Results 1  10
of
32
Counterexampleguided focus
 In POPL
, 2010
"... The automated inference of quantified invariants is considered one of the next challenges in software verification. The question of the right precisionefficiency tradeoff for the corresponding program analyses here boils down to the question of the right treatment of disjunction below and above the ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
(Show Context)
The automated inference of quantified invariants is considered one of the next challenges in software verification. The question of the right precisionefficiency tradeoff for the corresponding program analyses here boils down to the question of the right treatment of disjunction below and above the universal quantifier. In the closely related setting of shape analysis one uses the focus operator in order to adapt the treatment of disjunction (and thus the efficiencyprecision tradeoff) to the individual program statement. One promising research direction is to design parameterized versions of the focus operator which allow the user to finetune the focus operator not only to the individual program statements but also to the specific verification task. We carry this research direction one step further. We finetune the focus operator to each individual step of the analysis (for a specific verification task). This finetuning must be done automatically. Our idea is to use counterexamples for this purpose. We realize this idea in a tool that automatically infers quantified invariants for the verification of a variety of heapmanipulating programs.
On (Omega)Regular Model Checking
, 2008
"... Checking infinitestate systems is frequently done by encoding infinite sets of states as regular languages. Computing such a regular representation of, say, the set of reachable states of a system requires acceleration techniques that can finitely compute the effect of an unbounded number of transi ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
(Show Context)
Checking infinitestate systems is frequently done by encoding infinite sets of states as regular languages. Computing such a regular representation of, say, the set of reachable states of a system requires acceleration techniques that can finitely compute the effect of an unbounded number of transitions. Among the acceleration techniques that have been proposed, one finds both specific and generic techniques. Specific techniques exploit the particular type of system being analyzed, e.g. a system manipulating queues or integers, whereas generic techniques only assume that the transition relation is represented by a finitestate transducer, which has to be iterated. In this paper, we investigate the possibility of using generic techniques in cases where only specific techniques have been exploited so far. Finding that existing generic techniques are often not applicable in cases easily handled by specific techniques, we have developed a new approach to iterating transducers. This new approach builds on earlier work, but exploits a number of new conceptual and algorithmic ideas, often induced with the help of experiments, that give it a broad scope, as well as good performances.
BottomUp Shape Analysis
"... Abstract. In this paper we present a new shape analysis algorithm. The key distinguishing aspect of our algorithm is that it is completely compositional, bottomup and noniterative. We present our algorithm as an inference system for computing Hoare triples summarizing heap manipulating programs. O ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we present a new shape analysis algorithm. The key distinguishing aspect of our algorithm is that it is completely compositional, bottomup and noniterative. We present our algorithm as an inference system for computing Hoare triples summarizing heap manipulating programs. Our inference rules are compositional: Hoare triples for a compound statement are computed from the Hoare triples of its component statements. These inference rules are used as the basis for a bottomup shape analysis of programs. Specifically, we present a logic of iterated separation formula (LISF) which uses the iterated separating conjunct of Reynolds [17] to represent program states. A key ingredient of our inference rules is a strong biabduction operation between two logical formulas. We describe sound strong biabduction and satisfiability decision procedures for LISF. We have built a prototype tool that implements these inference rules and have evaluated it on standard shape analysis benchmark programs. Preliminary results show that our tool can generate expressive summaries, which are complete functional specifications in many cases. 1
Static Analysis of Dynamic Communication Systems by Partner Abstraction
 In Proc. SAS 2007
, 2007
"... Abstract. Prominent examples of dynamic communication systems include traffic control systems and ad hoc networks. Dynamic communication systems are hard to verify due to inherent unboundedness. Unbounded creation and destruction of objects and a dynamically evolving communication topology are chara ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Abstract. Prominent examples of dynamic communication systems include traffic control systems and ad hoc networks. Dynamic communication systems are hard to verify due to inherent unboundedness. Unbounded creation and destruction of objects and a dynamically evolving communication topology are characteristic features. Partner graph grammars are presented as an adequate specification formalism for dynamic communication systems. They are based on the single pushout approach to algebraic graph transformation and specifically tailored to dynamic communication systems. We propose a new verification technique based on abstract interpretation of partner graph grammars. It uses a novel twolayered abstraction, partner abstraction, that keeps precise information about objects and their communication partners. We identify statically checkable cases for which the abstract interpretation is even complete. In particular, applicability of transformation rules is preserved precisely. The analysis has been implemented in the hiralysis tool. It is evaluated on a complex case study, car platooning, for which many interesting properties can be proven automatically. 1
Equational approximations for tree automata completion
 Journal of Symbolic Computation
"... In this paper we deal with the verification of safety properties of infinitestate systems modeled by termrewriting systems. An overapproximation of the set of reachable terms of a termrewriting system R is obtained by automatically constructing a finite tree automaton. The construction is paramet ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
In this paper we deal with the verification of safety properties of infinitestate systems modeled by termrewriting systems. An overapproximation of the set of reachable terms of a termrewriting system R is obtained by automatically constructing a finite tree automaton. The construction is parameterized by a set E of equations on terms, and we also show that the approximating automata recognize at most the set of R/Ereachable terms. Finally, we present some experiments carried out with the implementation of our algorithm. In particular, we show how some approximations from the literature can be defined using equational approximations.
