Handling Left-Quadratic Rules When Completing Tree Automata

HAL Id: hal-00563293

https://hal.archives-ouvertes.fr/hal-00563293

Submitted on 4 Feb 2011

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires

Handling Left-Quadratic Rules When Completing Tree Automata

Yohan Boichut, Roméo Courbis, Pierre-Cyrille Héam, Olga Kouchnarenko

To cite this version:

Yohan Boichut, Roméo Courbis, Pierre-Cyrille Héam, Olga Kouchnarenko. Handling Left-Quadratic

Rules When Completing Tree Automata. 2nd Workshop on Reachability Problems in Computational

Models - RP’08, Sep 2008, Liverpool, United Kingdom. pp.61–70, �10.1016/j.entcs.2008.12.031�. �hal-

00563293�

Completing Tree Automata

Y. Boihut

1

, R. Courbis

2

, P.-C. Héam

2

and O. Kouhnarenko

2

1

INRIA/PAREO

615 rue duJardin BotaniqueBP-101 F-54602 Villers-Lès Nany Cedex

boihutloria.fr

2

INRIA/CASSIS andLIFC/ University of Franhe-Comté 16route deGray

F-25030 Besançon Cedex

lastname.firstnamelif.univ-fomte.fr

Abstrat

Thispaperaddresses thefollowing general problem of treeregular model-heking:

deide whether

R ^∗ (L) ∩ L p = ∅

^where

R ^∗

^{is the reexive and transitive losure of}

a suessor relationindued by aterm rewriting system

R

^,and

L

^and

L p

^{are both}

regulartreelanguages.Wedevelopanautomati approximation-basedtehnique to

handle this undeidable in general problem in the ase when term rewriting

system rules are left-quadrati. The most ommon pratial ase is handled this

way.

Keywords: Rewritingtehniques, tree automata,left-linearity,seurity.

1 Introdution

Automati veriation of software systems is one of the most hallenging re-

searhproblemsinomputeraidedveriation.Inthisontext,regularmodel-

hekinghasbeenproposedasageneralframeworkforanalysingandverifying

innite state systems. In this framework, systems are modelled using regular

representations: the systems ongurations are modelled by nite words or

trees (of unbounded size) and the dynami behaviour of systems is modelled

either by a transduer or a (term) rewriting system. Afterwards, a system

reahability-basedanalysisisreduedtothe regularlanguageslosureompu-

tation under(term) rewriting systems: given a regularlanguage

L

^{,a relation}

R

^{indued by a (term) rewriting system and a regular set}

L P

^{of bad ong-}

urations, the problem is to deide whether

R ^∗ (L) ∩ L p = ∅

^where

R ^∗

^{is the}

reexiveand transitivelosureof

R

^{. Sine}

R ^∗ (L)

^{isingeneralneitherregular}

nor deidable, several approahes handle restrited ases of this problem.

In this paper we address this problem for tree regular languages by auto-

matially omputing over- and under-approximations of

R ^∗ (L)

^{. Computing}

an over-approximation

K _over

^of

R ^∗ (L)

^{may be useful for the veriation if}

K over ∩ L p = ∅

^{, proving that}

R ^∗ (L) ∩ L p = ∅

^{. Dually,} under-approximation may be suitable to prove that

R ^∗ (L) ∩ L p 6= ∅

^{. This approah is relevant if}

the omputed approximations are not too oarse. Another important point

is that in general, there are some restritions on the rewriting systems in or-

der to ensure the soundness of the above approah. This paper follows and

adapts an expert-human guided approximation tehnique introdued in [18℄

forleft-linearterm-rewritingsystems.Morepreisely,thepaper1)extendsthis

approahtotermrewritingsystemswithleft-quadratirules,and2)illustrates

itsadvantages on examples.

Related Work Given a term rewriting system

R

^{and two ground terms}

s

and

t

^{, deidingwhether}

s → ^∗ _R t

^{is a entralquestion in automati proof the-}

ory. This problem is shown deidable for term rewriting systems whih are

terminatingbut itis undeidablein general.Several syntati lasses of term

rewritingsystemshavebeenpointedouttohaveadeidableaessibilityprob-

lem, for instane by providing an algorithm to ompute

R ^∗ (L)

^when

L

^{is a}

regular tree language [15,13,20,23,25,26℄. In [18℄, authors fous on a general

ompletion based human-guided tehnique. This tehnique has been suess-

fullyused(notautomatially)toprovethe seurityofryptographiprotools

[19℄andreentlyJavaByteodeprograms[5℄.Thisframeworkwasextendedin

[24℄tolanguages aepted byAC-treeautomata.Several work ontreeregular

modelheking are proposed in[9,1,8,21℄.

Layout of the paper Thepaperisorganised asfollows.Setion2introdues

notations and the basi ompletion approah. Next, Setion 3 presents the

maintheoretialontributionsofthe paper, whileSetion4desribesafamily

of examples and gives relatedseurity issues. Finally, Setion5 onludes.

2 Preliminaries

2.1 Terms and TRSs

Comprehensivesurveys anbefound in[16,2℄forterm rewritingsystems,and

in[12,20℄ for tree automata and tree languagetheory.

