Results 1  10
of
35
HAMPI: A Solver for String Constraints
, 2009
"... Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of offtheshelf ..."
Abstract

Cited by 69 (19 self)
 Add to MetaCart
(Show Context)
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of offtheshelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive offtheshelf solvers for string constraints generated by analysis techniques for stringmanipulating programs. We designed and implemented Hampi, a solver for string constraints over fixedsize string variables. Hampi constraints express membership in regular languages and fixedsize contextfree languages. Hampi constraints may contain contextfreelanguage definitions, regularlanguage definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable. Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi’s source code, documentation, and the experimental data are available at
SATURN: A Scalable Framework for Error Detection Using Boolean Satisfiability
"... This article presents SATURN, a general framework for building precise and scalable static error detection systems. SATURN exploits recent advances in Boolean satisfiability (SAT) solvers and is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also hi ..."
Abstract

Cited by 33 (0 self)
 Add to MetaCart
(Show Context)
This article presents SATURN, a general framework for building precise and scalable static error detection systems. SATURN exploits recent advances in Boolean satisfiability (SAT) solvers and is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, which we achieve using two techniques. First, for each program function, several optimizations compress the size of the Boolean formulas that model the control flow and data flow and the heap locations accessed by a function. Second, summaries in the spirit of type signatures are computed for each function, allowing interprocedural analysis without a dramatic increase in the size of the Boolean constraints to be solved. We have experimentally validated our approach by conducting two case studies involving a Linux lock checker and a memory leak checker. Results from the experiments show that our system scales well, parallelizes well, and finds more errors with fewer false positives than previous static
Formal Verification of SystemC by Automatic Hardware/Software Partitioning
 In MEMOCODE
, 2005
"... Variants of generalpurpose programming languages, like SystemC, are increasingly used to specify system designs that have both hardware and software parts. The systemlevel languages allow a flexible partitioning in the design of the hardware and software. Moreover, many properties depend on the co ..."
Abstract

Cited by 29 (3 self)
 Add to MetaCart
(Show Context)
Variants of generalpurpose programming languages, like SystemC, are increasingly used to specify system designs that have both hardware and software parts. The systemlevel languages allow a flexible partitioning in the design of the hardware and software. Moreover, many properties depend on the combination of hardware and software and cannot be verified on either part alone. Existing tools either apply nonformal approaches or handle only the lowlevel parts of the language. This papers presents a new technique that handles both hardware and software parts of a system description. This is done by automatically partitioning the uniform system description into synchronous (hardware) and asynchronous (software) parts. This technique has been implemented and applied to system level descriptions of several industrial examples. The hardware/software partitioning improves the performance of the verification compared to the monolithic approach. 1
A Survey of Automated Techniques for Formal Software Verification
 TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
Using statically computed invariants inside the predicate abstraction and refinement loop
 In CAV’06: International Conference on Computer Aided Verification
, 2006
"... Abstract. Predicate abstraction is a powerful technique for extracting finitestate models from often complex source code. This paper reports on the usage of statically computed invariants inside the predicate abstraction and refinement loop. The main idea is to selectively strengthen (conjoin) the ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Predicate abstraction is a powerful technique for extracting finitestate models from often complex source code. This paper reports on the usage of statically computed invariants inside the predicate abstraction and refinement loop. The main idea is to selectively strengthen (conjoin) the concrete transition relation at a given program location by efficiently computed invariants that hold at that program location. We experimentally demonstrate the usefulness of transition relation strengthening in the predicate abstraction and refinement loop. We use invariants of the form ±x ± y ≤ c where c is a constant and x,y are program variables. These invariants can be discovered efficiently at each program location using the octagon abstract domain. We observe that the abstract models produced by predicate abstraction of strengthened transition relation are more precise leading to fewer spurious counterexamples, thus, decreasing the total number of abstraction refinement iterations. Furthermore, the length of relevant fragments of spurious traces needing refinement shortens. This leads to an addition of fewer predicates for refinement. We found a consistent reduction in the total number of predicates, maximum number of predicates tracked at a given program location, and the overall verification time. 1
Predicate Abstraction via Symbolic Decision Procedures
, 2005
"... We present a new approach for performing predicate abstraction based on symbolic decision procedures. A symbolic decision procedure for a theory T (SDPT) takes sets of predicates G and E and symbolically executes a decision procedure for T on G ′ ∪ {¬e  e ∈ E}, for all the subsets G ′ of G. The r ..."
Abstract

