A robust class of context-sensitive languages
In LICS, 2007
Cited by 24 (6 self)
We define a new class of languages defined by multi-stack automata that forms a robust subclass of context-sensitive languages, with decidable emptiness and closure under boolean operations. This class, called multi-stack visibly pushdown languages (MVPLs), is defined using multi-stack pushdown automata with two restrictions: (a) the pushdown automaton is visible, i.e. the input letter determines the operation on the stacks, and (b) any computation of the machine can be split into k stages, where in each stage, there is at most one stack that is popped. MVPLs are an extension of visibly pushdown languages that captures non-context-free behaviors, and has applications in analyzing abstractions of multi-threaded recursive programs, significantly enlarging the search space that can be explored for them. We show that MVPLs are closed under boolean operations, and problems such as emptiness and inclusion are decidable. We characterize MVPLs using monadic second-order logic over appropriate structures, and exhibit a Parikh theorem for them.
On notions of regularity for data languages
In FCT, 2007
Cited by 18 (3 self)
Motivated by considerations in XML database theory and model checking, data strings have been introduced as an extension of finite-alphabet strings which carry, at each position, a symbol and a data value from an infinite domain. Previous work has shown that it is difficult to come up with an expressive yet decidable automaton model for data languages. Recently, such a model, data automata, was introduced. This paper introduces a simpler but equivalent model and investigates its expressive power, algorithmic and closure properties, and some extensions.
First-order and temporal logics for nested words
In LICS, 2007
Cited by 14 (3 self)
Nested words are a structured model of execution paths in procedural programs, reflecting their call and return nesting structure. Finite nested words also capture the structure of parse trees and other tree-structured data, such as XML. We provide new temporal logics for finite and infinite nested words, which are natural extensions of LTL, and prove that these logics are first-order expressively-complete. One of them is based on adding a "within" modality, evaluating a formula on a subword, to a logic CaRet previously studied in the context of verifying properties of recursive state machines. The other logic is based on the notion of a summary path that combines the linear and nesting structures. For that logic, both model-checking and satisfiability are shown to be EXPTIME-complete. Finally, we prove that first-order logic over nested words has the three-variable property, and we present a temporal logic for nested words which is complete for the two-variable fragment of first-order logic.
Directed proof generation for machine code
2010
Cited by 9 (5 self)
We present the algorithms used in MCVETO (Machine-Code VErification TOol), a tool to check whether a stripped machine-code program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures commonly relied on by source-code verification tools, such as control-flow graphs and call-graphs, and (ii) metadata, such as information about variables, types, and aliasing. It cannot even rely on out-of-scope local variables and return addresses being protected from the program's actions. What distinguishes MCVETO from other work on software model checking is that it shows how verification of machine code can be performed, while avoiding conventional techniques that would be unsound if applied at the machine-code level.
Statically-Directed Dynamic Automated Test Generation
Cited by 9 (3 self)
We present a new technique for exploiting static analysis to guide dynamic automated test generation for binary programs, prioritizing the paths to be explored. Our technique is a three-stage process, which alternates dynamic and static analysis. In the first stage, we run dynamic analysis with a small number of seed tests to resolve indirect jumps in the binary code and build a visibly pushdown automaton (VPA) reflecting the global control-flow of the program. Further, we augment the computed VPA with statically computable jumps not executed by the seed tests. In the second stage, we apply static analysis to the inferred automaton to find potential vulnerabilities, i.e., targets for the dynamic analysis. In the third stage, we use the results of the prior phases to assign weights to VPA edges. Our symbolic-execution-based automated test generation tool then uses the weighted shortest-path lengths in the VPA to direct its exploration to the target potential vulnerabilities. Preliminary experiments on a suite of benchmarks extracted from real applications show that static analysis allows exploration to reach vulnerabilities it otherwise would not, and the generated test inputs prove that the static warnings indicate true positives.
Improved Memory-Access Analysis for x86 Executables
Cited by 8 (1 self)
Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically allocated memory objects of a stripped executable, and to track the flow of values through them. It is relatively easy to track the effects of an instruction operand that refers to a global address (i.e., an access to a global variable) or that uses a stack-frame offset (i.e., an access to a local scalar variable via the frame pointer or stack pointer). In our work, our algorithms are able to provide useful information for close to 100% of such "direct" uses and defs. It is much harder for a static-analysis algorithm to track the effects of an instruction operand that uses a non-stack-frame register. These "indirect" uses and defs correspond to accesses to an array or a dynamically allocated memory object. In one study, our approach recovered useful information for only 29% of indirect uses and 33% of indirect defs. However, using the technique described in this paper, the algorithm recovered useful information for 81% of indirect uses and 90% of indirect defs.
Query Automata for Nested Words
Cited by 8 (0 self)
We study visibly pushdown automata (VPA) models for expressing and evaluating queries, expressed using MSO formulas, on words with a nesting structure (like XML documents). We define a query VPA model, which is a 2-way deterministic VPA that can mark positions in a document, and show that it is equi-expressive as unary monadic queries. This surprising result parallels a classic result for queries on regular word languages. We also compare our model to query models on unranked trees. We then consider the algorithmic problem of evaluating, in one pass, the set of all positions satisfying a query in a streaming nested word. We present an algorithm that answers any fixed unary monadic query on a streaming document which uses, at any point, at most space O(d + I log n), where d is the depth of the document at that point and I is the number of potential answers to the query in the word processed thus far. This algorithm uses space close to the minimal space any streaming algorithm would need, and generalizes to answering n-ary queries.
The Tree Width of Auxiliary Storage
Cited by 8 (1 self)
We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finite-state graph automata (without storage) restricted to monadic second-order (MSO) definable graphs of bounded tree-width, where the graph structure encodes the mechanism provided by the auxiliary storage. Our results outline a uniform mechanism to derive emptiness algorithms for automata, explaining and simplifying several existing results, as well as proving new decidability results.
Language strength reduction
2008
Cited by 7 (5 self)
This paper concerns methods to check for atomic-set serializability violations in concurrent Java programs. The straightforward way to encode a reentrant lock is to model it with a context-free language to track the number of successive lock acquisitions. We present a construction that replaces the context-free language that describes a reentrant lock by a regular language that describes a non-reentrant lock. We call this replacement language strength reduction. Language strength reduction produces an average speedup (geometric mean) of 3.4. Moreover, for 2 programs that previously exhausted available space, the tool is now able to run to completion.
Languages of Nested Trees
2006
Cited by 7 (0 self)
We study languages of nested trees, structures obtained by augmenting trees with sets of nested jump-edges. These graphs can naturally model branching behaviors of pushdown programs, so that the problem of branching-time software model checking may be phrased as a membership question for such languages. We define finite-state automata accepting such languages; these automata can pass states along jump-edges as well as tree edges. We find that the model-checking problem for these automata on pushdown systems is EXPTIME-complete, and that their alternating versions are expressively equivalent to NTµ, a recently proposed temporal logic for nested trees that can express a variety of branching-time, "context-free" requirements. We also show that monadic second-order logic (MSO) cannot exploit the structure: MSO on nested trees is too strong in the sense that it has an undecidable model checking problem, and seems too weak to capture NTµ.