Propositional Dynamic Logic for HigherOrder Functional Programs
 1 Citations
 7.1k Downloads
Abstract
We present an extension of propositional dynamic logic called HOTPDL for specifying temporal properties of higherorder functional programs. The semantics of HOTPDL is defined over HigherOrder Traces (HOTs) that model execution traces of higherorder programs. A HOT is a sequence of events such as function calls and returns, equipped with two kinds of pointers inspired by the notion of justification pointers from game semantics: one for capturing the correspondence between call and return events, and the other for capturing higherorder control flow involving a function that is passed to or returned by a higherorder function. To allow traversal of the new kinds of pointers, HOTPDL extends PDL with new path expressions. The extension enables HOTPDL to specify interesting properties of higherorder programs, including stackbased access control properties and those definable using dependent refinement types. We show that HOTPDL model checking of higherorder functional programs over bounded integers is decidable via a reduction to modal \(\mu \)calculus model checking of higherorder recursion schemes.
Keywords
Propositional Dynamic Logic (PDL) Higherorder Functional Programs Higher Order Trace (HOTs) Higherorder Recursion Schemes (HORS) Model Execution Traces1 Introduction
 Prop.1.
If the function returned by a partial application of \(\mathtt {tw}\) to some function (e.g., \(\lambda x.\mathtt {inc}\ (\mathtt {inc}\ x)\) in the above sequence) is called with some integer n, the function argument passed to \(\mathtt {tw}\) (i.e., \(\mathtt {inc}\)) is eventually called with n.
 Prop.2.
If the function returned by a partial application of \(\mathtt {tw}\) to some function is never called, then the function argument passed to \(\mathtt {tw}\) is never called.
To remedy the limitation, we introduce a notion of HigherOrder Trace (HOT) that captures the control flow of higherorder programs and propose a dynamic logic over HOTs called HigherOrder Trace Propositional Dynamic Logic (HOTPDL) for specifying temporal properties of higherorder programs.
Intuitively, a HOT models a program execution trace which is a possibly infinite sequence of events such as function calls and returns with information about actual arguments and return values. Furthermore, HOTs are equipped with two kinds of pointers to enable precise specification of control flow: one for capturing the correspondence between call and return events, and the other for capturing higherorder control flow involving a function that is passed to or returned by a higherorder function. The two kinds of pointers are inspired by the notion of justification pointers from the game semantics of PCF [1, 2, 19, 20].
For the higherorder program \(D_{\mathtt {tw}}\), for \(\mathtt {r}=0\), we get the following HOT \(G_{\mathtt {tw}}\):^{1}
Here, \(\bullet \) represents some function value, \(\mathbf {call}(f,v)\) represents a call event of the function f with the argument v, and \(\mathbf {ret}(f,v)\) represents a return event of the function f with the return value v. This trace corresponds to the previous reduction sequence: the call events \(\mathbf {call}(\mathtt {tw},\bullet )\), \(\mathbf {call}(\bullet ,0)\), \(\mathbf {call}(\bullet ,0)\), and \(\mathbf {call}(\bullet ,1)\) that occur in the trace in this order correspond respectively to the redexes \(\mathtt {tw}\ \mathtt {inc}\), \((\lambda x.\mathtt {inc}\ (\mathtt {inc}\ x))\ 0\), \(\mathtt {inc}\ 0\), and \(\mathtt {inc}\ 1\). The three important points here are that (1) the call events have pointers labeled with Open image in new window to the corresponding return events \(\mathbf {ret}(\mathtt {tw},\bullet )\), \(\mathbf {ret}(\bullet ,2)\), \(\mathbf {ret}(\bullet ,1)\), and \(\mathbf {ret}(\bullet ,2)\), (2) the call event \(\mathbf {call}(\mathtt {tw},\bullet )\) has two pointers labeled with Open image in new window , where \(\bullet \) represents the function argument \(\mathtt {f}\) of \(\mathtt {tw}\) and the pointed call events \(\mathbf {call}(\bullet ,0)\) and \(\mathbf {call}(\bullet ,1)\) represent the two calls to \(\mathtt {f}\) in \(\mathtt {tw}\), and (3) the return event \(\mathbf {ret}(\mathtt {tw},\bullet )\) has a pointer labeled with Open image in new window , where \(\bullet \) represents the partiallyapplied function \(\lambda x.\mathtt {inc}\ (\mathtt {inc}\ x)\) and the pointed call event \(\mathbf {call}(\bullet ,0)\) represents the call to the function.
