Results 1  10
of
19
Verifying properties of wellfounded linked lists
, 2005
"... We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a ..."
Abstract

Cited by 44 (5 self)
 Add to MetaCart
We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a circular list invariably contains a distinguished head cell that provides a handle on the list. This observation suggests a programming methodology that requires the heap of the program at each step to be wellfounded, i.e., for any field f in the program, every sequence u.f,u.f.f,... contains at least one head cell. We believe that our methodology captures the most common idiom of programming with linked data structures. We enforce our methodology by automatically instrumenting the program with updates to two auxiliary variables representing these predicates and adding assertions in terms of these auxiliary variables. To prove program properties and the instrumented assertions, we provide a firstorder axiomatization of our two predicates. We also introduce a novel induction principle made possible by the wellfoundedness of the heap. We use our induction principle to derive from two basic axioms a small set of additional firstorder axioms that are useful for proving the correctness of several programs. We have implemented our method in a tool and used it to verify the correctness of a variety of nontrivial programs manipulating both acyclic and cyclic singlylinked lists and doublylinked lists. We also demonstrate the use of indexed predicate abstraction to automatically synthesize loop invariants for these examples.
Boolean heaps
 In SAS
, 2005
"... Abstract. We show that the idea of predicates on heap objects can be cast in the framework of predicate abstraction. This leads to an alternative view on the underlying concepts of threevalued shape analysis by Sagiv, Reps and Wilhelm. Our construction of the abstract post operator is analogous to ..."
Abstract

Cited by 39 (9 self)
 Add to MetaCart
Abstract. We show that the idea of predicates on heap objects can be cast in the framework of predicate abstraction. This leads to an alternative view on the underlying concepts of threevalued shape analysis by Sagiv, Reps and Wilhelm. Our construction of the abstract post operator is analogous to the corresponding construction for classical predicate abstraction, except that predicates over objects on the heap take the place of state predicates, and boolean heaps (sets of bitvectors) take the place of boolean states (bitvectors). A program is abstracted to a program over boolean heaps. For each command of the program, the corresponding abstract command is effectively constructed by deductive reasoning, namely by the application of the weakest precondition operator and an entailment test. We thus obtain a symbolic framework for shape analysis. 1
Modular Data Structure Verification
 EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract

Cited by 36 (21 self)
 Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higherorder logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to firstorder logic, which enables the use of existing resolutionbased theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Field constraint analysis
 In Proc. Int. Conf. Verification, Model Checking, and Abstract Interpratation
, 2006
"... ..."
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1
Predicate Abstraction with Minimum Predicates
 In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME
, 2003
"... Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requiremen ..."
Abstract

Cited by 30 (8 self)
 Add to MetaCart
Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requirements) in the number of predicates involved. If a property can be proven to hold or not hold based on a given finite set of predicates P, the procedure we propose in this paper finds automatically a minimal subset of P that is sufficient for the proof. We explain how our technique can be used for more efficient verification of C programs. Our experiments show that predicate minimization can result in a significant reduction of both verification time and memory usage compared to earlier methods.
Efficient Verification of Sequential and Concurrent C Programs
, 2003
"... There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model c ..."
Abstract

Cited by 27 (11 self)
 Add to MetaCart
There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model checking remains the chief obstacle to the practical veri cation of realworld distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction eective is to use as few predicates as possible. This is because, in the worst case, the state space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.
A logic and decision procedure for predicate abstraction of heapmanipulating programs
 UBC Dept. Comp. Sci
, 2005
"... Abstract. An important and ubiquitous class of programs are heapmanipulating programs (HMP), which manipulate unbounded linked data structures by following pointers and updating links. Predicate abstraction hasprovedtobeaninvaluable technique in the field of software model checking; this technique ..."
Abstract

Cited by 21 (4 self)
 Add to MetaCart
Abstract. An important and ubiquitous class of programs are heapmanipulating programs (HMP), which manipulate unbounded linked data structures by following pointers and updating links. Predicate abstraction hasprovedtobeaninvaluable technique in the field of software model checking; this technique relies on an efficient decision procedure for the underlying logic. The expression and proof of many interesting HMP safety properties require transitive closure predicates; such predicates express that some node can be reached from another node by following a sequence of (zero or more) links in the data structure. Unfortunately, adding support for transitive closure often yields undecidability, so one must be careful in defining such a logic. Our primary contributions are the definition of a simple transitive closure logic for use in predicate abstraction of HMPs, and a decision procedure for this logic. Through several experimental examples, we demonstrate that our logic is expressive enough to prove interesting properties with predicate abstraction, and that our decision procedure provides us with both a time and space advantage over previous approaches. 1
On the Boolean Algebra of Shape Analysis Constraints
, 2003
"... Shape analysis is a promising technique for statically verifying and extracting properties of programs that manipulate complex data structures. We introduce a new characterization of constraints that arise in parametric shape analysis based on manipulation of threevalued structures as dataflow fact ..."
Abstract

Cited by 18 (10 self)
 Add to MetaCart
Shape analysis is a promising technique for statically verifying and extracting properties of programs that manipulate complex data structures. We introduce a new characterization of constraints that arise in parametric shape analysis based on manipulation of threevalued structures as dataflow facts. We identify an interesting syntactic class of firstorder logic formulas that captures the meaning of threevalued structures under concretization. This class is broader than previously introduced classes, allowing for a greater flexibility in the formulation of shape analysis constraints in program annotations and internal analysis representations. Threevalued structures can be viewed as one possible normal form of the formulas in our class. Moreover, we characterize the meaning of threevalued
Automated Compositional Abstraction Refinement for Concurrent C Programs: A TwoLevel Approach
, 2003
"... The state space explosion problem in model checking remains the chief obstacle to the practical verification of realworld distributed systems. We attempt to address this problem in the context of verifying concurrent (messagepassing) C programs against safety specifications. More specifically, we ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
The state space explosion problem in model checking remains the chief obstacle to the practical verification of realworld distributed systems. We attempt to address this problem in the context of verifying concurrent (messagepassing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (operating respectively on data and events) within a counterexampleguided abstraction refinement (CEGAR) scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Our explicit use of compositionality delays the onset of state space explosion for as long as possible. To our knowledge, this is the first compositional use of CEGAR in the context of model checking concurrent C programs. We describe our approach in detail, and report on some very encouraging preliminary experimental results obtained with our tool MAGIC.