Reachability Analysis of Innermost Rewriting

TL;DR

This paper adapts a tree automata technique to accurately analyze the output of functional programs under innermost rewriting, improving static analysis precision for call-by-value strategies.

Contribution

It introduces a sound and precise method for innermost rewriting analysis, extending existing algorithms and implementing them in a new tool.

Findings

Improved accuracy in static analysis for call-by-value evaluation.

Formal proof of soundness and precision for the proposed technique.

Implementation in the Timbuk reachability tool with successful experiments.

Abstract

We consider the problem of inferring a grammar describing the output of a functional program given a grammar describing its input. Solutions to this problem are helpful for detecting bugs or proving safety properties of functional programs, and several rewriting tools exist for solving this problem. However, known grammar inference techniques are not able to take evaluation strategies of the program into account. This yields very imprecise results when the evaluation strategy matters. In this work, we adapt the Tree Automata Completion algorithm to approximate accurately the set of terms reachable by rewriting under the innermost strategy. We formally prove that the proposed technique is sound and precise w.r.t. innermost rewriting. We show that those results can be extended to the leftmost and rightmost innermost case. The algorithms for the general innermost case have been implemented in the Timbuk reachability tool. Experiments show that it noticeably improves the accuracy of static analysis for functional programs using the call-by-value evaluation strategy.