Results 1  10
of
26
Proving Program Invariance and Termination by Parametric Abstraction, Lagrangian Relaxation and Semidefinite Programming
 IN VMCAI’2005: VERIFICATION, MODEL CHECKING, AND ABSTRACT INTERPRETATION, VOLUME 3385 OF LNCS
, 2005
"... In order to verify semialgebraic programs, we automatize the Floyd/Naur/Hoare proof method. The main task is to automatically infer valid invariants and rank functions. First we express the program semantics in polynomial form. Then the unknown rank function and invariants are abstracted in parametr ..."
Abstract

Cited by 64 (1 self)
 Add to MetaCart
In order to verify semialgebraic programs, we automatize the Floyd/Naur/Hoare proof method. The main task is to automatically infer valid invariants and rank functions. First we express the program semantics in polynomial form. Then the unknown rank function and invariants are abstracted in parametric form. The implication in the Floyd/Naur/Hoare verification conditions is handled by abstraction into numerical constraints by Lagrangian relaxation. The remaining universal quantification is handled by semidefinite programming relaxation. Finally the parameters are computed using semidefinite programming solvers. This new approach exploits the recent progress in the numerical resolution of linear or bilinear matrix inequalities by semidefinite programming using efficient polynomial primal/dual interior point methods generalizing those wellknown in linear programming to convex optimization. The framework is applied to invariance and termination proof of sequential, nondeterministic, concurrent, and fair parallel imperative polynomial programs and can easily be extended to other safety and liveness properties.
Precise Interprocedural Analysis through Linear Algebra
, 2004
"... We apply linear algebra techniques to precise interprocedural dataflow analysis. Specifically, we describe analyses that determine for each program point identities that are valid among the program variables whenever control reaches that program point. Our analyses fully interpret assignment stateme ..."
Abstract

Cited by 62 (10 self)
 Add to MetaCart
We apply linear algebra techniques to precise interprocedural dataflow analysis. Specifically, we describe analyses that determine for each program point identities that are valid among the program variables whenever control reaches that program point. Our analyses fully interpret assignment statements with affine expressions on the right hand side while considering other assignments as nondeterministic and ignoring conditions at branches. Under this abstraction, the analysis computes the set of all affine relations and, more generally, all polynomial relations of bounded degree precisely. The running time of our algorithms is linear in the program size and polynomial in the number of occurring variables. We also show how to deal with affine preconditions and local variables and indicate how to handle parameters and return values of procedures.
Loopextended symbolic execution on binary programs
 In Newsome, McCamant, and Song: Measuring Channel Capacity to Distinguish Undue Influence 12 2009/6/8 Symposium on Software Testing and Analysis (ISSTA
, 2009
"... Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including securityrelevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data de ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including securityrelevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data dependencies. We introduce loopextended symbolic execution, a generalization that broadens the coverage of symbolic results in programs with loops. It introduces symbolic variables for the number of times each loop executes, and links these with features of a known input grammar such as variablelength or repeating fields. This allows the symbolic constraints to cover a class of paths that includes different numbers of loop iterations, expressing loopdependent program values in terms of properties of the input. By performing more reasoning symbolically, instead of by undirected exploration, applications of loopextended symbolic execution can achieve better results and/or require fewer program executions. To demonstrate our technique, we apply it to the problem of discovering and diagnosing bufferoverflow vulnerabilities in software given only in binary form. Our tool finds vulnerabilities in both a standard benchmark suite and 3 realworld applications, after generating only a handful of candidate inputs, and also diagnoses general vulnerability conditions.
A Note on Karr’s Algorithm
 In 31st Int. Coll. on Automata, Languages and Programming (ICALP
"... Abstract. We give a simple formulation of Karr’s algorithm for computing all affine relationships in affine programs. This simplified algorithm runs in time O(nk 3) where n is the program size and k is the number of program variables assuming unit cost for arithmetic operations. This improves upon t ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
Abstract. We give a simple formulation of Karr’s algorithm for computing all affine relationships in affine programs. This simplified algorithm runs in time O(nk 3) where n is the program size and k is the number of program variables assuming unit cost for arithmetic operations. This improves upon the original formulation by a factor of k. Moreover, our reformulation avoids exponential growth of the lengths of intermediately occurring numbers (in binary representation) and uses less complicated elementary operations. We also describe a generalization that determines all polynomial relations up to degree d in time O(nk 3d). 1
Interprocedurally analyzing polynomial identities
 IN PROC. OF STACS 2006
, 2006
"... Since programming languages are Turing complete, it is impossible to decide for all programs whether a given nontrivial semantic property is valid or not. The wayout chosen by abstract interpretation is to provide approximate methods which may fail to certify a program property on some programs. ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
Since programming languages are Turing complete, it is impossible to decide for all programs whether a given nontrivial semantic property is valid or not. The wayout chosen by abstract interpretation is to provide approximate methods which may fail to certify a program property on some programs. Precision of the analysis can be measured by providing classes of programs for which the analysis is complete, i.e., decides the property in question. Here, we consider analyses of polynomial identities between integer variables such as x1 · x2 − 2x3 = 0. We describe current approaches and clarify their completeness properties. We also present an extension of our approach based on weakest precondition computations to programs with procedures and equality guards.
Abstract Domains of Affine Relations ⋆
"... Abstract. This paper considers some known abstract domains for affinerelation analysis (ARA), along with several variants, and studies how they relate to each other. We show that the abstract domains of MüllerOlm/Seidl (MOS) and King/Søndergaard (KS) are, in general, incomparable, but give sound i ..."
Abstract

