Results 1  10
of
13
Compositional MayMust Program Analysis: Unleashing the Power of Alternation
"... Program analysis tools typically compute two types of information: (1) may information that is true of all program executions and is used to prove the absence of bugs in the program, and (2) must information that is true of some program executions and is used to prove the existence of bugs in the pr ..."
Abstract

Cited by 31 (9 self)
 Add to MetaCart
Program analysis tools typically compute two types of information: (1) may information that is true of all program executions and is used to prove the absence of bugs in the program, and (2) must information that is true of some program executions and is used to prove the existence of bugs in the program. In this paper, we propose a new algorithm, dubbed SMASH, which computes both may and must information compositionally. At each procedure boundary, may and must information is represented and stored as may and must summaries, respectively. Those summaries are computed in a demanddriven manner and possibly using summaries of the opposite type. We have implemented SMASH using predicate abstraction (as in SLAM) for the may part and using dynamic test generation (as in DART) for the must part. Results of experiments with 69 Microsoft Windows Vista device drivers show that SMASH can significantly outperform mayonly, mustonly and noncompositional maymust algorithms. Indeed, our empirical results indicate that most complex code fragments in large programs are actually often either easy to prove irrelevant to the specific property of interest using may analysis or easy to traverse using directed testing. The finegrained coupling and alternation of may (universal) and must (existential) summaries allows SMASH to easily navigate through these code fragments while traditional mayonly, mustonly or noncompositional maymust algorithms are stuck in their specific analyses. 1.
Multivalued model checking games
 In Proc. 3rd ATVA, LNCS 3707
, 2005
"... Abstract. This work extends the gamebased framework of µcalculus model checking to the multivalued setting. In multivalued model checking a formula is interpreted over a Kripke structure defined over a lattice. The value of the formula is also an element of the lattice. We define a new game for ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. This work extends the gamebased framework of µcalculus model checking to the multivalued setting. In multivalued model checking a formula is interpreted over a Kripke structure defined over a lattice. The value of the formula is also an element of the lattice. We define a new game for this problem and derive from it a direct model checking algorithm that handles the multivalued structure without any reduction. We investigate the properties of the new game, both independently, and in comparison to the automatabased approach. We show that the usual resemblance between the two approaches does not hold in the multivalued setting and show how it can be regained by changing the nature of the game. 1
Reducing the Cost of Path Property Monitoring Through Sampling
"... Runtime monitoring can provide important insights about a program’s behavior and, for simple properties, it can be done efficiently. Monitoring properties describing sequences of program states and events, however, can result in significant runtime overhead. In this paper we present a novel approa ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Runtime monitoring can provide important insights about a program’s behavior and, for simple properties, it can be done efficiently. Monitoring properties describing sequences of program states and events, however, can result in significant runtime overhead. In this paper we present a novel approach to reducing the cost of runtime monitoring of path properties. Properties are composed to form a single integrated property that is then systematically decomposed into a set of properties that encode necessary conditions for property violations. The resulting set of properties forms a lattice whose structure is exploited to select a sample of properties that can lower monitoring cost, while preserving violation detection power relative to the original properties. Preliminary studies for a widely used Java API reveal that our approach produces a rich, structured set of properties that enables control of monitoring overhead, while detecting more violations than alternative techniques 1. I.
Better underapproximation of programs by hiding of variables
 In: Proc. 7th VMCAI (2006
, 2006
"... Abstract. Abstraction frameworks use underapproximating transitions in order to prove existential properties of concrete systems. Underapproximating transitions refer to the concrete states that correspond to a particular abstract state in a universal manner. For example, there is a must transitio ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. Abstraction frameworks use underapproximating transitions in order to prove existential properties of concrete systems. Underapproximating transitions refer to the concrete states that correspond to a particular abstract state in a universal manner. For example, there is a must transition from abstract state a to abstract state a ′ only if all the concrete states in a have successors in a ′. The universal nature of underapproximating transitions makes them closed under transitivity. Consequently, reachability queries about the concrete system, which have applications in falsification and testing, can be answered by reasoning about its abstraction. On the negative side, the universal nature of underapproximating transitions makes them dependent on all the variables of the program. The abstraction, on the other hand, often hides some of the variables. Since the universal quantification in must transitions ranges over all variables, this often prevents the abstraction from associating a must transition with statements that refer to hidden variables. We introduce and study partitionedmust transitions. The idea is to partition the program variables to relevant and irrelevant ones, and restrict the universal quantification inside must transitions to the relevant variables. Usual must transitions are a special case of partitionedmust transitions in which all variables are relevant. Partitionedmust transitions exist in many realistic settings in which usual must transitions do not exist. As we show, they retain the advantages of must transitions: they are closed under transitivity, their calculation can be automated, and the threevalued semantics induced by usual must transitions is refined to a multivalued semantics that takes into an account the set of relevant variables. 1
Model checking recursive programs with exact predicate abstraction
 In ATVA ’08: Automated Technology for Verification and Analysis
, 2008
"... Abstract. We propose an approach for analyzing nontermination and reachability properties of recursive programs using a combination of over and underapproximating abstractions. First, we define a new concrete program semantics, mixed, that combines both natural and operational semantics, and use i ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We propose an approach for analyzing nontermination and reachability properties of recursive programs using a combination of over and underapproximating abstractions. First, we define a new concrete program semantics, mixed, that combines both natural and operational semantics, and use it to design an onthefly symbolic algorithm. Second, we combine this algorithm with abstraction by following classical fixpoint abstraction techniques. This makes our approach parametrized by different approximating semantics of predicate abstraction and enables a uniform solution for over and underapproximating semantics. The algorithm is implemented in YASM, and we show that it can establish nontermination of nontrivial C programs completely automatically. 1
Abstract Analysis of Symbolic Executions
"... Multicore technology has moved concurrent programming to the forefront of computer science. In this paper, we look at the problem of reasoning about concurrent systems with infinite data domains and nondeterministic input, and develop a method for verification and falsification of safety propertie ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Multicore technology has moved concurrent programming to the forefront of computer science. In this paper, we look at the problem of reasoning about concurrent systems with infinite data domains and nondeterministic input, and develop a method for verification and falsification of safety properties of such systems. Novel characteristics of this method are (a) constructing underapproximating models via symbolic execution with abstract matching and (b) proving safety using underapproximating models.
