Results 1  10
of
70
Linear ranking with reachability
 In CAV
, 2005
"... Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thu ..."
Abstract

Cited by 52 (9 self)
 Add to MetaCart
Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thus, we describe a technique that discovers just the invariants necessary for proving termination. Finally, we describe an implementation of the method and provide extensive experimental evidence of its effectiveness for proving termination of C loops. 1 Introduction Guaranteed termination of program loops is necessary in many settings, suchas embedded systems and safety critical software. Additionally, proving general temporal properties of infinite state programs requires termination proofs, forwhich automatic methods are welcome [19, 11, 15]. We propose a termination analysis of linear loops based on the synthesis of lexicographic linear rankingfunctions supported by linear invariants.
The octahedron abstract domain
 In Static Analysis Symposium (2004
, 2004
"... NOTICE: This is the author’s version of a work that was accepted for publication in Science of Computer Programming. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this docu ..."
Abstract

Cited by 47 (1 self)
 Add to MetaCart
NOTICE: This is the author’s version of a work that was accepted for publication in Science of Computer Programming. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. A definitive version was subsequently published in Science of Computer Programming, 64(2007):115139.
Program analysis as constraint solving
 In PLDI
, 2008
"... A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program ana ..."
Abstract

Cited by 34 (11 self)
 Add to MetaCart
A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program analyses in an expressive domain containing disjunctions and conjunctions of linear inequalities. In particular, we show how to model the problem of contextsensitive interprocedural program verification. We also present the first constraintbased approach to weakest precondition and strongest postcondition inference. The constraints we generate are boolean combinations of quadratic inequalities over integer variables. We reduce these constraints to SAT formulae using bitvector modeling and use offtheshelf SAT solvers to solve them. Furthermore, we present interesting applications of the above analyses, namely bounds analysis and generation of mostgeneral counterexamples for both safety and termination properties. We also present encouraging preliminary experimental results demonstrating the feasibility of our technique on a variety of challenging examples.
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1
Path invariants
 In PLDI
, 2007
"... The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is i ..."
Abstract

Cited by 32 (3 self)
 Add to MetaCart
The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is identified as an infeasible error path, and the abstraction is refined in order to remove that path. By contrast, we view the cause of a false alarm —the spurious counterexample — as a fullfledged program, namely, a fragment of the original program whose controlflow graph may contain loops and represent unbounded computations. There are two advantages to using such path programs as counterexamples for abstraction refinement. First, we can bring the whole machinery of program analysis to bear on path programs, which are typically small compared to the original program. Specifically, we use constraintbased invariant generation to automatically infer invariants of path programs —socalled path invariants. Second, we use path invariants for abstraction refinement in order to remove not one infeasibility at a time, but at once all (possibly infinitely many) infeasible error computations that are represented by a path program. Unlike previous predicate discovery schemes, our method handles loops without unrolling them; it infers abstractions that involve universal quantification and naturally incorporates disjunctive reasoning.
Static analysis in disjunctive numerical domains
 In SAS ’06: Proceedings of the 13th International Symposium on Static Analysis
, 2006
"... Abstract. The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powers ..."
Abstract

Cited by 29 (5 self)
 Add to MetaCart
Abstract. The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an “elaboration ” of the program’s CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an “elaboration ” on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a lightweight static analyzer as a part of the FSoft project with encouraging initial results. 1
Invariant synthesis for combined theories
 In Proc. VMCAI, LNCS 4349
, 2007
"... Abstract. We present a constraintbased algorithm for the synthesis of invariants expressed in the combined theory of linear arithmetic and uninterpreted function symbols. Given a set of programmerspecified invariant templates, our algorithm reduces the invariant synthesis problem to a sequence of ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Abstract. We present a constraintbased algorithm for the synthesis of invariants expressed in the combined theory of linear arithmetic and uninterpreted function symbols. Given a set of programmerspecified invariant templates, our algorithm reduces the invariant synthesis problem to a sequence of arithmetic constraint satisfaction queries. Since the combination of linear arithmetic and uninterpreted functions is a widely applied predicate domain for program verification, our algorithm provides a powerful tool to statically and automatically reason about program correctness. The algorithm can also be used for the synthesis of invariants over arrays and set data structures, because satisfiability questions for the theories of sets and arrays can be reduced to the theory of linear arithmetic with uninterpreted functions. We have implemented our algorithm and used it to find invariants for a lowlevel memory allocator writteninC. 1
ConstraintBased Approach for Analysis of Hybrid Systems
 of Lecture Notes in Computer Science
, 2008
"... Abstract. This paper presents a constraintbased technique for discovering a rich class of inductive invariants (disjunctions of polynomial inequalities of bounded degree) for verification of hybrid systems. The key idea is to introduce a template for the unknown invariants and then translate the ve ..."
Abstract

Cited by 21 (10 self)
 Add to MetaCart
Abstract. This paper presents a constraintbased technique for discovering a rich class of inductive invariants (disjunctions of polynomial inequalities of bounded degree) for verification of hybrid systems. The key idea is to introduce a template for the unknown invariants and then translate the verification condition of the hybrid system into an ∃ ∀ constraint over the template unknowns (which are variables over reals) by making use of the fact that vector fields must point inwards at the boundary. These constraints are then solved using Farkas lemma. We also present preliminary experimental results that demonstrate the feasibility of our approach of solving the ∃ ∀ constraints generated from models of realworld hybrid systems. 1
Efficient Strongly Relational Polyhedral Analysis
, 2006
"... Polyhedral analysis infers invariant linear equalities and inequalities of imperative programs. However, the exponential complexity of polyhedral operations such as image computation and convex hull limits the applicability of polyhedral analysis. Weakly relational domains such as intervals and octa ..."
Abstract

Cited by 21 (4 self)
 Add to MetaCart
Polyhedral analysis infers invariant linear equalities and inequalities of imperative programs. However, the exponential complexity of polyhedral operations such as image computation and convex hull limits the applicability of polyhedral analysis. Weakly relational domains such as intervals and octagons address the scalability issue by considering polyhedra whose constraints are drawn from a restricted, userspecified class. On the other hand, these domains rely solely on candidate expressions provided by the user. Therefore, they often fail to produce strong invariants. We propose a polynomial time approach to strongly relational analysis. We provide efficient implementations of join and post condition operations, achieving a trade off between performance and accuracy. We have implemented a strongly relational polyhedral analyzer for a subset of the C language. Initial experimental results on benchmark examples are encouraging.
Pentagons: A weakly relational abstract domain for the efficient validation of array accesses
 In SAC’08
"... We introduce Pentagons (Pntg), a weakly relational numerical abstract domain useful for the validation of array accesses in bytecode and intermediate languages (IL). This abstract domain captures properties of the form of x ∈ [a, b] ∧ x < y. It is more precise than the well known Interval domai ..."
Abstract

Cited by 20 (8 self)
 Add to MetaCart
We introduce Pentagons (Pntg), a weakly relational numerical abstract domain useful for the validation of array accesses in bytecode and intermediate languages (IL). This abstract domain captures properties of the form of x ∈ [a, b] ∧ x < y. It is more precise than the well known Interval domain, but it is less precise than the Octagon domain. The goal of Pntg is to be a lightweight numerical domain useful for adaptive static analysis, where Pntg is used to quickly prove the safety of most array accesses, restricting the use of more precise (but also more expensive) domains to only a small fraction of the code. We implemented the Pntg abstract domain in Clousot, a generic abstract interpreter for.NET assemblies. Using it, we were able to validate 83 % of array accesses in the core runtime library mscorlib.dll in a little bit more than 3 minutes.