Languages of nested trees Swarat Chaudhuri University of Pennsylvania (with Rajeev Alur and P. Madhusudan)

Languages of nested treesLanguages of nested trees

Swarat ChaudhuriUniversity of Pennsylvania

(with Rajeev Alur and P. Madhusudan)

Automata-theoretic, branching-time model-checking

Abstraction (FSM, boolean program…)

Tree unfolding

Specification tree automaton

Modelchecker

Yes/No

• Abstraction: boolean programs (or pushdown systems)

• Specification: finite-state tree automata?

Typical property: if A holds now, then along some path, B holds later.

Tree automata

• Closed under union, intersection, projection, complement• Emptiness and model-checking decidable• Equivalent to MSO; bisimulation-closed version captures mu-calculus…

Set of states: Initial state:Transitions:

Acceptance: final state, Buchi, parity

Tree automata and pre/post-conditions

call

call

ret

retA

“if A holds at a call, then along some path, B holds at the matching return.”

main

foo

B

• If you use pushdown tree automata, you get undecidability• Basic primitive, intrinsic to real software specification languages • Logic and automata: foundations for specifications• Theory lagging behind practice?

Our contributions

mu-calculus =Tree automata

Model-checking algorithm matches CTL in complexity(EXPTIME)

Regularlanguages of nested trees

Alternating automata on nested trees=

Mu-calculus on nested trees (NT-mu)

• Pre/post-conditions

• Interprocedural dataflow involving local + global variables

• Stack inspection

• Local, context-sensitive reachability

Boolean program: tree unfolding

return

call bar

foo

bar

x = true;

bar();

return y;

returnreturn

if (*) y = false;else x = true;

Trees are infinite in general

Nested trees

call

return

foo

bar

• A dag obtained by augmenting a tree with jump-edges• Jump-edges are nested• While modeling programs, jump-edges map to summary edges

• To trace global path, follow tree edges

• To trace local path, followjump-edges acrossprocedure calls

return return

Infinite in general

Instead of makingacceptors stronger, why not add more structure to the model?

Nested trees

Infinite in general

Set of states: Initial state:

Transitions:

Transitions distinguish between call, local and return nodes

State at return node depends on states at both parents

Acceptance: final state, Buchi, parity

Finite automata on nested trees

Local reachability

“p is reachable in the main context.”

entry

entry

main

• Stack inspection: if foo is to be called along some path, then all methods on stack must be privileged.

• Expression expr(g,l), where g is global and l is local, is very busy.

Model-checking

Pushdown system

Nested tree

Nested tree automaton

Modelchecker

Yes/No

Solution for trees: take product; reduce to pushdown game

Solution for nested trees: take product; reduce to pushdown game

Model-checking: product

• Stack of program synchronized with implicit stack of automaton • Conditions on left and right branch must both hold• Reduces to pushdown game• Complexity: EXPTIME-complete• Complexity of CTL: EXPTIME-complete Alternating reachability: EXPTIME complete

Properties of nondeterministic nested tree automata

• Closed under union, projection.

• Closed under intersection (product as in tree automata; implicit stacks are synchronized).

• Emptiness in EXPTIME.

• Not closed under complement.

• Solution: alternation.

Alternating automata on nested trees

• Acceptance a game between the automaton and an adversary. Tree accepted iff automaton has a winning strategy.

• For automata on nested trees, terms such as

[If the left child is a return node and q1 is at the top of the stack at the current point in the game, then pop the stack and move to state q2. Left subtree accepted with new configuration.]

Trivially closed under boolean operations.

Model-checking: product still leads to a pushdown game. Thus, alternation comes free of cost.

Emptiness: undecidable. More expressive thannondeterministic automata; different in flavor from tree logics.

A mu-calculus on nested trees [POPL 2006]

call

ret

ret

local

p

local

s

u

v

Jump edges let us chop a nested tree into subtrees that summarize contexts. Mu-calculus interpretedon summary trees.

The logic NT-mu

Fixpoints over summary trees

Captures fixpoint computation for pushdown games.

One-step local reachability

call

ret

Expressive equivalence

Theorem: Bisimulation-closed alternating parity automata on nested trees and NT-mu have the same expressiveness.

Corollary: NT-mu can capture every property that the mu-calculus can.

Corollary: The temporal logic CARET is contained in NT-mu.

Corollary: Satisfiability of NT-mu is undecidable.

(Note: Even monadic second-order logic on trees has decidable satisfiability.)

Most expressive temporal logic for which software model-checking is theoreticallyfeasible.

Monadic second-order logic on nested trees

Theorem: Model-checking even the bisimulation-closed fragment of MSO is undecidable.

Theorem: Can encode nondeterministic NTAs.

Conjecture: Incomparable with alternating NTAs.

Our contributions

LTL CTL

mu-calculus =Tree automata

NTA = NT-mu

NTA, NT-mu: EXPTIME

Mu-calculus, CTL, alternating tree automata: EXPTIME

Reachability games: EXPTIME

• Local, context-sensitive reachability

• Interprocedural dataflow involving local + global variables

• Pre/post-conditions

• Stack inspection• New class of structures called nested trees• Logic and automata accepting regular languages of nested trees• Model-checking in EXPTIME • Expressiveness: analog of connection between alternating tree automata and mu-calculus • MSO does not seem interesting

Questions

Professor Vardi asks

Why not use mu-calculus + “abstract edge”?

Cannot relate the path till the matching return with the path after the matching return.

Effect: plucking the structure at the join-node and making a clone

Resultant logic may be embedded intothe tree and therefore MSO on trees.Hence decidable satisfiability.

Questions

Why is emptiness undecidable?

You can encode Post’s correspondence problem. Using the stack, you can ensure that the orders of dominoesare the same. Using alternation/branching, check thattheir conjunctions are the same word.

Why is MSO model checking undecidable?

Existential quantification in this world is hopeless.

You can pick out a structure from the full tree that canencode the undecidability of alternating NTA emptiness.

A truly branching propertycall

call

ret

p

p

All path fragments through a context agree on state of specification automaton:

If p is seen between a call and one of its matching returns, then p is seen between that call and all of its matching returns.

ret

Questions

Is branching really needed?

Dataflow analysis = branching time model checking. Comparing paths in a procedure.

Is this practical?

I cannot hear you.

Have you implemented this?

We are currently implementing a checker for Java stack inspection properties on top of IBM’s Java bytecode analysis infrastructure. Uses subclass of NTAs as specs.