Date post: | 30-Dec-2015 |
Category: |
Documents |
Upload: | ernest-cobb |
View: | 214 times |
Download: | 0 times |
Languages of nested treesLanguages of nested trees
Swarat ChaudhuriUniversity of Pennsylvania
(with Rajeev Alur and P. Madhusudan)
Automata-theoretic, branching-time model-checking
Abstraction (FSM, boolean program…)
Tree unfolding
Specification tree automaton
Modelchecker
Yes/No
• Abstraction: boolean programs (or pushdown systems)
• Specification: finite-state tree automata?
Typical property: if A holds now, then along some path, B holds later.
Tree automata
• Closed under union, intersection, projection, complement• Emptiness and model-checking decidable• Equivalent to MSO; bisimulation-closed version captures mu-calculus…
Set of states: Initial state:Transitions:
Acceptance: final state, Buchi, parity
Tree automata and pre/post-conditions
call
call
ret
retA
“if A holds at a call, then along some path, B holds at the matching return.”
main
foo
B
• If you use pushdown tree automata, you get undecidability• Basic primitive, intrinsic to real software specification languages • Logic and automata: foundations for specifications• Theory lagging behind practice?
Our contributions
mu-calculus =Tree automata
Model-checking algorithm matches CTL in complexity(EXPTIME)
Regularlanguages of nested trees
Alternating automata on nested trees=
Mu-calculus on nested trees (NT-mu)
• Pre/post-conditions
• Interprocedural dataflow involving local + global variables
• Stack inspection
• Local, context-sensitive reachability
Boolean program: tree unfolding
return
call bar
foo
bar
x = true;
bar();
return y;
returnreturn
if (*) y = false;else x = true;
Trees are infinite in general
Nested trees
call
return
foo
bar
• A dag obtained by augmenting a tree with jump-edges• Jump-edges are nested• While modeling programs, jump-edges map to summary edges
• To trace global path, follow tree edges
• To trace local path, followjump-edges acrossprocedure calls
return return
Infinite in general
Instead of makingacceptors stronger, why not add more structure to the model?
Nested trees
Infinite in general
Set of states: Initial state:
Transitions:
Transitions distinguish between call, local and return nodes
State at return node depends on states at both parents
Acceptance: final state, Buchi, parity
Finite automata on nested trees
Local reachability
“p is reachable in the main context.”
entry
entry
main
• Stack inspection: if foo is to be called along some path, then all methods on stack must be privileged.
• Expression expr(g,l), where g is global and l is local, is very busy.
Model-checking
Pushdown system
Nested tree
Nested tree automaton
Modelchecker
Yes/No
Solution for trees: take product; reduce to pushdown game
Solution for nested trees: take product; reduce to pushdown game
Model-checking: product
• Stack of program synchronized with implicit stack of automaton • Conditions on left and right branch must both hold• Reduces to pushdown game• Complexity: EXPTIME-complete• Complexity of CTL: EXPTIME-complete Alternating reachability: EXPTIME complete
Properties of nondeterministic nested tree automata
• Closed under union, projection.
• Closed under intersection (product as in tree automata; implicit stacks are synchronized).
• Emptiness in EXPTIME.
• Not closed under complement.
• Solution: alternation.
Alternating automata on nested trees
• Acceptance a game between the automaton and an adversary. Tree accepted iff automaton has a winning strategy.
• For automata on nested trees, terms such as
[If the left child is a return node and q1 is at the top of the stack at the current point in the game, then pop the stack and move to state q2. Left subtree accepted with new configuration.]
Trivially closed under boolean operations.
Model-checking: product still leads to a pushdown game. Thus, alternation comes free of cost.
Emptiness: undecidable. More expressive thannondeterministic automata; different in flavor from tree logics.
A mu-calculus on nested trees [POPL 2006]
call
ret
ret
local
p
local
s
u
v
Jump edges let us chop a nested tree into subtrees that summarize contexts. Mu-calculus interpretedon summary trees.
The logic NT-mu
Fixpoints over summary trees
Captures fixpoint computation for pushdown games.
One-step local reachability
call
ret
Expressive equivalence
Theorem: Bisimulation-closed alternating parity automata on nested trees and NT-mu have the same expressiveness.
Corollary: NT-mu can capture every property that the mu-calculus can.
Corollary: The temporal logic CARET is contained in NT-mu.
Corollary: Satisfiability of NT-mu is undecidable.
(Note: Even monadic second-order logic on trees has decidable satisfiability.)
Most expressive temporal logic for which software model-checking is theoreticallyfeasible.
Monadic second-order logic on nested trees
Theorem: Model-checking even the bisimulation-closed fragment of MSO is undecidable.
Theorem: Can encode nondeterministic NTAs.
Conjecture: Incomparable with alternating NTAs.
Our contributions
LTL CTL
mu-calculus =Tree automata
NTA = NT-mu
NTA, NT-mu: EXPTIME
Mu-calculus, CTL, alternating tree automata: EXPTIME
Reachability games: EXPTIME
• Local, context-sensitive reachability
• Interprocedural dataflow involving local + global variables
• Pre/post-conditions
• Stack inspection• New class of structures called nested trees• Logic and automata accepting regular languages of nested trees• Model-checking in EXPTIME • Expressiveness: analog of connection between alternating tree automata and mu-calculus • MSO does not seem interesting
Questions
Professor Vardi asks
Why not use mu-calculus + “abstract edge”?
Cannot relate the path till the matching return with the path after the matching return.
Effect: plucking the structure at the join-node and making a clone
Resultant logic may be embedded intothe tree and therefore MSO on trees.Hence decidable satisfiability.
Questions
Why is emptiness undecidable?
You can encode Post’s correspondence problem. Using the stack, you can ensure that the orders of dominoesare the same. Using alternation/branching, check thattheir conjunctions are the same word.
Why is MSO model checking undecidable?
Existential quantification in this world is hopeless.
You can pick out a structure from the full tree that canencode the undecidability of alternating NTA emptiness.
A truly branching propertycall
call
ret
p
p
All path fragments through a context agree on state of specification automaton:
If p is seen between a call and one of its matching returns, then p is seen between that call and all of its matching returns.
ret
Questions
Is branching really needed?
Dataflow analysis = branching time model checking. Comparing paths in a procedure.
Is this practical?
I cannot hear you.
Have you implemented this?
We are currently implementing a checker for Java stack inspection properties on top of IBM’s Java bytecode analysis infrastructure. Uses subclass of NTAs as specs.