601 research outputs found
Pushdown Control-Flow Analysis of Higher-Order Programs
Context-free approaches to static analysis gain precision over classical
approaches by perfectly matching returns to call sites---a property that
eliminates spurious interprocedural paths. Vardoulakis and Shivers's recent
formulation of CFA2 showed that it is possible (if expensive) to apply
context-free methods to higher-order languages and gain the same boost in
precision achieved over first-order programs.
To this young body of work on context-free analysis of higher-order programs,
we contribute a pushdown control-flow analysis framework, which we derive as an
abstract interpretation of a CESK machine with an unbounded stack. One
instantiation of this framework marks the first polyvariant pushdown analysis
of higher-order programs; another marks the first polynomial-time analysis. In
the end, we arrive at a framework for control-flow analysis that can
efficiently compute pushdown generalizations of classical control-flow
analyses.Comment: The 2010 Workshop on Scheme and Functional Programmin
Introspective Pushdown Analysis of Higher-Order Programs
In the static analysis of functional programs, pushdown flow analysis and
abstract garbage collection skirt just inside the boundaries of soundness and
decidability. Alone, each method reduces analysis times and boosts precision by
orders of magnitude. This work illuminates and conquers the theoretical
challenges that stand in the way of combining the power of these techniques.
The challenge in marrying these techniques is not subtle: computing the
reachable control states of a pushdown system relies on limiting access during
transition to the top of the stack; abstract garbage collection, on the other
hand, needs full access to the entire stack to compute a root set, just as
concrete collection does. \emph{Introspective} pushdown systems resolve this
conflict. Introspective pushdown systems provide enough access to the stack to
allow abstract garbage collection, but they remain restricted enough to compute
control-state reachability, thereby enabling the sound and precise product of
pushdown analysis and abstract garbage collection. Experiments reveal
synergistic interplay between the techniques, and the fusion demonstrates
"better-than-both-worlds" precision.Comment: Proceedings of the 17th ACM SIGPLAN International Conference on
Functional Programming, 2012, AC
Symbolic Backwards-Reachability Analysis for Higher-Order Pushdown Systems
Higher-order pushdown systems (PDSs) generalise pushdown systems through the
use of higher-order stacks, that is, a nested "stack of stacks" structure.
These systems may be used to model higher-order programs and are closely
related to the Caucal hierarchy of infinite graphs and safe higher-order
recursion schemes.
We consider the backwards-reachability problem over higher-order Alternating
PDSs (APDSs), a generalisation of higher-order PDSs. This builds on and extends
previous work on pushdown systems and context-free higher-order processes in a
non-trivial manner. In particular, we show that the set of configurations from
which a regular set of higher-order APDS configurations is reachable is regular
and computable in n-EXPTIME. In fact, the problem is n-EXPTIME-complete.
We show that this work has several applications in the verification of
higher-order PDSs, such as linear-time model-checking, alternation-free
mu-calculus model-checking and the computation of winning regions of
reachability games
Recursion Schemes and Logical Reflection
International audienceLet R be a class of generators of node-labelled infinite trees, and L be a logical language for describing correctness properties of these trees. Given r in R and phi in L, we say that r_phi is a phi-reflection of r just if (i) r and r_phi generate the same underlying tree, and (ii) suppose a node u of the tree t(r) generated by r has label f, then the label of the node u of t(r_phi) is f* if u in t(r) satisfies phi; it is f otherwise. Thus if t(r) is the computation tree of a program r, we may regard r_phi as a transform of r that can internally observe its behaviour against a specification phi. We say that R is (constructively) reflective w.r.t. L just if there is an algorithm that transforms a given pair (r,phi) to r_phi. In this paper, we prove that higher-order recursion schemes are reflective w.r.t. both modal mu-calculus and monadic second order (MSO) logic. To obtain this result, we give the first characterisation of the winning regions of parity games over the transition graphs of collapsible pushdown automata (CPDA): they are regular sets defined by a new class of automata. (Order-n recursion schemes are equi-expressive with order-n CPDA for generating trees.) As a corollary, we show that these schemes are closed under the operation of MSO-interpretation followed by tree unfolding a la Caucal
Recursion Schemes and Logical Reflection
International audienceLet R be a class of generators of node-labelled infinite trees, and L be a logical language for describing correctness properties of these trees. Given r in R and phi in L, we say that r_phi is a phi-reflection of r just if (i) r and r_phi generate the same underlying tree, and (ii) suppose a node u of the tree t(r) generated by r has label f, then the label of the node u of t(r_phi) is f* if u in t(r) satisfies phi; it is f otherwise. Thus if t(r) is the computation tree of a program r, we may regard r_phi as a transform of r that can internally observe its behaviour against a specification phi. We say that R is (constructively) reflective w.r.t. L just if there is an algorithm that transforms a given pair (r,phi) to r_phi. In this paper, we prove that higher-order recursion schemes are reflective w.r.t. both modal mu-calculus and monadic second order (MSO) logic. To obtain this result, we give the first characterisation of the winning regions of parity games over the transition graphs of collapsible pushdown automata (CPDA): they are regular sets defined by a new class of automata. (Order-n recursion schemes are equi-expressive with order-n CPDA for generating trees.) As a corollary, we show that these schemes are closed under the operation of MSO-interpretation followed by tree unfolding a la Caucal
Doctor of Philosophy in Computer Science
dissertationControl-flow analysis of higher-order languages is a difficult problem, yet an important one. It aids in enabling optimizations, improved reliability, and improved security of programs written in these languages. This dissertation explores three techniques to improve the precision and speed of a small-step abstract interpreter: using a priority work list, environment unrolling, and strong function call. In an abstract interpreter, the interpreter is no longer deterministic and choices can be made in how the abstract state space is explored and trade-offs exist. A priority queue is one option. There are also many ways to abstract the concrete interpreter. Environment unrolling gives a slightly different approach than is usually taken, by holding off abstraction in order to gain precision, which can lead to a faster analysis. Strong function call is an approach to clean up some of the imprecision when making a function call that is introduced when abstractly interpreting a program. An alternative approach to building an abstract interpreter to perform static analysis is through the use of constraint solving. Existing techniques to do this have been developed over the last several decades. This dissertation maps these constraints to three different problems, allowing control-flow analysis of higher-order languages to be solved with tools that are already mature and well developed. The control-flow problem is mapped to pointer analysis of first-order languages, SAT, and linear-algebra operations. These mappings allow for fast and parallel implementations of control-flow analysis of higher-order languages. A recent development in the field of static analysis has been pushdown control-flow analysis, which is able to precisely match calls and returns, a weakness in the existing techniques. This dissertation also provides an encoding of pushdown control-flow analysis to linear-algebra operations. In the process, it demonstrates that under certain conditions (monovariance and flow insensitivity) that in terms of precision, a pushdown control-flow analysis is in fact equivalent to a direct style constraint-based formulation
Game semantic analysis of equivalence in IMJ
Using game semantics, we investigate the problem of verifying contextual equivalences in Interface Middleweight Java (IMJ), an imperative object calculus in which program phrases are typed using interfaces. Working in the setting where data types are non-recursive and restricted to finite domains, we identify the frontier between decidability and undecidability by reference to the structure of interfaces present in typing judgments. In particular, we show how to determine the decidability status of problem instances (over a fixed type signature) by examining the position of methods inside the term type and the types of its free identifiers. Our results build upon the recent fully abstract game semantics of IMJ. Decidability is proved by translation into visibly pushdown register automata over infinite alphabets with fresh-input recognition
- âŠ