To allow traversal of the pointers, HOTPDL extends propositional dynamic logic with new path expressions (see Sect. 3 for details). The extension enables HOTPDL to specify interesting properties of higherorder programs, including stackbased access control properties and those definable using dependent refinement types. Here, stackbased access control is a security mechanism implemented in runtimes like JVM for ensuring secure execution of programs that have components with different levels of trust: the mechanism ensures that a securitycritical function (e.g., file access) is invoked only if all the (immediate and indirect) callers in the current call stack are trusted, or one of the callers is a privileged function and its callees are all trusted. We introduce a new variant of stackbased access control properties for higherorder programs, formalized in HOTPDL from the point of view of interactions among callers and callees.
 Prop.3.
The function yielded by applying \(\mathtt {tw}\) to a strictly increasing function is strictly increasing.
 Prop.4.
The function yielded by applying \(\mathtt {tw}\) to a terminating function is terminating.
This paper shows that HOTPDL can encode such dependent refinement types.
We also study HOTPDL model checking: given a higherorder program D over bounded integers and a HOTPDL formula \(\phi \), the problem is to decide whether \(\phi \) is satisfied by all the execution traces of D modeled as HOTs. We show the decidability of HOTPDL model checking via a reduction to modal \(\mu \)calculus model checking of higherorder recursion schemes [21, 28].
The rest of the paper is organized as follows. Section 2 formalizes HOTs and explains how to use them to model execution traces of higherorder functional programs. Section 3 defines the syntax and the semantics of HOTPDL and Sect. 4 shows how to encode stackbased access control properties and dependent refinement types in HOTPDL. Section 5 discusses HOTPDL model checking. We compare HOTPDL with related work in Sect. 6 and conclude the paper with remarks on future work in Sect. 7. Omitted proofs are given in the extended version of this paper [30].
2 HigherOrder Traces
This section defines the notion of HigherOrder Trace (HOT), which is used to model execution traces of higherorder programs. To this end, we first define \((\varSigma , \varGamma )\)labeled directed graphs and DAGs.
Definition 1
(\((\varSigma , \varGamma )\)labeled directed graphs). Let \(\varSigma \) be a finite set of node labels and \(\varGamma \) be a finite set of edge labels. A \((\varSigma , \varGamma )\)labeled directed graph is defined as a triple \((V, \lambda , \nu )\), where V is a countable set of nodes, \(\lambda : V \rightarrow \varSigma \) is a node labeling function, and \(\nu : V \times V \rightarrow 2^{\varGamma }\) is an edge labeling function. We call a \((\varSigma , \varGamma )\)labeled directed graph that has no directed cycle \((\varSigma , \varGamma )\)labeled DAG.
Note that an edge may have multiple labels. For nodes \(u,u'\in V\), \(\nu (u,u')=\emptyset \) means that there is no edge from u to \(u'\). We use \(\sigma \) and \(\gamma \) as metavariables ranging respectively over \(\varSigma \) and \(\varGamma \). We write \(V_{\sigma }\) for the set \(\left\{ u \in V \mid \sigma = \lambda (u)\right\} \) of all the nodes labeled with \(\sigma \). We also write \(V_{\varSigma }\) for the set \(\bigcup _{\sigma \in \varSigma } V_{\sigma }\). For \(u, u' \in V\), we write \(u \prec _{\gamma } u'\) if \(\gamma \in \nu (u, u')\). A binary relation \(\prec _{\gamma }^+\) (resp. \(\prec _{\gamma }^*\)) denotes the transitive (resp. reflexive and transitive) closure of \(\prec _{\gamma }\).
Definition 2
 1.
\(V \ne \emptyset \), Open image in new window , \(\varSigma =\varSigma _{\mathbf {call}}\uplus \varSigma _{\mathbf {ret}}\), and \(\varSigma _{\mathbf {call}}= \varSigma _{\mathbf {call}}^{T}\uplus \varSigma _{\mathbf {call}}^{A}\)
 2.
 3.
The elements of V are linearly ordered by \(\prec _{\mathbf {N}}\)
 4.
If Open image in new window and Open image in new window , then \(u'=u''\).
 5.
