Michael I. Schwartzbach

Precise analysis of string expressions

We perform static analysis of Java programs to answer a simple question: which values may occur as results of string expressions? The answers are summarized for each expression by a regular language that is guaranteed to contain all possible values. We present several applications of this analysis, including statically checking the syntax of dynamically generated expressions, such as SQL queries. Our analysis constructs flow graphs from class files and generates a context-free grammar with a nonterminal for each string expression. The language of this grammar is then widened into a regular language through a variant of an algorithm previously used for speech recognition. The collection of resulting regular languages is compactly represented as a special kind of multi-level automaton from which individual answers may be extracted. If a program error is detected, examples of invalid strings are automatically produced. We present extensive benchmarks demonstrating that the analysis is efficient and produces results of useful precision.

Secure Multiparty Computation Goes Live

In this note, we report on the first large-scale and practical application of secure multiparty computation, which took place in January 2008. We also report on the novel cryptographic protocols that were used.

The pointer assertion logic engine

We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted to simple special cases such as lists or trees. Even so, our current implementation is as fast as the previous specialized tools. Programs are annotated with partial specifications expressed in Pointer Assertion Logic, a new notation for expressing properties of the program store. We work in the logical tradition by encoding the programs and partial specifications as formulas in monadic second-order logic. Validity of these formulas is checked by the MONA tool, which also can provide explicit counterexamples to invalid formulas. To make verification decidable, the technique requires explicit loop and function call invariants. In return, the technique is highly modular: every statement of a given program is analyzed only once. The main target applications are safety-critical data-type algorithms, where the cost of annotating a program with invariants is justified by the value of being able to automatically verify complex properties of the program.

Object-oriented type inference

We present a new approach to inferring types in untyped object-oriented programs with inheritance, assignments, and late binding. It guarantees that all messages are understood, annotates the program with type information, allows polymorphic methods, and can be used as the basis of an optimizing compiler. Types are finite sets of classes and subtyping is set inclusion. Using a trace graph, our algorithm constructs a set of conditional type constraints and computes the least solution by least fixed-point derivation.

Graph types

Recursive data structures are abstractions of simple records and pointers. They impose a shape invariant, which is verified at compile-time and exploited to automatically generate code for building, copying, comparing, and traversing values without loss of efficiency. However, such values are always tree shaped, which is a major obstacle to practical use. We propose a notion of graph types, which allow common shapes, such as doubly-linked lists or threaded trees, to be expressed concisely and efficiently. We define regular languages of routing expressions to specify relative addresses of extra pointers in a canonical spanning tree. An efficient algorithm for computing such addresses is developed. We employ a second-order monadic logic to decide well-formedness of graph type specifications. This logic can also be used for automated reasoning about pointer structures.

Extending Java for high-level Web service construction

We incorporate innovations from the <bigwig> project into the Java language to provide high-level features for Web service programming. The resulting language, JWIG, contains an advanced session model and a flexible mechanism for dynamic construction of XML documents, in particular XHTML. To support program development we provide a suite of program analyses that at compile time verify for a given program that no runtime errors can occur while building documents or receiving form input, and that all documents being shown are valid according to the document type definition for XHTML 1.0.We compare JWIG with Servlets and JSP which are widely used Web service development platforms. Our implementation and evaluation of JWIG indicate that the language extensions can simplify the program structure and that the analyses are sufficiently fast and precise to be practically useful.

Automatic verification of pointer programs using monadic second-order logic

We present a technique for automatic verification of pointer programs based on a decision procedure for the monadic second-order logic on finite strings.We are concerned with a while-fragment of Pascal, which includes recursively-defined pointer structures but excludes pointer arithmetic.We define a logic of stores with interesting basic predicates such as pointer equality, tests for nil pointers, and garbage cells, as well as reachability along pointers.We present a complete decision procedure for Hoare triples based on this logic over loop-free code. Combined with explicit loop invariants, the decision procedure allows us to answer surprisingly detailed questions about small but non-trivial programs. If a program fails to satisfy a certain property, then we can automatically supply an initial store that provides a counterexample.Our technique had been fully and efficiently implemented for linear linked lists, and it extends in principle to tree structures. The resulting system can be used to verify extensive properties of smaller pointer programs and could be particularly useful in a teaching environment.

