Verifying Temporal Regular Properties of Abstractions of Term Rewriting Systems


Authors: Benoît Boyer, Thomas Genet

I. Mackie and A. Martins Moreira (Eds.): Tenth International Workshop on Rule-Based Programming (RULE 2009), EPTCS 21, 2010, pp. 99–108, doi:10.4204/EPTCS.21.9. © Boyer & Genet

Benoît Boyer, Université Rennes 1, France, Benoit.Boyer@irisa.fr
Thomas Genet, Université Rennes 1, France, Thomas.Genet@irisa.fr

Abstract. Tree automata completion is an algorithm used for proving safety properties of systems that can be modelled by a term rewriting system. This representation and verification technique works well for proving properties of infinite systems such as cryptographic protocols or, more recently, Java bytecode programs. The algorithm computes a tree automaton which represents a (regular) over-approximation of the set of terms reachable by rewriting the initial terms. This approach is limited by the lack of information about the rewriting relation between terms: terms related by rewriting fall into the same equivalence class, i.e. they are recognized by the same state of the tree automaton. Our objective is to produce an automaton embedding an abstraction of the rewriting relation sufficient to prove temporal properties of the term rewriting system. We propose to extend the algorithm so that it produces an automaton with more equivalence classes, distinguishing a term or a subterm from its successors w.r.t. rewriting. While ground transitions are used to recognize equivalence classes of terms, ε-transitions represent the rewriting relation between terms. From the completed automaton it is possible to automatically build a Kripke structure abstracting the rewriting sequence. States of the Kripke structure are states of the tree automaton, and the transition relation is given by the set of ε-transitions. States of the Kripke structure are labelled by the set of terms recognized using ground transitions.
On this Kripke structure we define Regular Linear Temporal Logic (R-LTL) for expressing properties. Such properties can then be checked using standard model checking algorithms. The only difference between LTL and R-LTL is that predicates are replaced by regular sets of acceptable terms.

1 Introduction

Our main objective is to formally verify programs or systems modelled using Term Rewriting Systems. In a previous work [2], we have shown that it is possible to translate a Java bytecode program into a Term Rewriting System (TRS). In this case, terms model Java Virtual Machine (JVM) states and the execution of bytecode instructions is represented by rewriting, according to the small-step semantics of Java. An interesting point of this approach is the possibility to classify rewriting rules. More precisely, there is a strong relation between the position of rewriting in a term and the semantics of the executed transition on the corresponding state. In the case of Java bytecode, since a term represents a JVM state, rewriting at the top-most position corresponds to manipulations of the call stack, i.e. it simulates a method call or a method return. On the other hand, since the left-most subterm represents the execution context of the current method (the so-called frame), rewriting at this position simulates the execution of the code of this method. Hence, by focusing on rewriting at a particular position, it is possible to analyse a Java program at the method call level (interprocedural control flow) or at the instruction level (local control flow). The contribution of this paper is twofold. First, we propose an abstract rewriting relation characterizing the rewriting paths at a particular depth in terms. Second, we propose an algorithm which builds a tree automaton recognizing this relation between terms.
Thus, it is possible for instance to build a tree automaton recognizing the graph of method calls by abstracting the rewriting relation for the top-most position of JVM terms. The verification technique used in [2], called Tree Automata Completion [5], is able to finitely over-approximate the set of reachable terms, i.e. the set of all reachable states of the JVM. However, this technique lacks precision in the sense that it makes no difference between all those reachable terms. Due to the approximation algorithm, all reachable terms are considered as equivalent and the execution ordering is lost. In particular, this prevents proving temporal properties of such models. On the other hand, using approximations makes it possible to prove unreachability properties of infinite state systems. In this preliminary work, we propose to improve the Tree Automata Completion method so as to prove temporal properties of a TRS representing a finite state system. The first step is to refine the algorithm so as to produce a tree automaton keeping an approximation of the rewriting relation between terms. Then, in a second step, we propose a way to check LTL-like formulas on this tree automaton.

2 Preliminaries

Comprehensive surveys can be found in [1] for rewriting, and in [4, 7] for tree automata and tree language theory. Let $F$ be a finite set of symbols, each associated with an arity function, and let $X$ be a countable set of variables. $T(F, X)$ denotes the set of terms, and $T(F)$ denotes the set of ground terms (terms without variables). The set of variables of a term $t$ is denoted by $Var(t)$. A substitution is a function $\sigma$ from $X$ into $T(F, X)$, which can be uniquely extended to an endomorphism of $T(F, X)$. A position $p$ for a term $t$ is a word over $\mathbb{N}$. The empty sequence $\lambda$ denotes the top-most position.
The set $Pos(t)$ of positions of a term $t$ is inductively defined by:
• $Pos(t) = \{\lambda\}$ if $t \in X$
• $Pos(f(t_1, \dots, t_n)) = \{\lambda\} \cup \{ i.p \mid 1 \le i \le n \text{ and } p \in Pos(t_i) \}$

If $p \in Pos(t)$, then $t|_p$ denotes the subterm of $t$ at position $p$, and $t[s]_p$ denotes the term obtained by replacing the subterm $t|_p$ at position $p$ by the term $s$. A term rewriting system (TRS) $R$ is a set of rewrite rules $l \to r$, where $l, r \in T(F, X)$, $l \notin X$ and $Var(l) \supseteq Var(r)$. The TRS $R$ induces a rewriting relation $\to_R$ on terms as follows. Let $s, t \in T(F, X)$ and $l \to r \in R$; $s \to^p_R t$ denotes that there exist a position $p \in Pos(s)$ and a substitution $\sigma$ such that $s|_p = l\sigma$ and $t = s[r\sigma]_p$. The rewriting position $p$ can generally be omitted, i.e. we generally write $s \to_R t$. The reflexive transitive closure of $\to_R$ is denoted by $\to^*_R$. The set of $R$-descendants of a set of ground terms $E$ is $R^*(E) = \{ t \in T(F) \mid \exists s \in E \text{ s.t. } s \to^*_R t \}$.

The verification technique defined in [6, 5] is based on the approximation of $R^*(E)$. Note that $R^*(E)$ is possibly infinite: $R$ may not terminate and/or $E$ may be infinite. The set $R^*(E)$ is in general not computable [7]. However, it is possible to over-approximate it [6, 5, 9] using tree automata, i.e. a finite representation of infinite (regular) sets of terms. In this verification setting, the TRS $R$ represents the system to verify, and the sets of terms $E$ and $Bad$ respectively represent the set of initial configurations and the set of "bad" configurations that should not be reached. Using tree automata completion, we construct a tree automaton $B$ whose language $L(B)$ is such that $L(B) \supseteq R^*(E)$. If $L(B) \cap Bad = \emptyset$, this proves that $R^*(E) \cap Bad = \emptyset$, and thus that none of the "bad" configurations is reachable. We now define tree automata.
Let $Q$ be a finite set of symbols of arity 0, called states, such that $Q \cap F = \emptyset$. $T(F \cup Q)$ is called the set of configurations.

Definition 1 (Transition, normalized transition, ε-transition). A transition is a rewrite rule $c \to q$, where $c$ is a configuration, i.e. $c \in T(F \cup Q)$, and $q \in Q$. A normalized transition is a transition $c \to q$ where $c = f(q_1, \dots, q_n)$, $f \in F$ of arity $n$, and $q_1, \dots, q_n \in Q$. An ε-transition is a transition of the form $q \to q'$ where $q$ and $q'$ are states.

Definition 2 (Bottom-up nondeterministic finite tree automaton). A bottom-up nondeterministic finite tree automaton (tree automaton for short) is a quadruple $A = \langle F, Q, Q_F, \Delta \cup \Delta_\varepsilon \rangle$, where $Q_F \subseteq Q$, $\Delta$ is a set of normalized transitions and $\Delta_\varepsilon$ is a set of ε-transitions. The rewriting relation on $T(F \cup Q)$ induced by the transitions of $A$ (the set $\Delta \cup \Delta_\varepsilon$) is denoted by $\to_{\Delta \cup \Delta_\varepsilon}$. When $\Delta$ is clear from the context, $\to_{\Delta \cup \Delta_\varepsilon}$ is also denoted by $\to_A$. We also introduce $\to^{\neg\varepsilon}_A$, the transitive relation induced by the set $\Delta$ alone.

Definition 3 (Recognized language, canonical term). The tree language recognized by $A$ in a state $q$ is $L(A, q) = \{ t \in T(F) \mid t \to^*_A q \}$. The language recognized by $A$ is $L(A) = \bigcup_{q \in Q_F} L(A, q)$. A tree language is regular if and only if it can be recognized by a tree automaton. A term $t$ is a canonical term of the state $q$ if $t \to^{\neg\varepsilon}_A q$.

Example 1. Let $A$ be the tree automaton $\langle F, Q, Q_F, \Delta \cup \Delta_\varepsilon \rangle$ such that $F = \{f, g, a, b\}$, $Q = \{q_0, q_1, q_2\}$, $Q_F = \{q_0\}$, $\Delta = \{ f(q_0) \to q_0,\ g(q_1) \to q_0,\ a \to q_1,\ b \to q_2 \}$ and $\Delta_\varepsilon = \{ q_2 \to q_1 \}$. In $\Delta$, transitions are normalized. A transition of the form $f(g(q_1)) \to q_0$ is not normalized. The term $g(a)$ is a term of $T(F \cup Q)$ (and of $T(F)$) and can be rewritten by $\Delta$ in the following way: $g(a) \to^{\neg\varepsilon}_A g(q_1) \to^{\neg\varepsilon}_A q_0$.
Hence $g(a)$ is a canonical term of $q_0$. Note also that $b \to_A q_2 \to_A q_1$. Hence $L(A, q_1) = \{a, b\}$ and $L(A) = L(A, q_0) = \{ g(a), g(b), f(g(a)), f(f(g(b))), \dots \} = \{ f^*(g([a \mid b])) \}$.

3 The Tree Automata Completion with ε-transitions

Given a tree automaton $A$ and a TRS $R$, the tree automata completion algorithm proposed in [6, 5] computes a tree automaton $A^*_R$ such that $L(A^*_R) = R^*(L(A))$ when it is possible (for some of the classes of TRSs where an exact computation is possible, see [5]), and such that $L(A^*_R) \supseteq R^*(L(A))$ otherwise. In this paper, we only consider the exact case. The tree automata completion with ε-transitions works as follows. From $A = A^0_R$, completion builds a sequence $A^0_R, A^1_R, \dots, A^k_R$ of automata such that if $s \in L(A^i_R)$ and $s \to_R t$ then $t \in L(A^{i+1}_R)$. The transitions of $A^i_R$ are denoted by the set $\Delta^i \cup \Delta^i_\varepsilon$. Since for every tree automaton there exists a deterministic tree automaton recognizing the same language, we can assume that initially $A$ has the following properties.

Property 1 ($\to^{\neg\varepsilon}$ deterministic). If $\Delta$ contains two normalized transitions of the form $f(q_1, \dots, q_n) \to q$ and $f(q_1, \dots, q_n) \to q'$, then $q = q'$. This ensures that the rewriting relation $\to^{\neg\varepsilon}$ is deterministic.

Property 2. For every state $q$ there is at most one normalized transition $f(q_1, \dots, q_n) \to q$ in $\Delta$. This ensures that if we have $t \to^{\neg\varepsilon} q$ and $t' \to^{\neg\varepsilon} q$ then $t = t'$.

If we find a fixpoint automaton $A^k_R$ such that $R^*(L(A^k_R)) = L(A^k_R)$, then we note $A^*_R = A^k_R$ and we have $L(A^*_R) \supseteq R^*(L(A^0_R))$ [5]. To build $A^{i+1}_R$ from $A^i_R$, we perform a completion step, which consists of finding critical pairs between $\to_R$ and $\to_{A^i_R}$. To define the notion of critical pair, we extend the definition of substitutions to the terms of $T(F \cup Q)$.
For a substitution $\sigma : X \mapsto Q$ and a rule $l \to r \in R$, a critical pair is an instance $l\sigma$ of $l$ such that there exists $q \in Q$ satisfying $l\sigma \to^*_{A^i_R} q$ and $l\sigma \to_R r\sigma$. Note that since $R$, $A^i_R$ and the set $Q$ of states of $A^i_R$ are finite, there is only a finite number of critical pairs. For every critical pair detected between $R$ and $A^i_R$ such that there is no state $q'$ for which $r\sigma \to^{\neg\varepsilon}_{A^i_R} q'$ and $q' \to q \in \Delta^i_\varepsilon$, the tree automaton $A^{i+1}_R$ is constructed by adding the new transitions $r\sigma \to^{\neg\varepsilon} q'$ to $\Delta^i$ and $q' \to q$ to $\Delta^i_\varepsilon$, so that $A^{i+1}_R$ recognizes $r\sigma$ in $q$, i.e. $r\sigma \to^*_{A^{i+1}_R} q$ (see Figure 1).

Figure 1: A critical pair solved. Given $l\sigma \to_R r\sigma$ and $l\sigma \to^*_{A^i_R} q$, the new transitions $r\sigma \to^{\neg\varepsilon}_{A^{i+1}_R} q'$ and $q' \to_{A^{i+1}_R} q$ close the square.

It is important to note that we consider the critical pair only if the last step of the reduction $l\sigma \to^*_{A^i_R} q$ is not an ε-transition. Without this condition, the completion computes the transitive closure of the expected relation $\Delta_\varepsilon$, and thus loses precision. The transition $r\sigma \to q'$ is not necessarily a normalized transition of the form $f(q_1, \dots, q_n) \to q'$, so it has to be normalized first. Instead of adding $r\sigma \to q'$ we add $\downarrow(r\sigma \to q')$ to the transitions of $\Delta^i$. The function $\downarrow$ used to normalize transitions is defined below. Note that, in this function, transitions are normalized using new states of $Q_{new}$.

Definition 4 ($\downarrow$). Let $A = \langle F, Q, Q_F, \Delta \cup \Delta_\varepsilon \rangle$ be a tree automaton, $Q_{new}$ a set of new states such that $Q \cap Q_{new} = \emptyset$, $s \in T(F \cup Q)$ and $q' \in Q$. The normalization of the transition $s \to q'$ is done in two mutually inductive steps. In the first step, denoted by $\downarrow(s \to q' \mid \Delta)$, we rewrite $s$ by $\Delta$ until rewriting is impossible: we obtain a unique configuration $t$ if $\Delta$ respects Property 1. The second step $\downarrow'$ is inductively defined by:
• $\downarrow'(f(t_1, \dots, t_n) \to q \mid \Delta) = \Delta \cup \{ f(t_1, \dots, t_n) \to q \}$ if $\forall i = 1 \dots n : t_i \in Q$
• $\downarrow'(f(t_1, \dots, t_n) \to q \mid \Delta) = \downarrow(f(t_1, \dots, q_i, \dots, t_n) \to q \mid \downarrow'(t_i \to q_i \mid \Delta))$ where $t_i$ is a subterm such that $t_i \in T(F \cup Q) \setminus Q$ and $q_i \in Q_{new}$.

Lemma 1. If Property 1 holds for $A^i_R$ then it also holds for $A^{i+1}_R$.

Intuition. The determinism of $\to^{\neg\varepsilon}$ is preserved by $\Delta$ because, when a new set of transitions is added to $\Delta$ for a subterm $t_i$, all the other subterms $t_j$ are rewritten with the new $\Delta$ until rewriting is impossible before the normalization resumes. So if we tried to add to $\Delta$ a transition $f(q_1, \dots, q_n) \to q$ while a transition $f(q_1, \dots, q_n) \to q' \in \Delta$ already exists, it would mean that the configuration $f(q_1, \dots, q_n)$ can be rewritten by $\Delta$. This is a contradiction: when the normalization resumes, no subterm $t_i$ can be rewritten by the current $\Delta$. Hence we never add such a transition to $\Delta$, and the normalization produces a new set of transitions $\Delta$ that preserves Property 1.

It is very important to remark that the transition $q' \to q$ in Figure 1 creates an order between the language recognized by $q$ and the one recognized by $q'$. Intuitively, we know that for every substitution $\sigma' : X \to T(F)$ such that $l\sigma'$ is a term recognized by $q$, $l\sigma'$ is rewritten by $R$ into a canonical term $r\sigma'$ of $q'$. By duality, the term $r\sigma'$ has a parent $l\sigma'$ in the state $q$. Extending this reasoning, $\Delta_\varepsilon$ defines a relation between canonical terms. This relation follows rewriting steps at the top position and forgets rewriting in the subterms.

Definition 5 ($\dashrightarrow$). Let $R$ be a TRS. For all terms $u, v$, we have $u \dashrightarrow_R v$ iff there exists $w$ such that $u \to^*_R w$, $w \to^\lambda_R v$, and there is no rewriting at the top position $\lambda$ in the sequence $u \to^*_R w$.
In the following, we show that completion builds a tree automaton whose set $\Delta_\varepsilon$ is an abstraction $\dashrightarrow_{R_i}$ of the rewriting relation $\to_R$, for any relevant subset $R_i$.

Theorem 1 (Correctness). Let $A^*_R$ be a complete tree automaton such that $q' \to q$ is an ε-transition of $A^*_R$. Then, for all canonical terms $u, v$ of the states $q$ and $q'$ respectively, we have $u \dashrightarrow_R v$: the square formed by $u \to^{\neg\varepsilon}_{A^*_R} q$, $v \to^{\neg\varepsilon}_{A^*_R} q'$ and $q' \to q$ is closed by $u \dashrightarrow_R v$.

First, we have to prove that Property 1 is preserved by completion (Lemma 1). To prove Theorem 1, we need a stronger lemma.

Lemma 2. Let $A^*_R$ be a complete tree automaton, $q$ a state of $A^*_R$ and $v \in L(A^*_R, q)$. Then, for every canonical term $u$ of $q$, we have $u \to^*_R v$.

Proof sketch. The proof is by induction on the number of completion steps needed to reach the post-fixpoint $A^*_R$: we show that if $A^i_R$ satisfies the property of Lemma 2, then so does $A^{i+1}_R$. The initial automaton $A^0_R$ satisfies the expected property: consider any state $q$ and a canonical term $t$ of $q$; since no completion step has been done, $A^0_R$ has no ε-transitions, so every term $t' \in L(A^0_R, q)$ satisfies $t' \to^{\neg\varepsilon} q$. Thanks to Property 2, we have $t = t'$ and obviously $t \to^*_R t'$. Now, we consider the normalization of a transition of the form $r\sigma \to^{\neg\varepsilon} q'$ such that $l\sigma \to^*_{A^i_R} q$, with $\Delta$ the set of ground transitions and $\Delta_\varepsilon$ the set of ε-transitions of $A^i_R$. We first show that the property holds for all new states (including $q'$). Then, in a second stage, we show that it holds for the state $q$ once the second transition of the completion step, $q' \to q$, is added.

Let us focus on the normalization $\downarrow'(r\sigma \to q' \mid \Delta)$, where for any existing state $q$ and for all $u, v \in T(F)$ such that $v \to^*_{\Delta \cup \Delta_\varepsilon} q$ and $u \to^*_\Delta q$, we have $u \to^*_R v$. We show that for all $t \in T(F \cup Q)$, if $\Delta' = \downarrow'(t \to q' \mid \Delta)$, then for all $u, v \in T(F)$ such that $v \to^*_{\Delta' \cup \Delta_\varepsilon} q'$ and $u \to^*_{\Delta'} q'$, we have $u \to^*_R v$.
The induction is on the number of symbols of $F$ used to build $t$. First case, $\downarrow'(t \to q \mid \Delta)$ where $t = f(q_1, \dots, q_n)$: we define $\Delta'$ by adding the transition $f(q_1, \dots, q_n) \to q$ to $\Delta$, where $q$ is a new state. Then, for all substitutions $\sigma' : Q \mapsto T(F)$ such that $t\sigma' \to^*_{\Delta \cup \Delta_\varepsilon} q$, and all substitutions $\sigma'' : Q \mapsto T(F)$ such that $t\sigma'' \to^*_{\Delta'} q$, we aim at proving that $t\sigma'' \to^*_R t\sigma'$. Since each state $q_i$ is already defined, using the hypothesis on $\Delta$ we deduce that $\sigma''(q_i) \to^*_R \sigma'(q_i)$. This implies that $t\sigma'' \to^*_R t\sigma'$, so the property also holds for $\Delta'$. Second case, $\downarrow'(t \to q \mid \Delta)$ where $t = f(t_1, \dots, t_n)$: we select a subterm $t_i \notin Q$ of $t$; obviously its number of symbols is strictly lower than the number of symbols of $t$. By induction, the normalization $\downarrow'(t_i \to q_i \mid \Delta)$ yields a new set $\Delta'$ that respects the expected property. Then we normalize $t$ into $t' = f(t'_1, \dots, q_i, \dots, t'_n)$, the term obtained by rewriting $f(t_1, \dots, q_i, \dots, t_n)$ with $\Delta'$ in the $\downarrow$ step. Since $t_i \notin Q$, the number of symbols of $F$ in $f(t_1, \dots, q_i, \dots, t_n)$ is strictly smaller than the number of symbols of $F$ in $t$, and rewriting it with $\Delta'$ can only decrease that number further. Since $t'$ has fewer symbols and $\Delta'$ respects the property, we deduce by induction that $\Delta'' = \downarrow'(t' \to q \mid \Delta')$ is such that for all $v \to^*_{\Delta''\cup \Delta_\varepsilon} q'$ and $u \to^*_{\Delta''} q'$, $u \to^*_R v$. So we conclude that the normalization $\downarrow'(r\sigma \to q' \mid \Delta)$ computes $\Delta'$, the set of ground transitions of $A^{i+1}_R$, and that for all terms $u, v$ such that $v \to^*_{\Delta' \cup \Delta_\varepsilon} q'$ and $u \to^*_{\Delta'} q'$, we have $u \to^*_R v$.

Now, let us consider the second added transition $q' \to q$ in $\Delta_\varepsilon$, all canonical terms $r\sigma''$ of $q'$, and all terms $l\sigma''' \in L(A^i_R, q)$ such that $l\sigma''' \to_R r\sigma'''$ and $r\sigma''' = r\sigma''$.
By hypothesis on $A^i_R$, we know that for every canonical term $u$ of $q$ we have $u \to^*_R l\sigma'''$. By transitivity, we have $u \to^*_R r\sigma''$. The last step consists in proving that the property holds for all terms of all states of $A^{i+1}_R$: this can be done by induction on the depth of the recognized terms.

Theorem 1 is shown by considering the introduction of the transition $q' \to q$. By construction, there exist a substitution $\sigma : X \mapsto Q$ and a rule $l \to r \in R$ such that $l\sigma \to^*_{A^*_R} q$ and $r\sigma \to^{\neg\varepsilon}_{A^*_R} q'$. We consider all substitutions $\sigma' : X \mapsto T(F)$ such that for each variable $x \in Var(l)$, $\sigma'(x)$ is a canonical term of the state $\sigma(x)$. Obviously, using Lemma 2, for every canonical term $u$ of $q$ we have $u \to^*_R l\sigma'$. Since the last step of rewriting in the reduction $l\sigma \to^*_{A^*_R} q$ is not an ε-transition, we also deduce that $l\sigma'$ is not produced by a rewriting at the top position of $u$, whereas this is the case for $r\sigma'$, and we have $u \dashrightarrow_R r\sigma'$.

Theorem 2 (Completeness). Let $A^*_R$ be a complete tree automaton, $q, q'$ states of $A^*_R$ and $u, v \in T(F)$ such that $u$ is a canonical term of $q$ and $v$ is a canonical term of $q'$. If $u \dashrightarrow_R v$ then there exists an ε-transition $q' \to q$ in $A^*_R$.

Proof sketch. By definition of $u \dashrightarrow_R v$, there exists a term $w$ such that $u \to^*_R w$, and there exist a rule $l \to r \in R$ and a substitution $\sigma : X \mapsto T(F)$ such that $w = l\sigma$ and $v = r\sigma$. Since $A^*_R$ is a complete tree automaton, it is closed under rewriting: any term obtained by rewriting a term of $L(A^*_R, q)$ is also in $L(A^*_R, q)$. This holds in particular for the terms $u$ and $w$. Since $w$ is rewritten into $q$ by the transitions of $A^*_R$, we can define a second substitution $\sigma' : X \mapsto Q$ such that $l\sigma \to^*_{A^*_R} l\sigma' \to^*_{A^*_R} q$.
Using again the closure property of $A^*_R$, we know that the critical pair $l\sigma' \to_R r\sigma'$, $l\sigma' \to^*_{A^*_R} q$ has been solved by adding the transitions $r\sigma' \to^{\neg\varepsilon}_{A^*_R} q''$ and $q'' \to q$. Since Property 1 is preserved by completion steps, we deduce that $q'' = q'$, which means $q' \to q$.

Example 2. To illustrate this result, we give a completed tree automaton for a small TRS. We define $R$ as the union of the two sets of rules $R_1 = \{ a \to b,\ b \to c \}$ and $R_2 = \{ f(c) \to g(a),\ g(c) \to h(a),\ h(c) \to f(a) \}$. We define the initial set $E = \{ f(a) \}$. We obtain the following tree automaton fixpoint $A^*_R$:
• $Q_F = \{ q_f \}$
• $\Delta = \{ a \to q_a,\ b \to q_b,\ c \to q_c,\ f(q_a) \to q_f,\ g(q_a) \to q_g,\ h(q_a) \to q_h \}$
• $\Delta_\varepsilon = \{ q_b \to q_a,\ q_c \to q_b,\ q_g \to q_f,\ q_h \to q_g,\ q_f \to q_h \}$

If we consider the transition $q_h \to q_g$ and its canonical terms $h(a)$ and $g(a)$ respectively, we can deduce $g(a) \dashrightarrow_R h(a)$. This is obviously an abstraction, since we have $g(a) \to^1_R g(b) \to^1_R g(c) \to^\lambda_R h(a)$. In the following, we use the notation $\dashrightarrow_{R_i}$ to specify the relation for a relevant subset $R_i$ of $R$. For instance, $u \dashrightarrow_{R_i} v$ denotes that there exists $w$ such that $u \to^*_R w$ with no rewriting at the position $\lambda$ of $u$, and $w \to^\lambda_{R_i} v$. In Example 2, we can say that $g(a) \dashrightarrow_{R_2} h(a)$.

4 From Tree Automaton to Kripke Structure

Let $A^*_R = \langle F, Q, Q_F, \Delta \cup \Delta_\varepsilon \rangle$ be a complete tree automaton for a given TRS $R$ and an initial language recognized by $A$. A Kripke structure is a four-tuple $K = (S, S_0, R, L)$ where $S$ is a set of states, $S_0 \subseteq S$ the initial states, $R \subseteq S \times S$ a left-total transition relation and $L$ a function that labels each state with the set of predicates which are true in that state. In our case, the set of true predicates is a regular set of terms.
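As an added example (not code from the paper), the completion with ε-transitions of Section 3 implemented in Python and run on Example 2. The encoding is my own: terms are tuples, a plain string is a variable inside a rule and a state elsewhere, and new states of $Q_{new}$ are named after the root symbol they recognize (so that the result can be compared with the paper's $A^*_R$). The side condition on critical pairs (last step of $l\sigma \to^* q$ not an ε-transition) is `states_of(..., strict=True)`, Definition 4 is `normalize`, and Property 1 is enforced by the dictionary holding $\Delta$ plus the assertions.

```python
from itertools import product

# Encoding (mine, not the paper's): ('f', ('a',)) is f(a), ('a',) the constant a;
# a plain string is a variable in a rule and a state (named "q_...") elsewhere.
# delta: dict f(q1,..,qn) -> q (normalized transitions); eps: set of (q', q) for q' -> q.

def variables(t):
    """Var(t) in order of first occurrence."""
    if isinstance(t, str):
        return [t]
    return list(dict.fromkeys(v for s in t[1:] for v in variables(s)))

def subst(t, sigma):
    """Apply a substitution X -> Q to one side of a rule."""
    return sigma[t] if isinstance(t, str) else (t[0], *(subst(s, sigma) for s in t[1:]))

def reduce_ground(delta, t):
    """Rewrite t by the normalized transitions only, until no step applies (unique by Property 1)."""
    if isinstance(t, str):
        return t
    config = (t[0], *(reduce_ground(delta, s) for s in t[1:]))
    return delta.get(config, config)

def eps_closure(eps, q):
    """States reachable from q by eps-transitions, q included."""
    seen = {q}
    while (new := {d for s, d in eps if s in seen} - seen):
        seen |= new
    return seen

def states_of(delta, eps, t, strict=False):
    """States q with t ->*_A q (Definition 3); strict=True: the last step must be a ground one."""
    if isinstance(t, str):
        return set() if strict else eps_closure(eps, t)
    result = set()
    for qs in product(*[states_of(delta, eps, s) for s in t[1:]]):
        q = delta.get((t[0], *qs))
        if q is not None:
            result |= {q} if strict else eps_closure(eps, q)
    return result

def make_fresh(delta):
    """Supplier of new states Q_new, named after the root symbol they will recognize."""
    used = set(delta.values()) | {s for c in delta for s in c[1:]}
    def fresh(symbol):
        name, n = f"q_{symbol}", 1
        while name in used:
            name, n = f"q_{symbol}{n}", n + 1
        used.add(name)
        return name
    return fresh

def normalize(delta, t, q, fresh):
    """Definition 4: extend delta in place so that t ->(no eps)* q."""
    t = reduce_ground(delta, t)                        # first step: rewrite by Δ
    if isinstance(t, str):
        assert t == q, "Property 1 would be violated"
        return
    args = list(t[1:])
    for i, sub in enumerate(args):
        if not isinstance(sub, str):                   # a non-state subterm t_i
            args[i] = fresh(sub[0])                    # q_i in Q_new
            normalize(delta, sub, args[i], fresh)      # ↓'(t_i -> q_i | Δ)
            normalize(delta, (t[0], *args), q, fresh)  # resume with the new Δ
            return
    config = (t[0], *args)                             # every subterm is a state
    assert delta.get(config, q) == q, "Property 1 would be violated"
    delta[config] = q

def completion_step(delta, eps, rules, fresh):
    """One step A^i_R -> A^{i+1}_R; returns False when no critical pair was left."""
    changed = False
    states = sorted(set(delta.values()) | {s for c in delta for s in c[1:]})
    for lhs, rhs in rules:
        xs = variables(lhs)
        for image in product(states, repeat=len(xs)):  # sigma : X -> Q
            sigma = dict(zip(xs, image))
            l_s, r_s = subst(lhs, sigma), subst(rhs, sigma)
            for q in sorted(states_of(delta, eps, l_s, strict=True)):
                q2 = reduce_ground(delta, r_s)
                if isinstance(q2, str) and (q2, q) in eps:
                    continue                           # critical pair already solved
                if not isinstance(q2, str):            # rσ needs a new state q'
                    q2 = fresh(r_s[0])
                    normalize(delta, r_s, q2, fresh)
                eps.add((q2, q))                       # add the eps-transition q' -> q
                changed = True
    return changed

def complete(delta, eps, rules, max_steps=1000):
    """Tree automata completion with eps-transitions, iterated to the fixpoint."""
    fresh = make_fresh(delta)
    for _ in range(max_steps):
        if not completion_step(delta, eps, rules, fresh):
            return delta, eps
    raise RuntimeError("no fixpoint reached")

def example2():
    """Example 2: E = {f(a)}, R = {a->b, b->c, f(c)->g(a), g(c)->h(a), h(c)->f(a)}."""
    a, b, c = ('a',), ('b',), ('c',)
    rules = [(a, b), (b, c), (('f', c), ('g', a)), (('g', c), ('h', a)), (('h', c), ('f', a))]
    return complete({a: 'q_a', ('f', 'q_a'): 'q_f'}, set(), rules)
```

`example2()` returns exactly the $\Delta$ and $\Delta_\varepsilon$ listed above. The enumeration of substitutions $\sigma : X \to Q$ is exhaustive, which is fine for the finite-state, exact case the paper restricts itself to; the code does not implement the approximation (merging of states) of the original completion, so on a TRS with an infinite set of descendants `complete` keeps creating states until `max_steps` runs out.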
Definition 6 (Labelling function). Let $A_P = \langle F, Q, \Delta \rangle$ be the structure obtained from $A^*_R$ by removing ε-transitions and final states. We define the labelling function $L : q \mapsto \langle F, Q, \{q\}, \Delta \rangle$ as the function which associates to a state $q$ the automaton $A_P$ in which $q$ is the unique final state. We obviously have, for every state $q$: $\forall t \in L(L(q)),\ t \to^{\neg\varepsilon}_{A^*_R} q$.

Now we can build the Kripke structure for the subset $R_i$ of $R$ on which we want to prove temporal properties.

Definition 7 (Construction of a Kripke structure). We build the 4-tuple $(S, S_0, R, L)$ from a tree automaton such that $S = Q$, $S_0 \subseteq S$ is a set of initial states, $R(q, q')$ holds iff $q' \to q \in \Delta_\varepsilon$, and $L$ is the labelling function defined above. Kripke structures must have a left-total relation $R$: for any state $q$ having no successor by $R$, we add a loop so that $R(q, q)$ holds. Note that this is a classical transformation of Kripke structures [3].

A Kripke structure is parametrized by the set $S_0$, which defines the connected component of $R$ we are interested in analysing. For instance, to analyse the abstract rewriting at the top position of the terms in $L(A^*_R)$, we define $S_0 = Q_F$ (the set of final states of $A^*_R$), since all canonical terms of final states are initial terms. For abstract rewriting at a deeper position $p$, we need to define a set $Sub$ of initial subterms considered as the beginning of the rewriting at position $p$; the set $S_0$ is then defined as $S_0 = \{ q \mid \exists t \in Sub,\ t \to^{\neg\varepsilon}_{A^*_R} q \}$. The Kripke structure models exactly the abstract rewriting relation $\dashrightarrow^*_{R_i}$ for the corresponding subset $R_i \subseteq R$.

Theorem 3. Let $K = (S, S_0, R, L)$ be a Kripke structure built from $A^*_R$. For any states $s, s'$ such that $R(s, s')$ holds, there exist two terms $u \in L(s)$ and $v \in L(s')$ such that $u \dashrightarrow_{R_i} v$.

Proof. The proof is straightforward: it is a consequence of Theorem 1 applied to the relation $R$ of the Kripke structure.

In Example 2, if we want to verify properties of $R_1$ or $R_2$, we need to consider the different subsets of $\Delta_\varepsilon$ corresponding to the abstractions $\dashrightarrow_{R_i}$ of the rewriting relation. Figures 2 and 3 show the Kripke structures corresponding to those abstractions. Note that in Figure 2, a loop is needed on state $q_c$ to have a left-total relation for $K_1$.

Figure 2: Kripke structure $K_1$ for $\dashrightarrow_{R_1}$: $q_a \to q_b \to q_c$, with a loop on $q_c$.
Figure 3: Kripke structure $K_2$ for $\dashrightarrow_{R_2}$: $q_f \to q_g \to q_h \to q_f$.

The set $S_0$ of initial states depends on the abstract rewriting relation selected. For example, to analyse $\dashrightarrow_{R_2}$ (or $\dashrightarrow_{R_1}$), we define $S_0 = \{q_f\}$ (resp. $S_0 = \{q_a\}$).

5 Verification of R-LTL properties

To express our properties, we define Regular Linear Temporal Logic (R-LTL). R-LTL is LTL where predicates are replaced by tree automata. The language of such a tree automaton characterizes a set of admissible terms. A state $q$ of a Kripke structure satisfies the atomic property $P$ characterized by a tree automaton $A_P$ if and only if at least one term recognized by $L(q)$ is recognized by $A_P$. More formally:

$K = (S, S_0, R, L),\ q \models P \iff L(L(q)) \cap L(A_P) \neq \emptyset$

We also add the operators $\wedge, \vee, \neg, X, F, G, U, R$ with their standard semantics as in LTL, to keep the expressiveness of the temporal logic. More information about these operators can be found in [3]. Note that temporal properties do not range over the rewriting relation $\to_R$ but over its abstraction $\dashrightarrow_R$. It means that the semantics of the temporal operators has to be interpreted w.r.t. this specific relation.
For example, consider the formula $G(\{f(a)\} \Rightarrow X\{g(a)\})$ on $K_2$ (for clarity, we write predicates as sets of terms). The formula has to be interpreted as: for all $q, q'$, if $K_2, q \models \{f(a)\}$ and $R(q, q')$ then $K_2, q' \models \{g(a)\}$. In the rewriting interpretation, the only term $u$ such that $f(a) \dashrightarrow_{R_2} u$ is $u = g(a)$.

We use the Büchi automata framework to perform model checking. A survey of this technique can be found in chapter 9 of [3]. LTL (or R-LTL) formulas and Kripke structures can be translated into Büchi automata. We construct two Büchi automata: $B_K$, obtained from the Kripke structure, and $B_L$, defined by the LTL formula. Since the set of behaviours of the Kripke structure is the language of the automaton $B_K$, the Kripke structure satisfies the R-LTL formula if all its behaviours are recognized by the automaton of the formula, i.e. $L(B_K) \subseteq L(B_L)$ when $B_L$ is built from the formula itself. Equivalently, and this is what we do in practice (see Example 3), we build $B_L$ from the negation of the formula and check the emptiness of the automaton $B_\cap$ that accepts the intersection of the languages $L(B_K)$ and $L(B_L)$. If this intersection is empty, the term rewriting system satisfies the property. This is the standard model checking technique. $B_K$ and $B_L$ are classically defined as 5-tuples: alphabet, states, initial states, final states and transition relation. Generally, the alphabet of Büchi automata is a set of predicates. Since we use tree automata to define predicates here, the alphabet of $B_K$ and $B_L$ is $\Sigma$, the set of tree automata that can be defined over $T(F)$. Actually, a behaviour is a word describing a sequence of states: if $\pi = s_0 s_1 s_2 s_3 \dots$ denotes a valid sequence of states of the Kripke structure, then the word $\pi' = L(s_0) L(s_1) L(s_2) \dots$ is recognized by $B_K$. The algorithms used to build $B_L$ and $B_K$ can be found in [3].
The automaton $B_\cap$ is obtained by computing the product of $B_K$ by $B_L$. By construction, all states of $B_K$ have to be final: intuitively, any infinite path over the Kripke structure must be recognized by $B_K$. This allows us to use a simpler version of the general Büchi automata product.

Definition 8 ($B_K \times B_L$). The product of $B_K = \langle \Sigma, Q, Q_i, \Delta, Q \rangle$ by $B_L = \langle \Sigma, Q', Q'_i, \Delta', F \rangle$ is defined as $\langle \Sigma, Q \times Q', Q_i \times Q'_i, \Delta_\times, Q \times F \rangle$, where $\Delta_\times$ is the set of transitions $(q_K, q_L) \xrightarrow{(A_K, A_L)} (q'_K, q'_L)$ such that $q_K \xrightarrow{A_K} q'_K$ is a transition of $B_K$ and $q_L \xrightarrow{A_L} q'_L$ is a transition of $B_L$. Moreover, the transition is only valid if the intersection of the languages of $A_K$ and $A_L$ is non-empty, as required by the satisfiability of the R-LTL atomic formula. Finally, the emptiness of the language $L(B_\cap)$ can be checked using the standard algorithm based on depth-first search, which checks whether final states are reachable (for Büchi acceptance, a final state must moreover be reachable again from itself, i.e. lie on a cycle).

Example 3. To illustrate the approach, we check the formula $P = G(\{f(a)\} \Rightarrow X\{g(a)\})$ on Example 2. The automaton $B_L$ (Fig. 4) recognizes the negation of the formula $P$, expressed as $F(\{f(a)\} \wedge X\neg\{g(a)\})$, and $B_K$ (Fig. 5) recognizes all the behaviours of the Kripke structure $K_2$ (Fig. 3). The notation $A_\alpha$ denotes the tree automaton whose language is described by $\alpha$ ($A_{\neg g(a)}$ recognizes the complement of the language $L(A_{g(a)})$, and $A_*$ recognizes all terms of $T(F)$). Figure 6 shows the result of the intersection $B_\cap$ between $B_K$ and $B_L$. Only reachable states and valid transitions (labelled by non-empty tree automata intersections) are shown. Since no reachable state of $B_\cap$ is final, its language is empty. It means that all behaviours of $K_2$ satisfy $P$: the only successor of $f(a)$ for the relation $\dashrightarrow_{R_2}$ is $g(a)$.
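As an added example (not code from the paper), Definition 7, the R-LTL satisfaction test of Section 5 and the product of Definition 8, implemented in Python and run on Example 3. The $\Delta$ and $\Delta_\varepsilon$ of Example 2 are transcribed from the page; everything else is my own choice: a predicate $A_P$ is represented by a Python function on terms rather than by a tree automaton (under Property 2 each label $L(q)$ is a single canonical term, so the test $L(L(q)) \cap L(A_P) \neq \emptyset$ reduces to membership), and instead of a general LTL-to-Büchi translation only the automaton of Figure 4, generalized to the negation of any formula of the shape $G(P \Rightarrow X\,Q)$, is built. Emptiness is decided the way Büchi acceptance requires: an accepting product state that is reachable and lies on a cycle.

```python
from typing import Callable

# Fixpoint automaton of Example 2, transcribed from the paper: DELTA maps a
# normalized configuration f(q1, .., qn) to its state; (q', q) in an EPS set means
# q' -> q.  The split of the eps-transitions between R1 and R2 follows Figures 2 and 3.
DELTA = {('a',): 'q_a', ('b',): 'q_b', ('c',): 'q_c',
         ('f', 'q_a'): 'q_f', ('g', 'q_a'): 'q_g', ('h', 'q_a'): 'q_h'}
EPS_R1 = {('q_b', 'q_a'), ('q_c', 'q_b')}
EPS_R2 = {('q_g', 'q_f'), ('q_h', 'q_g'), ('q_f', 'q_h')}
Pred = Callable[[tuple], bool]   # plays the role of a tree automaton A_P

def canonical(delta, q):
    """Canonical term of q; Property 2 makes the normalized transition unique."""
    (config,) = [c for c, s in delta.items() if s == q]
    return (config[0], *(canonical(delta, s) for s in config[1:]))

def kripke(delta, eps, s0):
    """Definition 7: R(q, q') iff q' -> q in eps, a self-loop where there is no
    successor, L(q) = {canonical term}; only states reachable from S0 are kept."""
    succ = {}
    todo = list(s0)
    while todo:
        q = todo.pop()
        if q not in succ:
            succ[q] = {src for src, dst in eps if dst == q} or {q}
            todo.extend(succ[q])
    return succ, {q: {canonical(delta, q)} for q in succ}

def buchi_not_globally_next(p: Pred, q: Pred):
    """Büchi automaton for F(P and X not Q), the negation of G(P => X Q):
    (initial states, transitions (src, letter, dst), accepting states)."""
    anything = lambda t: True
    return {1}, [(1, anything, 1), (1, p, 2), (2, lambda t: not q(t), 3), (3, anything, 3)], {3}

def model_check(succ, labels, s0, buchi):
    """Definition 8: product of B_K (every state accepting, letter L(q_K)) with B_L.
    Its language is non-empty iff an accepting product state is reachable and lies on
    a cycle.  Returns (property holds, accepting state of a counterexample lasso)."""
    init_l, trans_l, acc_l = buchi

    def step(state):
        qk, ql = state
        for src, pred, dst in trans_l:
            if src == ql and any(pred(t) for t in labels[qk]):  # L(q_K) ∩ L(A_L) ≠ ∅
                for qk2 in succ[qk]:
                    yield (qk2, dst)

    def reach(start):
        seen, todo = set(), list(start)
        while todo:
            s = todo.pop()
            if s not in seen:
                seen.add(s)
                todo.extend(step(s))
        return seen

    for s in sorted(reach({(q, l) for q in s0 for l in init_l})):
        if s[1] in acc_l and s in reach(step(s)):
            return False, s
    return True, None

def check_globally_next(delta, eps, s0, p: Pred, q: Pred):
    """Check the R-LTL formula G(P => X Q) on the Kripke structure of (delta, eps, S0)."""
    succ, labels = kripke(delta, eps, s0)
    return model_check(succ, labels, s0, buchi_not_globally_next(p, q))

def is_term(t):
    """Predicate for the singleton language {t}."""
    return lambda u: u == t

F_A, G_A, H_A = ('f', ('a',)), ('g', ('a',)), ('h', ('a',))

def example3():
    """Example 3: G({f(a)} => X {g(a)}) on K2 (S0 = {q_f})."""
    return check_globally_next(DELTA, EPS_R2, {'q_f'}, is_term(F_A), is_term(G_A))
```

`example3()` returns `(True, None)`: the reachable product states are exactly those of Figure 6 and none of them is accepting. Replacing $\{g(a)\}$ by $\{h(a)\}$ in the formula makes the check fail, and the returned product state is an accepting state of the lasso $(q_f, 3) \to (q_g, 3) \to (q_h, 3) \to (q_f, 3)$ that witnesses the violation. The self-loop added by Definition 7 matters: on $K_1$ from $S_0 = \{q_a\}$ the formula $G(\{c\} \Rightarrow X\{c\})$ holds only because $q_c$ loops on itself.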
Figure 4: Automaton $B_L$ (states 1, 2, 3; transitions labelled $A_*$, $A_{f(a)}$, $A_{\neg g(a)}$, $A_*$).
Figure 5: Automaton $B_K$ (states 4, 5, 6, 7; transitions labelled by the labels $L(q)$ of the states of $K_2$).
Figure 6: Automaton $B_\cap$ (reachable product states (1,4), (1,5), (1,6), (1,7), (2,5); transitions labelled by intersections such as $A_* \cap L(q_f)$, $A_{f(a)} \cap L(q_f)$, $A_* \cap L(q_g)$ and $A_* \cap L(q_h)$).

6 Conclusion, Discussion

In this paper, we have shown how to improve the tree automata completion mechanism so as to keep the ordering between reachable terms. This ordering was lost in the original algorithm [5]. Another contribution is the mechanism making it possible to prove LTL-like temporal properties on such abstractions of sets of reachable terms. The work presented here only deals with finite state systems and exact tree automata completion results. Future plans are to extend this result so as to prove temporal properties on over-approximations of infinite state systems. A similar objective has already been tackled in [8]. However, this was done in a pure rewriting framework where abstractions are more heavily constrained than in tree automata completion [5]. Hence, by extending LTL formula checking to tree automata over-approximations, we hope to ease the verification of temporal formulas on infinite state systems.

Acknowledgements

Many thanks to Axel Legay and Vlad Rusu for fruitful discussions on this work and to the anonymous referees for their comments.

References

[1] F. Baader & T. Nipkow (1998): Term Rewriting and All That. Cambridge University Press.
[2] Y. Boichut, T. Genet, T. Jensen & L. Le Roux (2007): Rewriting Approximations for Fast Prototyping of Static Analyzers. In: RTA, LNCS 4533. Springer-Verlag, pp. 48–62.
[3] Edmund M. Clarke, Orna Grumberg & Doron A. Peled (2000): Model Checking. MIT Press.
[4] H. Comon, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, C. Löding, S. Tison & M. Tommasi (2008): Tree Automata Techniques and Applications. http://tata.gforge.inria.fr.
[5] G. Feuillade, T. Genet & V. Viet Triem Tong (2004): Reachability Analysis over Term Rewriting Systems. Journal of Automated Reasoning 33(3-4), pp. 341–383. Available at http://www.irisa.fr/lande/genet/publications.html.
[6] T. Genet (1998): Decidable Approximations of Sets of Descendants and Sets of Normal Forms. In: Proc. 9th RTA Conf., Tsukuba (Japan), LNCS 1379. Springer-Verlag, pp. 151–165.
[7] R. Gilleron & S. Tison (1995): Regular Tree Languages and Rewrite Systems. Fundamenta Informaticae 24, pp. 157–175.
[8] J. Meseguer, M. Palomino & N. Martí-Oliet (2008): Equational Abstractions. TCS 403(2-3), pp. 239–264.
[9] T. Takai (2004): A Verification Technique Using Term Rewriting Systems and Abstract Interpretation. In: Proc. 15th RTA Conf., Aachen (Germany), LNCS 3091. Springer, pp. 119–133.
