Results 1  10
of
22
A practical and complete approach to predicate refinement
 In Tools and Algorithms for the Construction and Analysis of Systems, LNCS 3920
, 2006
"... Abstract. Predicate abstraction is a method of synthesizing the strongest inductive invariant of a system expressible as a Boolean combination of a given set of atomic predicates. A predicate selection method can be said to be complete for a given theory if it is guaranteed to eventually find atomic ..."
Abstract

Cited by 55 (6 self)
 Add to MetaCart
Abstract. Predicate abstraction is a method of synthesizing the strongest inductive invariant of a system expressible as a Boolean combination of a given set of atomic predicates. A predicate selection method can be said to be complete for a given theory if it is guaranteed to eventually find atomic predicates sufficient to prove a given property, when such exist. Current heuristics are incomplete, and often diverge on simple examples. We present a practical method of predicate selection that is complete in the above sense. The method is based on interpolation and uses a “split prover”, somewhat in the style of structurebased provers used in artificial intelligence. We show that it allows the verification of a variety of simple programs that cannot be verified by existing software model checkers. 1
Cogent: Accurate theorem proving for program verification
 Proceedings of CAV 2005, volume 3576 of Lecture Notes in Computer Science
, 2005
"... Abstract. Many symbolic software verification engines such as Slam and ESC/Java rely on automatic theorem provers. The existing theorem provers, such as Simplify, lack precise support for important programming language constructs such as pointers, structures and unions. This paper describes a theore ..."
Abstract

Cited by 35 (10 self)
 Add to MetaCart
Abstract. Many symbolic software verification engines such as Slam and ESC/Java rely on automatic theorem provers. The existing theorem provers, such as Simplify, lack precise support for important programming language constructs such as pointers, structures and unions. This paper describes a theorem prover, Cogent, that accurately supports all ANSIC expressions. The prover’s implementation is based on a machinelevel interpretation of expressions into propositional logic, and supports finite machinelevel variables, bit operations, structures, unions, references, pointers and pointer arithmetic. When used by Slam during the model checking of over 300 benchmarks, Cogent’s improved accuracy reduced the number of Slam timeouts by half, increased the number of true errors found, and decreased the number of false errors. 1
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1
Refining Approximations in Software Predicate Abstraction
 In: TACAS 04: Tools and Algorithms for Construction and Analysis of Systems, SpringerVerlag
, 2004
"... Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of comp ..."
Abstract

Cited by 31 (9 self)
 Add to MetaCart
Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates.
Explaining abstract counterexamples
 In Proc. of the International Symposium on Foundations of Software Engineering
, 2004
"... When a program violates its specification a model checker produces a counterexample that shows an example of undesirable behavior. It is up to the user to understand the error, locate it, and fix the problem. Previous work introduced a technique for explaining and localizing errors based on finding ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
When a program violates its specification a model checker produces a counterexample that shows an example of undesirable behavior. It is up to the user to understand the error, locate it, and fix the problem. Previous work introduced a technique for explaining and localizing errors based on finding the closest execution to a counterexample, with respect to a distance metric. That approach was applied only to concrete executions of programs. This paper extends and generalizes the approach by combining it with predicate abstraction. Using an abstract statespace increases scalability and makes explanations more informative. Differences between executions are presented in terms of predicates derived from the specification and program, rather than specific changes to variable values. Reasoning to the cause of an error from the fact that in the failing run x < y, but in the successful execution x = y is easier than reasoning from the information that in the failing run y = 239, but in the successful execution y = 232. An abstract explanation is automatically generalized. Predicate abstraction has previously been used in model checking purely as a statespace reduction technique. However, an abstraction good enough to enable a model checking tool to find an error is also likely to be useful as an automatically generated highlevel description of a state space — suitable for use by programmers. Results demonstrating the effectiveness of abstract explanations support this claim.
Efficient Verification of Sequential and Concurrent C Programs
, 2003
"... There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model c ..."
Abstract

Cited by 27 (11 self)
 Add to MetaCart
There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model checking remains the chief obstacle to the practical veri cation of realworld distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction eective is to use as few predicates as possible. This is because, in the worst case, the state space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.
Program analysis with dynamic precision adjustment
 IN: PROC. ASE
, 2008
"... We present and evaluate a framework and tool for combining multiple program analyses which allows the dynamic (online) adjustment of the precision of each analysis depending on the accumulated results. For example, the explicit tracking of the values of a variable may be switched off in favor of a ..."
Abstract

