Results 1-10 of 121
A robust class of context-sensitive languages
In LICS, 2007
Cited by 43 (7 self)
We define a new class of languages defined by multistack automata that forms a robust subclass of context-sensitive languages, with decidable emptiness and closure under boolean operations. This class, called multistack visibly pushdown languages (MVPLs), is defined using multistack pushdown automata with two restrictions: (a) the pushdown automaton is visible, i.e. the input letter determines the operation on the stacks, and (b) any computation of the machine can be split into k stages, where in each stage, there is at most one stack that is popped. MVPLs are an extension of visibly pushdown languages that captures non-context-free behaviors, and has applications in analyzing abstractions of multithreaded recursive programs, significantly enlarging the search space that can be explored for them. We show that MVPLs are closed under boolean operations, and problems such as emptiness and inclusion are decidable. We characterize MVPLs using monadic second-order logic over appropriate structures, and exhibit a Parikh theorem for them.
On notions of regularity for data languages
In FCT, 2007
Cited by 31 (5 self)
Motivated by considerations in XML database theory and model checking, data strings have been introduced as an extension of finite alphabet strings which carry, at each position, a symbol and a data value from an infinite domain. Previous work has shown that it is difficult to come up with an expressive yet decidable automaton model for data languages. Recently, such a model, data automata, was introduced. This paper introduces a simpler but equivalent model and investigates its expressive power, algorithmic and closure properties, and some extensions.
First-order and temporal logics for nested words
In LICS 2007
Cited by 26 (4 self)
Nested words are a structured model of execution paths in procedural programs, reflecting their call and return nesting structure. Finite nested words also capture the structure of parse trees and other tree-structured data, such as XML. We provide new temporal logics for finite and infinite nested words, which are natural extensions of LTL, and prove that these logics are first-order expressively-complete. One of them is based on adding a "within" modality, evaluating a formula on a subword, to a logic CaRet previously studied in the context of verifying properties of recursive state machines. The other logic is based on the notion of a summary path that combines the linear and nesting structures. For that logic, both model-checking and satisfiability are shown to be EXPTIME-complete. Finally, we prove that first-order logic over nested words has the three-variable property, and we present a temporal logic for nested words which is complete for the two-variable fragment of first-order.
The Tree Width of Auxiliary Storage
Cited by 24 (2 self)
We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finite-state graph automata (without storage) restricted to monadic second-order (MSO) definable graphs of bounded tree-width, where the graph structure encodes the mechanism provided by the auxiliary storage. Our results outline a uniform mechanism to derive emptiness algorithms for automata, explaining and simplifying several existing results, as well as proving new decidability results.
Statically-Directed Dynamic Automated Test Generation
2011
Cited by 18 (4 self)
We present a new technique for exploiting static analysis to guide dynamic automated test generation for binary programs, prioritizing the paths to be explored. Our technique is a three-stage process, which alternates dynamic and static analysis. In the first stage, we run dynamic analysis with a small number of seed tests to resolve indirect jumps in the binary code and build a visibly pushdown automaton (VPA) reflecting the global control-flow of the program. Further, we augment the computed VPA with statically computable jumps not executed by the seed tests. In the second stage, we apply static analysis to the inferred automaton to find potential vulnerabilities, i.e., targets for the dynamic analysis. In the third stage, we use the results of the prior phases to assign weights to VPA edges. Our symbolic-execution-based automated test generation tool then uses the weighted shortest-path lengths in the VPA to direct its exploration to the target potential vulnerabilities. Preliminary experiments on a suite of benchmarks extracted from real applications show that static analysis allows exploration to reach vulnerabilities it otherwise would not, and the generated test inputs prove that the static warnings indicate true positives.
