Results 1 - 10 of 12
Automatically generating loop invariants using quantifier elimination
In Deduction and Applications, 2005
Cited by 27 (0 self)
An approach for automatically generating loop invariants using quantifier elimination is proposed. An invariant of a loop is hypothesized as a parameterized formula. Parameters in the invariant are discovered by generating constraints on the parameters by ensuring that the formula is indeed preserved by the execution path corresponding to every basic cycle of the loop. The parameterized formula can be successively refined by considering execution paths one by one; heuristics can be developed for determining the order in which the paths are considered. Initialization of program variables as well as the precondition and postcondition of the loop, if available, can also be used to further refine the hypothesized invariant. Constraints on parameters generated in this way are solved for possible values of parameters. If no solution is possible, this means that an invariant of the hypothesized form does not exist for the loop. Otherwise, if the parametric constraints are solvable, then under certain conditions on methods for generating these constraints, the strongest possible invariant of the hypothesized form can be generated from most general solutions of the parametric constraints. The approach is illustrated using the first-order theory of polynomial equations as well as Presburger arithmetic.
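The scheme this abstract describes, as an added toy illustration that is not code from the paper: hypothesize the invariant as a polynomial equation whose coefficients are unknown parameters (one per monomial up to a chosen degree), turn initialization and preservation along each loop path into linear constraints on those parameters, and read the invariants off the solution space. It is a simplification of the paper's method: the paper checks preservation exactly with quantifier elimination, whereas here preservation is enforced by the stronger, merely sufficient condition that the template's change over one pass through a path vanishes identically as a polynomial, and the solution space is the rational nullspace of the constraint matrix. The sample loop, the variable names `x`, `y` and the degree bound are constructed for the example.

```python
from fractions import Fraction
from itertools import product

# Added toy illustration of parametric invariant generation; not code from the paper.
# Polynomials in the program variables are dicts {exponent tuple: Fraction}.
VARS = ("x", "y")
ZERO = (0,) * len(VARS)

def const(c):
    return {ZERO: Fraction(c)}

def var(name):
    e = [0] * len(VARS)
    e[VARS.index(name)] = 1
    return {tuple(e): Fraction(1)}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def substitute(p, update):
    """p with every program variable v replaced by the polynomial update[v]."""
    out = {}
    for m, c in p.items():
        term = const(c)
        for v, e in zip(VARS, m):
            for _ in range(e):
                term = mul(term, update[v])
        out = add(out, term)
    return out

def monomials(degree):
    """Template: sum_i p_i * m_i = 0 over all monomials of total degree <= degree."""
    return [m for m in product(range(degree + 1), repeat=len(VARS)) if sum(m) <= degree]

def nullspace(rows, n):
    """Rational basis of {p : rows . p = 0}, by Gauss-Jordan elimination."""
    a = [list(r) for r in rows]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(a)) if a[i][col] != 0), None)
        if piv is None:
            continue
        a[r], a[piv] = a[piv], a[r]
        a[r] = [v / a[r][col] for v in a[r]]
        for i in range(len(a)):
            if i != r and a[i][col] != 0:
                a[i] = [vi - a[i][col] * vr for vi, vr in zip(a[i], a[r])]
        pivots.append(col)
        r += 1
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        vec = [Fraction(0)] * n
        vec[free] = Fraction(1)
        for i, pc in enumerate(pivots):
            vec[pc] = -a[i][free]
        basis.append(vec)
    return basis

def invariants(init, paths, degree):
    """init: {var: constant}; paths: loop-body updates {var: polynomial}, one per
    basic cycle. Returns coefficient vectors p such that sum_i p_i * m_i = 0 holds
    in the initial state and is preserved by every path (one vector per
    independent invariant; [] means none of this form was found)."""
    monos = monomials(degree)
    init_poly = {v: const(c) for v, c in init.items()}
    # Initialization constraint: the template evaluates to 0 at the initial state.
    rows = [[substitute({m: Fraction(1)}, init_poly).get(ZERO, Fraction(0))
             for m in monos]]
    for path in paths:
        # Preservation, enforced by the sufficient condition that the change of the
        # template over one pass through the path vanishes identically; each
        # coefficient of the difference polynomial is then a linear constraint.
        diffs = [add(substitute({m: Fraction(1)}, path), {m: Fraction(-1)}) for m in monos]
        for mu in {mu for d in diffs for mu in d}:
            rows.append([d.get(mu, Fraction(0)) for d in diffs])
    return nullspace(rows, len(monos))

def render(vec, degree):
    terms = []
    for c, m in zip(vec, monomials(degree)):
        if c != 0:
            mono = "*".join(f"{v}^{e}" if e > 1 else v for v, e in zip(VARS, m) if e) or "1"
            terms.append(f"{c}*{mono}")
    return " + ".join(terms) + " = 0"

# Constructed sample loop:  x = 0; y = 0; while (...) { x = x + 1; y = y + x; }
X, Y = var("x"), var("y")
SUM_LOOP = {"x": add(X, const(1)), "y": add(add(Y, X), const(1))}

if __name__ == "__main__":
    for p in invariants({"x": 0, "y": 0}, [SUM_LOOP], 2):
        print(render(p, 2))  # -2*y + 1*x + 1*x^2 = 0, i.e. 2y = x^2 + x
```

A loop with several basic cycles is handled by passing one update map per cycle; every cycle contributes its own block of constraint rows. Because the preservation check here is only sufficient, an empty result means no invariant of the chosen degree was found under this approximation, not that none exists; the abstract's stronger claim (no solution implies no invariant of that form) relies on the exact quantifier-elimination check that this example does not implement.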
Interprocedurally analyzing polynomial identities
In Proc. of STACS, 2006
Cited by 9 (1 self)
Since programming languages are Turing complete, it is impossible to decide for all programs whether a given nontrivial semantic property is valid or not. The way out chosen by abstract interpretation is to provide approximate methods which may fail to certify a program property on some programs. Precision of the analysis can be measured by providing classes of programs for which the analysis is complete, i.e., decides the property in question. Here, we consider analyses of polynomial identities between integer variables such as x1 · x2 − 2x3 = 0. We describe current approaches and clarify their completeness properties. We also present an extension of our approach based on weakest precondition computations to programs with procedures and equality guards.
Generating Polynomial Invariants for Hybrid Systems
2005
Cited by 9 (1 self)
We present a powerful computational method for automatically generating polynomial invariants of hybrid systems with linear continuous dynamics. When restricted to linear continuous dynamical systems, our method generates a set of polynomial equations (algebraic set) that is the best such overapproximation of the reach set. This shows that the set of algebraic invariants of a linear system is computable. The extension to hybrid systems is achieved using the abstract interpretation framework over the lattice defined by algebraic sets. Algebraic sets are represented using canonical Gröbner bases and the lattice operations are effectively computed via appropriate Gröbner basis manipulations.
Generation of basic semialgebraic invariants using convex polyhedra
In Static Analysis: Proceedings of the 12th International Symposium, volume 3672 of Lecture Notes in Computer Science
Cited by 9 (0 self)
A technique for generating invariant polynomial inequalities of bounded degree is presented using the abstract interpretation framework. It is based on overapproximating basic semialgebraic sets, i.e., sets defined by conjunctions of polynomial inequalities, by means of convex polyhedra. While improving on the existing methods for generating invariant polynomial equalities, since polynomial inequalities are allowed in the guards of the transition system, the approach does not suffer from the prohibitive complexity of the methods based on quantifier elimination. The application of our implementation to benchmark programs shows that the method produces nontrivial invariants in reasonable time. In some cases the generated invariants are essential to verify safety properties that cannot be proved with classical linear invariants.
Customised induction rules for proving correctness of imperative programs
2004
Cited by 8 (1 self)
This thesis is aimed at simplifying the user interaction in semi-interactive theorem proving for imperative programs. More specifically, we describe the creation of customised induction rules that are tailor-made for the specific program to verify and thus make the resulting proof simpler. The concern is in user interaction, rather than in proof strength. To achieve this, two different verification techniques are used. In the first approach, we develop an idea where a software testing technique, partition analysis, is used to compute a partition of the domain of the induction variable, based on the branch predicates in the program we wish to prove correct. Based on this partition we derive mechanically a partitioned induction rule, which then inherits the divide-and-conquer style of partition analysis, and (hopefully) is easier to use than the standard (Peano) induction rule. The second part of the thesis continues with a more thorough development of the method. Here the connection to software testing is completely removed
Logical interpretation: Static program analysis using theorem proving
In: CADE-21, volume 4603 of LNAI, Springer-Verlag, 2007
Cited by 7 (0 self)
This paper presents the foundations for using automated deduction technology in static program analysis. The central principle is the use of logical lattices – a class of lattices defined on logical formulas in a logical theory – in an abstract interpretation framework. Abstract interpretation over logical lattices, called logical interpretation, raises new challenges for theorem proving. We present an overview of some of the existing results in the field of logical interpretation and outline some requirements for building expressive and scalable logical interpreters.
Join algorithms for the theory of uninterpreted functions
In 24th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS), 2004
Generating Polynomial Invariants with DISCOVERER and QEPCAD (dedicated to Prof. Chaochen Zhou on his 70th birthday)
Cited by 1 (0 self)
This paper investigates how to apply techniques for solving semialgebraic systems to invariant generation of polynomial programs. By our approach, the generated invariants, represented as a semialgebraic system, are more expressive than those generated with the well-established approaches in the literature, which are normally represented as a conjunction of polynomial equations. We implement this approach with the computer algebra tools DISCOVERER and QEPCAD. We also explain, through the complexity analysis, why our approach is more efficient and practical than the one of [17], which directly applies first-order quantifier elimination.
Degree and dimension estimates for invariant ideals of P-solvable recurrences
Motivated by the generation of polynomial loop invariants of computer programs, we study P-solvable recurrences. While these recurrences may contain nonlinear terms, we show that the solutions of any such relation can be obtained by solving a system of linear recurrences. We also study invariant ideals of P-solvable recurrences (or equivalently of while loops with no branches). We establish sharp degree and dimension estimates of those invariant ideals.
Range Analysis of Binaries with Minimal Effort
COTS components are ubiquitous in military, industrial and governmental systems. However, the benefits of reduced development and maintenance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Abstract interpretation can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and buffer overflows. Yet the lack of structure in binaries limits the effectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention.