Results 1  10
of
63
A type system equivalent to the modal mucalculus model checking of higherorder recursion schemes
 IN: PROCEEDINGS OF LICS
, 2009
"... The model checking of higherorder recursion schemes has important applications in the verification of higherorder programs. Ong has previously shown that the modal mucalculus model checking of trees generated by ordern recursion scheme is nEXPTIME complete, but his algorithm and its correctness ..."
Abstract

Cited by 41 (12 self)
 Add to MetaCart
The model checking of higherorder recursion schemes has important applications in the verification of higherorder programs. Ong has previously shown that the modal mucalculus model checking of trees generated by ordern recursion scheme is nEXPTIME complete, but his algorithm and its correctness proof were rather complex. We give an alternative, typebased verification method: Given a modal mucalculus formula, we can construct a type system in which a recursion scheme is typable if, and only if, the (possibly infinite, ranked) tree generated by the scheme satisfies the formula. The model checking problem is thus reduced to a type checking problem. Our typebased approach yields a simple verification algorithm, and its correctness proof (constructed without recourse to game semantics) is comparatively easy to understand. Furthermore, the algorithm is polynomialtime in the size of the recursion scheme, assuming that the formula and the largest order and arity of nonterminals of the recursion scheme are fixed.
ModelChecking HigherOrder Functions
, 2009
"... We propose a novel typebased model checking algorithm for higherorder recursion schemes. As shown by Kobayashi, verification problems of higherorder functional programs can easily be translated into model checking problems of recursion schemes. Thus, the model checking algorithm serves as a basis ..."
Abstract

Cited by 28 (13 self)
 Add to MetaCart
We propose a novel typebased model checking algorithm for higherorder recursion schemes. As shown by Kobayashi, verification problems of higherorder functional programs can easily be translated into model checking problems of recursion schemes. Thus, the model checking algorithm serves as a basis for verification of higherorder functional programs. To our knowledge, this is the first practical algorithm for model checking recursion schemes: all the previous algorithms always suffer from the nEXPTIME bottleneck, not only in the worst case, and there was no implementation of the algorithms. We have implemented a model checker for recursion schemes based on the proposed algorithm, and applied it to verification of functional programs, including reachability, flow analysis and resource usage verification problems. According to our experiments, the model checker is surprisingly fast: it could automatically verify a number of small but tricky higherorder functional programs in less than a second.
HigherOrder MultiParameter Tree Transducers . . .
, 2010
"... We introduce higherorder, multiparameter, tree transducers (HMTTs, for short), which are kinds of higherorder tree transducers that take input trees and output a (possibly infinite) tree. We study the problem of checking whether the tree generated by a given HMTT conforms to a given output specif ..."
Abstract

Cited by 26 (10 self)
 Add to MetaCart
We introduce higherorder, multiparameter, tree transducers (HMTTs, for short), which are kinds of higherorder tree transducers that take input trees and output a (possibly infinite) tree. We study the problem of checking whether the tree generated by a given HMTT conforms to a given output specification, provided that the input trees conform to input specifications (where both input/output specifications are regular tree languages). HMTTs subsume higherorder recursion schemes and ordinary tree transducers, so that their verification has a number of potential applications to verification of functional programs using recursive data structures, including resource usage verification, string analysis, and exact typechecking of XMLprocessing programs. We propose a sound but incomplete verification algorithm for the HMTT verification problem: the algorithm reduces the verification problem to a modelchecking problem for higherorder recursion schemes extended with finite data domains, and then uses (an extension of) Kobayashi’s algorithm for modelchecking recursion schemes. While the algorithm is incomplete (indeed, as we show in the paper, the verification problem is undecidable in general), it is sound and complete for a subclass of HMTTs called linear HMTTs. We have applied our HMTT verification algorithm to various program verification problems and obtained promising results.
CFA2: A contextfree approach to controlflow analysis
 Logical Methods Comput. Sci
, 2011
"... Abstract. In a functional language, the dominant controlflow mechanism is function call and return. Most higherorder flow analyses, including kCFA, do not handle call and return well: they remember only a bounded number of pending calls because they approximate programs with controlflow graphs ..."
Abstract

Cited by 24 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In a functional language, the dominant controlflow mechanism is function call and return. Most higherorder flow analyses, including kCFA, do not handle call and return well: they remember only a bounded number of pending calls because they approximate programs with controlflow graphs. Call/return mismatch introduces precisiondegrading spurious controlflow paths and increases the analysis time. We describe CFA2, the first flow analysis with precise call/return matching in the presence of higherorder functions and tail calls. We formulate CFA2 as an abstract interpretation of programs in continuationpassing style and describe a sound and complete summarization algorithm for our abstract semantics. A preliminary evaluation shows that CFA2 gives more accurate dataflow information than 0CFA and 1CFA. 1
Introspective Pushdown Analysis of HigherOrder Programs
"... In the static analysis of functional programs, pushdown flow analysis and abstract garbage collection skirt just inside the boundaries of soundness and decidability. Alone, each method reduces analysis times and boosts precision by orders of magnitude. This work illuminates and conquers the theoreti ..."
Abstract