TAPSOFT '95: Theory and Practice of Software Development

A decade of TAPSOFT.- Theory and practice of software development.- Rational spaces and set constraints.- Formal methods and social context in software development.- Testing can be formal, too.- Anatomy of the Pentium bug.- Rational mechanics and natural mathematics.- First-order logic on finite trees.- Decidability of equivalence for deterministic synchronized tree automata.- The equivalence problem for letter-to-letter bottom-up tree transducers is solvable.- ?I: A symmetric calculus based on internal mobility.- Complete inference systems for weak bisimulation equivalences in the ?-calculus.- Reasoning about higher-order processes.- Confluence of processes and systems of objects.- An algebraic approach to temporal logic.- On behavioural abstraction and behavioural satisfaction in higher-order logic.- Assumption/guarantee specifications in linear-time temporal logic (extended abstract).- Fine hierarchy of regular ?-languages.- Computing the Wadge degree, the Lifschitz degree, and the Rabin index of a regular language of infinite words in polynomial time.- Semi-trace morphisms and rational transductions.- Nonfinite axiomatizability of shuffle inequalities.- On the category of Petri net computations.- High undecidability of weak bisimilarity for Petri nets.- Polynomial algorithms for the synthesis of bounded nets.- Semi-completeness of hierarchical and super-hierarchical combinations of term rewriting systems.- Lazy narrowing: Strong completeness and eager variable elimination (extended abstract).- On the expressive power of algebraic graph grammars with application conditions.- Generated models and the ?-rule: The nondeterministic case.- CPO models for a class of GSOS languages.- Statecharts, transition structures and transformations.- An imperative object calculus.- A refinement of import/export declarations in modular logic programming and its semantics.- Strictness and totality analysis with conjunction.- Generic techniques for source-level debugging and dynamic program slicing.- Reasoning with executable specifications.- Calculating software generators from solution specifications.- Comparing flow-based binding-time analyses.- Can you trust your data.- Static and dynamic processor allocation for higher-order concurrent languages.- Mechanized inductive proof of properties of a simple code optimizer.- Describing a Signal Analyzer in the process algebra PMC - A case study.- A gentle introduction to specification engineering using a case study in telecommunications.- Precise interprocedural dataflow analysis with applications to constant propagation.- Formal specification and prototyping of a program specializer.- Proving the correctness of recursion-based automatic program transformations.- Reactive system specification and refinement.- Measuring concurrency of regular distributed computations.- Non-speculative and upward invocation of continuations in a parallel language.- A model inference system for generic specification with application to code sharing.- Relations as abstract datatypes: An institution to specify relations between algebras.- Performance-oriented formal specifications - the LotoTis approach.- Signal: A formal design environment for real-time systems.- The META-Frame: An environment for flexible tool management.- STeP: The Stanford Temporal Prover.- The HOL-UNITY verification system.- PLATO: A tool to assist programming as term rewriting and theorem proving.- LOFT: A tool for assisting selection of test data sets from algebraic specifications.- The SMoLCS ToolSet.- The Asf+Sdf Meta-environment documentation tools for free.- The B-Toolkit demonstration.- Object Oriented Semantics Directed Compiler Generation: A prototype.

Static analysis of XML transformations in Java

XML documents generated dynamically by programs are typically represented as text strings or DOM trees. This is a low-level approach for several reasons: 1) traversing and modifying such structures can be tedious and error prone, 2) although schema languages, e.g., DTD, allow classes of XML documents to be defined, there are generally no automatic mechanisms for statically checking that a program transforms from one class to another as intended. We introduce XACT, a high-level approach for Java using XML templates as a first-class data type with operations for manipulating XML values based on XPath. In addition to an efficient runtime representation, the data type permits static type checking using DTD schemas as types. By specifying schemes for the input and output of a program, our analysis algorithm will statically verify that valid input data is always transformed into valid output data and that the operations are used consistently.

PowerForms: Declarative client-side form field validation

All uses of HTML forms may benefit from validation of the specified input field values. Simple validation matches individual values against specified formats, while more advanced validation may involve interdependencies of form fields. There is currently no standard for specifying or implementing such validation. Today, CGI programmers often use Perl libraries for simple server-side validation or program customized JavaScript solutions for client-side validation. We present PowerForms, which is an add-on to HTML forms that allows a purely declarative specification of input formats and sophisticated interdependencies of form fields. While our work may be seen as inspiration for a future extension of HTML, it is also available for CGI programmers today through a preprocessor that translates a PowerForms document into a combination of standard HTML and JavaScript that works on all combinations of platforms and browsers. The definitions of PowerForms formats are syntactically disjoint from the form itself, which allows a modular development where the form is perhaps automatically generated by other tools and the formats and interdependencies are added separately. PowerForms has a clean semantics defined through a fixed-point process that resolves the interdependencies between all field values. Text fields are equipped with status icons (by default traffic lights) that continuously reflect the validity of the text that has been entered so far, thus providing immediate feed-back for the user. For other GUI components the available options are dynamically filtered to present only the allowed values. PowerForms are integrated into the system for generating interactive Web services, but is also freely available in an Open Source distribution as a stand-alone package.