Results 1  10
of
55
A Framework for Numeric Analysis of Array Operations
"... Automatic discovery of relationships among values of array elements is a challenging problem due to the unbounded nature of arrays. We present a framework for analyzing array operations that is capable of capturing numeric properties of array elements. In particular, the analysis is able to establis ..."
Abstract

Cited by 67 (10 self)
 Add to MetaCart
Automatic discovery of relationships among values of array elements is a challenging problem due to the unbounded nature of arrays. We present a framework for analyzing array operations that is capable of capturing numeric properties of array elements. In particular, the analysis is able to establish that all array elements are initialized by an arrayinitialization loop, as well as to discover numeric constraints on the values of initialized elements.
Lifting abstract interpreters to quantified logical domains
 In POPL
, 2008
"... Today, abstract interpretation is capable of inferring a wide variety of quantifierfree program invariants. In this paper, we describe a general technique for building powerful quantified abstract domains that leverage existing quantifierfree domains. For example, from a domain that abstracts fact ..."
Abstract

Cited by 59 (0 self)
 Add to MetaCart
(Show Context)
Today, abstract interpretation is capable of inferring a wide variety of quantifierfree program invariants. In this paper, we describe a general technique for building powerful quantified abstract domains that leverage existing quantifierfree domains. For example, from a domain that abstracts facts like a[1] = 0, we automatically construct a domain that can represent universally quantified facts like ∀i(0 ≤ i < n ⇒ a[i] = 0). The principal challenge in building such a domain is that, while most domains supply overapproximations of operations like join, meet, and variable elimination, working with the guards of quantified facts requires underapproximation. A crucial component of our approach is an automatic technique to convert the standard overapproximation operations provided with all domains into sound underapproximations. The correctness of our abstract interpreters is established by identifying two lattices–one that establishes the soundness of the abstract interpreter and another that defines its precision, or completeness. Despite the computational intractability of inferring quantified facts in general, we prove that the analyses we generate are complete relative to a very natural partial order. interpreters on top of domains for linear arithmetic, uninterpreted function symbols (used to model heap accesses), and pointer reachability. Our experiments on a variety of programs using arrays and pointers (including several sorting algorithms) demonstrate the feasibility of the approach on challenging examples. 1.
Path invariants
 In PLDI
, 2007
"... The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is i ..."
Abstract

Cited by 49 (6 self)
 Add to MetaCart
(Show Context)
The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is identified as an infeasible error path, and the abstraction is refined in order to remove that path. By contrast, we view the cause of a false alarm —the spurious counterexample — as a fullfledged program, namely, a fragment of the original program whose controlflow graph may contain loops and represent unbounded computations. There are two advantages to using such path programs as counterexamples for abstraction refinement. First, we can bring the whole machinery of program analysis to bear on path programs, which are typically small compared to the original program. Specifically, we use constraintbased invariant generation to automatically infer invariants of path programs —socalled path invariants. Second, we use path invariants for abstraction refinement in order to remove not one infeasibility at a time, but at once all (possibly infinitely many) infeasible error computations that are represented by a path program. Unlike previous predicate discovery schemes, our method handles loops without unrolling them; it infers abstractions that involve universal quantification and naturally incorporates disjunctive reasoning.
Discovering properties about arrays in simple programs
 PLDI’2008
, 2008
"... Array bound checking and array dependency analysis (for parallelization) have been widely studied. However, there are much less results about analyzing properties of array contents. In this paper, we propose a way of using abstract interpretation for discovering properties about array contents in so ..."
Abstract

Cited by 47 (2 self)
 Add to MetaCart
(Show Context)
Array bound checking and array dependency analysis (for parallelization) have been widely studied. However, there are much less results about analyzing properties of array contents. In this paper, we propose a way of using abstract interpretation for discovering properties about array contents in some restricted cases: onedimensional arrays, traversed by simple “for ” loops. The basic idea, borrowed from [15], consists in partitioning arrays into symbolic intervals (e.g., [1, i−1], [i, i], [i + 1, n]), and in associating with each such interval I and each array A an abstract variable AI; the new idea is to consider relational abstract properties ψ(AI, BI,...) about these abstract variables, and to interpret such a property pointwise on the interval I: ∀ℓ ∈ I, ψ(A[ℓ], B[ℓ],...). The abstract semantics properties has been defined and implemented in a prototype tool. The method is able, for instance, to discover that the result of an insertion sort is a sorted array, or that, in an array traversal guarded by a “sentinel”, the index stays within the bounds.
Verifying properties of wellfounded linked lists
, 2005
"... We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a ..."
Abstract

