Results 11  20
of
120
Compositional MayMust Program Analysis: Unleashing the Power of Alternation
"... Program analysis tools typically compute two types of information: (1) may information that is true of all program executions and is used to prove the absence of bugs in the program, and (2) must information that is true of some program executions and is used to prove the existence of bugs in the pr ..."
Abstract

Cited by 31 (9 self)
 Add to MetaCart
Program analysis tools typically compute two types of information: (1) may information that is true of all program executions and is used to prove the absence of bugs in the program, and (2) must information that is true of some program executions and is used to prove the existence of bugs in the program. In this paper, we propose a new algorithm, dubbed SMASH, which computes both may and must information compositionally. At each procedure boundary, may and must information is represented and stored as may and must summaries, respectively. Those summaries are computed in a demanddriven manner and possibly using summaries of the opposite type. We have implemented SMASH using predicate abstraction (as in SLAM) for the may part and using dynamic test generation (as in DART) for the must part. Results of experiments with 69 Microsoft Windows Vista device drivers show that SMASH can significantly outperform mayonly, mustonly and noncompositional maymust algorithms. Indeed, our empirical results indicate that most complex code fragments in large programs are actually often either easy to prove irrelevant to the specific property of interest using may analysis or easy to traverse using directed testing. The finegrained coupling and alternation of may (universal) and must (existential) summaries allows SMASH to easily navigate through these code fragments while traditional mayonly, mustonly or noncompositional maymust algorithms are stuck in their specific analyses. 1.
Termination Analysis of Java Bytecode
"... The state of the art in termination analysis includes advanced techniques developed for logic and functional programming [12, 4, 9, 11, 10] and imperative languages [2, 5, 8, 6, 10], as well as for term rewriting systems [10]. In [6, 5] tools for proving termination of large industrial code are pres ..."
Abstract

Cited by 30 (15 self)
 Add to MetaCart
The state of the art in termination analysis includes advanced techniques developed for logic and functional programming [12, 4, 9, 11, 10] and imperative languages [2, 5, 8, 6, 10], as well as for term rewriting systems [10]. In [6, 5] tools for proving termination of large industrial code are presented. However, termination of lowlevel languages, such as Java bytecode, has received little
Expressive declassification policies and modular static enforcement
 IEEE Symposium on Security and Privacy
, 2008
"... This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an endtoend semantic property is introduced, based on a model that allows observations of intermediate low ..."
Abstract

Cited by 29 (3 self)
 Add to MetaCart
This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an endtoend semantic property is introduced, based on a model that allows observations of intermediate low states as well as termination. An attacker’s knowledge only increases at explicit declassification steps, and within limits set by policy. Thirdly, static enforcement is provided by combining typechecking with program verification techniques applied to the small subprograms that carry out declassifications. Enforcement is proved sound for a simple programming language and the extension to objectoriented programs is described. 1.
Controlflow refinement and progress invariants for bound analysis
 In PLDI
, 2009
"... Symbolic complexity bounds help programmers understand the performance characteristics of their implementations. Existing work provides techniques for statically determining bounds of procedures with simple controlflow. However, procedures with nested loops or multiple paths through a single loop a ..."
Abstract

Cited by 25 (5 self)
 Add to MetaCart
Symbolic complexity bounds help programmers understand the performance characteristics of their implementations. Existing work provides techniques for statically determining bounds of procedures with simple controlflow. However, procedures with nested loops or multiple paths through a single loop are challenging. In this paper we describe two techniques, controlflow refinement and progress invariants, that together enable estimation of precise bounds for procedures with nested and multipath loops. Controlflow refinement transforms a multipath loop into a semantically equivalent code fragment with simpler loops by making the structure of path interleaving explicit. We show that this enables nondisjunctive invariant generation tools to find a bound on many procedures for which previous techniques were unable to prove termination. Progress invariants characterize relationships between
The reachabilitybound problem
 In PLDI
, 2010
"... We define the reachabilitybound problem to be the problem of finding a symbolic worstcase bound on the number of times a given control location inside a procedure is visited in terms of the inputs to that procedure. This has applications in bounding resources consumed by a program such as time, me ..."
Abstract

