Results 1 - 10 of 119
A robust class of context-sensitive languages
In LICS, 2007
Cited by 43 (7 self)
We define a new class of languages defined by multi-stack automata that forms a robust subclass of context-sensitive languages, with decidable emptiness and closure under boolean operations. This class, called multi-stack visibly pushdown languages (MVPLs), is defined using multi-stack pushdown automata with two restrictions: (a) the pushdown automaton is visible, i.e. the input letter determines the operation on the stacks, and (b) any computation of the machine can be split into k stages, where in each stage, there is at most one stack that is popped. MVPLs are an extension of visibly pushdown languages that captures non-context-free behaviors, and has applications in analyzing abstractions of multithreaded recursive programs, significantly enlarging the search space that can be explored for them. We show that MVPLs are closed under boolean operations, and problems such as emptiness and inclusion are decidable. We characterize MVPLs using monadic second-order logic over appropriate structures, and exhibit a Parikh theorem for them.
On notions of regularity for data languages
In FCT, 2007
Cited by 28 (5 self)
Motivated by considerations in XML database theory and model checking, data strings have been introduced as an extension of finite alphabet strings which carry, at each position, a symbol and a data value from an infinite domain. Previous work has shown that it is difficult to come up with an expressive yet decidable automaton model for data languages. Recently, such a model, data automata, was introduced. This paper introduces a simpler but equivalent model and investigates its expressive power, algorithmic and closure properties, and some extensions.
First-order and temporal logics for nested words
In LICS 2007
Cited by 27 (4 self)
Nested words are a structured model of execution paths in procedural programs, reflecting their call and return nesting structure. Finite nested words also capture the structure of parse trees and other tree-structured data, such as XML. We provide new temporal logics for finite and infinite nested words, which are natural extensions of LTL, and prove that these logics are first-order expressively-complete. One of them is based on adding a "within" modality, evaluating a formula on a subword, to a logic CaRet previously studied in the context of verifying properties of recursive state machines. The other logic is based on the notion of a summary path that combines the linear and nesting structures. For that logic, both model-checking and satisfiability are shown to be EXPTIME-complete. Finally, we prove that first-order logic over nested words has the three-variable property, and we present a temporal logic for nested words which is complete for the two-variable fragment of first-order.
Marrying words and trees
PODS, 2007
Cited by 24 (1 self)
Traditionally, data that has both linear and hierarchical structure, such as annotated linguistic data, is modeled using ordered trees and queried using tree automata. In this paper, we argue that nested words and automata over nested words offer a better way to capture and process the dual structure. Nested words generalize both words and ordered trees, and allow both word and tree operations. We study various classes of automata over nested words, and show that while they enjoy expressiveness and succinctness benefits over word and tree automata, their analysis complexity and closure properties are analogous to the corresponding word and tree special cases. In particular, we show that finite-state nested word automata can be exponentially more succinct than tree automata, and pushdown nested word automata include the two incomparable classes of context-free word languages and context-free tree languages.
The Tree Width of Auxiliary Storage
Cited by 24 (2 self)
We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finite-state graph automata (without storage) restricted to monadic second-order (MSO) definable graphs of bounded tree-width, where the graph structure encodes the mechanism provided by the auxiliary storage. Our results outline a uniform mechanism to derive emptiness algorithms for automata, explaining and simplifying several existing results, as well as proving new decidability results.
Categories and Subject Descriptors F.1.1 [Theory of Computation]:
Statically-Directed Dynamic Automated Test Generation
2011
Cited by 20 (4 self)
We present a new technique for exploiting static analysis to guide dynamic automated test generation for binary programs, prioritizing the paths to be explored. Our technique is a three-stage process, which alternates dynamic and static analysis. In the first stage, we run dynamic analysis with a small number of seed tests to resolve indirect jumps in the binary code and build a visibly pushdown automaton (VPA) reflecting the global control-flow of the program. Further, we augment the computed VPA with statically computable jumps not executed by the seed tests. In the second stage, we apply static analysis to the inferred automaton to find potential vulnerabilities, i.e., targets for the dynamic analysis. In the third stage, we use the results of the prior phases to assign weights to VPA edges. Our symbolic-execution based automated test generation tool then uses the weighted shortest-path lengths in the VPA to direct its exploration to the target potential vulnerabilities. Preliminary experiments on a suite of benchmarks extracted from real applications show that static analysis allows exploration to reach vulnerabilities it otherwise would not, and the generated test inputs prove that the static warnings indicate true positives.
Improved Memory-Access Analysis for x86 Executables
Cited by 16 (1 self)
Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically allocated memory objects of a stripped executable, and to track the flow of values through them. It is relatively easy to track the effects of an instruction operand that refers to a global address (i.e., an access to a global variable) or that uses a stack-frame offset (i.e., an access to a local scalar variable via the frame pointer or stack pointer). In our work, our algorithms are able to provide useful information for close to 100% of such "direct" uses and defs. It is much harder for a static-analysis algorithm to track the effects of an instruction operand that uses a non-stack-frame register. These "indirect" uses and defs correspond to accesses to an array or a dynamically allocated memory object. In one study, our approach recovered useful information for only 29% of indirect uses and 33% of indirect defs. However, using the technique described in this paper, the algorithm recovered useful information for 81% of indirect uses and 90% of indirect defs.
MSO decidability of Multi-Pushdown Systems via Split-Width
2012
Cited by 15 (4 self)
Multi-threaded programs with recursion are naturally modeled as multi-pushdown systems. The behaviors are represented as multiply nested words (MNWs), which are words enriched with additional binary relations for each stack matching a push operation with the corresponding pop operation. Any MNW can be decomposed by two basic and natural operations: shuffle of two sequences of factors and merge of consecutive factors of a sequence. We say that the split-width of an MNW is k if it admits a decomposition where the number of factors in each sequence is at most k. The MSO theory of MNWs with split-width k is decidable. We introduce two very general classes of MNWs that strictly generalize known decidable classes and prove their MSO decidability via their split-width and obtain comparable or better bounds of tree-width of known classes.
Directed proof generation for machine code
2010
Cited by 15 (6 self)
We present the algorithms used in MCVETO (Machine-Code VErification TOol), a tool to check whether a stripped machine-code program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures commonly relied on by source-code verification tools, such as control-flow graphs and call-graphs, and (ii) metadata, such as information about variables, types, and aliasing. It cannot even rely on out-of-scope local variables and return addresses being protected from the program's actions. What distinguishes MCVETO from other work on software model checking is that it shows how verification of machine-code can be performed, while avoiding conventional techniques that would be unsound if applied at the machine-code level.
R.: Instrumenting C programs with nested word monitors
In: SPIN (2007)
Cited by 11 (3 self)
In classical automata-theoretic model checking [6], a system model generates a language L of words modeling system executions, and verification involves