Cited by 8 (7 self)
 Add to MetaCart
Abstract. This paper considers some known abstract domains for affinerelation analysis (ARA), along with several variants, and studies how they relate to each other. We show that the abstract domains of MüllerOlm/Seidl (MOS) and King/Søndergaard (KS) are, in general, incomparable, but give sound interconversion methods. We also show that the methods of King and Søndergaard can be applied without bitblasting—while still using a bitprecise concrete semantics. 1
Smooth interpretation
 In PLDI
, 2010
"... We present smooth interpretation, a method to systematically approximate numerical imperative programs by smooth mathematical functions. This approximation facilitates the use of numerical search techniques like gradient descent for program analysis and synthesis. The method extends to programs the ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
We present smooth interpretation, a method to systematically approximate numerical imperative programs by smooth mathematical functions. This approximation facilitates the use of numerical search techniques like gradient descent for program analysis and synthesis. The method extends to programs the notion of Gaussian smoothing, a popular signalprocessing technique that filters out noise and discontinuities from a signal by taking its convolution with a Gaussian function. In our setting, Gaussian smoothing executes a program according to a probabilistic semantics; the execution of program P on an input x after Gaussian smoothing can be summarized as follows: (1) Apply a Gaussian perturbation to x—the perturbed input is a random variable following a normal distribution with mean x. (2) Compute and return the expected output of P on this perturbed input.
Program verification as probabilistic inference
 In Proc. POPL
, 2007
"... In this paper, we propose a new algorithm for proving the validity or invalidity of a pre/postcondition pair for a program. The algorithm is motivated by the success of the algorithms for probabilistic inference developed in the machine learning community for reasoning in graphical models. The valid ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
In this paper, we propose a new algorithm for proving the validity or invalidity of a pre/postcondition pair for a program. The algorithm is motivated by the success of the algorithms for probabilistic inference developed in the machine learning community for reasoning in graphical models. The validity or invalidity proof consists of providing an invariant at each program point that can be locally verified. The algorithm works by iteratively randomly selecting a program point and updating the current abstract state representation to make it more locally consistent (with respect to the abstractions at the neighboring points). We show that this simple algorithm has some interesting aspects: (a) It brings together the complementary powers of forward and backward analyses; (b) The algorithm has the ability to recover itself from excessive underapproximation or overapproximation that it may make. (Because the algorithm does not distinguish between the forward and backward information, the information could get both underapproximated and overapproximated at any step.) (c) The randomness in the algorithm ensures that the correct choice of updates is eventually made as there is no single deterministic strategy that would provably work for any interesting class of programs. In our experiments we use this algorithm to produce the proof of correctness of a small (but nontrivial) example. In addition, we empirically illustrate several important properties of the algorithm.
Synthesis from examples: Interaction models and algorithms
 14th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing
, 2012
"... Abstract—Examples are often a natural way to specify various computational artifacts such as programs, queries, and sequences. Synthesizing such artifacts from example based specifications has various applications in the domains of enduser programming and intelligent tutoring systems. Synthesis from ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
Abstract—Examples are often a natural way to specify various computational artifacts such as programs, queries, and sequences. Synthesizing such artifacts from example based specifications has various applications in the domains of enduser programming and intelligent tutoring systems. Synthesis from examples involves addressing two key technical challenges: (i) design of a user interaction model to deal with the inherent ambiguity in the example based specification. (ii) design of an efficient search algorithm these algorithms have been based on paradigms from various communities including use of SAT/SMT solvers (formal methods community), version space algebras (machine learning community), and A*style goaldirected heuristics (AI community). This paper describes some effective user interaction models and algorithmic methodologies for synthesis from examples while discussing synthesizers for a variety of artifacts ranging from tricky bitvector algorithms, spreadsheet macros for automating repetitive data manipulation tasks, ruler/compass based geometry constructions, algebraic identities, and predictive intellisense for repetitive drawings and mathematical terms.