Results 1  10
of
103
Linear ranking with reachability
 In CAV
, 2005
"... Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thu ..."
Abstract

Cited by 73 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thus, we describe a technique that discovers just the invariants necessary for proving termination. Finally, we describe an implementation of the method and provide extensive experimental evidence of its effectiveness for proving termination of C loops. 1 Introduction Guaranteed termination of program loops is necessary in many settings, suchas embedded systems and safety critical software. Additionally, proving general temporal properties of infinite state programs requires termination proofs, forwhich automatic methods are welcome [19, 11, 15]. We propose a termination analysis of linear loops based on the synthesis of lexicographic linear rankingfunctions supported by linear invariants.
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 59 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1
The octahedron abstract domain
 In Static Analysis Symposium (2004
, 2004
"... NOTICE: This is the author’s version of a work that was accepted for publication in Science of Computer Programming. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this docu ..."
Abstract

Cited by 57 (1 self)
 Add to MetaCart
(Show Context)
NOTICE: This is the author’s version of a work that was accepted for publication in Science of Computer Programming. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. A definitive version was subsequently published in Science of Computer Programming, 64(2007):115139.
Program analysis as constraint solving
 In PLDI
, 2008
"... A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program ana ..."
Abstract

Cited by 53 (12 self)
 Add to MetaCart
(Show Context)
A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program analyses in an expressive domain containing disjunctions and conjunctions of linear inequalities. In particular, we show how to model the problem of contextsensitive interprocedural program verification. We also present the first constraintbased approach to weakest precondition and strongest postcondition inference. The constraints we generate are boolean combinations of quadratic inequalities over integer variables. We reduce these constraints to SAT formulae using bitvector modeling and use offtheshelf SAT solvers to solve them. Furthermore, we present interesting applications of the above analyses, namely bounds analysis and generation of mostgeneral counterexamples for both safety and termination properties. We also present encouraging preliminary experimental results demonstrating the feasibility of our technique on a variety of challenging examples.
Path invariants
 In PLDI
, 2007
"... The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is i ..."
Abstract

Cited by 49 (6 self)
 Add to MetaCart
(Show Context)
The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is identified as an infeasible error path, and the abstraction is refined in order to remove that path. By contrast, we view the cause of a false alarm —the spurious counterexample — as a fullfledged program, namely, a fragment of the original program whose controlflow graph may contain loops and represent unbounded computations. There are two advantages to using such path programs as counterexamples for abstraction refinement. First, we can bring the whole machinery of program analysis to bear on path programs, which are typically small compared to the original program. Specifically, we use constraintbased invariant generation to automatically infer invariants of path programs —socalled path invariants. Second, we use path invariants for abstraction refinement in order to remove not one infeasibility at a time, but at once all (possibly infinitely many) infeasible error computations that are represented by a path program. Unlike previous predicate discovery schemes, our method handles loops without unrolling them; it infers abstractions that involve universal quantification and naturally incorporates disjunctive reasoning.
ConstraintBased Approach for Analysis of Hybrid Systems
 of Lecture Notes in Computer Science
, 2008
"... Abstract. This paper presents a constraintbased technique for discovering a rich class of inductive invariants (disjunctions of polynomial inequalities of bounded degree) for verification of hybrid systems. The key idea is to introduce a template for the unknown invariants and then translate the ve ..."
Abstract

Cited by 44 (12 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a constraintbased technique for discovering a rich class of inductive invariants (disjunctions of polynomial inequalities of bounded degree) for verification of hybrid systems. The key idea is to introduce a template for the unknown invariants and then translate the verification condition of the hybrid system into an ∃ ∀ constraint over the template unknowns (which are variables over reals) by making use of the fact that vector fields must point inwards at the boundary. These constraints are then solved using Farkas lemma. We also present preliminary experimental results that demonstrate the feasibility of our approach of solving the ∃ ∀ constraints generated from models of realworld hybrid systems. 1
Static analysis in disjunctive numerical domains
 In SAS ’06: Proceedings of the 13th International Symposium on Static Analysis
, 2006
"... Abstract. The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powers ..."
Abstract

Cited by 41 (5 self)
 Add to MetaCart
(Show Context)
Abstract. The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an “elaboration ” of the program’s CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an “elaboration ” on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a lightweight static analyzer as a part of the FSoft project with encouraging initial results. 1
Invariant synthesis for combined theories
 In Proc. VMCAI, LNCS 4349
, 2007
"... Abstract. We present a constraintbased algorithm for the synthesis of invariants expressed in the combined theory of linear arithmetic and uninterpreted function symbols. Given a set of programmerspecified invariant templates, our algorithm reduces the invariant synthesis problem to a sequence of ..."
Abstract

Cited by 41 (8 self)
 Add to MetaCart
(Show Context)
Abstract. We present a constraintbased algorithm for the synthesis of invariants expressed in the combined theory of linear arithmetic and uninterpreted function symbols. Given a set of programmerspecified invariant templates, our algorithm reduces the invariant synthesis problem to a sequence of arithmetic constraint satisfaction queries. Since the combination of linear arithmetic and uninterpreted functions is a widely applied predicate domain for program verification, our algorithm provides a powerful tool to statically and automatically reason about program correctness. The algorithm can also be used for the synthesis of invariants over arrays and set data structures, because satisfiability questions for the theories of sets and arrays can be reduced to the theory of linear arithmetic with uninterpreted functions. We have implemented our algorithm and used it to find invariants for a lowlevel memory allocator writteninC. 1
Precise relational invariants through strategy iteration
 In CSL
, 2007
"... Abstract. We present a practical algorithm for computing exact least solutions of systems of equations over the rationals with addition, multiplication with positive constants, minimum and maximum. The algorithm is based on strategy improvement combined with solving linear programming problems for ..."
Abstract

Cited by 32 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We present a practical algorithm for computing exact least solutions of systems of equations over the rationals with addition, multiplication with positive constants, minimum and maximum. The algorithm is based on strategy improvement combined with solving linear programming problems for each selected strategy. We apply our technique to compute the abstract least fixpoint semantics of affine programs over the relational template constraint matrix domain [20]. In particular, we thus obtain practical algorithms for computing the abstract least fixpoint semantics over the zone and octagon abstract domain. 1
Static analysis by policy iteration on relational domains
 IN: ESOP’07. LNCS
, 2007
"... We give a new practical algorithm to compute, in finite time, a fixpoint (and often the least fixpoint) of a system of equations in the abstract numerical domains of zones and templates used for static analysis of programs by abstract interpretation. This paper extends previous work on the nonrelat ..."
Abstract

Cited by 31 (9 self)
 Add to MetaCart
(Show Context)
We give a new practical algorithm to compute, in finite time, a fixpoint (and often the least fixpoint) of a system of equations in the abstract numerical domains of zones and templates used for static analysis of programs by abstract interpretation. This paper extends previous work on the nonrelational domain of intervals to relational domains. The algorithm is based on policy iteration techniques – rather than Kleene iterations as used classically in static analysis – and generates from the system of equations a finite set of simpler systems that we call policies. This set of policies satisfies a selection property which ensures that the minimal fixpoint of the original system of equations is the minimum of the fixpoints of the policies. Computing a fixpoint of a policy is done by linear programming. It is shown, through experiments made on a prototype analyzer, compared in particular to analyzers such as LPInv or the Octagon Analyzer, to be in general more precise and faster than the usual Kleene iteration combined with widening and narrowing techniques.