Let

F

^{beanitesetofsymbols,assoiatedwithanarityfuntion}

ar : F → ^N

^,

and let

X

^{be a ountable set of variables.}

T (F , X )

^{denotes the set of terms,}

and

T (F )

^{denotes the set of groundterms (termswithout}variables).The set of variables of a term

t

^{is denoted by}

V ar(t)

^{. A} substitution is a funtion

σ

from

X

^into

T (F , X )

^{, whih an be extended uniquely to an} endomorphism of

T (F , X )

^{. A position}

p

^{for a term}

t

^{is a word over}

^N

^{. The empty sequene}

ǫ

^{denotes the top-most position. The set}

P os(t)

^{of positions of a term}

t

^is

indutively dened by:

P os(t) = {ǫ}

^if

t ∈ X

^and

Pos(f (t ₁ , . . . , t n )) = {ǫ} ∪ {i.p | 1 ≤ i ≤ n

^and

p ∈ P os(t i )}

^{. If}

p ∈ Pos(t)

^{, then}

t| p

^{denotes the subterm}

of

t

^{at position}

p

^and

t[s] p

^{denotes the term obtained by replaement of the}

subterm

t| p

^{at position}

p

^{by the term}

s

^{. We also denote by}

t(p)

^{the symbol}

ourring in

t

^atposition

p

^{. Given a term}

t ∈ T (F , X )

^{, wedenote}

P os A (t) ⊆ P os(t)

^{the set of positions of}

t

^{suh that}

P os A (t) = {p ∈ Pos(t) | t(p) ∈ A}

^.

Thus

P os F (t)

^{isthe set of funtional positionsof}

t

^.

A term rewriting system (TRS)

R

^{is a set of rewrite rules}

l → r

^{, where}

l, r ∈ T (F , X )

^and

l 6∈ X

^{. A rewrite rule}

l → r

^is left-linear (resp. right- linear) if eah variable of

l

^(resp.

r

^{) ours only one within}

l

^(resp.

r

^{). A}

TRS

R

^isleft-linear(resp.right-linear)if every rewriterule

l → r

^of

R

^isleft-

linear (resp. right-linear). A TRS

R

^{is linear if it isright and} left-linear.The TRS

R

^{indues a rewriting relation}

→ R

^{on terms whose reexive transitive}

losure is written

→ ^⋆ _R

^{. The set of}

R

-desendants of a set of ground terms

E

is

R ^∗ (E) = {t ∈ T (F) | ∃s ∈ E

^s.t.

s → ^⋆ _R t}

^.

2.2 Tree Automata Completion

Notethat

R ^∗ (E)

^{ispossibly innite:}

R

^{may not terminate and/or}

E

^{may be}

innite.Theset

R ^∗ (E)

^{isgenerallynotomputable[20℄.However,itispossible}

toover-approximate it [18℄ using tree automata,i.e. anite representation of

innite(regular) sets of terms. We next dene tree automata.

Let

Q

^{be aniteset of symbols,ofarity}

0

^{,alledstates suh that}

Q ∩ F = ∅

^.

T (F ∪ Q)

^{is alled the set of} ongurations A transition is a rewrite rule

c → q

^{, where}

c ∈ T (F ∪ Q)

^{is a onguration and}

q ∈ Q

^{. A normalised}

transition is a transition

c → q

^where

c = f(q 1 , . . . , q n )

^,

f ∈ F

^,

ar(f) = n

^,

and

q 1 , . . . , q n ∈ Q

^.Abottom-upnon-deterministinitetree automaton(tree automaton for short) is a quadruple

A = hF , Q, Q f , ∆i

^,

Q f ⊆ Q

^and

∆

is a nite set of normalised transitions. The rewriting relation on

T (F ∪ Q)

indued by the transition set

∆

^of

A

^{is denoted}

→ ∆

^{. When}

∆

^{is lear from}

the ontext,

→ ∆

^{is alsowritten}

→ A

^{. The tree language reognised by}

A

^{in a}

state

q

^is

L(A, q) = {t ∈ T (F ) | t → ^⋆ _A q}

^{. The language reognised by}

A

^is

L(A) = ^S _{q∈Q f} L(A, q)

^{.Atreelanguageisregularifandonlyifitisreognised}

by a tree automaton.

ability analysis. Given a tree automaton

A

^{and a TRS}

R

^{, the tree automata}

ompletion algorithm proposed in [18℄ omputes a tree automaton

A ^k _R

^suh

that

L(A ^k _R ) = R ^∗ (L(A))

^{when it is possible (for the lasses of TRSs where}

anexatomputationispossible,see [18℄),andsuhthat

L(A ^k _R ) ⊇ R ^∗ (L(A))

otherwise.

