13 research outputs found
A Tighter Bound for the Determinization of Visibly Pushdown Automata
Visibly pushdown automata (VPA), introduced by Alur and Madhusuan in 2004, is
a subclass of pushdown automata whose stack behavior is completely determined
by the input symbol according to a fixed partition of the input alphabet. Since
its introduce, VPAs have been shown to be useful in various context, e.g., as
specification formalism for verification and as automaton model for processing
XML streams. Due to high complexity, however, implementation of formal
verification based on VPA framework is a challenge. In this paper we consider
the problem of implementing VPA-based model checking algorithms. For doing so,
we first present an improvement on upper bound for determinization of VPA.
Next, we propose simple on-the-fly algorithms to check universality and
inclusion problems of this automata class. Then, we implement the proposed
algorithms in a prototype tool. Finally, we conduct experiments on randomly
generated VPAs. The experimental results show that the proposed algorithms are
considerably faster than the standard ones
Optimizing an LTS-Simulation Algorithm
When comparing the fastest algorithm for computing the largest simulation preorder over Kripke structures with the one for labeled transition systems (LTS), there is a noticeable time and space complexity blow-up proportional to the size of the alphabet of an LTS. In this paper, we present optimizations that suppress this increase of complexity and may turn a large alphabet of an LTS to an advantage. Our experimental results show significant speed-ups and memory savings. Moreover, the optimized algorithm allows one to improve asymptotic complexity of procedures for computing simulations over tree automata using recently proposed algorithms based on computing simulation over certain special LTS derived from a tree automaton
Symblicit algorithms for optimal strategy synthesis in monotonic Markov decision processes
When treating Markov decision processes (MDPs) with large state spaces, using
explicit representations quickly becomes unfeasible. Lately, Wimmer et al. have
proposed a so-called symblicit algorithm for the synthesis of optimal
strategies in MDPs, in the quantitative setting of expected mean-payoff. This
algorithm, based on the strategy iteration algorithm of Howard and Veinott,
efficiently combines symbolic and explicit data structures, and uses binary
decision diagrams as symbolic representation. The aim of this paper is to show
that the new data structure of pseudo-antichains (an extension of antichains)
provides another interesting alternative, especially for the class of monotonic
MDPs. We design efficient pseudo-antichain based symblicit algorithms (with
open source implementations) for two quantitative settings: the expected
mean-payoff and the stochastic shortest path. For two practical applications
coming from automated planning and LTL synthesis, we report promising
experimental results w.r.t. both the run time and the memory consumption.Comment: In Proceedings SYNT 2014, arXiv:1407.493
Static Program Analysis for String Manipulation Languages
In recent years, dynamic languages, such as JavaScript or Python, have been
increasingly used in a wide range of fields and applications. Their tricky and
misunderstood behaviors pose a hard challenge for static analysis of these
programming languages. A key aspect of any dynamic language program is the
multiple usage of strings, since they can be implicitly converted to another
type value, transformed by string-to-code primitives or used to access an
object-property. Unfortunately, string analyses for dynamic languages still
lack precision and do not take into account some important string features.
Moreover, string obfuscation is very popular in the context of dynamic language
malicious code, for example, to hide code information inside strings and then
to dynamically transform strings into executable code. In this scenario, more
precise string analyses become a necessity. This paper is placed in the context
of static string analysis by abstract interpretation and proposes a new
semantics for string analysis, placing a first step for handling dynamic
languages string features.Comment: In Proceedings VPT 2019, arXiv:1908.0672
Regular Methods for Operator Precedence Languages
The operator precedence languages (OPLs) represent the largest known subclass of the context-free languages which enjoys all desirable closure and decidability properties. This includes the decidability of language inclusion, which is the ultimate verification problem. Operator precedence grammars, automata, and logics have been investigated and used, for example, to verify programs with arithmetic expressions and exceptions (both of which are deterministic pushdown but lie outside the scope of the visibly pushdown languages). In this paper, we complete the picture and give, for the first time, an algebraic characterization of the class of OPLs in the form of a syntactic congruence that has finitely many equivalence classes exactly for the operator precedence languages. This is a generalization of the celebrated Myhill-Nerode theorem for the regular languages to OPLs. As one of the consequences, we show that universality and language inclusion for nondeterministic operator precedence automata can be solved by an antichain algorithm. Antichain algorithms avoid determinization and complementation through an explicit subset construction, by leveraging a quasi-order on words, which allows the pruning of the search space for counterexample words without sacrificing completeness. Antichain algorithms can be implemented symbolically, and these implementations are today the best-performing algorithms in practice for the inclusion of finite automata. We give a generic construction of the quasi-order needed for antichain algorithms from a finite syntactic congruence. This yields the first antichain algorithm for OPLs, an algorithm that solves the ExpTime-hard language inclusion problem for OPLs in exponential time
Deciding Entailments in Inductive Separation Logic with Tree Automata
Separation Logic (SL) with inductive definitions is a natural formalism for
specifying complex recursive data structures, used in compositional
verification of programs manipulating such structures. The key ingredient of
any automated verification procedure based on SL is the decidability of the
entailment problem. In this work, we reduce the entailment problem for a
non-trivial subset of SL describing trees (and beyond) to the language
inclusion of tree automata (TA). Our reduction provides tight complexity bounds
for the problem and shows that entailment in our fragment is EXPTIME-complete.
For practical purposes, we leverage from recent advances in automata theory,
such as inclusion checking for non-deterministic TA avoiding explicit
determinization. We implemented our method and present promising preliminary
experimental results
Static Analysis for ECMAScript String Manipulation Programs
In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a great challenge for static analysis of these languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. In this scenario, more precise string analyses become a necessity. The goal of this paper is to place a first step for precisely handling dynamic language string features. In particular, we propose a new abstract domain approximating strings as finite state automata and an abstract interpretation-based static analysis for the most common string manipulating operations provided by the ECMAScript specification. The proposed analysis comes with a prototype static analyzer implementation for an imperative string manipulating language, allowing us to show and evaluate the improved precision of the proposed analysis