
Logics and automata for nested trees


Presentation Transcript


  1. Logics and automata for nested trees Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

  2. Pushdown models
  [Figure: an interprocedural control-flow path built from call, ret and local edges, ending at a node labelled write(v)]
  • Reachability: Is write(v) reachable? In mu-calculus,
  • How to express local reachability? (Not a regular property, but pushdown properties on pushdown models are undecidable.)
  • A mu-calculus formula describes a symbolic computation. But this is not the right fixpoint computation for interprocedural analysis.

  3. Nested trees
  [Figure: a nested tree with call, ret, local and summary edges; states p and q are passed along the edges]
  Adding summary edges leads to nested trees. They can model interprocedural control flow.
  We are interested in languages of nested trees.
  Acceptors (mu-calculus, tree automata, MSO logic) can pass requirements along summary edges.

  4. A mu-calculus for nested trees (VP-mu) [POPL 2006]
  VP-mu:
  • Local, context-sensitive reachability
  • Interprocedural dataflow involving local + global variables
  • Pre/post-conditions
  • Stack inspection
  • Pushdown games
  • Access control
  [Figure: expressiveness hierarchy LTL, CTL, mu-calculus, VP-mu]
  VP-mu: EXPTIME. Mu-calculus, CTL: EXPTIME. Reachability games: EXPTIME.
  Formulas encode symbolic, interprocedural summary computations.

  5. Automata on nested trees
  Just like tree automata, except you can pass states along “local edges” as well as “summary edges.”
  [Figure: a run on a nested tree; a node in configuration (q,w) passes (q’,b.w) along its call edge and (q’’,w) along its local edge, with states p and q on the summary and ret edges]
  Can be implemented using a stack: push on calls, pop on returns (visibly pushdown tree automata).
  Theorem: alternating parity VPTAs are equivalent to VP-mu.
  Theorem: emptiness undecidable, model-checking in EXPTIME.

  6. Goal: finding bugs in large programs
  • Abstractions: similar to interprocedural control flow graphs (inspired by Wagner and Engler).
  • Atomic properties: patterns on source code (“foo (#,#)” matches a call to foo with arbitrary parameters).
  • Specifications: easily checkable subclass of VPTAs.
  • Target properties: stack inspection, control-flow based security properties, branching pre/post-conditions, local data flow…
  Example properties:
  • If foo is on the stack, do not write variable x
  • While foo can call itself recursively, do not call it again after it returns
  • All paths to the return points of foo must suspend privilege
  VEEP: model-checking C code using VPTAs

  7. Thank you! Papers linked from my homepage: http://www.cis.upenn.edu/~swarat VEEP is currently under development.
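As an added example that is not from the slides, the paper or VEEP: the stack-based check slide 5 describes (push on calls, pop on returns) run along one interprocedural path, checking two of the properties listed on slide 6 and computing the summary edges of slide 3. The trace, the event labels and the function names are constructed for illustration.

```python
# Constructed example (not from the paper or VEEP): a run is a nested word of
# (kind, label) events; a visibly pushdown automaton pushes on calls, pops on returns.
TRACE = [  # constructed: main calls foo, foo recurses, later foo is re-entered
    ("call", "main"), ("local", "read x"), ("call", "foo"), ("call", "foo"),
    ("local", "write x"), ("ret", "foo"), ("ret", "foo"), ("local", "write x"),
    ("call", "foo"), ("ret", "foo"), ("ret", "main"),
]

def summary_edges(trace):
    """Match each call to its return: the summary edges of slide 3."""
    edges, stack = [], []
    for i, (kind, _) in enumerate(trace):
        if kind == "call":
            stack.append(i)
        elif kind == "ret":
            edges.append((stack.pop(), i))
    return edges

def run_vpa(trace, init, on_call, on_ret, on_local, bad):
    """Deterministic VPA run; index of the first rejecting event, or None."""
    q, stack = init, []
    for i, (kind, label) in enumerate(trace):
        if kind == "call":
            q, gamma = on_call(q, label)      # push a symbol for the callee
            stack.append(gamma)
        elif kind == "ret":
            q = on_ret(q, label, stack.pop())  # pop the matching call's symbol
        else:
            q = on_local(q, label)
        if q in bad:
            return i
    return None

def no_write_x_under_foo(trace):
    """Stack inspection: if foo is on the stack, do not write variable x.
    The control state counts the open foo activations."""
    return run_vpa(trace, 0,
                   lambda q, f: (q + (f == "foo"), f),
                   lambda q, f, g: q - (g == "foo"),
                   lambda q, a: "bad" if a == "write x" and q > 0 else q, {"bad"})

def no_call_foo_after_return(trace):
    """foo may recurse, but must not be called again once its outermost
    activation has returned: states "before", a frame count, "done", "bad"."""
    def on_call(q, f):
        if f != "foo":
            return q, f
        return ("bad" if q == "done" else 1 if q == "before" else q + 1), f
    def on_ret(q, f, g):
        return q if g != "foo" else ("done" if q == 1 else q - 1)
    return run_vpa(trace, "before", on_call, on_ret, lambda q, a: q, {"bad"})
```

On the constructed trace the first property fails at the write inside the nested foo activation and the second at the call to foo after its outermost return; on a nested tree the same control would be run along every path, passing states over the summary edges.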