Improved Memory-Access Analysis for x86 Executables
Cited by 16 (1 self)
Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically allocated memory objects of a stripped executable, and to track the flow of values through them. It is relatively easy to track the effects of an instruction operand that refers to a global address (i.e., an access to a global variable) or that uses a stack-frame offset (i.e., an access to a local scalar variable via the frame pointer or stack pointer). In our work, our algorithms are able to provide useful information for close to 100% of such “direct” uses and defs. It is much harder for a static-analysis algorithm to track the effects of an instruction operand that uses a non-stack-frame register. These “indirect” uses and defs correspond to accesses to an array or a dynamically allocated memory object. In one study, our approach recovered useful information for only 29% of indirect uses and 33% of indirect defs. However, using the technique described in this paper, the algorithm recovered useful information for 81% of indirect uses and 90% of indirect defs.
MSO decidability of Multi-Pushdown Systems via Split-Width
2012
Cited by 15 (4 self)
Multithreaded programs with recursion are naturally modeled as multi-pushdown systems. The behaviors are represented as multiply nested words (MNWs), which are words enriched with additional binary relations for each stack matching a push operation with the corresponding pop operation. Any MNW can be decomposed by two basic and natural operations: shuffle of two sequences of factors and merge of consecutive factors of a sequence. We say that the split-width of an MNW is k if it admits a decomposition where the number of factors in each sequence is at most k. The MSO theory of MNWs with split-width k is decidable. We introduce two very general classes of MNWs that strictly generalize known decidable classes and prove their MSO decidability via their split-width and obtain comparable or better bounds of tree-width of known classes.
Directed proof generation for machine code
2010
Cited by 15 (6 self)
We present the algorithms used in MCVETO (Machine-Code VErification TOol), a tool to check whether a stripped machine-code program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures commonly relied on by source-code verification tools, such as control-flow graphs and call-graphs, and (ii) metadata, such as information about variables, types, and aliasing. It cannot even rely on out-of-scope local variables and return addresses being protected from the program’s actions. What distinguishes MCVETO from other work on software model checking is that it shows how verification of machine-code can be performed, while avoiding conventional techniques that would be unsound if applied at the machine-code level.
Streaming tree transducers
CoRR
Cited by 12 (4 self)
Theory of tree transducers provides a foundation for understanding expressiveness and complexity of analysis problems for specification languages for transforming hierarchically structured data such as XML documents. We introduce streaming tree transducers as an analyzable, executable, and expressive model for transforming unranked ordered trees (and hedges) in a single pass. Given a linear encoding of the input tree, the transducer makes a single left-to-right pass through the input, and computes the output in linear time using a finite-state control, a visibly pushdown stack, and a finite number of variables that store output chunks that can be combined using the operations of string-concatenation and tree-insertion. We prove that the expressiveness of the model coincides with transductions definable using monadic second-order logic (MSO). Existing models of tree transducers either cannot implement all MSO-definable transformations, or require regular look ahead that prohibits single-pass implementation. We show a variety of analysis problems such as type-checking and checking functional equivalence are decidable for our model.
High-Performance Complex Event Processing over XML Streams
Cited by 12 (2 self)
Much research attention has been given to delivering high-performance systems that are capable of complex event processing (CEP) in a wide range of applications. However, many current CEP systems focus on efficiently processing data having a simple structure, and are otherwise limited in their ability to efficiently support complex continuous queries on structured or semi-structured information. However, XML streams represent a very popular form of data exchange, comprising large portions of social network and RSS feeds, financial records, configuration files, and similar applications requiring advanced CEP queries. In this paper, we present the XSeq language and system that support CEP on XML streams, via an extension of XPath that is both powerful and amenable to an efficient implementation. Specifically, the XSeq language extends XPath with natural operators to express sequential and Kleene* patterns over XML streams, while remaining highly amenable to efficient implementation. XSeq is designed to take full advantage of recent advances in the field of automata on Visibly Pushdown Automata (VPA), where higher expressive power can be achieved without compromising efficiency (whereas the amenability to efficient implementation was not demonstrated in XPath extensions previously proposed). We illustrate XSeq’s power for CEP applications through examples from different domains, and provide formal results on its expressiveness and complexity. Finally, we present several optimization techniques for XSeq queries. Our extensive experiments indicate that XSeq brings outstanding performance to CEP applications: two orders of magnitude improvement are obtained over the same queries executed in general-purpose XML engines.