Results 1  10
of
28
Dynamically discovering likely program invariants to support program evolution
 IEEE Transactions on Software Engineering
, 2001
"... Explicitly stated program invariants can help programmers by identifying program properties that must be preserved when modifying code. In practice, however, these invariants are usually implicit. An alternative to expecting programmers to fully annotate code with invariants is to automatically i ..."
Abstract

Cited by 544 (66 self)
 Add to MetaCart
Explicitly stated program invariants can help programmers by identifying program properties that must be preserved when modifying code. In practice, however, these invariants are usually implicit. An alternative to expecting programmers to fully annotate code with invariants is to automatically infer invariants from the program itself. This research focuses on dynamic techniques for discovering invariants from execution traces. This paper reports two results. First, it describes techniques for dynamically discovering invariants, along with an instrumenter and an inference engine that embody these techniques. Second, it reports on the application of the engine to two sets of target programs. In programs from Gries’s work on program derivation, we rediscovered predefined invariants. In a C program lacking explicit invariants, we discovered invariants that assisted a software evolution task.
Termination of polynomial programs
 In VMCAI’2005: Verification, Model Checking, and Abstract Interpretation, volume 3385 of LNCS
, 2005
"... Abstract. We present a technique to prove termination of multipath polynomial programs, an expressive class of loops that enables practical code abstraction and analysis. The technique is based on finite differences of expressions over transition systems. Although no complete method exists for deter ..."
Abstract

Cited by 52 (4 self)
 Add to MetaCart
Abstract. We present a technique to prove termination of multipath polynomial programs, an expressive class of loops that enables practical code abstraction and analysis. The technique is based on finite differences of expressions over transition systems. Although no complete method exists for determining termination for this class of loops, we show that our technique is useful in practice. We demonstrate that our prototype implementation for C source code readily scales to large software projects, proving termination for a high percentage of targeted loops. 1 Introduction Guaranteed termination of program loops is necessary for many applications,especially those for which unexpected behavior can be catastrophic. Even for applications that are not considered "safety critical, " applying automatic methodsfor proving loop termination would certainly do no harm. Additionally, proving general temporal properties of infinite state programs requires terminationproofs, for which automatic methods are welcome [4, 7, 10]. We present a method of nonlinear termination analysis for imperative loopswith multiple paths, polynomial guards, and polynomial assignments. The method is nonlinear, first, because the guards and assignments need not be linear and, second, because it can prove the termination of terminating loops that do not have linear ranking functions. The method is sound, but not complete.Indeed, we show that no complete method for this class of programs exists. In practical programs, however, our method proves termination of a high percentageof the targeted loops at low computation cost, and hence is useful.
Automatic Generation of Invariants and Intermediate Assertions
, 1995
"... Verifying temporal specifications of reactive and concurrent systems commonly relies on generating auxiliary assertions and strengthening given properties of the system. Two dual approaches find solutions to these problems: the bottomup method performs an abstract forward propagation of the system, ..."
Abstract

Cited by 48 (3 self)
 Add to MetaCart
Verifying temporal specifications of reactive and concurrent systems commonly relies on generating auxiliary assertions and strengthening given properties of the system. Two dual approaches find solutions to these problems: the bottomup method performs an abstract forward propagation of the system, generating auxiliary assertions; the topdown method performs an abstract backward propagation to strengthen given properties. Exact application of these methods is complete but is usually infeasible for largescale verification. An approximate analysis can often supply enough information to complete the verification. The paper overviews some of the exact and approximate analysis methods to generate and strengthen assertions for the verification of invariance properties. By formulating and analyzing a generic safety verification rule, we extend these methods to the verification of general temporal safety properties.
Automatic Generation of Polynomial Loop Invariants: Algebraic Foundations
 In International Symposium on Symbolic and Algebraic Computation 2004 (ISSAC04
, 2004
"... This paper presents the algebraic foundation for an approach for generating polynomial loop invariants in imperative programs. It is first shown that the set of polynomials serving as loop invariants has the algebraic structure of an ideal. Using this connection, a procedure for finding loop invaria ..."
Abstract