Heap assumptions on demand
, 2008
"... Abstract. Termination of a heapmanipulating program generally depends on preconditions that express heap assumptions (i.e., assertions describing reachability, aliasing, separation and sharing in the heap). We present an algorithm for the inference of such preconditions. The algorithm exploits a un ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Termination of a heapmanipulating program generally depends on preconditions that express heap assumptions (i.e., assertions describing reachability, aliasing, separation and sharing in the heap). We present an algorithm for the inference of such preconditions. The algorithm exploits a unique interplay between counterexampleproducing abstract termination checker and shape analysis. The shape analysis produces heap assumptions on demand to eliminate counterexamples, i.e., nonterminating abstract computations. The experiments with our prototype implementation indicate its practical potential. 1
Formal Verification of a Flash Memory Device Driver an Experience Report
"... Abstract. Flash memory has become virtually indispensable in most mobile devices. In order for mobile devices to operate successfully, it is essential that flash memory be controlled correctly through the device driver software. However, as is typical for embedded software, conventional testing meth ..."
Abstract

Cited by 10 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Flash memory has become virtually indispensable in most mobile devices. In order for mobile devices to operate successfully, it is essential that flash memory be controlled correctly through the device driver software. However, as is typical for embedded software, conventional testing methods often fail to detect hidden flaws in the complex device driver software. This deficiency incurs significant development and operation overhead to the manufacturers. In order to compensate for the weaknesses of conventional testing, we have applied NuSMV, Spin, and CBMC to verify the correctness of a multisector read operation of the Samsung OneNAND TM flash device driver and studied their relative strengths and weaknesses empirically. Through this project, we verified the correctness of the multisector read operation on a small scale. The results demonstrate the feasibility of using model checking techniques to verify the control algorithm of a device driver in an industrial setting. 1
Proving Termination of Tree Manipulating Programs
"... Abstract. We consider the termination problem of programs manipulating treelike dynamic data structures. Our approach is based on a counterexample guided abstraction refinement loop. We use abstract regular tree modelchecking to infer invariants of the program. Then, we translate the program to a ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the termination problem of programs manipulating treelike dynamic data structures. Our approach is based on a counterexample guided abstraction refinement loop. We use abstract regular tree modelchecking to infer invariants of the program. Then, we translate the program to a counter automaton (CA) which simulates it. If the CA can be shown to terminate using existing techniques, the program terminates. If not, we analyse the possible counterexample given by a CA termination checker and either conclude that the program does not terminate, or else refine the abstraction and repeat. We show that the spuriousness problem for lassoshaped counterexamples is decidable in some nontrivial cases. We applied the method successfully on several interesting case studies. 1
Towards modelchecking programs with lists
 In ILC’07, volume 5489 of LNCS
, 2009
"... Abstract. We aim at checking safety and temporal properties over models representing the behavior of programs manipulating dynamic singlylinked lists. The properties we consider not only allow to perform a classical shape analysis, but we also want to check quantitative aspect on the manipulated m ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We aim at checking safety and temporal properties over models representing the behavior of programs manipulating dynamic singlylinked lists. The properties we consider not only allow to perform a classical shape analysis, but we also want to check quantitative aspect on the manipulated memory heap. We first explain how a translation of programs into counter systems can be used to check safety problems and temporal properties. We then study the decidability of these two problems considering some restricted classes of programs, namely flat programs without destructive update. We obtain the following results: (1) the modelchecking problem is decidable if the considered program works over acyclic lists (2) the safety problem is decidable for programs without alias test. We finally explain the limit of our decidability results, showing that relaxing one of the hypothesis leads to undecidability results. 1
An Efficient Decision Procedure for Imperative Tree Data Structures ⋆
"... Abstract. We present a new decidable logic called TREX for expressing constraints about imperative tree data structures. In particular, TREX supports a transitive closure operator that can express reachability constraints, which often appear in data structure invariants. We show that our logic is cl ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new decidable logic called TREX for expressing constraints about imperative tree data structures. In particular, TREX supports a transitive closure operator that can express reachability constraints, which often appear in data structure invariants. We show that our logic is closed under weakest precondition computation, which enables its use for automated software verification. We further show that satisfiability of formulas in TREX is decidable in NP. The low complexity makes it an attractive alternative to more expensive logics such as monadic secondorder logic (MSOL) over trees, which have been traditionally used for reasoning about tree data structures. 1