Results 1  10
of
13
Simulating reachability using firstorder logic with applications to verification of linked data structures
 In CADE20
, 2005
"... This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper shows how to harness existing theorem provers for firstorder logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointervalued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using firstorder formulas—the formulas describe a superset of the set of program states that can actually arise. These methods are employed for semiautomatic program verification (i.e., using programmersupplied loop invariants) on programs such as markandsweep garbage collection and destructive reversal of a singly linked list. (The markandsweep example has been previously reported as being beyond the capabilities of ESC/Java.) 1
Finite differencing of logical formulas for static analysis
 IN PROC. 12TH ESOP
, 2003
"... This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation p ..."
Abstract

Cited by 35 (18 self)
 Add to MetaCart
This paper concerns mechanisms for maintaining the value of an instrumentationpredicate (a.k.a. derived predicate or view), defined via a logical formula over core predicates, in response to changes in the values of the core predicates. It presents an algorithm fortransforming the instrumentation predicate's defining formula into a predicatemaintenance formula that captures what the instrumentation predicate's new value should be.This technique applies to programanalysis problems in which the semantics of statements is expressed using logical formulas that describe changes to corepredicate values,and provides a way to reflect those changes in the values of the instrumentation predicates.
A Logic of Reachable Patterns in Linked DataStructures
, 2007
"... We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
We define a new decidable logic for expressing and checking invariants of programs that manipulate dynamicallyallocated objects via pointers and destructive pointer updates. The main feature of this logic is the ability to limit the neighborhood of a node that is reachable via a regular expression from a designated node. The logic is closed under boolean operations (entailment, negation) and has a finite model property. The key technical result is the proof of decidability. We show how to express preconditions, postconditions, and loop invariants for some interesting programs. It is also possible to express properties such as disjointness of datastructures, and lowlevel heap mutations. Moreover, our logic can express properties of arbitrary datastructures and of an arbitrary number of pointer fields. The latter provides a way to naturally specify postconditions that relate the fields on the entry of a procedure to the field on the exit of a procedure. Therefore, it is possible to use the logic to automatically prove partial correctness of programs performing lowlevel heap mutations.
Why Waste a Perfectly Good Abstraction
 In Proceedings of the 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’06
, 2006
"... Abstract. Software modelchecking based on the CEGAR framework can be made more precise by separating nondeterminism from the lack of information due to abstraction. The two can be modeled individually using fourvalued Belnap logic. In addition, this logic allows reasoning about negations effectiv ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
Abstract. Software modelchecking based on the CEGAR framework can be made more precise by separating nondeterminism from the lack of information due to abstraction. The two can be modeled individually using fourvalued Belnap logic. In addition, this logic allows reasoning about negations effectively and thus enables checking of full CTL. In this paper, we present YASM – a new symbolic software modelchecker. Preliminary experience with YASM shows that our implementation can effectively construct and analyze Belnap models without a substantial overhead when compared to its classical counterparts. 1
Automatic modular abstractions for template numerical constraints
 Logical Methods in Computer Science
, 2010
"... We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floatingpoint variables and containing linear assignments and tests. Given the specification of a ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floatingpoint variables and containing linear assignments and tests. Given the specification of an abstract domain, and a program block, our method transformer. It is thus a form of program transformation. In addition to loopfree code, the same method also applies for obtaining least fixed points as functions of the precondition, which permits the analysis of loops and recursive functions. The motivation of our work is dataflow synchronous programming languages, used for building controlcommand embedded systems, but it also applies to imperative and functional programming. Our algorithms are based on quantifier elimination and symbolic manipulation techniques over linear arithmetic formulas. We also give less general results for nonlinear constraints and nonlinear program constructs. 1
Symbolic heap abstraction with demanddriven axiomatization of memory invariants
 In OOPSLA
, 2010
"... Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that ev ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that every concrete memory location stores one unique value directly on the heap abstraction. Our technique combines the strengths of analyses for precise reasoning about heap contents with approaches that prioritize axiomatization of memory invariants, such as the theory of arrays. Furthermore, by avoiding an explicit case analysis, our technique is scalable and powerful enough to analyze realworld programs with intricate use of arrays and pointers; in particular, we verify the absence of buffer overruns, incorrect casts, and null pointer dereferences in OpenSSH (over 26,000 lines of code) after fixing 4 previously undiscovered bugs found by our system. Our experiments also show that the combination of reasoning about heap contents and enforcing existence and uniqueness invariants is crucial for this level of precision.