Cited by 23 (4 self)
 Add to MetaCart
We present a new approach for performing predicate abstraction based on symbolic decision procedures. A symbolic decision procedure for a theory T (SDPT) takes sets of predicates G and E and symbolically executes a decision procedure for T on G ′ ∪ {¬e  e ∈ E}, for all the subsets G ′ of G. The result of SDPT is a shared expression (represented by a directed acyclic graph) that implicitly represents the answer to a predicate abstraction query. We present symbolic decision procedures for the logic of Equality and Uninterpreted Functions(EUF) and Difference logic (DIF) and show that these procedures run in pseudopolynomial (rather than exponential) time. We then provide a method to construct SDP’s for simple mixed theories (including EUF + DIF) using an extension of the NelsonOppen combination method. We present preliminary evaluation of our procedure on predicate abstraction benchmarks from device driver verification in SLAM.
Counterexample guided abstraction refinement via program execution
 Formal Methods and Software Engineering: 6th International Conference on Formal Engineering Methods
, 2004
"... ..."
(Show Context)
Abstraction refinement for probabilistic software
 Proc. 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’09), volume 5403 of LNCS
, 2009
"... Abstract. We present a methodology and implementation for verifying ANSIC programs that exhibit probabilistic behaviour, such as failures or randomisation. We use abstractionrefinement techniques that represent probabilistic programs as Markov decision processes and their abstractions as stochasti ..."
Abstract

Cited by 18 (8 self)
 Add to MetaCart
Abstract. We present a methodology and implementation for verifying ANSIC programs that exhibit probabilistic behaviour, such as failures or randomisation. We use abstractionrefinement techniques that represent probabilistic programs as Markov decision processes and their abstractions as stochastic twoplayer games. Our techniques target quantitative properties of software such as “the maximum probability of filetransfer failure ” or “the minimum expected number of loop iterations ” and the abstractions we construct yield lower and upper bounds on these properties, which then guide the refinement process. We build upon stateoftheart techniques and tools, using SATbased predicate abstraction, symbolic implementations of probabilistic model checking and components from GOTOCC, SATABS and PRISM. Experimental results show that our approach performs very well in practice, successfully verifying actual networking software whose complexity is significantly beyond the scope of existing probabilistic verification tools. 1
The ComFoRT reasoning framework
 In Proceedings of Computer Aided Verification (CAV
, 2005
"... Model checking is a promising technology for verifying critical behavior of software. However, software model checking is hamstrung by scalability issues and is difficult for software engineers to use directly. The second challenge arises ..."
Abstract

Cited by 17 (9 self)
 Add to MetaCart
(Show Context)
Model checking is a promising technology for verifying critical behavior of software. However, software model checking is hamstrung by scalability issues and is difficult for software engineers to use directly. The second challenge arises
Localization and register sharing for predicate abstraction
 In TACAS
, 2005
"... Abstract. In the domain of software verification, predicate abstraction has emerged to be a powerful and popular technique for extracting finitestate models from often complex source code. In this paper, we report on the application of three techniques for improving the performance of the predicate ..."
Abstract

Cited by 14 (6 self)
 Add to MetaCart
(Show Context)
Abstract. In the domain of software verification, predicate abstraction has emerged to be a powerful and popular technique for extracting finitestate models from often complex source code. In this paper, we report on the application of three techniques for improving the performance of the predicate abstraction refinement loop. The first technique allows faster computation of the abstraction. Instead of maintaining a global set of predicates, we find predicates relevant to various basic blocks of the program by weakest precondition propagation along spurious program traces. The second technique enables faster model checking of the abstraction by reducing the number of state variables in the abstraction. This is done by reusing Boolean variables to represent different predicates in the abstraction in a safe way. However, some predicates are useful at many program locations and discovering them lazily in various parts of the program leads to a large number of abstraction refinement iterations. The third technique attempts to identify such predicates early in the abstraction refinement loop and handles them separately by introducing dedicated state variables for such predicates. We have incorporated these techniques into NEC’s software verification tool FSoft, and present promising experimental results for various case studies using these techniques. 1