Omega-regular model checking
In Proc. 10th TACAS, LNCS, 2004
Cited by 11 (3 self)
Abstract
Checking infinite-state systems is frequently done by encoding infinite sets of states as regular languages. Computing such a regular representation of, say, the set of reachable states of a system requires acceleration techniques that can finitely compute the effect of an unbounded number of transitions. Among the acceleration techniques that have been proposed, one finds both specific and generic techniques. Specific techniques exploit the particular type of system being analyzed, e.g. a system manipulating queues or integers, whereas generic techniques only assume that the transition relation is represented by a finite-state transducer, which has to be iterated. In this paper, we investigate the possibility of using generic techniques in cases where only specific techniques have been exploited so far. Finding that existing generic techniques are often not applicable in cases easily handled by specific techniques, we have developed a new approach to iterating transducers. This new approach builds on earlier work, but exploits a number of new conceptual and algorithmic ideas, often induced with the help of experiments, that give it a broad scope as well as good performance.
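Added example (not code from the paper above): a toy regular model checker in Python that makes the abstract's point concrete. Sets of configurations are NFAs over the alphabet {N, T} (N = no token, T = token), the transition relation is a letter-to-letter transducer that moves the single token one place to the right, and the reachable set is computed by iterating the post-image. From N*TN* the naive iteration is already at a fixpoint; from TN* it never converges, which is exactly the situation where an acceleration technique (computing the effect of the iterated transducer) is needed. The candidate closure N*TN* is written by hand here where the paper's technique would compute it; what the code shows is the check a verifier then runs on such a closure: it contains the initial set, it is closed under the transducer, and it lies inside the safe set. The token system, both transducers and all state names are constructed for this example.

```python
# Added example: toy regular model checking with letter-to-letter transducers.
from collections import deque

class NFA:
    # delta: dict (state, letter) -> set of successor states
    def __init__(self, delta, init, final, alphabet):
        self.delta, self.alphabet = delta, alphabet
        self.init, self.final = frozenset(init), frozenset(final)

    def step(self, S, a):
        return frozenset(q for p in S for q in self.delta.get((p, a), ()))

class Transducer:
    # delta: dict (state, input letter) -> set of (output letter, successor state)
    def __init__(self, delta, init, final):
        self.delta, self.init, self.final = delta, frozenset(init), frozenset(final)

def post_image(lang, tau):
    """NFA for { w' | w in L(lang), (w, w') in tau }: product of lang and tau."""
    init = {(p, t) for p in lang.init for t in tau.init}
    delta, seen, todo = {}, set(init), deque(init)
    while todo:
        p, t = todo.popleft()
        for a in lang.alphabet:
            for p2 in lang.delta.get((p, a), ()):
                for b, t2 in tau.delta.get((t, a), ()):
                    delta.setdefault(((p, t), b), set()).add((p2, t2))
                    if (p2, t2) not in seen:
                        seen.add((p2, t2))
                        todo.append((p2, t2))
    final = {s for s in seen if s[0] in lang.final and s[1] in tau.final}
    return NFA(delta, init, final, lang.alphabet)

def union(n1, n2):
    tag = lambda i, S: {(i, q) for q in S}
    delta = {((i, p), a): tag(i, Q) for i, n in ((0, n1), (1, n2)) for (p, a), Q in n.delta.items()}
    return NFA(delta, tag(0, n1.init) | tag(1, n2.init), tag(0, n1.final) | tag(1, n2.final), n1.alphabet)

def subset(n1, n2):
    """L(n1) <= L(n2), by exploring the product of the two subset constructions."""
    start = (n1.init, n2.init)
    seen, todo = {start}, deque([start])
    while todo:
        S1, S2 = todo.popleft()
        if S1 & n1.final and not (S2 & n2.final):
            return False
        for a in n1.alphabet:
            nxt = (n1.step(S1, a), n2.step(S2, a))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True

def determinize(n):
    """Subset construction restricted to reachable subsets; keeps the iterates small."""
    start = n.init
    delta, seen, todo = {}, {start}, deque([start])
    while todo:
        S = todo.popleft()
        for a in n.alphabet:
            T = n.step(S, a)
            if not T:
                continue
            delta[(S, a)] = {T}
            if T not in seen:
                seen.add(T)
                todo.append(T)
    return NFA(delta, {start}, {S for S in seen if S & n.final}, n.alphabet)

def reach(init, tau, max_iter=8):
    """Naive reachability: iterate cur := cur + post(cur). Returns (fixpoint, iterations),
    or (None, max_iter) when the language keeps growing, i.e. acceleration is needed."""
    cur = determinize(init)
    for i in range(max_iter):
        nxt = determinize(union(cur, post_image(cur, tau)))
        if subset(nxt, cur):   # cur <= nxt holds by construction, so this is equality
            return cur, i
        cur = nxt
    return None, max_iter

def check_closure(init, tau, closure, safe):
    """Validate a candidate for the reachable set: inductive and inside the safe set."""
    return {"init_in_closure": subset(init, closure),
            "post_in_closure": subset(post_image(closure, tau), closure),
            "closure_safe": subset(closure, safe)}

# Constructed token-passing system: N = no token, T = token.
ALPHABET = ("N", "T")
MOVE_RIGHT = Transducer({("t0", "N"): {("N", "t0")}, ("t0", "T"): {("N", "t1")},
                         ("t1", "N"): {("T", "t0")}}, {"t0"}, {"t0"})        # T N -> N T
SPAWN_TOKEN = Transducer({("t0", "N"): {("N", "t0")}, ("t0", "T"): {("T", "t1")},
                          ("t1", "N"): {("T", "t0")}}, {"t0"}, {"t0"})       # buggy: T N -> T T
ONE_TOKEN = NFA({("p0", "N"): {"p0"}, ("p0", "T"): {"p1"}, ("p1", "N"): {"p1"}},
                {"p0"}, {"p1"}, ALPHABET)                                   # N*TN*
TOKEN_LEFT = NFA({("q0", "T"): {"q1"}, ("q1", "N"): {"q1"}}, {"q0"}, {"q1"}, ALPHABET)  # TN*
AT_MOST_ONE = NFA({("g0", "N"): {"g0"}, ("g0", "T"): {"g1"}, ("g1", "N"): {"g1"}},
                  {"g0"}, {"g0", "g1"}, ALPHABET)                           # N* + N*TN*

if __name__ == "__main__":
    print("from N*TN*: fixpoint at iteration", reach(ONE_TOKEN, MOVE_RIGHT)[1])
    print("from TN*: converged?", reach(TOKEN_LEFT, MOVE_RIGHT)[0] is not None, "-> acceleration needed")
    print("closure N*TN* under MOVE_RIGHT:", check_closure(TOKEN_LEFT, MOVE_RIGHT, ONE_TOKEN, AT_MOST_ONE))
    print("closure N*TN* under SPAWN_TOKEN:", check_closure(TOKEN_LEFT, SPAWN_TOKEN, ONE_TOKEN, AT_MOST_ONE))
```

The same candidate checked against the second, deliberately buggy transducer (which turns T N into T T) fails the inductiveness check, which is how a wrong or too-optimistic closure is caught: validating a closure only needs post-image and inclusion, so the expensive part, computing the closure, can be untrusted.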
Counterexample-guided focus
In POPL, 2010
Cited by 9 (3 self)
Abstract
The automated inference of quantified invariants is considered one of the next challenges in software verification. The question of the right precision-efficiency tradeoff for the corresponding program analyses here boils down to the question of the right treatment of disjunction below and above the universal quantifier. In the closely related setting of shape analysis one uses the focus operator in order to adapt the treatment of disjunction (and thus the efficiency-precision tradeoff) to the individual program statement. One promising research direction is to design parameterized versions of the focus operator which allow the user to fine-tune the focus operator not only to the individual program statements but also to the specific verification task. We carry this research direction one step further. We fine-tune the focus operator to each individual step of the analysis (for a specific verification task). This fine-tuning must be done automatically. Our idea is to use counterexamples for this purpose. We realize this idea in a tool that automatically infers quantified invariants for the verification of a variety of heap-manipulating programs.
Bottom-Up Shape Analysis
Cited by 9 (0 self)
Abstract
In this paper we present a new shape analysis algorithm. The key distinguishing aspect of our algorithm is that it is completely compositional, bottom-up and non-iterative. We present our algorithm as an inference system for computing Hoare triples summarizing heap-manipulating programs. Our inference rules are compositional: Hoare triples for a compound statement are computed from the Hoare triples of its component statements. These inference rules are used as the basis for a bottom-up shape analysis of programs. Specifically, we present a logic of iterated separation formula (LISF) which uses the iterated separating conjunct of Reynolds [17] to represent program states. A key ingredient of our inference rules is a strong bi-abduction operation between two logical formulas. We describe sound strong bi-abduction and satisfiability decision procedures for LISF. We have built a prototype tool that implements these inference rules and have evaluated it on standard shape analysis benchmark programs. Preliminary results show that our tool can generate expressive summaries, which are complete functional specifications in many cases.
Static Analysis of Dynamic Communication Systems by Partner Abstraction
In Proc. SAS 2007
Cited by 8 (3 self)
Abstract
Prominent examples of dynamic communication systems include traffic control systems and ad hoc networks. Dynamic communication systems are hard to verify due to inherent unboundedness. Unbounded creation and destruction of objects and a dynamically evolving communication topology are characteristic features. Partner graph grammars are presented as an adequate specification formalism for dynamic communication systems. They are based on the single pushout approach to algebraic graph transformation and specifically tailored to dynamic communication systems. We propose a new verification technique based on abstract interpretation of partner graph grammars. It uses a novel two-layered abstraction, partner abstraction, that keeps precise information about objects and their communication partners. We identify statically checkable cases for which the abstract interpretation is even complete. In particular, applicability of transformation rules is preserved precisely. The analysis has been implemented in the hiralysis tool. It is evaluated on a complex case study, car platooning, for which many interesting properties can be proven automatically.
Proving Termination of Tree Manipulating Programs
Cited by 7 (2 self)
Abstract
We consider the termination problem of programs manipulating tree-like dynamic data structures. Our approach is based on a counterexample-guided abstraction refinement loop. We use abstract regular tree model checking to infer invariants of the program. Then, we translate the program to a counter automaton (CA) which simulates it. If the CA can be shown to terminate using existing techniques, the program terminates. If not, we analyse the possible counterexample given by a CA termination checker and either conclude that the program does not terminate, or else refine the abstraction and repeat. We show that the spuriousness problem for lasso-shaped counterexamples is decidable in some non-trivial cases. We applied the method successfully on several interesting case studies.
Heap assumptions on demand
2008
Cited by 7 (2 self)
Abstract
Termination of a heap-manipulating program generally depends on preconditions that express heap assumptions (i.e., assertions describing reachability, aliasing, separation and sharing in the heap). We present an algorithm for the inference of such preconditions. The algorithm exploits a unique interplay between a counterexample-producing abstract termination checker and shape analysis. The shape analysis produces heap assumptions on demand to eliminate counterexamples, i.e., non-terminating abstract computations. The experiments with our prototype implementation indicate its practical potential.
Computing Simulations over Tree Automata: Efficient Techniques for Reducing Tree Automata
In Proc. of TACAS'08, LNCS, 2008
Cited by 5 (3 self)
Abstract
We address the problem of computing simulation relations over tree automata. In particular, we consider downward and upward simulations on tree automata, which are, loosely speaking, analogous to forward and backward relations over word automata. We provide simple and efficient algorithms for computing these relations based on a reduction to the problem of computing simulations on labelled transition systems. Furthermore, we show that downward and upward relations can be combined to get relations compatible with the tree language equivalence, which can subsequently be used for an efficient size reduction of nondeterministic tree automata. This is of very high interest, for instance, for symbolic verification methods such as regular model checking, which use tree automata to represent infinite sets of reachable configurations. We provide experimental results showing the efficiency of our algorithms on examples of tree automata taken from regular model checking computations.
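Added example (not code from the paper above): a minimal Python implementation of downward simulation on a bottom-up tree automaton and of the quotient it induces, which is the kind of size reduction the abstract refers to. The relation is computed directly as a greatest fixpoint over state pairs rather than through the paper's reduction to labelled transition systems, and upward simulation is not implemented. The automaton over the symbols a, b, nil and cons, its state names and the sample trees are constructed for this example; it accepts non-empty lists of a's and b's, with a redundant copy ql2 of the list state ql, and a state qla (lists of a's only) that is simulated by ql but does not simulate it, so only ql and ql2 get merged.

```python
# Added example: downward simulation on a bottom-up tree automaton and the quotient
# it induces, with an ad-hoc toy automaton (states and rules constructed here).

class TreeAutomaton:
    """Bottom-up NFTA: rules are (symbol, (child states...), target state)."""
    def __init__(self, rules, final):
        self.rules = [(f, tuple(qs), q) for f, qs, q in rules]
        self.final = set(final)
        self.states = {s for _, qs, q in self.rules for s in (*qs, q)} | self.final

    def run(self, tree):
        """States the automaton can reach at the root of tree = (symbol, *subtrees)."""
        f, kids = tree[0], tree[1:]
        kid_states = [self.run(k) for k in kids]
        return {q for g, qs, q in self.rules
                if g == f and len(qs) == len(kids)
                and all(qi in Si for qi, Si in zip(qs, kid_states))}

    def accepts(self, tree):
        return bool(self.run(tree) & self.final)

def downward_simulation(ta):
    """Greatest relation with  q <= r  iff every rule f(q1..qn)->q is matched by some
    rule f(r1..rn)->r with qi <= ri for all i.  Computed by refining the full relation."""
    sim = {(q, r) for q in ta.states for r in ta.states}
    changed = True
    while changed:
        changed = False
        for q, r in list(sim):
            for f, qs, tgt in ta.rules:
                if tgt != q:
                    continue
                matched = any(g == f and rt == r and len(rs) == len(qs)
                              and all((a, b) in sim for a, b in zip(qs, rs))
                              for g, rs, rt in ta.rules)
                if not matched:
                    sim.discard((q, r))
                    changed = True
                    break
    return sim

def quotient(ta, sim):
    """Merge states that simulate each other (sim and its inverse); for downward
    simulation this quotient preserves the accepted tree language."""
    rep = {}
    for q in sorted(ta.states):
        same = [r for r in rep if (q, r) in sim and (r, q) in sim]
        rep[q] = rep[same[0]] if same else q
    rules = {(f, tuple(rep[x] for x in qs), rep[q]) for f, qs, q in ta.rules}
    return TreeAutomaton(rules, {rep[q] for q in ta.final})

# Constructed automaton over a/0, b/0, nil/0, cons/2: non-empty lists of a's and b's.
# ql2 is a redundant copy of ql; qla (lists of a's only) is simulated by ql, not vice versa.
LISTS = TreeAutomaton(
    rules=[("a", (), "qa"), ("b", (), "qb"), ("nil", (), "qn"),
           ("cons", ("qa", "qn"), "ql"), ("cons", ("qb", "qn"), "ql"),
           ("cons", ("qa", "ql"), "ql"), ("cons", ("qb", "ql"), "ql"),
           ("cons", ("qa", "qn"), "ql2"), ("cons", ("qb", "qn"), "ql2"),
           ("cons", ("qa", "ql2"), "ql2"), ("cons", ("qb", "ql2"), "ql2"),
           ("cons", ("qa", "qn"), "qla"), ("cons", ("qa", "qla"), "qla")],
    final={"ql", "ql2", "qla"})

def reduce_lists():
    """Return (downward simulation, reduced automaton) for the constructed example."""
    sim = downward_simulation(LISTS)
    return sim, quotient(LISTS, sim)

if __name__ == "__main__":
    sim, reduced = reduce_lists()
    print("ql ~ ql2:", ("ql", "ql2") in sim and ("ql2", "ql") in sim)
    print("qla <= ql:", ("qla", "ql") in sim, " ql <= qla:", ("ql", "qla") in sim)
    print("states:", len(LISTS.states), "->", len(reduced.states))
    t = ("cons", ("a",), ("cons", ("b",), ("nil",)))
    print("accepts [a, b] before/after:", LISTS.accepts(t), reduced.accepts(t))
```

The refinement loop is quadratic in the number of state pairs times the number of rules, which is fine for a toy but is exactly the cost the paper's LTS-based algorithms avoid; the point of the check at the end (same verdict on sample trees before and after) is that quotienting by mutual downward simulation does not change the language, while quotienting by a one-directional pair such as (qla, ql) would.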
An Efficient Decision Procedure for Imperative Tree Data Structures
Cited by 4 (3 self)
Abstract
We present a new decidable logic called TREX for expressing constraints about imperative tree data structures. In particular, TREX supports a transitive closure operator that can express reachability constraints, which often appear in data structure invariants. We show that our logic is closed under weakest precondition computation, which enables its use for automated software verification. We further show that satisfiability of formulas in TREX is decidable in NP. The low complexity makes it an attractive alternative to more expensive logics such as monadic second-order logic (MSOL) over trees, which have traditionally been used for reasoning about tree data structures.
Monotonic Abstraction for Programs with Multiply-Linked Structures
In Proc. of RP, volume 6945 of LNCS, 2011
Cited by 4 (0 self)
Abstract
We investigate the use of monotonic abstraction and backward reachability analysis as means of performing shape analysis on programs with multiply pointed structures. By encoding the heap as a vertex- and edge-labeled graph, we can model the low-level behaviour exhibited by programs written in the C programming language. Using the notion of signatures, which are predicates that define sets of heaps, we can check properties such as absence of null pointer dereference and shape invariants. We report on the results from running a prototype based on the method on several programs such as insertion into and merging of doubly-linked lists.
Equational approximations for tree automata completion
Journal of Symbolic Computation
Cited by 3 (0 self)
Abstract
In this paper we deal with the verification of safety properties of infinite-state systems modeled by term-rewriting systems. An over-approximation of the set of reachable terms of a term-rewriting system R is obtained by automatically constructing a finite tree automaton. The construction is parameterized by a set E of equations on terms, and we also show that the approximating automata recognize at most the set of R/E-reachable terms. Finally, we present some experiments carried out with the implementation of our algorithm. In particular, we show how some approximations from the literature can be defined using equational approximations.