Cited by 22 (13 self)
 Add to MetaCart
(Show Context)
In the static analysis of functional programs, pushdown flow analysis and abstract garbage collection skirt just inside the boundaries of soundness and decidability. Alone, each method reduces analysis times and boosts precision by orders of magnitude. This work illuminates and conquers the theoretical challenges that stand in the way of combining the power of these techniques. The challenge in marrying these techniques is not subtle: computing the reachable control states of a pushdown system relies on limiting access during transition to the top of the stack; abstract garbage collection, on the other hand, needs full access to the entire stack to compute a root set, just as concrete collection does. Introspective pushdown systems resolve this conflict. Introspective pushdown systems provide enough access to the stack to allow abstract garbage collection, but they remain restricted enough to compute controlstate reachability, thereby enabling the sound and precise product of pushdown analysis and abstract garbage collection. Experiments reveal synergistic interplay between the techniques, and the fusion demonstrates “betterthanbothworlds ” precision.
Dependent Types from Counterexamples
, 2010
"... Motivated by recent research in abstract model checking, we present a new approach to inferring dependent types. Unlike many of the existing approaches, our approach does not rely on programmers to supply the candidate (or the correct) types for the recursive functions and instead does counterexampl ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
(Show Context)
Motivated by recent research in abstract model checking, we present a new approach to inferring dependent types. Unlike many of the existing approaches, our approach does not rely on programmers to supply the candidate (or the correct) types for the recursive functions and instead does counterexampleguided refinement to automatically generate the set of candidate dependent types. The main idea is to extend the classical fixedpoint type inference routine to return a counterexample if the program is found untypable with the current set of candidate types. Then, an interpolating theorem prover is used to validate the counterexample as a real type error or generate additional candidate dependent types to refute the spurious counterexample. The process is repeated until either a real type error is found or sufficient candidates are generated to prove the program typable. Our system makes nontrivial use of “linear” intersection types in the refinement phase. The paper presents the type inference system and reports on the experience with a prototype implementation that infers dependent types for a subset of the Ocaml language. The implementation infers dependent types containing predicates from the quantifierfree theory of linear arithmetic and equality with uninterpreted function symbols.
Complexity of Model Checking Recursion Schemes for Fragments of the Modal MuCalculus
"... Abstract. Ong has shown that the modal mucalculus model checking problem (equivalently, the alternating parity tree automaton (APT) acceptance problem) of possiblyinfinite ranked trees generated by ordern recursion schemes is nEXPTIME complete. We consider two subclasses of APT and investigate t ..."
Abstract

Cited by 14 (9 self)
 Add to MetaCart
(Show Context)
Abstract. Ong has shown that the modal mucalculus model checking problem (equivalently, the alternating parity tree automaton (APT) acceptance problem) of possiblyinfinite ranked trees generated by ordern recursion schemes is nEXPTIME complete. We consider two subclasses of APT and investigate the complexity of the respective acceptance problems. The main results are that, for APT with a single priority, the problem is still nEXPTIME complete; whereas, for APT with a disjunctive transition function, the problem is (n − 1)EXPTIME complete. This study was motivated by Kobayashi’s recent work showing that the resource usage verification for functional programs can be reduced to the model checking of recursion schemes. As an application, we show that the resource usage verification problem is (n − 1)EXPTIME complete. 1
Pushdown ControlFlow Analysis of HigherOrder Programs
"... Contextfree approaches to static analysis gain precision over classical approaches by perfectly matching returns to call sites— a property that eliminates spurious interprocedural paths. Vardoulakis and Shivers’s recent formulation of CFA2 showed that it is possible (if expensive) to apply context ..."
Abstract

Cited by 14 (9 self)
 Add to MetaCart
Contextfree approaches to static analysis gain precision over classical approaches by perfectly matching returns to call sites— a property that eliminates spurious interprocedural paths. Vardoulakis and Shivers’s recent formulation of CFA2 showed that it is possible (if expensive) to apply contextfree methods to higherorder languages and gain the same boost in precision achieved over firstorder programs. To this young body of work on contextfree analysis of higherorder programs, we contribute a pushdown controlflow analysis framework, which we derive as an abstract interpretation of a CESK machine with an unbounded stack. One instantiation of this framework marks the first polyvariant pushdown analysis of higherorder programs; another marks the first polynomialtime analysis. In the end, we arrive at a framework for controlflow analysis that can efficiently compute pushdown generalizations of classical controlflow analyses. 1.
Union and intersection types for secure protocol implementations
"... We present a new type system for verifying the security of cryptographic protocol implementations. The type system combines prior work on refinement types, with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
We present a new type system for verifying the security of cryptographic protocol implementations. The type system combines prior work on refinement types, with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the typebased analyses of protocol implementations. In particular, our types can statically characterize: (i) more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; (ii) authenticity and integrity properties achieved by showing knowledge of secret data; (iii) applications based on zeroknowledge proofs. The type system comes with a mechanized proof of correctness and an efficient typechecker.
A Practical Linear Time Algorithm for Trivial Automata Model Checking of HigherOrder Recursion Schemes
"... The model checking of higherorder recursion schemes has been actively studied and is now becoming a basis of higherorder program verification. We propose a new algorithm for trivial automata model checking of higherorder recursion schemes. To our knowledge, this is the first practical model che ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
The model checking of higherorder recursion schemes has been actively studied and is now becoming a basis of higherorder program verification. We propose a new algorithm for trivial automata model checking of higherorder recursion schemes. To our knowledge, this is the first practical model checking algorithm for recursion schemes that runs in time linear in the size of the higherorder recursion scheme, under the assumption that the size of trivial automata and the largest order and arity of functions are fixed. The previous linear time algorithm was impractical due to a huge constant factor, and the only practical previous algorithm suffers from the hyperexponential worstcase time complexity, under the same assumption. The new algorithm is remarkably simple, consisting of just two fixedpoint computations. We have implemented the algorithm and confirmed that it outperforms Kobayashi’s previous algorithm in a certain case.