For all \(u'\in V_{\varSigma _{\mathbf {ret}}}\), there uniquely exists \(u\in V_{\varSigma _{\mathbf {call}}}\) such that Open image in new window holds.
 6.
For all \(u'\in V_{\varSigma _{\mathbf {call}}^{A}}\), there uniquely exists \(u\in V\) such that Open image in new window or Open image in new window holds.
Intuitively, \(\varSigma _{\mathbf {call}}\) (resp. \(\varSigma _{\mathbf {ret}}\)) represents a set of call (resp. return) events. \(\varSigma _{\mathbf {call}}^{T}\) (resp. \(\varSigma _{\mathbf {call}}^{A}\)) represents a set of call events of toplevel functions (resp. functions that are returned by or passed to (higherorder) functions). \(u \prec _{\mathbf {N}} u'\) means that \(u'\) is the next event of u in the trace. Open image in new window indicates that \(u'\) is the return event corresponding to the call event u. Open image in new window represents that \(u'\) is a call event of the function argument passed at the call event u. Open image in new window means that \(u'\) is a call event of the partiallyapplied function returned at the return event u. We call the minimum node of a HOT G with respect to \(\prec _{\mathbf {N}}\) the root node, denoted by \(0_G\). For HOTs \(G_1\) and \(G_2\), we say \(G_1\) is a prefix of \(G_2\) and write \(G_1 \preceq G_2\), if \(G_1\) is a subgraph of \(G_2\) such that \(0_{G_1} = 0_{G_2}\). Note that the HOT \(G_{\mathtt {tw}}\) in Sect. 1, where \(\mathbf {N}\)labeled edges are omitted, satisfies the above conditions, with \(\left\{ \mathbf {call}(\mathtt {tw},\bullet ), \mathbf {call}(\mathtt {inc},0), \mathbf {call}(\mathtt {inc},1)\right\} \subseteq \varSigma _{\mathbf {call}}^{T}\), \(\left\{ \mathbf {call}(\bullet ,0), \mathbf {call}(\bullet ,1)\right\} \subseteq \varSigma _{\mathbf {call}}^{A}\), and \(\left\{ \mathbf {ret}(\mathtt {tw},\bullet ), \mathbf {ret}(\mathtt {inc},1), \mathbf {ret}(\mathtt {inc},2), \mathbf {ret}(\bullet ,1), \mathbf {ret}(\bullet ,2)\right\} \subseteq \varSigma _{\mathbf {ret}}\).
2.1 Trace Semantics for HigherOrder Functional Programs
We now introduce a trace semantics of the language \(\mathcal {L}\), which will be used in Sect. 5 to define our model checking problems of higherorder programs. In the trace semantics, a program execution trace is represented by a sequence of function call and return events without an explicit representation of pointers but with enough information to construct them. We will explain how to model traces of \(\mathcal {L}\) as HOTs by presenting a translation.
We now define the translation from traces \(\mathbin {[\![D]\!]}_{\mathtt {fin}}\) to HOTs with Open image in new window , Open image in new window , and \(\varSigma _{\mathbf {ret}}=\left\{ \mathbf {ret}(f,n),\mathbf {ret}(f,\bullet ),\mathbf {ret}(\bullet ,n),\mathbf {ret}(\bullet ,\bullet ) \mid f \in \mathrm {dom}(D),n \in \mathbb {Z}_{b}\right\} \). We shall write \(\varSigma (D)\) for \(\varSigma _{\mathbf {call}}^{T}\cup \varSigma _{\mathbf {call}}^{A}\cup \varSigma _{\mathbf {ret}}\). Note that \(\varSigma (D)\) is finite because \(\mathrm {dom}(D)\) and \(\mathbb {Z}_{b}\) are finite. We write \(\alpha \) for the element of \(\varSigma (D)\) obtained from the event \(\alpha \) by dropping the second argument and replacing \(\left\lfloor h\right\rfloor _{i}\) and \(\left\lceil h\right\rceil _{i}\) by \(\bullet \). For example, we get \(\mathbf {call}(\mathtt {tw}, 0, \left\lfloor \mathtt {tw}\right\rfloor _{0}) = \mathbf {call}(\mathtt {tw},\bullet )\).