The tree automata ompletion works as follows. From

A = A ⁰ _R

^ompletion

builds a sequene

A ⁰ _R , A ¹ _R . . . A ^k _R

^{of automata suh that if}

s ∈ L(A ⁱ _R )

^and

s → R t

^then

t ∈ L(A ⁱ⁺¹ _R )

^{. If there is a x-point automaton}

A ^k _R

^{suh that}

R ^∗ (L(A ^k _R )) = L(A ^k _R )

^{, then}

L(A ^k _R ) = R ^∗ (L(A ⁰ _R ))

^(or

L(A ^k _R ) ⊇ R ^∗ (L(A))

if

R

^{is in no lass of [18℄). To build}

A ⁱ⁺¹ _R

^from

A ⁱ _R

^{, a ompletion step is}

ahieved. Itonsistsof ndingritialpairs between

→ R

^and

→ _A ⁱ

R

. Todene

the notion of ritial pair, the substitution denition is extended to terms in

T (F ∪ Q)

^{. For a} substitution

σ : X 7→ Q

^{and a rule}

l → r ∈ R

^{suh that}

Var(r) ⊆ Var(l)

^{,ifthereexists}

q ∈ Q

^satisfying

lσ → ^∗ _A i

R q

^then

lσ → ^∗ _A i

R q

^and

lσ → R rσ

^{isaritialpair. Notethatsine}

R

^and

A ⁱ _R

^{isnite,there isonlya}

nite number of ritial pairs. Thus, for every ritial pair deteted between

R

^and

A ⁱ _R

^{suh that}

rσ 6→ ^∗ _A i

R q

^{, the tree automaton}

A ⁱ⁺¹ _R

^{is onstruted}

by adding a new transition

rσ → q

^to

A ⁱ _R

^. Consequently,

A ⁱ⁺¹ _R

^reognises

rσ

ⁱⁿ

q

^{, i.e.}

rσ → _A ⁱ⁺¹

R q

^{. However, the transition}

rσ → q

^{is not neessarily}

normalised.Then,weuseabstrationfuntionswhosegoalistodeneasetof

normalised transitions

Norm

^{suh that}

rσ → ^∗ _{N orm} q

^{. Thus, instead of adding}

the transition

rσ → q

^{whih isnot} normalised,the set oftransitions

Norm

^is

added to

∆

^{,i.e., the transitionset of the urrentautomaton}

A ⁱ _R

^.

Wegivebelowaverygeneraldenitionof abstrationfuntionswhihallotto

eahfuntionalpositionof

rσ

^astateof

Q

^{.The roleofanabstrationfuntion}

remains to dene equivalene lasses of terms where one lass orresponds

to one state of

Q

^{. An abstration funtion}

γ

^{is a funtion}

γ : ((R × (X → Q)×Q) 7→ N ^∗ ) 7→ Q

^suhthat

γ(l → r, σ, q)(ǫ) = q

^{.Thus,givenanabstration}

funtion

γ

^{, the} normalisation of a transition

rσ → q

^{is dened as follows.}

Let

γ

^{be an abstration funtion,}

∆

^{be a transition set,}

l → r ∈ R

^with

Var(r) ⊆ Var(l)

^and

σ : X → Q

^{suh that}

lσ → ^∗ _∆ q

^.The

γ−

normalisation of the transition

rσ → q

^,written

Norm γ (l → r, σ, q)

^{, is dened by:}

Norm γ (l → r, σ, q) = {r(p)(β _p.1 , . . . , β p.n ) → β | p ∈ Pos F (r),

β =



 

 

q if p = ǫ

γ(l → r, σ, q)(p) otherwise.

β p.i =



 

 

σ(r(p.i)) if r(p.i) ∈ X

γ(l → r, σ, q)(p.i) otherwise.

Example 1 Let

A = hF, Q, Q f , ∆i

^{be the tree automaton suh that}

F = {a, b, c, d, e, f, ω}

^with

ar(s) = 1

^with

s ∈ {a, b, c, d, e, f }

^and

ar(ω) = 0

^,

Q = {q b , q f , q ω }

^,

Q f = {q f }

^and

∆ = {ω → q ω , b(q ω ) → q b , a(q b ) → q f }

^.

Thus,

L(A) = {a(b(ω))}

^{. Given the TRS}

R = {a(x) → c(d(x)), b(x) → e(f(x))}

^{, two ritial pairs are omputed:}

a(q b ) → ^∗ _A q f

^,

a(q b ) → R c(d(q b ))

and

b(q ω ) → ^∗ _A b(q ω ) → R e(f (q ω ))

^{. Let}

γ

^{be the abstration funtion suh that}

γ(a(x) → c(d(x)), {x → q b }, q f )(ǫ) = q f

^,

γ(a(x) → c(d(x)), {x → q b }, q f )(1) = q f

^,

γ(b(x) → e(f(x)), {x → q ω }, q b )(ǫ) = q b

^and

γ(b(x) → e(f(x)), {x → q ω }, q b )(1) = q b

^{. So,}

Norm γ (a(x) → c(d(x)), {x → q b }, q f ) = {d(q b ) → q f , c(q f ) → q f }

^and

Norm γ (b(x) → e(f (x)), {x → q ω }, q b ) = {f (q ω ) → q b , e(q b ) → q b }

^.

