Results 1  10
of
47
Program Verification using Templates over Predicate Abstraction
"... We address the problem of automatically generating invariants with quantified and boolean structure for proving the validity of given assertions or generating preconditions under which the assertions are valid. We present three novel algorithms, having different strengths, that combine template and ..."
Abstract

Cited by 20 (4 self)
 Add to MetaCart
We address the problem of automatically generating invariants with quantified and boolean structure for proving the validity of given assertions or generating preconditions under which the assertions are valid. We present three novel algorithms, having different strengths, that combine template and predicate abstraction based formalisms to discover required sophisticated program invariants using SMT solvers. Two of these algorithms use an iterative approach to compute fixedpoints (one computes a least fixedpoint and the other computes a greatest fixedpoint), while the third algorithm uses a constraint based approach to encode the fixedpoint. The key idea in all these algorithms is to reduce the problem of invariant discovery to that of finding optimal solutions for unknowns (over conjunctions of some predicates from a given set) in a template formula such that
Local Verification of Global Invariants in Concurrent Programs
, 2010
"... We describe a practical method for reasoning about realistic concurrent programs. Our method allows global twostate invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC 3, an ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
We describe a practical method for reasoning about realistic concurrent programs. Our method allows global twostate invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC 3, an automatic, sound, modular verifier for concurrent C programs. VCC has been used to verify functional correctness of tens of thousands of lines of Microsoft’s HyperV virtualization platform 4 and of SYSGO’s embedded realtime operating system PikeOS.
A simple inductive synthesis methodology and its applications
, 2010
"... Given a highlevel specification and a lowlevel programming language, our goal is to automatically synthesize an efficient program that meets the specification. In this paper, we present a new algorithmic methodology for inductive synthesis that allows us to do this. We use Second Order logic as ou ..."
Abstract

Cited by 12 (9 self)
 Add to MetaCart
Given a highlevel specification and a lowlevel programming language, our goal is to automatically synthesize an efficient program that meets the specification. In this paper, we present a new algorithmic methodology for inductive synthesis that allows us to do this. We use Second Order logic as our generic high level specification logic. For our lowlevel languages we choose small applicationspecific logics that can be immediately translated into code that runs in expected linear time in the worst case. We explain our methodology and provide examples of the synthesis of several graph classifiers, e.g, lineartime tests of whether the input graph is connected, acyclic, etc. In another set of applications we automatically derive many finite differencing expressions equivalent to ones that Paige built by hand in his thesis [Pai81]. Finally we describe directions for automatically combining such automatically generated building blocks to synthesize efficient code implementing more complicated specifications. The methods in this paper have been implemented in Python using the SMT solver Z3 [dMB].
Directed symbolic execution
, 2011
"... Abstract. In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true po ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
Abstract. In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortestdistance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and callchainbackward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, MixCCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, MixCCBSE performed best on average, combining to good effect the features of its constituent components. 1
Using the Spec# Language, Methodology, and Tools to Write BugFree Programs
, 2009
"... Spec# is a programming system for the development of correct programs. It consists of a programming language, a verification methodology, and tools. The Spec # language extends C# with contracts, which allow programmers to document their design decisions in the code. The verification methodology pro ..."
Abstract