Definition 3

\(V_{\varpi } = \left\{ 1, \dots ,m\right\} \),

\(\lambda _{\varpi } = \left\{ j \mapsto \alpha _j \mid j \in V_{\varpi }\right\} \), and
 \(\nu _{\varpi }\) is the smallest relation that satisfies: for any \(j_1,j_2 \in V_{\varpi }\),

\(j_1 \prec _{\mathbf {N}} j_2\) if \(j_2=j_1+1\),

Open image in new window if \(\exists h,h',h'',i.\ \alpha _{j_1}=\mathbf {call}(h, i, h') \wedge \alpha _{j_2}=\mathbf {ret}(h, i, h'')\),

Open image in new window if \(\exists h,h',h'',i,i'.\ \alpha _{j_1}=\mathbf {call}(h', i, h) \wedge \alpha _{j_2}=\mathbf {call}(h, i', h'')\),

Open image in new window if \(\exists h,h',h'',i,i'.\ \alpha _{j_1}=\mathbf {ret}(h', i, h) \wedge \alpha _{j_2}=\mathbf {call}(h, i', h'')\).

For example, the HOT \(G_{\mathtt {tw}}\) in Sect. 1 is translated from the finite trace \(\varpi _{\mathtt {tw}}\) defined above (with the call and return events of \(\mathtt {main}\) omitted).
For an infinite trace \(\uppi = \alpha _1\cdot \alpha _2\cdots \in \mathbin {[\![D]\!]}_{\mathtt {inf}}\), the HOT \(G_{\uppi } = (V_{\uppi }, \lambda _{\uppi }, \nu _{\uppi })\) is defined similarly for Open image in new window and \(\lambda _{\uppi } = \left\{ j \mapsto \alpha _j \mid j \in V_{\uppi }\right\} \).
3 Propositional Dynamic Logic over HigherOrder Traces
 Prop.1.:
 Prop.2.:
In Sect. 4, we show further examples that express interesting properties of higherorder programs, including stack based access control properties and those definable using dependent refinement types. We here prepare notations used there. First, we overload the symbols \(\varSigma _{\mathbf {call}}\), \(\varSigma _{\mathbf {ret}}\), and \(\varSigma _{\mathbf {call}}^{T}\) to denote the path expressions \(\left\{ \bigvee \varSigma _{\mathbf {call}}\right\} ?\), \(\left\{ \bigvee \varSigma _{\mathbf {ret}}\right\} ?\), and \(\left\{ \bigvee \varSigma _{\mathbf {call}}^{T}\right\} ?\), respectively. We write \(\rightarrow _F\) for the path expression Open image in new window , which is used to move from a call event to the next event of the caller (by skipping to the next event of the corresponding return event). We also write \(\nearrow _F\) for the path expression \(\varSigma _{\mathbf {call}}\cdot \rightarrow \cdot \rightarrow _F^* \cdot \varSigma _{\mathbf {call}}\), which is used to move from a call event to any call event invoked by the callee. Figure 3 illustrates the pairs of nodes in \(G_{\mathtt {tw}}\) related by \(\nearrow _F\). To capture control flow of higherorder programs, where function callers and callees may exchange functions as values, we need to use Open image in new window  and Open image in new window labeled edges. For example, an event raised by the function argument \(f_{ arg }\) of a higherorder function f could be regarded as an event of the caller g of f, because \(f_{ arg }\) is constructed by g. Similarly, an event raised by the (partiallyapplied) function \(f_{ ret }\) returned by a function f could be regarded as an event of f. To formalize the idea, we introduce variants \(\rightarrow _H\) and \(\nearrow _H\) of \(\rightarrow _F\) and \(\nearrow _F\) with higherorder control flow taken into consideration: \(\rightarrow _H\) denotes Open image in new window and \(\nearrow _F\) denotes \(\varSigma _{\mathbf {call}}^{T}\cdot \rightarrow \cdot \rightarrow _H^* \cdot \varSigma _{\mathbf {call}}^{T}\). Note that the source and the target of \(\nearrow _H\) are restricted to call events of toplevel functions. Figure 4 illustrates the pairs of nodes in \(G_{\mathtt {tw}}\) related by \(\nearrow _H\), where nodes labeled with events of the same function (in the sense discussed above) are arranged in the same horizontal line.
4 Applications of HOTPDL
We show how to encode dependent refinement types and stackbased access control properties using HOTPDL.