Nowweformallydenewhataompletionstepis.Let

A = hF , Q, Q f , ∆i

^bea

treeautomaton,

γ

^{anabstrationfuntionand}

R

^aleft-linearTRS.Wedene atree automaton

C _γ ^R (A) = hF , Q ^′ , Q ^′ _f , ∆ ^′ i

^with:

• ∆ ^′ = ∆ ∪ ^S l→r∈R, σ:X 7→Q, lσ→ ^∗ _A q,rσ6→ ^∗ _A q Norm γ (l → r, σ, q)

^,

• Q ^′ = {q | c → q ∈ ∆ ^′ }

^and

• Q ^′ _f = Q f

^.

Example 2 Given

A

^,

R

^and

γ

^{of Example 1, performing one ompletion}

step on

A

^{gives the automaton}

C _γ ^R (A)

^{suh that}

C _γ ^R (A) = hF , Q, Q f , ∆ ^′ i

where

∆ ^′ = ∆ ∪ Norm γ (a(x) → c(d(x)), {x → q b }, q f ) ∪ Norm γ (b(x) → e(f(x)), {x → q ω }, q b ) = {ω → q ω , b(q ω ) → q b , a(q b ) → q f , d(q b ) → q f , c(q f ) → q f , f(q ω ) → q b , e(q b ) → q b }

^.Notiethat

C _γ ^R (A)

^is

R

^{-lose,andinfatanover-}

approximation of

R ^∗ (L(A))

^{is omputed. Indeed, the tree automaton}

C _γ ^R (A)

reognises the term

a(e(e(f(ω))))

^when

R ^∗ (L(A)) = {a(b(ω)), a(e(f(ω))), c(d(b(ω))), c(d(e(f(ω))))}.

Proposition 3 ([18, Theorem 1℄) Let

A

^{be a tree automaton and}

R

^{be a}

TRSsuhthat

A

^isdeterministior

R

^isleft-linear,and forevery

l → r ∈ R

^,

Var(r) ⊆ Var(l)

^{. For any abstration funtion}

γ

^{, one has:}

L(A) ∪ R(L(A)) ⊆ C _γ ^R (A).

Inaddition,anabstrationfuntionsan bedened insuhaway onlyterms,

atually reahable, will be omputed. This lass of abstration funtions is

alled

(A, R)−

^{exat abstration funtionsin [3℄.}

Let

A = hF , Q, Q f , ∆)

^{be a tree automaton and}

R

^{be a TRS. Let}

Im(γ) = {q | ∀l → r ∈ R, ∀p ∈ P os F (r) s.t. γ(l → r, σ, q)(p) = q}

^{. An abstration}

funtion

γ

^is

(A, R)−

^{exat if}

γ

^{is injetiveand}

Im(γ) ∩ Q = ∅

^.

ByadaptingtheproofofTheorem2in[18℄tothenewlassofabstrations,we

showthatwithsuhabstrationfuntions,onlyreahabletermsareomputed.

Theorem 1 ([18, Theorem 2℄) Let

A

^{beatreeautomatonand}

R

^beaTRS

suh that

A

^is deterministi or

R

^is right-linear. Let

α

^{be an}

(A, R)−

^exat

abstration funtion. One has:

C _α ^R (A) ⊆ R ^∗ (L(A))

^.

We now give the general result in [18℄ saying that, if there exists a x-point

automaton, then its language ontains all the terms atually reahable by

rewriting, atleast.

(A, R)−

^{exat abstrationfuntions.}

Theorem 2 ([18, Theorem 1℄) Let

A

^,

R

^and

γ

^be respetively a tree au- tomaton,a TRS.For any abstration funtion,ifthereexists

N ∈ N

and

N ≥ 0

^{suh that}

(C _γ ^R ) ^(N) (A) = (C _γ ^R ) ^{(N +1)} (A)

^{, then}

R ^∗ (L(A)) ⊆ L((C _γ ^R ) ^(N) (A)).

The above method doesnot work for all TRSs. Forinstane, onsider aon-

stant

A

^{andthetreeautomaton}

A = ({q ₁ , q 2 , q f }, {A → q 1 , A → q 2 , f(q 1 , q 2 ) → q f }, {q f })

^andtheTRS

R = {f (x, x) → g(x)}

^.Thereisnosubstitution

σ

^suh

that

lσ → ^∗ _A q

^{, for a}

q

ⁱⁿ

{q 1 , q 2 , q f }

^{. Thus, following the proedure, there is}

no transition to add. But

f(A, A) ∈ L(A)

^{. Thus}

g(A) ∈ R(L(A))

^{. Sine}

g(A) ∈ L(A) /

^{, the proedure stops (in fat does not begin) before providing}

anover-approximation of

R ^∗ (L(A))

^.

3 Contributions

This setionextends anapproximation-basedtehnique introdued in[18℄ for

left-linearterm-rewritingsystems, to TRSs with left-quadratirules.

Let

A = (Q, ∆, Q f )

^{be a nite bottom-up tree automaton. The automaton}

A = (Q , ∆ , Q _f )

^{isdened by:}

• Q = {{q} | q ∈ Q} ∪ {{q 1 , q 2 } | q 1 , q 2 ∈ Q}

^{(states of}

Q

^{are denoted with}

a

exponent),

• Q _f = {{q} | q ∈ Q f }

^,

• ∆ = {f (q ₁ , . . . , q _n ) → q | ∀q ∈ q , ∃q 1 , . . . , q n ∈ Q, ∀1 ≤ i ≤ n, q i ∈ q _i

^and

f (q 1 , . . . , q n ) → q ∈ ∆}

^.

