Christina Jansen

A local greibach normal form for hyperedge replacement grammars

Heap-based data structures play an important role in modern programming concepts. However standard verification algorithms cannot cope with infinite state spaces as induced by these structures. A common approach to solve this problem is to apply abstraction techniques. Hyperedge replacement grammars provide a promising technique for heap abstraction as their production rules can be used to partially abstract and concretise heap structures. To support the required concretisations, we introduce a normal form for hyperedge replacement grammars as a generalisation of the Greibach Normal Form for string grammars and the adapted construction.

Generating Inductive Predicates for Symbolic Execution of Pointer-Manipulating Programs

We study the relationship between two abstraction approaches for pointer programs, Separation Logic and hyperedge replacement grammars. Both employ inductively defined predicates and replacement rules, respectively, for representing (dynamic) data structures, involving abstraction and concretisation operations for symbolic execution. In the Separation Logic case, automatically generating a complete set of such operations requires certain properties of predicates, which are currently implicitly described and manually established. In contrast, the structural properties that guarantee correctness of grammar abstraction are decidable and automatable. Using a property-preserving translation we argue that it is exactly the logic counterparts of those properties that ensure the direct applicability of predicate definitions for symbolic execution.

Juggrnaut : an abstract JVM

We introduce a new kind of hypergraphs and hyperedge replacement grammars, where nodes are associated types. We use them to adapt the abstraction framework Juggrnaut presented by us in [7,8] --- for the verification of Java Bytecode programs. The framework is extended to handle additional concepts needed for the analysis of Java Bytecode like null pointers and method stacks as well as local and static variables. We define the abstract transition rules for a significant subset of opcodes and show how to compute the abstract state space. Finally we complete the paper with some experimental results.

Unified Reasoning about Robustness Properties of Symbolic-Heap Separation Logic

We introduce heap automata, a formalism for automatic reasoning about robustness properties of the symbolic heap fragment of separation logic with user-defined inductive predicates. Robustness properties, such as satisfiability, reachability, and acyclicity, are important for a wide range of reasoning tasks in automated program analysis and verification based on separation logic. Previously, such properties have appeared in many places in the separation logic literature, but have not been studied in a systematic manner. In this paper, we develop an algorithmic framework based on heap automata that allows us to derive asymptotically optimal decision procedures for a wide range of robustness properties in a uniform way.

Generating Abstract Graph-Based Procedure Summaries for Pointer Programs

The automated analysis and verification of pointer-manipulating programs operating on a heap is a challenging task. It requires abstraction techniques for dealing with complex program behaviour and unbounded state spaces that arise from both dynamic data structures and recursive procedures. In previous work it was shown that hyperedge replacement grammars provide an intuitive and versatile concept for defining and implementing such abstractions.

Static Analysis of Pointer Programs - Linking Graph Grammars and Separation Logic

This thesis presents a sound abstraction framework for the static analysis of pointer programs, which is able to handle (recursive) procedures as well as concurrency. The framework builds on a graph representation of the heap using so-called hypergraphs. In these graphs edges are labelled and can be connected to arbitrarily many vertices. Understanding edges between two vertices as pointers and the remaining edges as placeholders for parts of the heap, hypergraphs feature the necessary concepts for heap abstraction. More concretely, edge labels are used to specify the shape of the heap that is abstracted. Hyperedge replacement grammars formalise this mapping. That is, they define the data structures each of the labels represents. Concretisation and abstraction of heaps then directly correspond to forward and backward application of production rules of the hyperedge replacement grammar, respectively. The first part of the thesis lays the formal foundation for hypergraphbased heap representation and its concretisation and abstraction. Utilising this, an analysis approach for non-procedural pointer programs is presented. Additionally, we make requirements of hyperedge replacement grammars that are crucial for the soundness and termination of concretisation and abstraction. It is shown that each hyperedge replacement grammar can be transformed such that it satisfies these requirements. In the second part of the thesis, a bridge between hyperedge replacement grammars and the symbolic heap fragment of Separation Logic is built. In particular, a translation procedure between both formalisms is given and proven correct. Additionally, we provide the Separation Logic counterparts of the requirements determined in the preceding part and show that they are preserved by the translation. The relationship between Separation Logic and hyperedge replacement grammars inspired the extension to a framework that modularly handles procedures and forkjoin-concurrency. That is, in the last part of the thesis we adopt the concept of contracts, i.e. pairs consisting of a preand a postcondition that capture the effect of a procedure or thread execution, to obtain procedure and thread

Tree-Like Grammars and Separation Logic

Separation Logic with inductive predicate definitions (\(\texttt {SL}\)) and hyperedge replacement grammars (HRG) are established formalisms to describe the abstract shape of data structures maintained by heap-manipulating programs. Fragments of both formalisms are known to coincide, and neither the entailment problem for \(\texttt {SL}\) nor its counterpart for HRGs, the inclusion problem, are decidable in general.

Incremental Construction of Greibach Normal Form

This paper presents an incremental version of the well-known algorithm for constructing the Greibach normal form (GNF) of a context-free string grammar. It supports the extension of the grammar by additional rules without the need of reperforming the GNF construction from scratch. Thus it offers an efficiency advantage over the classical GNF algorithm in use cases where grammars are extended at a later stage. It ensures that nonterminals and production rules once generated during GNF construction are not removed due to recomputation of GNF, thus preserving the structure of derivations. We present a commandline tool implementing both the classical and the incremental GNF algorithm and compare both by means of two case studies.

Graph-Based Shape Analysis Beyond Context-Freeness.

We develop a shape analysis for reasoning about relational properties of data structures. Both the concrete and the abstract domain are represented by hypergraphs. The analysis is parameterized by user-supplied indexed graph grammars to guide concretization and abstraction. This novel extension of context-free graph grammars is powerful enough to model complex data structures such as balanced binary trees with parent pointers, while preserving most desirable properties of context-free graph grammars.

Let this Graph Be Your Witness

We present a graph-based tool for analysing Java programs operating on dynamic data structures. It involves the generation of an abstract state space employing a user-defined graph grammar. LTL model checking is then applied to this state space, supporting both structural and functional correctness properties. The analysis is fully automated, procedure-modular, and provides informative visual feedback including counterexamples in the case of property violations.