4.1 Dependent Refinement Types
 Prop.3.:
 Prop.4.:
\( (f:(x:\mathtt {int}) \rightarrow \mathtt {int}^{\exists }) \rightarrow \left( (x : \mathtt {int}) \rightarrow \mathtt {int}^{\exists }\right) ^{\forall } \)
 Prop.3.:
 Prop.4.:
4.2 StackBased Access Control Properties
5 HOTPDL Model Checking
In this section, we define HOTPDL model checking problems for higherorder functional programs over bounded integers and sketch a proof of the decidability.
Definition 4
(HOTPDL model checking). Given a program D and a HOTPDL formula \(\phi \) with \(\mathcal {AP}=\varSigma (D)\), HOTPDL model checking is the problem of deciding whether \(G_{\varpi } \models \phi \) and \(G_{\uppi } \models \phi \) for all \(\varpi \in \mathbin {[\![D]\!]}_{\mathtt {fin}}\) and \(\uppi \in \mathbin {[\![D]\!]}_{\mathtt {inf}}\).
Theorem 1
(Decidability). HOTPDL model checking is decidable.
We show this by a reduction to modal \(\mu \)calculus (\(\mu \)ML) model checking of higherorder recursion schemes (HORSs), which is known decidable [21, 28]. A HORS is a grammar for generating a (possibly infinite) ranked tree, and HORSs are essentially simplytyped lambda calculus with general recursion, tree constructors, and finite data domains such as booleans and bounded integers.
It is also worth mentioning here that we are allowed to expand DAGs into trees because the truth value of a HOTPDL formula is not affected by nodesharing in the given HOT. This nice property is lost if we extend the path expressions of HOTPDL, for example, with intersections. Thus, the decidability of model checking for extensions of HOTPDL is an open problem.
 \(m_{\mathbf {N}}\): The handler always creates and links two new nodes \(u_{\mathbf {N}}\) and \(u_{\alpha }\) labeled respectively with \(\mathbf {N}\) and the event \(\alpha \) observed. The handler then continues as follows, depending on the form of the event \(\alpha \):

\(\mathbf {call}(g,n)\): Spawns a new handler with the mode Open image in new window . Then, the two handlers of the modes \(m_{\mathbf {N}}\) and Open image in new window continue to create subtrees of \(u_{\alpha }\).

\(\mathbf {call}(g,\bullet )\): Spawns two new handlers with the modes Open image in new window and Open image in new window . The three handlers of \(m_{\mathbf {N}}\), Open image in new window , and Open image in new window continue to create subtrees of \(u_{\alpha }\).

\(\mathbf {ret}(g,n)\): The handler of the mode \(m_{\mathbf {N}}\) continues to create a subtree of \(u_{\alpha }\).

\(\mathbf {ret}(g,\bullet )\): Spawns a new handler with the mode Open image in new window . Then, the two handlers of the modes \(m_{\mathbf {N}}\) and Open image in new window continue to create subtrees of \(u_{\alpha }\).


Open image in new window : The handler ignores all events but the return event corresponding to the call event that caused the spawn of the handler. If not ignored, the handler creates and links new nodes Open image in new window and \(u_{\alpha }\) labeled with Open image in new window and the event \(\alpha \). The handler changes its mode to \(m_{\mathbf {N}}\) and continues creating a subtree of \(u_{\alpha }\).

Open image in new window : The handler ignores all events but the call event of the function passed to or returned by the call or return event that caused the spawn of the handler. If not ignored, the handler creates and links new nodes u and \(u_{\alpha }\) labeled respectively with Open image in new window or Open image in new window and the event \(\alpha \), duplicates itself, and changes the mode of the original to \(m_{\mathbf {N}}\). The handler of the mode \(m_{\mathbf {N}}\) (resp. Open image in new window ) continues to create a subtree of \(u_{\alpha }\) (resp. the parent of u).
For simplicity of the construction, we assume that D is in the ContinuationPassing Style (CPS). This does not lose generality because we can enforce this form by the CPS transformation. Because CPS explicates the order of function call and return events, it simplifies event monitoring, handling, and tracking of the current mode of the monitors, which often changes as monitoring proceeds.
6 Related Work
HOTPDL can specify temporal trace properties of higherorder programs. An extension for specifying branching properties, however, remains a future work.
