Results 1  10
of
35
Speed: Precise and efficient static estimation of program computational complexity
 In POPL’09
, 2009
"... This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually ..."
Abstract

Cited by 41 (3 self)
 Add to MetaCart
This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually disjunctive, nonlinear, and involve numerical properties of heaps. We address the challenges of generating these bounds using two novel ideas. We introduce a proof methodology based on multiple counter instrumentation (each counter can be initialized and incremented at potentially multiple program locations) that allows a given linear invariant generation tool to compute linear bounds individually on these counter variables. The bounds on these counters are then composed together to generate total bounds that are nonlinear and disjunctive. We also give an algorithm for automating this proof
Proving that programs eventually do something good
 In POPL’06: Principles of Programming Languages
, 2007
"... In recent years we have seen great progress made in the area of automatic sourcelevel static analysis tools. However, most of today’s program verification tools are limited to properties that guarantee the absence of bad events (safety properties). Until now no formal software analysis tool has pro ..."
Abstract

Cited by 34 (13 self)
 Add to MetaCart
In recent years we have seen great progress made in the area of automatic sourcelevel static analysis tools. However, most of today’s program verification tools are limited to properties that guarantee the absence of bad events (safety properties). Until now no formal software analysis tool has provided fully automatic support for proving properties that ensure that good events eventually happen (liveness properties). In this paper we present such a tool, which handles liveness properties of large systems written in C. Liveness properties are described in an extension of the specification language used in the SDV system. We have used the tool to automatically prove critical liveness properties of Windows device drivers and found several previously unknown liveness bugs.
Program analysis as constraint solving
 In PLDI
, 2008
"... A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program ana ..."
Abstract

Cited by 33 (11 self)
 Add to MetaCart
A constraintbased approach to invariant generation in programs translates a program into constraints that are solved using offtheshelf constraint solvers to yield desired program invariants. In this paper we show how the constraintbased approach can be used to model a wide spectrum of program analyses in an expressive domain containing disjunctions and conjunctions of linear inequalities. In particular, we show how to model the problem of contextsensitive interprocedural program verification. We also present the first constraintbased approach to weakest precondition and strongest postcondition inference. The constraints we generate are boolean combinations of quadratic inequalities over integer variables. We reduce these constraints to SAT formulae using bitvector modeling and use offtheshelf SAT solvers to solve them. Furthermore, we present interesting applications of the above analyses, namely bounds analysis and generation of mostgeneral counterexamples for both safety and termination properties. We also present encouraging preliminary experimental results demonstrating the feasibility of our technique on a variety of challenging examples.
Controlflow refinement and progress invariants for bound analysis
 In PLDI
, 2009
"... Symbolic complexity bounds help programmers understand the performance characteristics of their implementations. Existing work provides techniques for statically determining bounds of procedures with simple controlflow. However, procedures with nested loops or multiple paths through a single loop a ..."
Abstract

Cited by 25 (5 self)
 Add to MetaCart
Symbolic complexity bounds help programmers understand the performance characteristics of their implementations. Existing work provides techniques for statically determining bounds of procedures with simple controlflow. However, procedures with nested loops or multiple paths through a single loop are challenging. In this paper we describe two techniques, controlflow refinement and progress invariants, that together enable estimation of precise bounds for procedures with nested and multipath loops. Controlflow refinement transforms a multipath loop into a semantically equivalent code fragment with simpler loops by making the structure of path interleaving explicit. We show that this enables nondisjunctive invariant generation tools to find a bound on many procedures for which previous techniques were unable to prove termination. Progress invariants characterize relationships between
The reachabilitybound problem
 In PLDI
, 2010
"... We define the reachabilitybound problem to be the problem of finding a symbolic worstcase bound on the number of times a given control location inside a procedure is visited in terms of the inputs to that procedure. This has applications in bounding resources consumed by a program such as time, me ..."
Abstract