Cited by 46 (5 self)
 Add to MetaCart
(Show Context)
We describe a novel method for verifying programs that manipulate linked lists, based on two new predicates that characterize reachability of heap cells. These predicates allow reasoning about both acyclic and cyclic lists uniformly with equal ease. The crucial insight behind our approach is that a circular list invariably contains a distinguished head cell that provides a handle on the list. This observation suggests a programming methodology that requires the heap of the program at each step to be wellfounded, i.e., for any field f in the program, every sequence u.f,u.f.f,... contains at least one head cell. We believe that our methodology captures the most common idiom of programming with linked data structures. We enforce our methodology by automatically instrumenting the program with updates to two auxiliary variables representing these predicates and adding assertions in terms of these auxiliary variables. To prove program properties and the instrumented assertions, we provide a firstorder axiomatization of our two predicates. We also introduce a novel induction principle made possible by the wellfoundedness of the heap. We use our induction principle to derive from two basic axioms a small set of additional firstorder axioms that are useful for proving the correctness of several programs. We have implemented our method in a tool and used it to verify the correctness of a variety of nontrivial programs manipulating both acyclic and cyclic singlylinked lists and doublylinked lists. We also demonstrate the use of indexed predicate abstraction to automatically synthesize loop invariants for these examples.
Finding Loop Invariants for Programs over Arrays Using a Theorem Prover
 In Proc. of FASE
, 2009
"... Abstract. We present a new method for automatic generation of loop invariants for programs containing arrays. Unlike all previously known methods, our method allows one to generate firstorder invariants containing alternations of quantifiers. The method is based on the automatic analysis of the so ..."
Abstract

Cited by 44 (5 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new method for automatic generation of loop invariants for programs containing arrays. Unlike all previously known methods, our method allows one to generate firstorder invariants containing alternations of quantifiers. The method is based on the automatic analysis of the socalled update predicates of loops. An update predicate for an array A expresses updates made to A. We observe that many properties of update predicates can be extracted automatically from the loop description and loop properties obtained by other methods such as a simple analysis of counters occurring in the loop, recurrence solving and quantifier elimination over loop variables. We run the theorem prover Vampire on some examples and show that nontrivial loop invariants can be generated. 1
Regular model checking without transducers
, 2006
"... Abstract. We give a simple and efficient method to prove safety properties for parameterized systems with linear topologies. A process in the system is a finitestate automaton, where the transitions are guarded by both local and global conditions. Processes may communicate via broadcast, rendezvou ..."
Abstract

Cited by 41 (18 self)
 Add to MetaCart
(Show Context)
Abstract. We give a simple and efficient method to prove safety properties for parameterized systems with linear topologies. A process in the system is a finitestate automaton, where the transitions are guarded by both local and global conditions. Processes may communicate via broadcast, rendezvous and shared variables. The method derives an overapproximation of the induced transition system, which allows the use of a simple class of regular expressions as a symbolic representation. Compared to traditional regular model checking methods, the analysis does not require the manipulation of transducers, and hence its simplicity and efficiency. We have implemented a prototype which works well on several mutual exclusion algorithms and cache coherence protocols. 1
Parameterized verification of infinitestate processes with global conditions
 In Proc. 19Ø�Int. Conf. on Computer Aided Verification
"... Abstract. We present a simple and effective approximated backward reachability algorithm for parameterized systems with existentially and universally quantified global conditions. The individual processes operate on unbounded local variables ranging over the natural numbers. In addition, processes m ..."
Abstract

Cited by 38 (10 self)
 Add to MetaCart
(Show Context)
Abstract. We present a simple and effective approximated backward reachability algorithm for parameterized systems with existentially and universally quantified global conditions. The individual processes operate on unbounded local variables ranging over the natural numbers. In addition, processes may communicate via broadcast, rendezvous and shared variables. We apply the algorithm to verify mutual exclusion for complex protocols such as Lamport’s bakery algorithm both with and without atomicity conditions, a distributed version of the bakery algorithm, and RicartAgrawala’s distributed mutual exclusion algorithm. 1
Environment abstraction for parameterized verification
 In 7 th VMCAI, LNCS 3855
, 2006
"... Abstract. Many aspects of computer systems are naturally modeled as parameterized systems which renders their automatic verification difficult. In wellknown examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which ..."
Abstract

Cited by 37 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Many aspects of computer systems are naturally modeled as parameterized systems which renders their automatic verification difficult. In wellknown examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which run the same distributed algorithm. In this paper, we introduce environment abstraction as a tool for the verification of such concurrent parameterized systems. Environment abstraction enriches predicate abstraction by ideas from counter abstraction; it enables us to reduce concurrent parameterized systems with unbounded variables to precise abstract finite state transition systems which can be verified by a finite state model checker. We demonstrate the feasibility of our approach by verifying the safety and liveness properties of Lamport’s bakery algorithm and Szymanski’s mutual exclusion algorithm. To the best of our knowledge, this is the first time both safety and liveness properties of the bakery algorithm have been verified at this level of automation. 1
Predicate Abstraction with Indexed Predicates
, 2007
"... Predicate abstraction provides a powerful tool for verifying properties of infinitestate systems using a combination of a decision procedure for a subset of firstorder logic and symbolic methods originally developed for finitestate model checking. We consider models containing firstorder state v ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
Predicate abstraction provides a powerful tool for verifying properties of infinitestate systems using a combination of a decision procedure for a subset of firstorder logic and symbolic methods originally developed for finitestate model checking. We consider models containing firstorder state variables, where the system state includes mutable functions and predicates. Such a model can describe systems containing arbitrarily large memories, buffers, and arrays of identical processes. We describe a form of predicate abstraction that constructs a formula over a set of universally quantified variables to describe invariant properties of the firstorder state variables. We provide a formal justification of the soundness of our approach and describe how it has been used to verify several hardware and software designs, including a directorybased cache coherence protocol.