There have been proposed logics and formal languages on richer structures than words. Regular languages of nested words, or equivalently, Visibly Pushdown Languages (VPLs) have been introduced by Alur and Madhusudan [7]. An (\(\omega \))nested word is a (possibly infinite) word with additional wellnested pointers from call events to the corresponding return events. Compared to temporal logics CaRet [5] and NWTL [4] over (\(\omega \))nested words, HOTPDL is defined over HOTs that have richer structures. Recall that a HOT is equipped with two kinds of pointers: one kind with the label Open image in new window , which is the same as the pointers of nested words, and the other kind with the label Open image in new window or Open image in new window , which is newly introduced to capture higherorder control flow. Bollig et al. proposed nested traces as a generalization of nested words for modeling traces of concurrent (firstorder) recursive programs, and presented temporal logics over nested traces [8]. Nested traces, however, cannot model traces of higherorder programs. We expect a combination of our work with theirs enables us to specify temporal trace properties of concurrent and higherorder recursive programs. Cyriac et al. have recently introduced an extension of PDL defined over traces of order2 collapsible pushdown systems (CPDS) [3]. Interestingly, their traces are also equipped with two kinds of pointers: one kind of pointers captures the correspondence between ordinary push and pop stack operations, and the other captures the correspondence between order2 push and pop operations for secondorder stacks. Our work deals with higherorder programs that correspond to ordern CPDS for arbitrary n.
Finally, we compare HOTPDL with existing logics defined over words. It is well known that LTL is less expressive than \(\omega \)regular languages [38]. To remedy the limitation of LTL, Wolper introduced ETL [38] that allows users to define new temporal operators using rightlinear grammars. Henriksen and Thiagarajan proposed DLTL [17] that generalizes the until operator of LTL using regular expressions. Leucker and Sánchez proposed RLTL [25] that combines LTL and regular expressions. Vardi and Giacomo have introduced Linear Dynamic Logic (LDL), a variant of PDL interpreted over infinite words [15, 35]. \(\mathrm {LDL}_f\), a variant of PDL interpreted over finite words, has also been studied in [15]. ETL, DLTL, RLTL, and LDL are as expressive as \(\omega \)regular languages. Note that HOTPDL subsumes (\(\omega \))regular languages because LDL and \(\mathrm {LDL}_f\) can be naturally embedded in HOTPDL. (\(\omega \))VPLs strictly subsume (\(\omega \))regular languages. Though CaRet [5] and NWTL [4] are defined over nested words, they do not capture the full class of VPLs [10]. To remedy the limitation, VLTL [10] combines LTL and VRE [9] in the style of RLTL, where VRE is a generalization of regular expressions for VPLs. VLDL [37] extends LDL by replacing the path expressions with VPLs over finite words. VLTL and VLDL exactly characterize \(\omega \)VPLs. Because VPLs and HOTPDL are incomparable, it remains future work to extend HOTPDL to subsume (\(\omega \))VPLs.
7 Conclusion and Future Work
We have presented HOTPDL, an extension of PDL defined over HOTs that model execution traces of callbyvalue and higherorder programs. HOTPDL enables a precise specification of temporal trace properties of higherorder programs and consequently provides a foundation for specification in various application domains including stackbased access control and dependent refinement types. We have also studied HOTPDL model checking and presented a reduction method to modal \(\mu \)calculus model checking of higherorder recursion schemes.
To further widen the scope of our approach, it is worth investigating how to adapt HOTs and HOTPDL to callbyname and/or effectful languages. To this end, it is natural to incorporate more ideas from achievements of game semantics [1, 20, 32] and extend HOTs with new kinds of events and pointers for capturing callbyname and/or effectful computations.
Footnotes
 1.
The symbol \(\cdots \) indicates the omission of a subsequence. The two omitted subsequences are Open image in new window and Open image in new window in this order.
 2.
We do not compare with the other variants in [13] because they are too syntactic to be preserved by simple program transformations like inlining.
 3.
There, for simplicity, we illustrate an unranked tree and omit the label of branching nodes. In the formalization, we express an unranked tree as a binary tree using a special node label \(\mathbf {br}\) of the arity 2 representing a binary branching.
Notes
Acknowledgments
We would like to thank anonymous referees for their useful comments. This work was supported by JSPS KAKENHI Grant Numbers 15H05706, 16H05856, 17H01720, and 17H01723.