To illustratethe denition above, let's onsider the automaton

A

^whosenal

state is

q f

^{and whose} transitions are

A → q ₁

^,

A → q ₂

^and

f (q ₁ , q ₂ ) → q f

^.

The states of

A

^{are all pairs of states and singletons over}

{q 1 , q 2 , q f }

^{, and}

the transitions are

A → {q ₁ }

^,

A → {q ₂ }

^,

A → {q ₁ , q 2 }

^,

f ({q ₁ }, {q ₂ }) → {q f }

^,

f({q ₁ , q i }, {q ₂ , q j }) → {q f }

^{for all}

i, j ∈ {1, 2, f}

^{. When onsidering only the}

aessible states, among allthe transitions above we just have the transition

f({q ₁ , q 2 }, {q ₂ , q 1 }) → {q f }

⁽

i = 2

^and

j = 1

^).

Proposition 4 Onehas

L(A) = L(A )

^.

Proof. Bydenitionof

A

^,if

f(q ₁ , . . . , q n ) → q ∈ ∆

^,then

f ({q ₁ }, . . . , {q n }) → {q} ∈ ∆

^. Consequently, for every term

t

^{suh that}

t → ^∗ _A q

^{, one also has}

t → ^∗ _A {q}

^{. Sinefor every}

q f ∈ Q f

^,

{q f } ∈ Q _f

^,

L(A) ⊆ L(A )

^.

Itremainstoprovethat

L(A ) ⊆ L(A)

^{.Wewillproveby indutionon}

k

^that

for every

k ≥ 1

^{, for every term}

t

^{, every state}

q

^of

A

^{, if}

t → ^k _A q

^{, then for}

all

q ∈ q

^,

t → ^k _A q

^.

•

^If

t → A q

^{, then, by denition of}

∆

^,

t

^{is a onstant and for all}

q ∈ q

^,

thereexists atransition

t → q

^of

A

^.

•

^{Assumenow that the laim is truefor a xed positiveinteger}

k

^{. Let}

t

^{be a}

term and

q ∈ A

^{suh that}

t → ^k+1 _A q

^. Consequently, there exists

f ∈ F n

suh that

t → ^k _A f (q ₁ , . . . , q _n ) → A q

^{. It follows that}

t = f(t ₁ , . . . , t k )

and for all

1 ≤ i ≤ k

^,

t i → ^k _A q _i

^{. Usingthe indution} hypothesis,

t i → ^k _A q i

^,

forall

q i ∈ q _i

^.Consequently, for all

q ∈ q

^,

f (q 1 , . . . , q n ) → q ∈ ∆

^{, proving}

the indution.

So,

L(A ) ⊆ L(A)

^.

2

Lemma 5 If

C[q 1 , . . . , q n ] → ^∗ _A q

^{and if}

q ₁ , . . . q _n

^{are states of}

A

^satisfying

q i ∈ q _i

^{for all}

1 ≤ i ≤ n

^{, then}

C[q ₁ , . . . , q _n ] → ^∗ _A {q}

^.

Proof. Weprovebyindutionon

k

^thatforevery

k ≥ 1

^,if

C[q 1 , . . . , q n ] → ^k _A q

and if

q ₁ , . . . q _n

^{are states of}

A

^satisfying

q i ∈ q _i

^{for all}

1 ≤ i ≤ n

^{, then}

C[q ₁ , . . . , q _n ] → ^k _A {q}

^.

•

^If

k = 1

^,then

C[q 1 , . . . , q n ] → q

^{isatransitionof}

A

^{.Therefore,by denition}

of

∆

^,

C[q ₁ , . . . , q _n ] → {q}

^{isa transitionof}

A

^.

•

^{Assumenowthatthe}propositionistrueforall

j ≤ k

^andthat

C[q 1 , . . . , q n ] → ^k+1 _A q

^{. There exist}

q ₁ ^′ , . . . , q _ℓ ^′

^{states of}

A

^and

f ∈ F ℓ

^{suh that}

C[q 1 , . . . , q n ] → ^k _A f(q ^′ ₁ , . . . , q _ℓ ^′ ) → A q

^.Consequently,

C[q ₁ , . . . , q n ]

^isoftheform

C[q ₁ , . . . , q n ] = f(t 1 , . . . , t ℓ )

^{where the}

t i

^{'s are terms over}

F ∪ {q 1 , . . . , q n }

^{. Moreover, for}

all

i

^{, there exists}

k i ≤ k

^{suh that}

t i → ^k _A ⁱ {q _i ^′ }

^and

^P _i k i = k

^{. There-}

fore, by indution hypothesis,

t i → ^k _A ⁱ {q _i ^′ }

^where

t i

^{is the term obtained}

from

t i

^by substituting

q i

^by

q _i

^{. Now, sine}

f(q ₁ ^′ , . . . , q _ℓ ^′ ) → q

^{is a tran-}

sition of

A

^,

f ({q ₁ ^′ }, . . . , {q _ℓ ^′ }) → {q}

^{is a transition of}

A

^{. It follows that}

C[q ₁ , . . . , q _n ] → ^k+1 _A {q}

^{, provingthe lemma.}

2

Lemma 6 If

t → ^∗ _A q ₁

^and

t → ^∗ _A q ₂

^{, then}

t → ^∗ _A {q ₁ , q ₂ }

^.

