1 / 25

Languages of nested trees

Languages of nested trees. Swarat Chaudhuri University of Pennsylvania (with Rajeev Alur and P. Madhusudan). Automata-theoretic, branching-time model-checking. Abstraction (FSM, boolean program…). Specification tree automaton. Tree unfolding. Model checker.

wilson
Download Presentation

Languages of nested trees

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Languages of nested trees Swarat Chaudhuri University of Pennsylvania (with Rajeev Alur and P. Madhusudan)

  2. Automata-theoretic, branching-time model-checking Abstraction (FSM, boolean program…) Specification tree automaton Tree unfolding Modelchecker • Abstraction: boolean programs (or pushdown systems) • Specification: finite-state tree automata? Yes/No

  3. Tree automata Set of states: Initial state: Transitions: Acceptance: final state, Buchi, parity • Closed under union, intersection, projection, complement • Emptiness and model-checking decidable • Equivalent to MSO; bisimulation-closed version captures mu-calculus… Typical property: if A holds now, then along some path, B holds later.

  4. Tree automata and pre/post-conditions “if A holds at a call, then along some path, B holds at the matching return.” foo call ret B main A ret call • If you use pushdown tree automata, you get undecidability • Basic primitive, intrinsic to real software specification languages • Logic and automata: foundations for specifications • Theory lagging behind practice?

  5. Our contributions • Pre/post-conditions • Interprocedural dataflow involving local + global variables • Stack inspection • Local, context-sensitive reachability Regularlanguages of nested trees mu-calculus = Tree automata Alternating automata on nested trees= Mu-calculus on nested trees (NT-mu) Model-checking algorithm matches CTL in complexity (EXPTIME)

  6. Boolean program: tree unfolding x = true; foo bar(); call bar if (*) y = false; else x = true; return y; bar return return return Trees are infinite in general

  7. Nested trees foo • To trace global path, follow tree edges • To trace local path, followjump-edges acrossprocedure calls • A dag obtained by augmenting a tree with jump-edges • Jump-edges are nested • While modeling programs, jump-edges map to summary edges Instead of making acceptors stronger, why not add more structure to the model? call bar return return return Infinite in general

  8. Nested trees Infinite in general

  9. Finite automata on nested trees Set of states: Initial state: Transitions: Transitions distinguish between call, local and return nodes State at return node depends on states at both parents Acceptance: final state, Buchi, parity

  10. Local reachability main entry entry • Stack inspection: if foo is to be called along some path, then all methods • on stack must be privileged. • Expression expr(g,l), where g is global • and l is local, is very busy. “p is reachable in the main context.”

  11. Model-checking Pushdown system Nested tree automaton Nested tree Modelchecker Solution for trees: take product; reduce to pushdown game Solution for nested trees: take product; reduce to pushdown game Yes/No

  12. Model-checking: product • Stack of program synchronized with implicit stack • of automaton • Conditions on left and right branch must both hold • Reduces to pushdown game • Complexity: EXPTIME-complete • Complexity of CTL: EXPTIME-completeAlternating reachability: EXPTIME complete

  13. Properties of nondeterministic nested tree automata • Closed under union, projection. • Closed under intersection (product as in tree automata; implicit stacks are synchronized). • Emptiness in EXPTIME. • Not closed under complement. • Solution: alternation.

  14. Alternating automata on nested trees • Acceptance a game between the automaton and an adversary. Tree accepted iff automaton has a winning strategy. • For automata on nested trees, terms such as • [If the left child is a return node and q1 is at the top of the stack at the current point in the game, then pop the stack and move to state q2. Left subtree accepted with new configuration.] Trivially closed under boolean operations. Model-checking: product still leads to a pushdown game. Thus, alternation comes free of cost. Emptiness: undecidable. More expressive thannondeterministic automata; different in flavor from tree logics.

  15. A mu-calculus on nested trees [POPL 2006] call s ret v ret u p local local Jump edges let us chop a nested tree into subtrees that summarize contexts. Mu-calculus interpretedon summary trees.

  16. The logic NT-mu Fixpoints over summary trees Captures fixpoint computation for pushdown games.

  17. One-step local reachability call ret

  18. Expressive equivalence Theorem: Bisimulation-closed alternating parity automata on nested trees and NT-mu have the same expressiveness. Corollary: NT-mu can capture every property that the mu-calculus can. Corollary: The temporal logic CARET is contained in NT-mu. Corollary: Satisfiability of NT-mu is undecidable. (Note: Even monadic second-order logic on trees has decidable satisfiability.) Most expressive temporal logic for which software model-checking is theoreticallyfeasible.

  19. Theorem: Model-checking even the bisimulation-closed fragment of MSO is undecidable. Theorem: Can encode nondeterministic NTAs. Conjecture: Incomparable with alternating NTAs. Monadic second-order logic on nested trees

  20. Our contributions NTA = NT-mu • Local, context-sensitive reachability • Interprocedural dataflow involving local + global variables • Pre/post-conditions • Stack inspection LTL CTL mu-calculus = Tree automata • New class of structures called nested trees • Logic and automata accepting regular languages of nested trees • Model-checking in EXPTIME • Expressiveness: analog of connection between • alternating tree automata and mu-calculus • MSO does not seem interesting NTA, NT-mu: EXPTIME Mu-calculus, CTL, alternating tree automata: EXPTIME Reachability games: EXPTIME

  21. Questions

  22. Professor Vardi asks Why not use mu-calculus + “abstract edge”? Cannot relate the path till the matching return with the path after the matching return. Effect: plucking the structure at the join-node and making a clone Resultant logic may be embedded into the tree and therefore MSO on trees. Hence decidable satisfiability.

  23. Questions Why is emptiness undecidable? You can encode Post’s correspondence problem. Using the stack, you can ensure that the orders of dominoes are the same. Using alternation/branching, check that their conjunctions are the same word. Why is MSO model checking undecidable? Existential quantification in this world is hopeless. You can pick out a structure from the full tree that can encode the undecidability of alternating NTA emptiness.

  24. A truly branching property call call p All path fragments through a context agree on state of specification automaton: If p is seen between a call and one of its matching returns, then p is seen between that call and all of its matching returns. p ret ret

  25. Questions Is branching really needed? Dataflow analysis = branching time model checking. Comparing paths in a procedure. Is this practical? I cannot hear you. Have you implemented this? We are currently implementing a checker for Java stack inspection properties on top of IBM’s Java bytecode analysis infrastructure. Uses subclass of NTAs as specs.

More Related