References
 1.Abramsky, S., Jagadeesan, R., Malacaria, P.: Full abstraction for PCF. Inf. Comput. 163, 409–470 (2000)MathSciNetCrossRefGoogle Scholar
 2.Abramsky, S., McCusker, G.: Callbyvalue games. In: Nielsen, M., Thomas, W. (eds.) CSL 1997. LNCS, vol. 1414, pp. 1–17. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028004CrossRefGoogle Scholar
 3.Aiswarya, C., Gastin, P., Saivasan, P.: Nested words for order2 pushdown systems. arXiv:1609.06290 (2016)
 4.Alur, R., Arenas, M., Barcelo, P., Etessami, K., Immerman, N., Libkin, L.: Firstorder and temporal logics for nested words. Log. Methods Comput. Sci. 4(4), 1–44 (2008)MathSciNetCrossRefGoogle Scholar
 5.Alur, R., Etessami, K., Madhusudan, P.: A temporal logic of nested calls and returns. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 467–481. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540247302_35CrossRefzbMATHGoogle Scholar
 6.Alur, R., Madhusudan, P.: Visibly pushdown languages. In: STOC 2004, pp. 202–211. ACM (2004)Google Scholar
 7.Alur, R., Madhusudan, P.: Adding nesting structure to words. J. ACM 56(3), 16:1–16:43 (2009)MathSciNetCrossRefGoogle Scholar
 8.Bollig, B., Cyriac, A., Gastin, P., Zeitoun, M.: Temporal logics for concurrent recursive programs: satisfiability and model checking. J. Appl. Log. 12(4), 395–416 (2014)MathSciNetCrossRefGoogle Scholar
 9.Bozzelli, L., Sánchez, C.: Visibly rational expressions. In: FSTTCS 2012. LIPIcs, vol. 18, pp. 211–223. Schloss DagstuhlLeibnizZentrum fuer Informatik (2012)Google Scholar
 10.Bozzelli, L., Sánchez, C.: Visibly linear temporal logic. In: Demri, S., Kapur, D., Weidenbach, C. (eds.) IJCAR 2014. LNCS (LNAI), vol. 8562, pp. 418–433. Springer, Cham (2014). https://doi.org/10.1007/9783319085876_33CrossRefGoogle Scholar
 11.Carreiro, F., Venema, Y.: PDL inside the \(\mu \)calculus: a syntactic and an automatatheoretic characterization. Adv. Modal Log. 10, 74–93 (2014)Google Scholar
 12.Disney, T., Flanagan, C., McCarthy, J.: Temporal higherorder contracts. In: ICFP 2011, pp. 176–188. ACM (2011)Google Scholar
 13.Fournet, C., Gordon, A.D.: Stack inspection: theory and variants. In: POPL 2002, pp. 307–318. ACM (2002)Google Scholar
 14.Fujima, K., Ito, S., Kobayashi, N.: Practical alternating parity tree automata model checking of higherorder recursion schemes. In: Shan, C. (ed.) APLAS 2013. LNCS, vol. 8301, pp. 17–32. Springer, Cham (2013). https://doi.org/10.1007/9783319035420_2CrossRefGoogle Scholar
 15.Giacomo, G.D., Vardi, M.Y.: Linear temporal logic and linear dynamic logic on finite traces. In: IJCAI 2013, pp. 854–860. AAAI Press (2013)Google Scholar
 16.Harel, D., Tiuryn, J., Kozen, D.: Dynamic Logic. MIT Press, Cambridge (2000)zbMATHGoogle Scholar
 17.Henriksen, J.G., Thiagarajan, P.: Dynamic linear time temporal logic. Ann. Pure Appl. Log. 96(1), 187–207 (1999)MathSciNetCrossRefGoogle Scholar
 18.Hofmann, M., Chen, W.: Abstract interpretation from Büchi automata. In: CSLLICS 2014, pp. 51:1–51:10. ACM (2014)Google Scholar
 19.Honda, K., Yoshida, N.: Game theoretic analysis of callbyvalue computation. In: Degano, P., Gorrieri, R., MarchettiSpaccamela, A. (eds.) ICALP 1997. LNCS, vol. 1256, pp. 225–236. Springer, Heidelberg (1997). https://doi.org/10.1007/3540631658_180CrossRefGoogle Scholar