Proof. If

t → ^∗ _A q 1

^and

t → ^∗ _A q 2

^{, then there exists a funtion}

π 1

^(reps.

π 2

⁾

from positions of

t

^into

Q

^{suh that}

π 1 (ε) = q 1

^(resp.

π 2 (ε) = q 2

^{) and for}

every position

p

^of

t

^,if

t p ∈ F n

^,then

t(p)(π ₁ (p.1), . . . , π ₁ (p.n)) → π ₁ (p)

^(resp.

t(p)(π 2 (p.1), . . . , π 2 (p.n)) → π 2 (p)

^{) is a transitionof}

A

^{. Therefore, by deni-}

tion of

∆

^,

t(p)({π ₁ (p.1), π 2 (p.1)}, . . . , {π ₁ (p.n), π 2 (p.n)}) → {π ₁ (p), π 2 (p)}

^is

in

∆

^{. It follows that}

t → ^∗ _A {q ₁ , q ₂ }

^.

2

Proposition 7 If

R

^isleft-quadrati, then

R(L(A)) ∪ L(A) ⊆ L(C γ (A ))

^.

Proof. Sine

L(A) = L(A )

^{and sine}

L(A ) ⊆ L(C γ (A ))

^,

L(A) ⊆ L(C γ (A ))

^.

Let

t ∈ R(L(A))

^{.By denition there exists a rule}

l → r ∈ R

^{, a position}

p

^of

t

^{and a} substitution

µ

^from

X

^into

T (F)

^{suh that}

t = t[rµ] p

^and

t[lµ] p ∈ L(A)

⁽¹⁾

It follows thereexist states

q, q f

^of

A

^{suh that}

q f

^isnal,

lµ → ^∗ _A q

^and

t[q] p → ^∗ _A q f .

⁽²⁾

Consequently,

lµ → ^∗ _A {q}

^and

t[{q}] p → ^∗ _A {q f }.

⁽³⁾

If

rµ → ^∗ _A {q}

^{, then (3) implies that}

t[rµ] p → ^∗ _A {q f }

^{. In this ase, sine}

t = t[rµ] p

^{and sine}

{q f }

^{is by onstrution anal state of}

A

^,

t

^{is in}

L(A )

^,

whih is asubset of

L(C γ (A ))

^.

Now wemay assumethat

rµ 6→ ^∗ _A {q}

^.Let

P l

^{bethe set of variable positions}

of

l

^{; i.e.}

P l = {p | l(p) ∈ X )}

^{. Set}

P l = {p 1 , . . . , p ℓ }

^{. Sine}

lµ → ^∗ _A q

^{, by (2)}

there existstates

q 1 , . . . , q ℓ

^of

A

^{suh that}

µ(l(p i )) → ^∗ _A q i

^and

l[q 1 ] p 1 . . . [q ℓ ] p ℓ → ^∗ _A q.

⁽⁴⁾

We denethe substitution

σ

^{fromvariablesourringin}

l

^into

2 ^Q

^by:

σ(x i ) = {q i | l(p i ) = x i }

^{. Sine}

l

^is left-quadrati, for eah

x i

^,

σ(x i )

^{ontains atmost}

two states. We laim that

lσ → ^∗ _A q

^{. Indeed by (4) and by Lemma 6for eah}

x i

^{ourring in}

l

^,

µ(x i ) → ^∗ _A σ(x i )

^{. It follows that}

lµ → ^∗ _A lσ

^{. By (4) and}

using Lemma 5,

lσ → ^∗ _A {q}

^{, proving the laim. By onstrution of}

C γ (A )

^,

rσ → ^∗ _{C γ (A )} {q}

^{. Moreover, by denition of}

σ

^,

rµ → ^∗ _A rσ

^{. It follows that}

t = t[rµ] p → ^∗ _A t[rσ] p → ^∗ _{C γ (A )} t[{q}] p → ^∗ _A {q f },

whih ompletes the proof.

2

Proposition 8 If

R

^isright-linearandif

α

^is

(A, R)

^-exat,then

L(C γ (A )) ⊆ R ^∗ (L(A))

^.

Proof. This is a diretonsequene of Theorem 1and Proposition 4.

2

4.1 Example

We have tested our approah on the following family of examples. We rst

onsider afamilyoftree automata

(A n )

^{dened asfollows:the set ofstates of}

A n

^is

{q ₁ , . . . , q 2n+2 , q f }

^{,thesetofnalstateis}

{q f }

^{,andtheset of}transitions is

{ω → q ₁ , ω → q ₂ , a(q ₁ ) → q ₁ , a(q ₂ ) → q ₂ , b(q ₁ ) → q ₁ , b(q ₂ ) → q ₂ , a(q ₁ ) → q 3 , a(q 2 ) → q 4 , a(q i ) → q i+2 , b(q i ) → q i+2 , f(q 2n+1 , q 2n+2 ) → q f }

^{, for}

i ≥ 3

^.