Cited by 22 (6 self)
 Add to MetaCart
We define the reachabilitybound problem to be the problem of finding a symbolic worstcase bound on the number of times a given control location inside a procedure is visited in terms of the inputs to that procedure. This has applications in bounding resources consumed by a program such as time, memory, networktraffic, power, as well as estimating quantitative properties (as opposed to boolean properties) of data in programs, such as information leakage or uncertainty propagation. Our approach to solving the reachabilitybound problem brings together two different techniques for reasoning about loops in an effective manner. One of these techniques is an abstractinterpretation based iterative technique for computing precise disjunctive invariants (to summarize nested loops). The other technique is a noniterative proofrules based technique (for loop bound computation) that takes over the role of doing inductive reasoning, while deriving its power from the use of SMT solvers to reason about abstract loopfree fragments. Our solution to the reachabilitybound problem allows us to compute precise symbolic complexity bounds for several loops in.Net baseclass libraries for which earlier techniques fail. We also illustrate the precision of our algorithm for disjunctive invariant computation (which has a more general applicability beyond the reachabilitybound problem) on a set of benchmark examples.
AUTOMATED TERMINATION ANALYSIS OF JAVA BYTECODE BY TERM REWRITING
, 2010
"... We present an automated approach to prove termination of Java Bytecode (JBC) programs by automatically transforming them to term rewrite systems (TRSs). In this way, the numerous techniques and tools developed for TRS termination can now be used for imperative objectoriented languages like Java, ..."
Abstract

Cited by 19 (10 self)
 Add to MetaCart
We present an automated approach to prove termination of Java Bytecode (JBC) programs by automatically transforming them to term rewrite systems (TRSs). In this way, the numerous techniques and tools developed for TRS termination can now be used for imperative objectoriented languages like Java, which can be compiled into JBC.
A SATBased Approach to Size Change Termination with Global Ranking Functions
"... Abstract. We describe a new approach to proving termination with size change graphs. This is the first decision procedure for size change termination (SCT) which makes direct use of global ranking functions. It handles a welldefined and significant subset of SCT instances, designed to be amenable t ..."
Abstract

Cited by 18 (7 self)
 Add to MetaCart
Abstract. We describe a new approach to proving termination with size change graphs. This is the first decision procedure for size change termination (SCT) which makes direct use of global ranking functions. It handles a welldefined and significant subset of SCT instances, designed to be amenable to a SATbased solution. We have implemented the approach using a stateoftheart Boolean satisfaction solver. Experimentation indicates that the approach is a viable alternative to the complete SCT decision procedure based on closure computation and local ranking functions. Our approach has the extra benefit of producing an explicit witness to prove termination in the form of a global ranking function. 1
Operating System Verification — An Overview
"... Abstract. This paper gives a highlevel introduction to the topic of formal, interactive, machinechecked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machinechecked code proofs, and ..."
Abstract

Cited by 16 (5 self)
 Add to MetaCart
Abstract. This paper gives a highlevel introduction to the topic of formal, interactive, machinechecked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machinechecked code proofs, and describe two specific ongoing largerscale verification projects in more detail.
Proving termination of integer term rewriting
 In Proc. RTA ’09, LNCS 5595
, 2009
"... Abstract. When using rewrite techniques for termination analysis of programs, a main problem are predefined data types like integers. We extend term rewriting by builtin integers and adapt the dependency pair framework to prove termination of integer term rewriting automatically. 1 ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
Abstract. When using rewrite techniques for termination analysis of programs, a main problem are predefined data types like integers. We extend term rewriting by builtin integers and adapt the dependency pair framework to prove termination of integer term rewriting automatically. 1
Pathbased Inductive Synthesis for Program Inversion
"... In this paper, we investigate the problem of semiautomated inversion of imperative programs, which has the potential to make it much easier and less error prone to write programs that naturally pair as inverses, such as insert/delete operations, compressors/decompressors, and so on. Viewing inversi ..."
Abstract

Cited by 15 (6 self)
 Add to MetaCart
In this paper, we investigate the problem of semiautomated inversion of imperative programs, which has the potential to make it much easier and less error prone to write programs that naturally pair as inverses, such as insert/delete operations, compressors/decompressors, and so on. Viewing inversion as a subproblem of program synthesis, we propose a novel synthesis technique called Pathbased Inductive Synthesis (PINS) and apply it to inversion. PINS starts from a program P and a template T for its inverse. PINS then iteratively refines the space of template instantiations by exploring paths in the composition of P and T with symbolic execution. PINS uses an SMT solver to intelligently guide the refinement process, based on the paths explored so far. The key idea motivating this approach is the small pathbound hypothesis: that the behavior of a program can be summarized with a small, carefully chosen set of its program paths. We evaluated PINS by using it to invert 14 programs such as compressors (e.g., LempelZivWelch), encoders (e.g., UUEncode), and arithmetic operations (e.g., vector rotation). Most of these examples are difficult or impossible to invert using prior techniques, but PINS was able to invert all of them. We also found that a semiautomated technique we developed to mine a template from the program to be inverted worked well. In our experiments, PINS takes between one second to thirty minutes to synthesize inverses. We believe this proofofconcept implementation demonstrates the viability of the PINS approach to program synthesis.