Execution generated test cases: How to make systems code crash itself, 2005
Cited by 94 (8 self)
Abstract: This paper presents a technique that uses code to automatically generate its own test cases at runtime by using a combination of symbolic and concrete (i.e., regular) execution. The input values to a program (or software component) provide the standard interface of any testing framework with the program it is testing, and generating input values that will explore all the “interesting” behavior in the tested program remains an important open problem in software testing research. Our approach works by turning the problem on its head: we lazily generate, from within the program itself, the input values to the program (and values derived from input values) as needed. We applied the technique to real code and found numerous corner-case errors ranging from simple memory overflows and infinite loops to subtle issues in the interpretation of language standards.
Deciding bit-vector arithmetic with abstraction. In Proc. TACAS 2007, 2007
Cited by 44 (17 self)
Abstract: We present a new decision procedure for finite-precision bit-vector arithmetic with arbitrary bit-vector operations. Our procedure alternates between generating under- and over-approximations of the original bit-vector formula. An under-approximation is obtained by a translation to propositional logic in which some bit-vector variables are encoded with fewer Boolean variables than their width. If the under-approximation is unsatisfiable, we use the unsatisfiable core to derive an over-approximation based on the subset of predicates that participated in the proof of unsatisfiability. If this over-approximation is satisfiable, the satisfying assignment guides the refinement of the previous under-approximation by increasing, for some bit-vector variables, the number of Boolean variables that encode them. We present experimental results that suggest that this abstraction-based approach can be considerably more efficient than directly invoking the SAT solver on the original formula as well as other competing decision procedures.
A lazy and layered SMT(BV) solver for hard industrial verification problems. In Computer Aided Verification (CAV), LNCS, 2007
Cited by 17 (6 self)
Abstract: Verification problems rarely originate from bit-level descriptions. Yet, most verification technologies are based on bit blasting, i.e., reduction to Boolean reasoning. In this paper we advocate reasoning at a higher level of abstraction, within the theory of bit vectors (BV), where structural information (e.g. equalities, arithmetic functions) is not blasted into bits. Our approach relies on the lazy Satisfiability Modulo Theories (SMT) paradigm. We developed a satisfiability procedure for reasoning about bit vectors that carefully leverages the power of a Boolean SAT solver to deal with components that are more naturally “Boolean”, and activates bit-vector reasoning whenever possible. The procedure has two distinguishing features. First, it relies on the online integration of a SAT solver with an incremental and backtrackable solver for BV that enables dynamic optimization of the reasoning about bit vectors; for instance, this is an improvement over static encoding methods which may generate smaller slices of bit-vector variables. Second, the solver for BV is layered (i.e., it privileges cheaper forms of reasoning), and it is based on a flexible use of term rewriting techniques. We evaluate our approach on a set of realistic industrial benchmarks, and demonstrate substantial improvements with respect to state-of-the-art Boolean satisfiability solvers, as well as other decision procedures for SMT(BV).
A Scalable Decision Procedure for Fixed-Width Bit-Vectors. In ICCAD, 2009
Cited by 5 (1 self)
Abstract: Efficient decision procedures for bit-vectors are essential for modern verification frameworks. This paper describes a new decision procedure for the core theory of bit-vectors that exploits a reduction to equality reasoning. The procedure is embedded in a congruence closure algorithm, whose data structures are extended in order to efficiently manage the relations between bit-vector slicings, modulo equivalence classes. The resulting procedure is incremental, backtrackable, and proof producing: it can be used as a theory solver for a lazy SMT schema. Experiments show that our approach is comparable and often superior to bit-blasting on the core fragment, and that it also helps as a theory layer when applied over the full bit-vector theory.
Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation, 2008
Cited by 3 (1 self)
not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsoring institutions, the U.S. Government or any other entity.
Keywords: Formal methods, model checking, abstraction, refinement, bounded model checking, Boolean satisfiability, non-clausal SAT solvers, DPLL, general matings, unsatisfiable core, Craig interpolation, proofs of unsatisfiability, linear Diophantine equations, linear modular equations (linear congruences), linear Diophantine
Abstract: Automatic verification of hardware and software implementations is crucial for building reliable computer systems. Most verification tools rely on decision procedures to check the satisfiability of various formulas that are generated during the verification process. This thesis develops new techniques for building efficient decision procedures and adds new capabilities to the existing decision procedures for certain logics. Boolean satisfiability (SAT) solvers are used heavily in verification tools as decision procedures for propositional logic. Most state-of-the-art SAT solvers are
Formal Verification at Higher Levels of Abstraction
Cited by 2 (0 self)
Abstract: Most formal verification tools on the market convert a high-level register transfer level (RTL) design into a bit-level model. Algorithms that operate at the bit-level are unable to exploit the structure provided by the higher abstraction levels, and thus, are less scalable. This tutorial surveys recent advances in formal verification using high-level models. We present word-level verification with predicate abstraction and satisfiability modulo theories (SMT) solvers. We then describe techniques for term-level modeling and ways to combine word-level and term-level approaches for scalable verification.
Contributions to abstraction-based system verification. Software Tools for Technology Transfer, special section on Advances in Reachability Analysis and Decision Procedures, 2009
Abstract: Reachability analysis asks whether a system can evolve from legitimate initial states to unsafe states. It is thus a fundamental tool in the validation of computational systems – be they software, hardware or a combination thereof. We recall a standard approach for reachability analysis, which captures the system in a transition system, forms another transition system as an over-approximation, and performs an incremental fixed-point computation on that over-approximation to determine whether unsafe states can be reached. We show this method to be sound for proving the absence of errors, and discuss its limitations for proving the presence of errors, as well as some means of addressing this limitation. We then sketch how program annotations for data integrity constraints and interface specifications – as in
Sketching with Partial Programs, 2006
Abstract: Sketching is a software synthesis approach where the programmer develops a partial implementation — a sketch — and a separate specification of the desired functionality. The synthesizer then completes the sketch to behave like the specification. The synthesized implementation is correct by construction, which allows, among other benefits, rapid sketching of many implementations without the fear of introducing bugs. We develop SKETCH, a language for finite programs with linguistic support for sketching. Finite programs include many high-performance kernels, including cryptocodes. In contrast to prior work, where sketches were meta-level rewrite rules, our sketches are simple-to-understand partial programs. Partial programs are programs with “holes” that are filled by the synthesizer. The unspecified behavior of partial programs is modeled with a single nondeterministic operator that we show to be surprisingly versatile. We also develop a synthesizer that is complete for the class of finite programs: it is guaranteed to complete any sketch in theory, and in practice has scaled to complex real-world programming problems.