The automaton

A n

^{aepts the set of terms of the form}

f (t 1 , t 2 )

^where

t 1

and

t ₂

^{are terms over}

{a, b, ω}

^{suh that}

t ₁ | ₁ ⁿ⁻¹

^and

t ₂ | ₁ ⁿ⁻¹

^{exist and are in}

{a}.{a, b} ^∗

^{. Roughly speaking, when using word automata,}

a(b(ω))

^denotes

ab

^{, and eah pair}

(t 1 , t 2 )

^{an be viewed as words of}

L = {a, b} ⁿ⁻¹ .{a}.{a, b} ^∗

satisfyingthe onditionabove. We seondonsider the termrewriting system

R

^{ontainingthesinglerule}

f (x, x) → x

^{,andwewanttoprovethat}

b ⁿ⁻¹ a(ω) ∈ R ^∗ (L(A n ))

^{.UsingnitelymanytimesTheorem1diretlyon}

A n

^maynotprove

the results. However, to prove the results, one an determinise

A n

^before

using Theorem 1. But, the minimal automaton of

L(A n )

^has

2 ⁿ

^{states at}

least [22℄, [Exerise 3.20, p. 73℄. Then, the ompletion should be applied to

this automaton. Consequently, this automati proof requires an exponential

timestep. Usingour approah,one anompute

A

^{and apply}Proposition8, that providesthe proofrequiring a polynomialtime step.

4.2 Left-linearity and Seurity Issues

4.2.1 Seurity Protool Analysis

The TRSs used in the seurity protool veriation ontext are often non

left-linear.Indeed, there isa lot of protools that annotbemodeledby left-

linear TRSs. Unfortunately, to be sound, the approximation-based analysis

desribedin[19℄requirestheuseofleft-linearTRSs.Nevertheless,thismethod

an stillbe applied to some non left-linear TRSs, whih satisfy some weaker

onditions. In [17℄ the authors propose new linearity onditions. However,

these new onditions are not well-adapted to be automatiallyheked.

In our previous work [6℄ we explain how to dene a riterion on

R

^and

A

^to

makethe proedure automatiallywork forindustrialprotoolsanalysis. This

riterion ensures the soundness of the method desribed in [19,17℄. However,

tohandle protools the approah in[6℄is basedon akind ofonstant typing.

In [7℄ we go further and propose a proedure supporting a fully automati

analysis and handling withouttyping algebrai properties likeXOR.

theXORnon-leftlinearrule.Seond,in[6℄wehaverestritedXORoperationsto

typedtermstodealwiththeXORnon-leftlinearrule.However, someprotools

are known tobe awed by type onfusing attaks [14,10,11℄.Notie that our

approah in [7℄ an be applied to any kinds of TRSs. Moreover, it an ope

with exponentiation algebraiproperties and this way analyse Die-Hellman

based protools.

4.2.2 Bakward Analysis of Java Byteode

A reent work [4℄, dediated tothe stati analysis of Java byteode programs

using term-rewritingsystems, providesanautomati proeduretotranslatea

Java byteode into a term rewriting system modeling the ode exeution on

the JavaVirtual Mahine. In this ontext, generated TRSs are left-linearbut

right-quadrati. In order to ompute approximation renements as in [3℄ or

to manage bakward analyses that are in general and in pratie more

eient that forward analyses term rewriting systems have to be turned

left-right,i.e.left-and right-hand sides of rules have tobepermuted. Bythis

permutationright-quadratiTRSs beomeleft-quadrati ones.

5 Conlusion

Regularapproximation tehniques have been suessfully used in the ontext

of seurity protool analysis. In order to apply them to other appliations,

thispaperproposedanextensionoftheompletionproedureforhandlingleft-

quadratirules.Ourontributionsallowanalysingsomereahabilityproblems

usingpolynomialsteps omputing

A

^{,ratherthan automata} determinisation steps that are exponential, even in pratial ases. Notie that the approah

presented only for quadrati rules an be extended to more omplex TRSs.

We intend to optimise this tehnique: polynomial is better than exponential

butmay alsoleadtohuge automatainfewsteps.Wehavebeen implementing

the tehniques in an eient rewriting tool in order to investigate omplex

systems bakward analyses.

Referenes

[1℄ Parosh Aziz Abdulla, Bengt Jonsson, Pritha Mahata, and Julien d'Orso.

Regular tree model heking. In Ed Brinksma and Kim Guldstrand Larsen,

editors,ComputerAidedVeriation,volume2404ofLetureNotesinComputer

Siene, pages555568. Springer-Verlag,July 2731 2002.

Press,1998.

[3℄ Y. Boihut, R. Courbis, P.-C. Héam, and O. Kouhnarenko. Finer is better:

Abstrationrenement for rewriting approximations. In RTA'08,LNCS, 2008.

To appear.

[4℄ Y.Boihut,Th.Genet,Th.Jensen,and L.Le Roux. Rewritingapproximations

for fast prototyping of stati analyzers. In proeedings of RTA, LNCS 4533,

pages4862. Springer,2007.