Cited by 29 (4 self)
 Add to MetaCart
This paper presents the algebraic foundation for an approach for generating polynomial loop invariants in imperative programs. It is first shown that the set of polynomials serving as loop invariants has the algebraic structure of an ideal. Using this connection, a procedure for finding loop invariants is given in terms of operations on ideals, for which Gröbner basis constructions can be employed. Most importantly, it is proved that if the assignment statements in a loop are solvable (in particular, affine) mappings with positive eigenvalues, then the procedure terminates in at most 2m + 1 iterations, where m is the number of variables in the loop. The proof is done by showing that the irreducible subvarieties of the variety associated with the polynomial ideal approximating the invariant polynomial ideal of the loop either stay the same or increase their dimension in every iteration. This yields a correct and complete algorithm for inferring conjunctions of polynomial equations as invariants. The method has been implemented in Maple using the Groebner package. The implementation has been used to automatically discover nontrivial invariants for several examples to illustrate the power of the techniques.
A technique for invariant generation
 In TACAS 2001 (2001), vol. 2031 of LNCS
, 2001
"... Abstract. Most of the properties established during verification are either invariants or depend crucially on invariants. The effectiveness of automated formal verification is therefore sensitive to the ease with which invariants, even trivial ones, can be automatically deduced. While the strongest ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
Abstract. Most of the properties established during verification are either invariants or depend crucially on invariants. The effectiveness of automated formal verification is therefore sensitive to the ease with which invariants, even trivial ones, can be automatically deduced. While the strongest invariant can be defined as the least fixed point of the strongest postcondition of a transition system starting with the set of initial states, this symbolic computation rarely converges. We present a method for invariant generation and strengthening that relies on the simultaneous construction of least and greatest fixed points, restricted widening and narrowing, and quantifier elimination. The effectiveness of the method is demonstrated on a number of examples. 1 Introduction The majority of properties established during the verification of programs are either invariants or depend crucially on invariants. Indeed, safety properties can be reduced to invariant properties, and to prove progress one usually needs to establish auxiliary invariance properties too. Consequently, the discovery and strengthening of invariants is a central technique in the analysis and verification of both sequential programs and reactive systems, especially for infinite state systems.
Automatically generating loop invariants using quantifier elimination
 In Deduction and Applications
, 2005
"... Abstract. An approach for automatically generating loop invariants using quantifierelimination is proposed. An invariant of a loop is hypothesized as a parameterized formula. Parameters in the invariant are discovered by generating constraints on the parameters by ensuring that the formula is indee ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
Abstract. An approach for automatically generating loop invariants using quantifierelimination is proposed. An invariant of a loop is hypothesized as a parameterized formula. Parameters in the invariant are discovered by generating constraints on the parameters by ensuring that the formula is indeed preserved by the execution path corresponding to every basic cycle of the loop. The parameterized formula can be successively refined by considering execution paths one by one; heuristics can be developed for determining the order in which the paths are considered. Initialization of program variables as well as the precondition and postcondition of the loop, if available, can also be used to further refine the hypothesized invariant. Constraints on parameters generated in this way are solved for possible values of parameters. If no solution is possible, this means that an invariant of the hypothesized form does not exist for the loop. Otherwise, if the parametric constraints are solvable, then under certain conditions on methods for generating these constraints, the strongest possible invariant of the hypothesized form can be generated from most general solutions of the parametric constraints. The approach is illustrated using the firstorder theory of polynomial equations as well as Presburger arithmetic. 1.
Combining Theorem Proving and Model Checking through Symbolic Analysis
 In CONCUR 2000: Concurrency Theory, number 1877 in Lecture
, 2000
"... Automated verification of concurrent systems is hindered by the fact that the state spaces are either infinite or too large for model checking, and the case analysis usually defeats theorem proving. Combinations of the two techniques have been tried with varying degrees of success. We argue for a sp ..."
Abstract

Cited by 24 (0 self)
 Add to MetaCart
Automated verification of concurrent systems is hindered by the fact that the state spaces are either infinite or too large for model checking, and the case analysis usually defeats theorem proving. Combinations of the two techniques have been tried with varying degrees of success. We argue for a specific combination where theorem proving is used to reduce verification problems to finitestate form, and model checking is used to explore properties of these reductions. This decomposition of the verification task forms the basis of the Symbolic Analysis Laboratory (SAL), a framework for combining different analysis tools for transition systems via a common intermediate language. We demonstrate how symbolic analysis can be an effective methodology for combining deduction and exploration.
Strongest Postcondition Semantics as the Formal Basis for Reverse Engineering
 Journal of Automated Software Engineering
, 1996
"... Reverse engineering of program code is the process of constructing a higher level abstraction of an implementation in order to facilitate the understanding of a system that may be in a "legacy" or "geriatric" state. Changing architectures and improvements in programming methods, including formal met ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
Reverse engineering of program code is the process of constructing a higher level abstraction of an implementation in order to facilitate the understanding of a system that may be in a "legacy" or "geriatric" state. Changing architectures and improvements in programming methods, including formal methods in software development and objectoriented programming, have prompted a need to reverse engineer and reengineer program code. This paper describes the application of the strongest postcondition predicate transformer (strongest postcondition) as the formal basis for the reverse engineering of imperative program code. 1 Introduction The demand for software correctness becomes more evident when accidents, sometimes fatal, are due to software errors. For example, recently it was reported that the software of a medical diagnostic system was the major source of a number of potentially fatal doses of radiation [1]. Other problems caused by or due to software failure have been well document...
A generic annotation inference algorithm for the safety certification of automatically generated code
 IN: GPCE 2006
, 2006
"... Code generators for realistic application domains are not directly verifiable in practice. In the certifiable code generation approach the generator is extended to generate logical annotations (i.e., preand postconditions and loop invariants) along with the programs, allowing fully automated program ..."
Abstract

Cited by 12 (9 self)
 Add to MetaCart
Code generators for realistic application domains are not directly verifiable in practice. In the certifiable code generation approach the generator is extended to generate logical annotations (i.e., preand postconditions and loop invariants) along with the programs, allowing fully automated program proofs of different safety properties. However, this requires access to the generator sources, and remains difficult to implement and maintain because the annotations are crosscutting concerns, both on the objectlevel (i.e., in the generated code) and on the metalevel (i.e., in the generator). Here we describe a new generic postgeneration annotation inference algorithm that circumvents these problems. We exploit the fact that the output of a code generator is highly idiomatic, so that patterns can be used to describe all code constructs that require annotations. The patterns are specific to the idioms of the targeted code generator and to the safety property to be shown, but the algorithm itself remains generic. It is based on a pattern matcher used to identify instances of the idioms and build a propertyspecific abstracted control flow graph, and a graph traversal that follows the paths from the use nodes backwards to all corresponding definitions, annotating the statements along these paths. This core is instantiated for two generators and successfully applied to automatically certify initialization safety for a range of generated programs.