequences of interrupt handlers has been identied by many researchers, and decision procedures for checking specic properties already exist [1=-=8, 10, 13, 9]-=-. In particular, [13] uses LTL on pushdown systems but allows the atomic propositions of the LTL formula to correspond to any regular language evaluated over the call stack. Our logic mixes global, ab... |

3 |
Checking that concurrent programs satisfy their linear speci
- Lichtenstein, Pnueli
- 1985
(Show Context)
Citation Context ...s to determine whether all the computations of a system satisfy a given LTL specication. In ? Supported in part by ARO URI award DAAD19-01-1-0473 and NSF award CCR0306382. traditional model checking [=-=11, 21, 16]-=-, the model is asnite state machine whose vertices correspond to system states and whose edges correspond to system transitions. However, model checking is also feasible when the model is a recursive ... |

2 |
Solving pushdown games with a �3 winning condition
- CACHAT, DUPARC, et al.
- 2002
(Show Context)
Citation Context ...ck should be repeatedly bounded, that is, there exists a natural number n such that innitely often the stack is of height at most n. These kinds of specications have been studied for pushdown games [8]. This property can be specied in CaRet by the formula: ' rep-bounded : 32 ( call !sa ret ) Even though this specication does not rule out the possibility that the stack grows unboundedly, an RSM S ... |

1 |
Pushdown Speci
- Kupferman, Piterman, et al.
- 2002
(Show Context)
Citation Context ...an express requirements about matching calls and returns, along with the necessary tools for algorithmic reasoning. Algorithmic verication of nonregular specications have been considered previously [4=-=, 14, 1-=-9], but to the best of our knowledge, this is thesrst specication language that allows specication of partial and total correctness with respect to pre and post conditions, and has a decidable model c... |

1 |
Model checking linear properties of pre systems
- Kupferman, Piterman, et al.
- 2002
(Show Context)
Citation Context |

1 | size analysis for interrupt driven programs - Stack - 2003 |