[5℄ Y. Boihut, Th. Genet, Th. P. Jensen, and L. Le Roux. Rewriting

approximationsforfastprototyping ofstatianalyzers.InFranzBaader,editor,

Term Rewriting and Appliations, 18th International Conferene, RTA 2007,

Paris,Frane, June 26-28,2007, Proeedings, volume4533 ofLNCS,pages48

62.Springer, 2007.

[6℄ Y. Boihut, P.-C. Héam, and O. Kouhnarenko. Automati Veriation of

SeurityProtools Using Approximations. Tehnial Report RR-5727, INRIA,

2005.

[7℄ Y.Boihut, P.-C. Héam,and O. Kouhnarenko. Handling algebrai properties

inautomatianalysisofseurityprotools.InKamelBarkaoui,AnaCavalanti,

andAntonioCerone,editors, ICTAC'06,volume 4281of LNCS,pages153167.

Springer,2006.

[8℄ A. Bouajjani, P. Habermehl, A. Rogalewiz, and T. Vojnar. Abstrat regular

treemodelheking.InInnity'05,volume149ofEletroniNotesinTheoretial

ComputerSiene, pages3748, 2006.

[9℄ Ahmed Bouajjani and Tayssir Touili. Extrapolating tree transformations. In

EdBrinksmaandKimGuldstrandLarsen,editors,ComputerAidedVeriation,

volume 2404 of Leture Notes in Computer Siene, pages 539554. Springer-

Verlag,July 27312002.

[10℄L.Bozga, Y. Lakhneh, and M. Perin. Pattern-based abstration for verifying

serey inprotools. In9th International Conferene on Tools and Algorithms

fortheConstrutionandAnalysisofSystems,TACAS2003,Proeedings,volume

2619 ofLNCS.Springer-Verlag,2003.

[11℄I. Cibrario, L. Durante, R. Sisto, and A. Valenzano. Automati detetion

of attaks on ryptographi protools: A ase study. In Christopher Kruegel

Klaus Julish, editor, Intrusion and Malware Detetion and Vulnerability

Assessment: Seond International Conferene, volume 3548 of LNCS, Vienna,

2005.

[12℄H.Comon, M. Dauhet, R. Gilleron, F. Jaquemard, D. Lugiez, S.Tison, and

M. Tommasi. Tree AutomataTehniquesand Appliations, 2002.

[13℄J.-L. Coquidé, M. Dauhet, R. Gilleron, and Vágvölgyi S. Bottom-up tree

pushdownautomataandrewritesystems.InRonaldV.Book,editor,Rewriting

TehniquesandAppliations,4thInternationalConferene,RTA-91,LNCS488,

pages287298, Como,Italy,April1012,1991. Springer-Verlag.

inryptographiprotools. Journalof Computer Seurity,14:143,2006.

[15℄DauhetandTison. Thetheoryofgroundrewritesystemsisdeidable.InLICS:

IEEE Symposiumon Logi in Computer Siene, 1990.

[16℄N.DershowitzandJ.-P.Jouannaud. HandbookofTheoretialComputerSiene,

volume B, hapter 6: Rewrite Systems, pages 244320. Elsevier Siene

Publishers B.V,1990.

[17℄G.Feuillade,Th.Genet,andV.VietTriemTong. Reahabilityanalysisofterm

rewriting systems. Tehnial Report RR-4970, INRIA, 2003. To be published

inJournal ofAutomated Reasoning,2004.

[18℄G.Feuillade,Th.Genet,andV.VietTriemTong.Reahabilityanalysisoverterm

rewritingsystems. Journal of Automated Reasonning,33 (3-4),2004.

[19℄Th. Genet and F. Klay. Rewritingfor Cryptographi ProtoolVeriation. In

proeedings of CADE, volume 1831 of LNCS, pages 271290. Springer-Verlag,

2000.

[20℄R. Gilleron and S. Tison. Regular tree languages and rewrite systems.

Fundamenta Informatia,24(1/2):157174, 1995.

[21℄P. Habermehl, R. Iosif, A. Rogalewiz, and T. Vojnar. Abstrat regular

tree model heking of omplex dynami data strutures. In SAS'06, 13th

International Stati Analysis Symposium, volume 4134 of LNCS,pages 5270,

2006.

[22℄J. Hoproft and J. D. Ullman. Introdution to Automata Theory, Languages,

andComputation. Addison-Wesley,1979.

[23℄F. Jaquemard. Deidable approximations of term rewriting systems. In

proeedings of RTA,volume 1103,pages 362376. Springer Verlag, 1996.

[24℄H. Ohsaki and T. Takai. ACTAS: A system design for assoiative and

ommutative tree automata theory. Eletr. Notes Theor. Comput. Si,

124(1):97111,2005.

[25℄P.RétyandJ.Vuotto. Regularsets ofdesendantsbyleftmoststrategy. Eletr.

NotesTheor. Comput.Si, 70(6), 2002.

[26℄K.Salomaa. Deterministitreepushdownautomataandmonaditreerewriting

systems. JCSS:Journal of Computer and SystemSienes,37,1988.