A Fixpoint Calculus for Local and Global Program Flows

1. A Fixpoint Calculus for Local and Global Program Flows

Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

2. Software model-checking

Code Abstraction Specification Modelchecker Yes/No Model M (pushdown for interprocedural; finite-state for intraprocedural) Logical formula (f) Does M satisfy f? mu-calculus, LTL, CTL� Flow sensitive I work in the area of software model checking, where the big picture is this. The objective is to analyze code w.r.t. a formal specification. Given a program we generate an abstraction out of it�. Now as for the specification, they can be logics or automata; in this case we are interested in logical specifications. There�s a whole variety of these� Note that some of them are more expressive than others. Given all this, we use a module called the model checker.. It�s desirable that the complexity of this model-checking.I work in the area of software model checking, where the big picture is this. The objective is to analyze code w.r.t. a formal specification. Given a program we generate an abstraction out of it�. Now as for the specification, they can be logics or automata; in this case we are interested in logical specifications. There�s a whole variety of these� Note that some of them are more expressive than others. Given all this, we use a module called the model checker.. It�s desirable that the complexity of this model-checking.

3. Logics for software model-checking

mu-calculus Canonical temporal logic Fixpoints over sets of states Suitable for symbolic implementation Equivalent to alternating tree automata Decidable model-checking on pushdown systems LTL CTL Is the mu-calculus the best specification logic for procedural programs?

4. Problem #1

The mu-calculus cannot capture all properties of interest in pushdown models. call call call ret ret ret local local local local local local write(v) Reachability: Is write(v) reachable? In mu-calculus, Local reachability: Is write(v) reachable in the current context?

5. Problem #2

Reachability in mu-calculus: Formula describes a terminating symbolic computation in finite-state systems (intraprocedural analysis). Application: mu-calculus is the �assembly language� in temporal logic model-checkers like NuSMV. What about pushdown models (interprocedural analysis)? Model-checking the mu-calculus on pushdown systems is decidable. But�

6. Our contributions

LTL CTL mu-calculus VP-mu VP-mu: EXPTIME Mu-calculus, CTL: EXPTIME Reachability games: EXPTIME Local, context-sensitive reachability Interprocedural dataflow involving local + global variables Pre/post-conditions Stack inspection Pushdown games Access control Formulas encode symbolic, interprocedural summary computations Our contributions in this paper are on the specification side. We propose a new program logic called the visibly pushdown mu-calculus � VP-mu in short. As we can see in this figure,... What makes it even more interesting is an analogy which we will soon qualify: if the mu-calculus is good for reasoning about local variables, then VP-mu is �. If mu-calculus is good for�Our contributions in this paper are on the specification side. We propose a new program logic called the visibly pushdown mu-calculus � VP-mu in short. As we can see in this figure,... What makes it even more interesting is an analogy which we will soon qualify: if the mu-calculus is good for reasoning about local variables, then VP-mu is �. If mu-calculus is good for�

7. Local reachability

call call call ret ret ret local local local local local local write(v) Is write(v) reachable in the current context? To jump across contexts, specification needs to have a stack. Unfortunately, model-checking pushdown specifications onpushdown models is undecidable.

8. Visibility; structured trees

call call call ret ret ret ret ret ret local local local local local p p p q p q foo bar foo bar bar Tree model = Unfolding of the graph of configurations of a procedural program Node of tree = control state + stack + history Procedure structure visible via an edge labeling p The first idea is to make the call-return structure visible to the specification via a labeling of the tree. No problem, mu-calculus can also work on such trees� it will just refer to the labels in modalitiesThe first idea is to make the call-return structure visible to the specification via a labeling of the tree. No problem, mu-calculus can also work on such trees� it will just refer to the labels in modalities

9. Summary trees

call ret ret local local local p local s u v Visibility lets us chop a tree into subtrees that summarize contexts. We could jump across contexts if we could reason about concatenation. call ret ret local Summary s u v Matching returns of s = {u,v}

10. Logics on subtrees

local s u Mu-calculus formulas can be interpreted at subtrees rather than nodes Formulas ? sets of subtrees Modalities argue about full subtrees rooted at children Why not a fixpoint calculus where: Formulas ? sets of summary trees and modalities argue about concatenation? Enter VP-mu.

11. Reasoning using summaries

local s u s Formulas? sets of summariesTrees are possibly infinite (unmatched paths) call ret

12. One-step local reachability

local s u call ret

13. Colored summary trees

call ret Number of �leaves� is unbounded Solution: assign leaves k colors Colors are defined by formulas on demand

14. Using colors

call q 1

15. Local reachability

call 1 Use a variable X to store sets of summaries Compute a fixpoint of summaries 1 Summaries plugged into computation Symbolic computation Does this remind you of interprocedural dataflow analysis? Reach a leaf colored 1:

16. The mu-calculus vs VP-mu

The mu-calculus: fixpoints over full subtrees VP-mu: fixpoints over summary trees

17. Global and local program flow

Very busy expression e (x): Along all paths, use (e) appears before x is written. If x is local, use local reachability-like spec. If e involves local as well as global variables, trackthem using a combination of reachability and localreachability.

18. Other properties

Many other context and flow sensitive dataflow properties Pre/post-conditions: If P is satisfied at a call and R holds within its scope, then Q holds on return. Stack inspection: If control reaches an unsafe procedure, then a guaranteeing procedure must be on the stack. If control has ever been in an unsafe procedure, then P must hold so long as control is in a critical procedure. Games where some procedures are owned by Attacker and others are owned by Protector. Access control, stack boundedness�

19. Model-checking

Configuration of an interprocedural control-flow graph : foo bar Node of a tree: bar x u v Stackless summaries: Configuration for matching returns: Enough to consider stackless summaries. But they are finite in number! Same symbolic algorithm as for the mu-calculus (stackless summaries replacing states). History doesn�t matter (no past operator) Stack stays thesame betweencall and matching return

20. Expressiveness

The mu-calculus is contained in VP-mu. CARET (Alur, Etessami, Madhusudan 2004) is contained in VP-mu. Satisfiability of VP-mu is undecidable. Even monadic second-order logic on trees has decidable satisfiability. Subsequent result: VP-mu = visibly pushdown alternating parity tree automata [Visibly pushdown tree languages � Alur, Chaudhuri, Madhusudan. Submitted; draft available on homepage] Analog of equivalence between the mu-calculus and alternating parity tree automata.

21. Conclusions

LTL CTL mu-calculus VP-mu VP-mu: EXPTIME Mu-calculus, CTL: EXPTIME Reachability games: EXPTIME Local, context-sensitive reachability Interprocedural dataflow involving local + global variables Pre/post-conditions Stack inspection Pushdown games Access control Mu-calculus: Intraproceduralfixpoints VP-mu: Interprocedural fixpoints Our contributions in this paper are on the specification side. We propose a new program logic called the visibly pushdown mu-calculus � VP-mu in short. As we can see in this figure,... What makes it even more interesting is an analogy which we will soon qualify: if the mu-calculus is good for reasoning about local variables, then VP-mu is �. If mu-calculus is good for�Our contributions in this paper are on the specification side. We propose a new program logic called the visibly pushdown mu-calculus � VP-mu in short. As we can see in this figure,... What makes it even more interesting is an analogy which we will soon qualify: if the mu-calculus is good for reasoning about local variables, then VP-mu is �. If mu-calculus is good for�

22. Current work

Modular specifications for static analysis and security. A model-checker for C code applying ideas presented here. A unified theory of visibly pushdown automata, fixpoint calculi over summaries, and quantifier logics.