Using ThreeValued Logic to Specify and Verify Algorithms Of Computational Geometry
, 2005
"... Many safetycritical systems deal with geometric objects. Reasoning about the correctness of such systems is mandatory and requires the use of basic definitions of geometry for the specification of these systems. Despite the intuitive meaning of such definitions, their formalisation is not at all ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Many safetycritical systems deal with geometric objects. Reasoning about the correctness of such systems is mandatory and requires the use of basic definitions of geometry for the specification of these systems. Despite the intuitive meaning of such definitions, their formalisation is not at all straightforward: In particular, degeneracies lead to situations where none of the Boolean truth values adequately defines a geometric primitive. Therefore, we use a threevalued logic for the definition of geometric primitives to explicitly handle such degenerate cases. We have implemented a threevalued library of linear geometry in an interactive theorem prover for higher order logic which allows us to specify and verify entire algorithms of computational geometry.
Data Structures for Symbolic MultiValued ModelChecking
, 2006
"... Multivalued logics provide an interesting alternative to classical boolean logic for modeling and reasoning about systems. Such logics can be used for reasoning about partiallyspecified systems, effectively encode vacuity detection and querychecking problems, help in detecting inconsistencies, an ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Multivalued logics provide an interesting alternative to classical boolean logic for modeling and reasoning about systems. Such logics can be used for reasoning about partiallyspecified systems, effectively encode vacuity detection and querychecking problems, help in detecting inconsistencies, and many others. In our earlier work, we identified a useful family of multivalued logics: those specified over finite distributive lattices where negation preserves involution, i.e., �¦������ � for every element � of the logic. Such structures are called quasiboolean algebras, and modelchecking over these not only extends the domain of applicability of automated reasoning to new problems, but can also speed up solutions to some classical verification problems. Symbolic modelchecking over quasiboolean algebras can be cast in terms of operations over multivalued sets: sets whose membership functions are multivalued. In this paper, we propose and empirically evaluate several choices for implementing multivalued sets with decision diagrams. In particular, we describe two major approaches: (1) representing the multivalued membership function canonically, using MDDs or ADDs; (2) representing multivalued sets as a collection of classical sets, using a vector of either MBTDDs or BDDs. The naive implementation of (2) includes having a classical set for each value of the algebra. We exploit a result of lattice theory to reduce the number of such sets that need to be represented. The major contribution of this paper is the evaluation of the different implementations of multivalued sets, done via a series of experiments and using several case studies. 1
Nearconcrete program interpretation
, 2006
"... Abstract. We develop a nearconcrete interpretation, a program analysis that aims to cut very close to program execution while retaining interpretation, but models heaps with possibly recursive strucure, is path sensitive, and applies in a fully higherorder setting. The main technical contribution ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. We develop a nearconcrete interpretation, a program analysis that aims to cut very close to program execution while retaining interpretation, but models heaps with possibly recursive strucure, is path sensitive, and applies in a fully higherorder setting. The main technical contribution is a prunererun technique for analyzing higherorder recursive functions. To illustrate the expressiveness and usefulness of the system, we show how it can be used to enforce temporal program safety properties and information flow security, and show how it betters stateoftheart systems on some examples. 1
Dependable PolygonProcessing Algorithms for SafetyCritical Embedded Systems
 In International Conference on Embedded And Ubiquitous Computing (EUC), LNCS
, 2005
"... Algorithms that process geometric objects become more and more important for many safetycritical embedded systems, e.g. for motion planning or collision detection, where correctness is indispensable. The main challenge to demonstrating correctness is the consistent handling of degenerate cases l ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Algorithms that process geometric objects become more and more important for many safetycritical embedded systems, e.g. for motion planning or collision detection, where correctness is indispensable. The main challenge to demonstrating correctness is the consistent handling of degenerate cases like collinear line segments. In this paper, we therefore propose the use of an interactive theorem prover to develop dependable geometry algorithms for safetycritical embedded systems. Our solution is based on the use of a threevalued logic to make degenerate cases explicit. Using the theorem prover, we are not only able to prove the correctness of the obtained algorithms, but also to directly derive a software library of provably correct geometry algorithms for safetycritical applications.