Automated Test Generation And Verified Software ⋆
"... Abstract. Testing remains the principal means of verification in commercial practice and in many certification regimes. Formal methods of verification will coexist with testing and should be developed in ways that improve, supplement, and exploit the value of testing. I describe automated test gener ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. Testing remains the principal means of verification in commercial practice and in many certification regimes. Formal methods of verification will coexist with testing and should be developed in ways that improve, supplement, and exploit the value of testing. I describe automated test generation, which uses technology from formal methods to mechanize the construction of test cases, and discuss some of the research challenges in this area. 1
A Framework For Compositional Verification of MultiValued Systems Via AbstractionRefinement ⋆
"... Abstract. We present a framework for fully automated compositional verification of µcalculus specifications over multivalued systems, based on multivalued abstraction and refinement. Multivalued models are widely used in many applications of model checking. They enable a more precise modeling of ..."
Abstract
 Add to MetaCart
Abstract. We present a framework for fully automated compositional verification of µcalculus specifications over multivalued systems, based on multivalued abstraction and refinement. Multivalued models are widely used in many applications of model checking. They enable a more precise modeling of systems by distinguishing several levels of uncertainty and inconsistency. Successful verification tools such as STE (for hardware) and YASM (for software) are based on multivalued models. Our compositional approach model checks individual components of a system. Only if all individual checks return indefinite values, the parts of the components which are responsible for these values, are composed and checked. Thus the construction of the full system is avoided. If the latter check is still indefinite, then a refinement is needed. We formalize our framework based on bilattices, consisting of a truth lattice and an information lattice. Formulas interpreted over a multivalued model are evaluated w.r.t. to the truth lattice. On the other hand, refinement is now aimed at increasing the information level of model details, thus also increasing the information level of the model checking result. Based on the two lattices, we suggest how multivalued models should be composed, checked, and refined. 1
State focusing: Lazy abstraction for the mucalculus ⋆
"... Abstract. A key technique for the verification of programs is counterexampleguided abstraction refinement (CEGAR). In a previous approach, we developed a CEGARbased algorithm for the modal µcalculus, where refinement applies only locally, i.e. lazy abstraction techniques are used. Unfortunately, o ..."
Abstract
 Add to MetaCart
Abstract. A key technique for the verification of programs is counterexampleguided abstraction refinement (CEGAR). In a previous approach, we developed a CEGARbased algorithm for the modal µcalculus, where refinement applies only locally, i.e. lazy abstraction techniques are used. Unfortunately, our previous algorithm was not completely lazy and had some further drawbacks, like a possible local state explosion. In this paper, we present an improved algorithm that maintains all advantages of our previous algorithm but eliminates all its drawbacks. The improvements were only possible by changing the philosophy of refinement from state splitting into the new philosophy of state focusing, where the states that are about to be split are not removed. 1
An AbstractionRefinement Framework for Trigger Querying
"... Abstract. Trigger querying is the problem of finding, given a system M and an LTL formula ϕ, the set of scenarios that trigger ϕ in M; that is, the language L of finite computations of M such that all infinite computations that have a prefix in L continue with a suffix that satisfies ϕ. For example, ..."
Abstract
 Add to MetaCart
Abstract. Trigger querying is the problem of finding, given a system M and an LTL formula ϕ, the set of scenarios that trigger ϕ in M; that is, the language L of finite computations of M such that all infinite computations that have a prefix in L continue with a suffix that satisfies ϕ. For example, the trigger query M =? ↦ → F err asks for the set of scenarios after which err aught to eventually happen. Trigger querying thus significantly extends query checking, which seeks propositional solutions, and is an extremely useful methodology for system exploration and understanding. The weakness of trigger querying lies in the fact that the size of the solution is linear in the size of the system. For trigger querying to become feasible in practice, we must offer solutions to cope with systems of big, and possibly infinite, state spaces. In this paper we describe an abstractionrefinement framework for trigger querying. The general idea is to replace the reasoning about M by reasoning about an abstraction MA of M, and return to the user two languages, Ll and Lu, that under and overapproximate L, respectively. We consider predicate abstraction, and the languages Ll and Lu are defined with respect to the set of predicates. The challenge in defining the approximating languages is that trigger querying does not have a clear polarity, and the definition of Ll and Lu has to combine the upper and overapproximations of M. We describe an automatatheoretic approach for refining and reducing Lu \ Ll. While refinement for model checking is lengthwise, in the sense that it is based on counterexamples, here we suggest both lengthwise and widthwise refinement, where the latter is based on cuts in an automaton for Lu \Ll and thus can symbolically handle batches of counterexamples. We show that our framework is robust and can be applied also for classical query checking as well as variants and extensions of trigger querying. 1