Results 1-10 of 15
Automatically validating temporal safety properties of interfaces
2001
Cited by 385 (20 self)
Abstract
We present a process for validating temporal safety properties of software that uses a well-defined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The process is realized in the SLAM toolkit, which consists of a model checker, predicate abstraction tool and predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found that the process converges on a set of predicates powerful enough to validate properties in just a few iterations.

1 Introduction
Large-scale software has many components built by many programmers. Integration testing of these components is impossible or ineffective at best. Property checking of interface usage provides a way to partially validate such software. In this approach, an interface is augmented with a set of properties that all clients of the interface should respect. An automatic analysis of the client code then validates that it meets the properties, or provides examples of execution paths that violate the properties. The benefit of such an analysis is that errors can be caught early in the coding process. We are interested in checking that a program respects a set of temporal safety properties of the interfaces it uses. Safety properties are the class of properties that state that "something bad does not happen". An example is requiring that a lock is never released without first being acquired (see [24] for a formal definition). Given a program and a safety property, we wish to either validate that the code respects the property, or find an execution path that shows how the code violates the property.
RacerX: Effective, Static Detection of Race Conditions and Deadlocks
SOSP'03, 2003
Cited by 240 (2 self)
Abstract
This paper describes RacerX, a static tool that uses flow-sensitive, interprocedural analysis to detect both race conditions and deadlocks. It is explicitly designed to find errors in large, complex multithreaded systems. It aggressively infers checking information such as which locks protect which operations, which code contexts are multithreaded, and which shared accesses are dangerous. It tracks a set of code features which it uses to sort errors from most to least severe. It uses novel techniques to counter the impact of analysis mistakes. The tool is fast, requiring between 2-14 minutes to analyze a 1.8 million line system. We have applied it to Linux, FreeBSD, and a large commercial code base, finding serious errors in all of them.
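The abstract's core idea, inferring which lock protects a shared object from how it is accessed and flagging the accesses that do not hold it, as an added example in Python (this is not RacerX's code, which works on C source). It runs a flow-sensitive must-analysis of held locks over a constructed control-flow graph, where a join intersects the locksets of the incoming paths, then votes on the protecting lock per variable. The CFG, the variable names and the statement encoding are all hypothetical.

```python
"""Added example (not RacerX's code): flow-sensitive lockset inference over a constructed CFG.
Each node holds one statement; the analysis computes the locks held on every path reaching
the node, infers the lock that protects each shared variable from the majority of its
accesses, and reports accesses made without that lock as race candidates."""
from collections import Counter

# Constructed CFG (hypothetical): node -> (statement, successors).
# Statements: ("lock", name), ("unlock", name), ("access", shared_var), ("nop",).
CFG = {
    "n0": (("lock", "m"), ["n1"]),
    "n1": (("access", "counter"), ["n2", "n3"]),   # under m
    "n2": (("unlock", "m"), ["n4"]),               # one branch drops the lock ...
    "n3": (("access", "stats"), ["n4"]),           # ... the other keeps it
    "n4": (("access", "counter"), ["n5"]),         # join: m is not held on every path
    "n5": (("nop",), []),
}


def transfer(stmt, held):
    """Lockset after executing one statement with `held` on entry."""
    if stmt[0] == "lock":
        return held | {stmt[1]}
    if stmt[0] == "unlock":
        return held - {stmt[1]}
    return held


def must_held(cfg, entry):
    """Forward must-analysis: locks held on *every* path reaching each node.
    Joins intersect, so a lock released on any incoming path no longer counts as held."""
    inset = {n: None for n in cfg}  # None = not reached yet
    inset[entry] = frozenset()
    changed = True
    while changed:
        changed = False
        for node, (stmt, succs) in cfg.items():
            if inset[node] is None:
                continue
            out = transfer(stmt, inset[node])
            for s in succs:
                new = out if inset[s] is None else inset[s] & out
                if new != inset[s]:
                    inset[s], changed = new, True
    return inset


def find_races(cfg, entry):
    """Map each shared variable to its inferred protecting lock and the accesses lacking it."""
    inset = must_held(cfg, entry)
    accesses = {}
    for node, (stmt, _) in cfg.items():
        if stmt[0] == "access" and inset[node] is not None:
            accesses.setdefault(stmt[1], []).append((node, inset[node]))
    report = {}
    for var, acc in accesses.items():
        # The lock held at the most accesses is assumed to be the one meant to protect var;
        # the outliers are the likely bugs. A variable never accessed under a lock has no protector.
        votes = Counter(lock for _, held in acc for lock in held)
        lock = votes.most_common(1)[0][0] if votes else None
        report[var] = {
            "lock": lock,
            "unprotected": [node for node, held in acc if lock not in held],
        }
    return report


if __name__ == "__main__":
    for var, info in find_races(CFG, "n0").items():
        print(f"{var}: protected by {info['lock']}, unprotected accesses at {info['unprotected']}")
```

The intersection at the join is what makes the analysis must rather than may: `counter` at `n4` is reported because one path released `m`, even though the other still holds it. A real tool also has to decide which contexts are multithreaded and how to rank the reports; here every reachable access is treated as concurrent.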
Boolean and Cartesian Abstraction for Model Checking C Programs
2001
Cited by 160 (14 self)
Abstract
The problem of model checking a specification in the form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a source-to-source transformation into a "Boolean" C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worst-case complexity but feasible in practice.
Visibly pushdown languages
2004
Cited by 133 (15 self)
Abstract
We study congruences on words in order to characterize the class of visibly pushdown languages (Vpl), a subclass of context-free languages. For any language L, we define a natural congruence on words that resembles the syntactic congruence for regular languages, such that this congruence is of finite index if, and only if, L is a Vpl. We then study the problem of finding canonical minimal deterministic automata for Vpls. Though Vpls in general do not have unique minimal automata, we consider a subclass of VPAs called k-module single-entry VPAs that correspond to programs with recursive procedures without input parameters, and show that the class of well-matched Vpls do indeed have unique minimal k-module single-entry automata. We also give a polynomial time algorithm that minimizes such k-module single-entry VPAs.

1 Introduction
The class of visibly pushdown languages (Vpl), introduced in [1], is a subclass of context-free languages accepted by pushdown automata in which the input letter determines the type of operation permitted on the stack. Visibly pushdown languages are closed under all boolean operations, and problems such as inclusion, that are undecidable for context-free languages, are decidable for Vpl. Vpls are relevant to several applications that use context-free languages such as the model-checking of software programs using their pushdown models [13]. Recent work has shown applications in other contexts: in modeling semantics of effects in processing XML streams [4], in game semantics for programming languages [5], and in identifying larger classes of pushdown specifications that admit decidable problems for infinite games on pushdown graphs [6].
A Temporal Logic of Nested Calls and Returns
2004
Cited by 54 (11 self)
Abstract
Model checking of linear temporal logic (LTL) specifications with respect to pushdown systems has been shown to be a useful tool for analysis of programs with potentially recursive procedures. LTL, however, can specify only regular properties, and properties such as correctness of procedures with respect to pre- and post-conditions, that require matching of calls and returns, are not regular. We introduce a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs. The formulas of CaRet are interpreted over sequences of propositional valuations tagged with special symbols call and ret. Besides the standard global temporal modalities, CaRet admits the abstract-next operator that allows a path to jump from a call to the matching return. This operator can be used to specify a variety of non-regular properties such as partial and total correctness of program blocks with respect to pre- and post-conditions. The abstract versions of the other temporal modalities can be used to specify regular properties of local paths within a procedure that skip over calls to other procedures. CaRet also admits the caller modality that jumps to the most recent pending call, and such caller modalities allow specification of a variety of security properties that involve inspection of the call-stack. Even though verifying context-free properties of pushdown systems is undecidable, we show that model checking CaRet formulas against a pushdown model is decidable. We present a tableau construction that reduces our model checking problem to the emptiness problem for a Büchi pushdown system. The complexity of model checking CaRet formulas is the same as that of checking LTL formulas, namely, ...
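The "visibly pushdown" setting of the two entries above (the input letter decides the stack operation) and the call-stack security properties the CaRet abstract mentions, as an added Python example that is not from either paper. A trace is tagged with call, ret and internal symbols; calls push the callee, returns pop the matching call, internal actions leave the stack alone. The property monitored is classic stack inspection: a sensitive action is permitted only if no pending caller on the stack is untrusted. The trace, the procedure names and the sets of untrusted procedures and sensitive actions are constructed for the example.

```python
"""Added example (not from the CaRet or VPL papers): a stack-inspection monitor over a trace
tagged with call / ret / int symbols. The tag determines the stack operation, which is what
makes the language of accepted traces visibly pushdown. A sensitive internal action is a
violation when any frame on the pending-call stack belongs to an untrusted procedure."""

UNTRUSTED = {"plugin"}       # assumed: procedures loaded from an untrusted source
SENSITIVE = {"write_file"}   # assumed: actions that require an all-trusted stack

# Constructed trace (hypothetical): (tag, name) with tag in {"call", "ret", "int"}.
TRACE = [
    ("call", "main"),
    ("call", "plugin"),
    ("call", "lib"),
    ("int", "write_file"),   # plugin is a pending caller -> violation
    ("ret", "lib"),
    ("ret", "plugin"),
    ("call", "lib"),
    ("int", "write_file"),   # stack is main/lib only -> allowed
    ("ret", "lib"),
    ("ret", "main"),
]


def inspect_trace(trace, untrusted=UNTRUSTED, sensitive=SENSITIVE):
    """Return (position, action, stack) for every violation.
    Raises ValueError if a return does not match the most recent pending call
    or calls are still pending at the end, i.e. the trace is not well-matched."""
    stack, violations = [], []
    for i, (tag, name) in enumerate(trace):
        if tag == "call":
            stack.append(name)                     # push: the callee becomes the pending call
        elif tag == "ret":
            if not stack or stack[-1] != name:     # the caller modality: the most recent pending call
                raise ValueError(f"return from {name!r} at {i} does not match pending call {stack[-1:]}")
            stack.pop()                            # pop: jump back to the matching call
        elif tag == "int":
            if name in sensitive and any(frame in untrusted for frame in stack):
                violations.append((i, name, tuple(stack)))
        else:
            raise ValueError(f"unknown tag {tag!r} at position {i}")
    if stack:
        raise ValueError(f"trace ends with pending calls {stack}")
    return violations


def well_matched(trace):
    """True if every return matches its call and nothing is left pending."""
    try:
        inspect_trace(trace, untrusted=set(), sensitive=set())
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for pos, action, stack in inspect_trace(TRACE):
        print(f"position {pos}: {action} with untrusted frame on stack {'/'.join(stack)}")
```

Because the property looks at every frame rather than only the immediate caller, it cannot be expressed as a regular property of the flat event sequence; the stack is exactly the extra state a pushdown model supplies.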
Polynomial Constants are Decidable
In 9th Static Analysis Symposium (SAS), 2002
Cited by 24 (6 self)
Abstract
Constant propagation aims at identifying expressions that always yield a unique constant value at runtime. It is well-known that constant propagation is undecidable for programs working on integers even if guards are ignored as in nondeterministic flow graphs. We show that polynomial constants are decidable in nondeterministic flow graphs. In polynomial constant propagation, assignment statements that use the operators +, −, ∗ are interpreted exactly but all assignments that use other operators are conservatively interpreted as nondeterministic assignments. We present a generic algorithm for constant propagation via a symbolic weakest precondition computation and show how this generic algorithm can be instantiated for polynomial constant propagation by exploiting techniques from computable ring theory.
Checking Temporal Properties of Software with Boolean Programs
In Proceedings of the Workshop on Advances in Verification, 2000
Cited by 17 (0 self)
Abstract
A fundamental issue in model checking of software is the choice of a model for software. We present a model called boolean programs that is expressive enough to capture interesting properties of programs and is amenable to model checking. We present a model checking algorithm for boolean programs using context-free-language reachability. The model checking algorithm allows procedure calls with unbounded recursion, exploits locality of variable scopes, and gives short error traces. Furthermore, we give a process for incrementally refining an initial skeletal boolean program B (representing a source program P) with respect to a particular reachability query in P. The presence of infeasible paths in P may lead to the model checker reporting false positive errors in B. We show how to refine B by introducing boolean variables to rule out the infeasible paths. The process uses ideas from model checking and symbolic execution to automatically perform predicate abstraction.
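The refinement loop described here and in the SLAM entry at the top of the list (a skeletal boolean program, a spurious error trace caused by an infeasible path, a predicate added to rule it out), as an added Python example that is not code from either paper or from the SLAM toolkit. The interface property is the lock/unlock automaton from the SLAM abstract; the program is a constructed C-like function whose branch conditions are abstracted to a chosen set of Boolean predicates. A guard on a predicate that is not tracked becomes a nondeterministic choice, which is what the initial skeletal program looks like; tracking the predicate correlates the two branches and the false positive disappears. The program, node numbering and predicate name are hypothetical.

```python
"""Added example (not SLAM's or the boolean-programs paper's code): interface-property
checking over a boolean program, with predicate refinement driven by hand.

The property is a finite automaton over interface calls whose ERROR state is "something
bad happened". check() explores the product of program location, property state and a
valuation of the tracked predicates, and returns the shortest violating path or None."""
from collections import deque
from itertools import product

# Interface property: (state, call) -> next state. Calls not listed leave the state unchanged.
LOCK_PROPERTY = {
    ("unlocked", "lock"): "locked",
    ("locked", "unlock"): "unlocked",
    ("locked", "lock"): "ERROR",      # double acquire
    ("unlocked", "unlock"): "ERROR",  # release without acquire
}

# Constructed C-like program (hypothetical):
#   void f(int x) { if (x) lock(); work(); if (x) unlock(); }
# node -> list of (guard, interface call or None, successor);
# guard is None or (predicate, truth value the edge requires).
PROGRAM = {
    0: [(("x != 0", True), "lock", 1), (("x != 0", False), None, 1)],
    1: [(None, None, 2)],  # work(): no interface call
    2: [(("x != 0", True), "unlock", 3), (("x != 0", False), None, 3)],
    3: [],
}


def check(program, prop, predicates, entry=0, initial="unlocked"):
    """Breadth-first reachability of ERROR; returns the edge labels of the shortest trace, or None."""
    # x is an unconstrained parameter, so every valuation of the tracked predicates is an initial state.
    starts = [(entry, initial, frozenset(zip(predicates, bits)))
              for bits in product((True, False), repeat=len(predicates))]
    parent = {s: None for s in starts}  # state -> (predecessor state, edge label)
    queue = deque(starts)
    while queue:
        node, pstate, vals = queue.popleft()
        for guard, call, succ_node in program[node]:
            if guard is not None:
                pred, expected = guard
                tracked = dict(vals).get(pred)
                if tracked is not None and tracked != expected:
                    continue  # tracked predicate contradicts the guard: edge infeasible
                # untracked predicate: both branches are taken (nondeterministic choice)
            next_pstate = prop.get((pstate, call), pstate) if call else pstate
            succ = (succ_node, next_pstate, vals)
            if succ in parent:
                continue
            parent[succ] = ((node, pstate, vals), call or "skip")
            if next_pstate == "ERROR":
                return _unwind(parent, succ)
            queue.append(succ)
    return None


def _unwind(parent, state):
    """Follow parent pointers back to an initial state and return the labels in path order."""
    trace = []
    while parent[state] is not None:
        state, label = parent[state]
        trace.append(label)
    return trace[::-1]


if __name__ == "__main__":
    # Round 1: nothing tracked -> spurious trace "skip, skip, unlock" (release without acquire).
    print("no predicates:", check(PROGRAM, LOCK_PROPERTY, []))
    # Round 2: track the predicate the counterexample depends on -> the path is infeasible.
    print("with x != 0: ", check(PROGRAM, LOCK_PROPERTY, ["x != 0"]))
```

The second round is the refinement step: the spurious trace takes the `x == 0` branch at node 0 and the `x != 0` branch at node 2, which no concrete execution can do, and one predicate is enough to make the abstract model see that. Choosing that predicate automatically from the trace is the predicate-discovery part of the toolkit; here it is supplied by hand.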
Graph Rewrite Systems for Program Optimization
2000
Cited by 11 (1 self)
Abstract
Graph rewrite systems can be used to specify and generate program optimizations. For termination of the systems...
Resource-constrained model checking for recursive programs
In International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2002
Cited by 9 (4 self)
Abstract
1 Introduction
Model checking is a widely used technique for verifying whether a system specification possesses a property expressed as a temporal logic formula [7, 8, 14]. Most early works on model checking have restricted system specifications to be finite state. A number of recent works have addressed the problem of model checking pushdown processes with finite alphabets, which are natural models for recursive programs operating on finite data structures (e.g. [12, 4, 10, 5, 3]).
Watchpoint Semantics: A Tool for Compositional and Focussed Static Analyses
Proc. of the Static Analysis Symposium, SAS'01, 2001
Cited by 8 (7 self)
Abstract
We abstract a denotational trace semantics for an imperative language into a compositional and focussed watchpoint semantics.