- 109 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Languages of nested trees' - tannar

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Languages of nested trees

Swarat Chaudhuri

University of Pennsylvania

(with Rajeev Alur and P. Madhusudan)

Automata-theoretic, branching-time model-checking

Abstraction (FSM, boolean program…)

Specification tree

automaton

Tree unfolding

Modelchecker

- Abstraction: boolean programs (or pushdown systems)
- Specification: finite-state tree automata?

Yes/No

Tree automata

Set of states:

Initial state:

Transitions:

Acceptance: final state, Buchi, parity

- Closed under union, intersection, projection, complement
- Emptiness and model-checking decidable
- Equivalent to MSO; bisimulation-closed version captures mu-calculus…

Typical property: if A holds now, then along some path, B holds later.

Tree automata and pre/post-conditions

“if A holds at a call, then along some path, B holds at the matching return.”

foo

call

ret

B

main

A

ret

call

- If you use pushdown tree automata, you get undecidability
- Basic primitive, intrinsic to real software specification languages
- Logic and automata: foundations for specifications
- Theory lagging behind practice?

Our contributions

- Pre/post-conditions
- Interprocedural dataflow involving local + global variables
- Stack inspection
- Local, context-sensitive reachability

Regularlanguages of nested trees

mu-calculus =

Tree automata

Alternating automata on nested trees=

Mu-calculus on nested trees (NT-mu)

Model-checking algorithm matches CTL in complexity

(EXPTIME)

Boolean program: tree unfolding

x = true;

foo

bar();

call bar

if (*)

y = false;

else

x = true;

return y;

bar

return

return

return

Trees are infinite in general

Nested trees

foo

- To trace global path, follow tree edges
- To trace local path, followjump-edges acrossprocedure calls

- A dag obtained by augmenting a tree with jump-edges
- Jump-edges are nested
- While modeling programs, jump-edges map to summary edges

Instead of making

acceptors stronger, why not add more structure to the model?

call

bar

return

return

return

Infinite in general

Nested trees

Infinite in general

Finite automata on nested trees

Set of states:

Initial state:

Transitions:

Transitions distinguish between call,

local and return nodes

State at return node depends on states at both parents

Acceptance: final state, Buchi, parity

Local reachability

main

entry

entry

- Stack inspection: if foo is to be called along some path, then all methods
- on stack must be privileged.
- Expression expr(g,l), where g is global
- and l is local, is very busy.

“p is reachable in the main context.”

Model-checking

Pushdown system

Nested tree

automaton

Nested tree

Modelchecker

Solution for trees: take product; reduce to pushdown game

Solution for nested trees: take product; reduce to pushdown game

Yes/No

Model-checking: product

- Stack of program synchronized with implicit stack
- of automaton
- Conditions on left and right branch must both hold
- Reduces to pushdown game
- Complexity: EXPTIME-complete
- Complexity of CTL: EXPTIME-completeAlternating reachability: EXPTIME complete

Properties of nondeterministic nested tree automata

- Closed under union, projection.
- Closed under intersection (product as in tree automata; implicit stacks are synchronized).
- Emptiness in EXPTIME.
- Not closed under complement.
- Solution: alternation.

Alternating automata on nested trees

- Acceptance a game between the automaton and an adversary. Tree accepted iff automaton has a winning strategy.
- For automata on nested trees, terms such as
- [If the left child is a return node and q1 is at the top of the stack at the current point in the game, then pop the stack and move to state q2. Left subtree accepted with new configuration.]

Trivially closed under boolean operations.

Model-checking: product still leads to a pushdown game. Thus, alternation comes free of cost.

Emptiness: undecidable. More expressive thannondeterministic automata; different in flavor from tree logics.

A mu-calculus on nested trees [POPL 2006]

call

s

ret

v

ret

u

p

local

local

Jump edges let us chop a nested tree into subtrees that summarize contexts. Mu-calculus interpretedon summary trees.

Expressive equivalence

Theorem: Bisimulation-closed alternating parity

automata on nested trees and NT-mu have the

same expressiveness.

Corollary: NT-mu can capture every property that the mu-calculus can.

Corollary: The temporal logic CARET is contained in NT-mu.

Corollary: Satisfiability of NT-mu is undecidable.

(Note: Even monadic second-order logic on trees has decidable satisfiability.)

Most expressive temporal logic for which

software model-checking is theoreticallyfeasible.

Theorem: Model-checking even the bisimulation-closed fragment of MSO is undecidable.

Theorem: Can encode nondeterministic NTAs.

Conjecture: Incomparable with alternating NTAs.

Monadic second-order logic on nested treesOur contributions

NTA = NT-mu

- Local, context-sensitive reachability
- Interprocedural dataflow involving local + global variables
- Pre/post-conditions
- Stack inspection

LTL

CTL

mu-calculus =

Tree automata

- New class of structures called nested trees
- Logic and automata accepting regular languages of nested trees
- Model-checking in EXPTIME
- Expressiveness: analog of connection between
- alternating tree automata and mu-calculus
- MSO does not seem interesting

NTA, NT-mu: EXPTIME

Mu-calculus, CTL, alternating tree automata: EXPTIME

Reachability games: EXPTIME

Professor Vardi asks

Why not use mu-calculus + “abstract edge”?

Cannot relate the path till the

matching return with the path

after the matching return.

Effect: plucking the structure at

the join-node and making a clone

Resultant logic may be embedded into

the tree and therefore MSO on trees.

Hence decidable satisfiability.

Questions

Why is emptiness undecidable?

You can encode Post’s correspondence problem. Using

the stack, you can ensure that the orders of dominoes

are the same. Using alternation/branching, check that

their conjunctions are the same word.

Why is MSO model checking undecidable?

Existential quantification in this world is hopeless.

You can pick out a structure from the full tree that can

encode the undecidability of alternating NTA emptiness.

A truly branching property

call

call

p

All path fragments through a context agree on state of specification automaton:

If p is seen between a call and one of its matching returns, then p is seen between that call and all of its matching returns.

p

ret

ret

Questions

Is branching really needed?

Dataflow analysis = branching time model checking.

Comparing paths in a procedure.

Is this practical?

I cannot hear you.

Have you implemented this?

We are currently implementing a checker for Java stack inspection properties on top of IBM’s Java bytecode analysis

infrastructure. Uses subclass of NTAs as specs.

Download Presentation

Connecting to Server..