Cited by 22 (6 self)
 Add to MetaCart
We define the reachabilitybound problem to be the problem of finding a symbolic worstcase bound on the number of times a given control location inside a procedure is visited in terms of the inputs to that procedure. This has applications in bounding resources consumed by a program such as time, memory, networktraffic, power, as well as estimating quantitative properties (as opposed to boolean properties) of data in programs, such as information leakage or uncertainty propagation. Our approach to solving the reachabilitybound problem brings together two different techniques for reasoning about loops in an effective manner. One of these techniques is an abstractinterpretation based iterative technique for computing precise disjunctive invariants (to summarize nested loops). The other technique is a noniterative proofrules based technique (for loop bound computation) that takes over the role of doing inductive reasoning, while deriving its power from the use of SMT solvers to reason about abstract loopfree fragments. Our solution to the reachabilitybound problem allows us to compute precise symbolic complexity bounds for several loops in.Net baseclass libraries for which earlier techniques fail. We also illustrate the precision of our algorithm for disjunctive invariant computation (which has a more general applicability beyond the reachabilitybound problem) on a set of benchmark examples.
Inferring Synchronization under Limited Observability
"... Abstract. This paper addresses the problem of automatically inferring synchronization for concurrent programs. Given a program and a specification, we infer synchronization that avoids all interleavings violating the specification, but permits as many valid interleavings as possible. We let the user ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
Abstract. This paper addresses the problem of automatically inferring synchronization for concurrent programs. Given a program and a specification, we infer synchronization that avoids all interleavings violating the specification, but permits as many valid interleavings as possible. We let the user specify an upper bound on the cost of synchronization, which may limit the observability — what observations on program state can be made by the synchronization code. We present an algorithm that infers, under certain conditions, the maximally permissive synchronization for a given cost. We implemented a prototype of our approach and applied it to infer synchronization in a number of small programs. 1
Cyclic proofs of program termination in separation logic. Forthcoming
"... We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a s ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a state satisfying a given precondition, which is expressed as a formula of separation logic. The proof rules of our system are of two types: logical rules that operate on preconditions; and symbolic execution rules that capture the effect of executing program commands. Our logical preconditions employ inductively defined predicates to describe heap properties, and proofs in our system are cyclic proofs: cyclic derivations in which some inductive predicate is unfolded infinitely often along every infinite path, thus allowing us to discard all infinite paths in the proof by an infinite descent argument. Moreover, the use of this soundness condition enables us to avoid the explicit construction and use of ranking functions for termination. We also give a completeness result for our system, which is relative in that it relies upon completeness of a proof system for logical implications in separation logic. We give examples illustrating our approach, including one example for which the corresponding ranking function is nonobvious: termination of the classical algorithm for inplace reversal of a (possibly cyclic) linked list.
Ranking abstractions
, 2008
"... Abstract. We propose an abstract interpretation algorithm for proving that a program terminates on all inputs. The algorithm uses a novel abstract domain which uses ranking relations to conservatively represent relations between intermediate program states. One of the attractive aspects of the algor ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
Abstract. We propose an abstract interpretation algorithm for proving that a program terminates on all inputs. The algorithm uses a novel abstract domain which uses ranking relations to conservatively represent relations between intermediate program states. One of the attractive aspects of the algorithm is that it abstracts information that is usually not important for proving termination such as program invariants and yet it distinguishes between different reasons for termination which are not usually maintained in existing abstract domains. We have implemented a prototype of the algorithm and shown that in practice it is fast and precise. 1
Automatically proving program termination
 In CAV
, 2007
"... Our goal in this book is to build sofware tools that automatically search for proofs of program termination in mathematical logic. However, before delving directly into strategies for automation, we must first introduce some notation and establish a basic foundation in the areas of program semantics ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
Our goal in this book is to build sofware tools that automatically search for proofs of program termination in mathematical logic. However, before delving directly into strategies for automation, we must first introduce some notation and establish a basic foundation in the areas of program semantics, logic and set theory. We must also discuss how programs can be proved terminating using manual techniques. The concepts and notation introduced in this chapter will be used throughout the remainder of the book. 1.1 Program termination and wellfounded relations For the purpose of this book it is convenient to think of the text of a computer program as representing a relation that specifies the possible transitions that the program can make between configurations during execution. We call this the program’s transition relation. Program executions can be thought of as traversals starting from a starting configuration and then moving from configuration to configuration as allowed by the transition relation. A program is called terminating if all the executions allowed by the transition relation are finite. We call a program nonterminating if the transition relation allows for at least one infinite execution. Treating programs as relations is conveinant for our purpose, as in this setting proving program termination is equivliant to proving the program’s transition relation wellfounded — thus giving us access to the numerous well established techniques from mathematical logic used to establish wellfoundedness. In the next few sections we define some notation, discuss our representation for program configurations, and give some basic results related 3 4
A Termination Analyser for Java Bytecode Based on PathLength
"... It is important to prove that supposedly terminating programs actually terminate, particularly if those programs must be run on critical systems or downloaded into a client such as a mobile phone. Although termination of computer programs is generally undecidable, it is possible and useful to prove ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
It is important to prove that supposedly terminating programs actually terminate, particularly if those programs must be run on critical systems or downloaded into a client such as a mobile phone. Although termination of computer programs is generally undecidable, it is possible and useful to prove termination of a large, nontrivial subset of the terminating programs. In this paper we present our termination analyser for sequential Java bytecode, based on a program property called pathlength. We describe the analyses which are needed before the pathlength can be computed, such as sharing, cyclicity and aliasing. Then we formally define the pathlength analysis and prove it correct w.r.t. a reference denotational semantics of the bytecode. We show that a constraint logic program PCLP can be built from the result of the pathlength analysis of a Java bytecode program P and formally prove that if PCLP terminates then also P terminates. Hence a termination prover for constraint logic programs can be applied to prove the termination of P. We conclude with some discussion of the possibilities and limitations of our approach. Ours is the first existing termination analyser for Java bytecode dealing with generic data structures dynamically allocated on the heap and which does not require any help or annotation on the part of the user.