 20.Hyland, J.M.E., Ong, C.H.L.: On full abstraction for PCF: I, II, and III. Inf. Comput. 163, 285–408 (2000)MathSciNetCrossRefGoogle Scholar
 21.Kobayashi, N., Ong, C.H.L.: A type system equivalent to the modal Mucalculus model checking of higherorder recursion schemes. In: LICS 2009, pp. 179–188. IEEE (2009)Google Scholar
 22.Kobayashi, N., Tsukada, T., Watanabe, K.: Higherorder program verification via HFL model checking. In: Ahmed, A. (ed.) ESOP 2018. LNCS, vol. 10801, pp. 711–738. Springer, Cham (2018). https://doi.org/10.1007/9783319898841_25CrossRefGoogle Scholar
 23.Koskinen, E., Terauchi, T.: Local temporal reasoning. In: CSLLICS 2014, pp. 59:1–59:10. ACM (2014)Google Scholar
 24.Lester, M.M., Neatherway, R.P., Ong, C.H.L., Ramsay, S.J.: Model checking liveness properties of higherorder functional programs (2011). http://mjolnir.comlab.ox.ac.uk/papers/thors.pdf
 25.Leucker, M., Sánchez, C.: Regular linear temporal logic. In: Jones, C.B., Liu, Z., Woodcock, J. (eds.) ICTAC 2007. LNCS, vol. 4711, pp. 291–305. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540752929_20CrossRefGoogle Scholar
 26.Murase, A., Terauchi, T., Kobayashi, N., Sato, R., Unno, H.: Temporal verification of higherorder functional programs. In: POPL 2016, pp. 57–68. ACM (2016)Google Scholar
 27.Nanjo, Y., Unno, H., Koskinen, E., Terauchi, T.: A fixpoint logic and dependent effects for temporal property verification. In: LICS 2018. ACM (2018)Google Scholar
 28.Ong, C.H.L.: On modelchecking trees generated by higherorder recursion schemes. In: LICS 2006, pp. 81–90. IEEE (2006)Google Scholar
 29.Rondon, P., Kawaguchi, M., Jhala, R.: Liquid types. In: PLDI 2008, pp. 159–169. ACM (2008)Google Scholar
 30.Satake, Y., Unno, H.: Propositional dynamic logic for higherorder functional programs (2018). http://www.cs.tsukuba.ac.jp/~uhiro/
 31.Suzuki, R., Fujima, K., Kobayashi, N., Tsukada, T.: Streett automata model checking of higherorder recursion schemes. In: FSCD 2017. LIPIcs, vol. 84, pp. 32:1–32:18. Schloss DagstuhlLeibnizZentrum fuer Informatik (2017)Google Scholar
 32.Tzevelekos, N.: Nominal game semantics. Ph.D. thesis, University of Oxford (2008)Google Scholar
 33.Unno, H., Kobayashi, N.: Dependent type inference with interpolants. In: PPDP 2009, pp. 277–288. ACM (2009)Google Scholar
 34.Unno, H., Satake, Y., Terauchi, T.: Relatively complete refinement type system for verification of higherorder nondeterministic programs. Proc. ACM Program. Lang. 2(POPL), 12:1–12:29 (2017)CrossRefGoogle Scholar
 35.Vardi, M.Y.: The rise and fall of LTL. GandALF (2011)Google Scholar
 36.Vazou, N., Seidel, E.L., Jhala, R., Vytiniotis, D., Peyton Jones, S.L.: Refinement types for Haskell. In: ICFP 2014, pp. 269–282. ACM (2014)Google Scholar
 37.Weinert, A., Zimmermann, M.: Visibly linear dynamic logic. In: FSTTCS 2016. LIPIcs, vol. 65, pp. 28:1–28:14. Schloss DagstuhlLeibnizZentrum fuer Informatik (2016)Google Scholar
 38.Wolper, P.: Temporal logic can be more expressive. Inf. Control 56(1), 72–99 (1983)MathSciNetCrossRefGoogle Scholar
 39.Xi, H.: Dependent types for program termination verification. In: LICS 2001, pp. 231–242. IEEE (2001)Google Scholar
 40.Xi, H., Pfenning, F.: Dependent types in practical programming. In: POPL 1999, pp. 214–227. ACM (1999)Google Scholar
Copyright information
<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>