In dynamic analysis, program properties are monitored at runtime. Automata theory has been used for specifying monitors. Let x be a global variable of a program P. We can use Finite-state Automata (FA) to describe "correct" values of x during the execution of P. For example, if x has type bool, an FA can specify that x is true throughout the execution of P.
Infinite domains. In the previous example, x has type bool. In practice, one would want to express properties about variables of any type. If x is of type int and has infinitely many possible values, FAs do not suffice any more. For example, no FA can express the property ϕ_ev stating that x remains even throughout the whole execution of P. One solution to this problem is to use predicate abstraction and create an alphabet of two symbols even(x) and ¬even(x). However, this solution causes the input alphabet to be different from the original one ({even(x), ¬even(x)} instead of the set of integers), and requires choosing a priori which abstraction to use.
Symbolic Finite Automata (S-FA) [DV14, Vea13] solve this problem by allowing transitions to be labeled with predicates over a decidable theory, and enjoy all the closure and decidability properties of finite state automata. The S-FA A_ev for the property ϕ_ev has one state looping on an edge labeled with the predicate even(x), expressible in Presburger arithmetic. Unlike predicate abstraction, S-FAs do not change the underlying alphabet and allow predicates to be combined. For example, let A_pos be the S-FA accepting all the sequences of positive integers. When intersecting A_pos and A_ev the transition predicates will be combined, and we will obtain an S-FA accepting all the sequences containing only integers that are both even and positive. An important restriction is that the underlying theory of the predicates needs to be decidable. For example, the property ϕ_pr, which states that x is a prime number at some point in P, cannot be expressed by an S-FA.
S-FAs allow only unary predicates and cannot relate values at different positions. Symbolic Extended Finite Automata (S-EFA) (Section 2.3) allow binary predicates for comparing adjacent positions, but this extension causes the model to lose closure and decidability properties (Section 2.4). Other models for comparing values over infinite alphabets at different positions are Data Automata (DA) [BDM+11] and Register Automata (RA) [KT08], where one can check, for example, that all the symbols in an input sequence are equal. This property is not expressible by an S-FA or an S-EFA, but Data Automata can only use equality and cannot specify properties such as even(x).
Procedure calls. Let x be of type bool and assume that the program P contains a procedure q. The following property ϕ_= can be specified by neither an FA nor an S-FA: every time q is called, the value of x at the call is the same as the value of x when q returns. The problem is that none of the previous models are able to "remember" which call corresponds to which return. Visibly Pushdown Automata (VPA) [AM09] solve this problem by storing the value of x on a stack at a call and then retrieving it at the corresponding return. Unlike pushdown automata, this model still enjoys closure under Boolean operations and decidable equivalence. This is achieved by making calls and returns visible in the input, and allowing the stack to push only at calls and to pop only at returns.
Procedure calls and infinite domains. Let x be of type int and assume that the program P contains a procedure q. No VPA can express the property ψ_< requiring that, whenever q is called, the value of x at the call is smaller than the value of x at the corresponding return. Expressing this kind of property in a decidable automata model is the topic of this chapter.
We introduce Symbolic Visibly Pushdown Automata (S-VPA), which combine the features of S-FAs and VPAs by allowing transitions to be labeled with predicates over any decidable theory and values to be stored on a stack at calls and retrieved at the corresponding returns. The property ψ_< can then be expressed by an S-VPA A_< as follows: at a procedure call of q, A_< will store the value c of x on the stack. When reading the value r of x at a procedure return of q, the value c of x at the corresponding call will be on top of the stack. Using the predicate c < r, the transition assures that the property ψ_< is met. S-VPAs still enjoy closure under Boolean operations, determinizability, and decidable equivalence; the key to decidability is that binary predicates can only be used to compare values at matching calls and returns (unlike S-EFAs).
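As an added illustration (not code from the thesis), here is a small Python interpreter for deterministic S-VPAs over integer-valued events, with the automaton A_< for ψ_< built on it. The event encoding, the single modelled procedure q, and the treatment of an unmatched return as a rejection are assumptions of this example.

```python
from typing import List, Set, Tuple

# An event is (kind, x) with kind in {"call", "ret", "int"}; only the single
# procedure q is modelled, so its name is omitted (assumption of this example).
Event = Tuple[str, int]

class SymbolicVPA:
    """Deterministic S-VPA over integer-valued events.
    calls:    (src, guard(x), dst, stack_symbol)    pushes (stack_symbol, x)
    returns:  (src, stack_symbol, guard(c, r), dst) pops  (stack_symbol, c)
    internal: (src, guard(x), dst)
    """
    def __init__(self, start: str, final: Set[str], calls, returns, internal):
        self.start, self.final = start, final
        self.calls, self.returns, self.internal = calls, returns, internal

    def accepts(self, trace: List[Event]) -> bool:
        state, stack = self.start, []
        for kind, x in trace:
            if kind == "call":
                nxt = [(d, p) for s, g, d, p in self.calls if s == state and g(x)]
                if not nxt:
                    return False
                state, p = nxt[0]
                stack.append((p, x))      # remember the value of x at the call
            elif kind == "ret":
                if not stack:             # unmatched return: rejected here
                    return False
                p, c = stack.pop()        # c is the value of x at the matching call
                nxt = [d for s, q, g, d in self.returns
                       if s == state and q == p and g(c, x)]
                if not nxt:
                    return False
                state = nxt[0]
            else:
                nxt = [d for s, g, d in self.internal if s == state and g(x)]
                if not nxt:
                    return False
                state = nxt[0]
        return state in self.final and not stack

# A_<: one state looping on every call and internal move; the binary return
# guard c < r relates the value pushed at the call to the value read at the
# return, which no S-FA or S-EFA can express.
A_lt = SymbolicVPA(
    start="s", final={"s"},
    calls=[("s", lambda x: True, "s", "q")],
    returns=[("s", "q", lambda c, r: c < r, "s")],
    internal=[("s", lambda x: True, "s")],
)
```

Nested calls are matched through the stack, so a trace such as call(1), call(2), ret(5), ret(3) is accepted because 2 < 5 and 1 < 3 both hold.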