Cited by 15 (9 self)
 Add to MetaCart
We present and evaluate a framework and tool for combining multiple program analyses which allows the dynamic (online) adjustment of the precision of each analysis depending on the accumulated results. For example, the explicit tracking of the values of a variable may be switched off in favor of a predicate abstraction when and where the number of different variable values that have been encountered has exceeded a specified threshold. The method is evaluated on verifying the SSH client/server software and shows significant gains compared with predicate abstractionbased model checking.
Model checking software at compile time
 IN: PROC. OF THE 1ST IEEE & IFIP INTERNATIONAL SYMPOSIUM ON THEORETICAL ASPECTS OF SOFTWARE ENGINEERING (TASE
, 2007
"... Software has been under scrutiny by the verification community from various angles in the recent past. There are two major algorithmic approaches to ensure the correctness of and to eliminate bugs from such systems: software model checking and static analysis. Those approaches are typically compleme ..."
Abstract

Cited by 11 (10 self)
 Add to MetaCart
Software has been under scrutiny by the verification community from various angles in the recent past. There are two major algorithmic approaches to ensure the correctness of and to eliminate bugs from such systems: software model checking and static analysis. Those approaches are typically complementary. In this paper we use a model checking approach to solve static analysis problems. This not only avoids the scalability and abstraction issues typically associated with model checking, it allows for specifying new properties in a concise and elegant way, scales well to large code bases, and the builtin optimizations of modern model checkers enable scalability also in terms of numbers of properties to be checked. In particular, we present Goanna, the first C/C++ static source code analyzer using the offtheshelf model checker NuSMV, and we demonstrate Goanna’s suitability for developer machines by evaluating its runtime performance, memory consumption and scalability using the source code of OpenSSL as a test bed.
Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction
"... Abstract. Procedures for analysis of linear hybrid automata (LHA) do not scale well with the number of continuous state variables in the model. This paper introduces iterative relaxation abstraction (IRA), a new method for reachability analysis of LHA that aims to improve scalability by combining th ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Abstract. Procedures for analysis of linear hybrid automata (LHA) do not scale well with the number of continuous state variables in the model. This paper introduces iterative relaxation abstraction (IRA), a new method for reachability analysis of LHA that aims to improve scalability by combining the capabilities of current tools for analysis of lowdimensional LHA with the power of linear programming (LP) for large numbers of constraints and variables. IRA is inspired by the success of counterexample guided abstraction refinement (CEGAR) techniques in verification of discrete systems. On each iteration, a lowdimensional LHA called a relaxation abstraction is constructed using a subset of the continuous variables from the original LHA. Hybrid system reachability analysis then generates a regular language called the discrete path abstraction representing all possible counterexamples (paths to the bad locations) in the relaxation abstraction. If the discrete path abstraction is nonempty, a particular counterexample is selected and LP infeasibility
Approximating predicate images for bitvector logic
 In TACAS
, 2006
"... Abstract. Predicate abstraction refinement is a successful technique for verifying large ANSIC programs. However, computing the image of the predicates with respect to the transition relation is computationally expensive. Recent results have shown that predicate images can be computed by transformi ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. Predicate abstraction refinement is a successful technique for verifying large ANSIC programs. However, computing the image of the predicates with respect to the transition relation is computationally expensive. Recent results have shown that predicate images can be computed by transforming a proof of a formula over integers into a Boolean formula that is satisfiable if and only if the original formula is satisfiable. However, the existing algorithms compute the closure of the proof rules that are used to axiomatize the logic, and thus, rely on the fact that the set of axioms is small. They are therefore limited to logics of low complexity, such as difference logic. We describe a proofbased algorithm that computes an overapproximation of the predicate image but in turn allows a rich set of axioms. The algorithm can be used to compute images of predicates using a combination of bitvector logic, the theory of arrays, and pointer arithmetic. The proofbased approach can also be used to refine the image. We quantify the performance of the algorithm in comparison with a Das/Dilllike greedy incremental refinement of the image and a proofbased incremental refinement. 1