Cited by 8 (5 self)
 Add to MetaCart
Spec# is a programming system for the development of correct programs. It consists of a programming language, a verification methodology, and tools. The Spec # language extends C# with contracts, which allow programmers to document their design decisions in the code. The verification methodology provides rules and guidelines for how to use the Spec# features to express and check properties of interesting implementations. Finally, the tool support consists of a compiler that emits runtime checks for many contracts and a static program verifier that attempts to prove automatically that an implementation satisfies its specification. These lecture notes teach the use of the Spec# system, focusing on specification and static verification.
Automatic modular abstractions for template numerical constraints
 Logical Methods in Computer Science
, 2010
"... We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floatingpoint variables and containing linear assignments and tests. Given the specification of a ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floatingpoint variables and containing linear assignments and tests. Given the specification of an abstract domain, and a program block, our method transformer. It is thus a form of program transformation. In addition to loopfree code, the same method also applies for obtaining least fixed points as functions of the precondition, which permits the analysis of loops and recursive functions. The motivation of our work is dataflow synchronous programming languages, used for building controlcommand embedded systems, but it also applies to imperative and functional programming. Our algorithms are based on quantifier elimination and symbolic manipulation techniques over linear arithmetic formulas. We also give less general results for nonlinear constraints and nonlinear program constructs. 1
Automating Induction with an SMT Solver
, 2011
"... Mechanical proof assistants have always had support for inductive proofs. Sometimes an alternative to proof assistants, satisfiability modulo theories (SMT) solvers bring the hope of a higher degree of automation. However, SMT solvers do not natively support induction, so inductive proofs require s ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
Mechanical proof assistants have always had support for inductive proofs. Sometimes an alternative to proof assistants, satisfiability modulo theories (SMT) solvers bring the hope of a higher degree of automation. However, SMT solvers do not natively support induction, so inductive proofs require some encoding into the SMT solver’s input. This paper shows a surprisingly simple tactic—a rewriting strategy and a heuristic for when to apply it—that has shown to be useful in verifying simple inductive theorems, like those that can occur during program verification. The paper describes the tactic and its implementation in a program verifier, and reports on the positive experience with using the tactic.
VeriFast: Imperative Programs as Proofs
"... Abstract. We propose an approach for the verification of imperative programs based on the toolsupported, interactive insertion of annotations into the source code. Annotations include routine preconditions and postconditions and loop invariants in a form of separation logic, as well as inductive da ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. We propose an approach for the verification of imperative programs based on the toolsupported, interactive insertion of annotations into the source code. Annotations include routine preconditions and postconditions and loop invariants in a form of separation logic, as well as inductive datatype definitions and recursive function and predicate definitions to enable rich specifications. To enable verification of these rich specifications, annotations also include lemma routines, which are like ordinary routines of the programming language, except that it is checked that they do not have sideeffects and that they terminate. Recursive lemma routines serve as inductive proofs that their precondition implies their postcondition. Verification proceeds by symbolic execution, using a separation logicbased representation of memory, and using firstorder terms constrained by a firstorder theory as symbolic data values. Data value queries are delegated to an SMT solver; since memory framing issues are eliminated from these queries and only wellbehaved quantification is used, SMT solver queries perform much better than in verification condition based approaches. Annotation insertion is supported by an integrated development environment where the user may invoke the verification tool. If verification fails, the user can step through the symbolic execution trace and inspect the symbolic state at each step. Since verification typically takes less than a second, this enables an efficient iterative annotateandverify process. Furthermore, it is hoped that by offering proof technology in a form recognizable to programmers, the approach brings interactive program verification to a wider audience. 1
Proofs and Refutations, and Z3
"... Z3 [3] is a stateoftheart Satisfiability Modulo Theories (SMT) solver freely available from Microsoft Research. It solves the decision problem for quantifierfree formulas with respect to combinations of theories, such as arithmetic, bitvectors, arrays, and uninterpreted functions. Z3 is used in ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Z3 [3] is a stateoftheart Satisfiability Modulo Theories (SMT) solver freely available from Microsoft Research. It solves the decision problem for quantifierfree formulas with respect to combinations of theories, such as arithmetic, bitvectors, arrays, and uninterpreted functions. Z3 is used in various software analysis and testcase generation projects at Microsoft Research and elsewhere. The requirements from the userbase range from establishing validity, dually unsatisfiability, of firstorder formulas; to identify invalid, dually satisfiable, formulas. In both cases, there is often a need for more than just a yes/no answer from the prover. A model can exhibit why an invalid formula is not provable, and a proofobject can certify the validity of a formula. This paper describes the proofproducing internals of Z3. We also briefly introduce the modelproducing facilities. We emphasize two features that can be of general interest: (1) we introduce a notion of implicit quotation to avoid introducing auxiliary variables, it simplifies the creation of proof objects considerably; (2) we produce natural deduction style proofs to facilitate modular proof reconstruction.
Dafny meets the Verification Benchmarks Challenge
"... A suite of verification benchmarks for software verification tools and techniques, presented at VSTTE 2008 [11], provides an initial catalogue of benchmark challenges for the Verified Software Initiative. This paper presents solutions to these eight benchmarks using the language and verifier Dafny. ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
A suite of verification benchmarks for software verification tools and techniques, presented at VSTTE 2008 [11], provides an initial catalogue of benchmark challenges for the Verified Software Initiative. This paper presents solutions to these eight benchmarks using the language and verifier Dafny. A Dafny program includes specifications, code, inductive invariants, and termination metrics. Each of the eight programs is fed to the Dafny verifier, which without further user interaction automatically performs the verification in a few seconds.