Results 1  10
of
21
Efficiently Solving Quantified BitVector Formulas
"... Abstract—In recent years, bitprecise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifierfree fra ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
Abstract—In recent years, bitprecise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifierfree fragment of bitvector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bitvector formulas to avoid an exponential blowup during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the wordlevel information in the formula. We present a new approach based on a set of effective wordlevel simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude of runtime. I.
Abstraction Refinement for Quantified Array Assertions
 IN: SAS, SPRINGERVERLAG (2009) 3
, 2009
"... We present an abstraction refinement technique for the verification of universally quantified array assertions such as “all elements in the array are sorted”. Our technique can be seamlessly combined with existing software model checking algorithms. We implemented our technique in the ACSAR softwar ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
We present an abstraction refinement technique for the verification of universally quantified array assertions such as “all elements in the array are sorted”. Our technique can be seamlessly combined with existing software model checking algorithms. We implemented our technique in the ACSAR software model checker and successfully verified quantified array assertions for both text book examples and reallife examples taken from the Linux operating system kernel.
SMTBased Array Invariant Generation
, 2013
"... This paper presents a constraintbased method for generating universally quantified loop invariants over array and scalar variables. Constraints are solved by means of an SMT solver, thus leveraging recent advances in SMT solving for the theory of nonlinear arithmetic. The method has been implemen ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
This paper presents a constraintbased method for generating universally quantified loop invariants over array and scalar variables. Constraints are solved by means of an SMT solver, thus leveraging recent advances in SMT solving for the theory of nonlinear arithmetic. The method has been implemented in a prototype of program analyzer, and a wide sample of examples illustrating its power is shown.
Generalizing the Template Polyhedral Domain
"... Template polyhedra generalize weakly relational domains by specifying arbitrary fixed linear expressions on the lefthand sides of inequalities and undetermined constants on the right. The domain operations required for analysis over template polyhedra can be computed in polynomial time using line ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Template polyhedra generalize weakly relational domains by specifying arbitrary fixed linear expressions on the lefthand sides of inequalities and undetermined constants on the right. The domain operations required for analysis over template polyhedra can be computed in polynomial time using linear programming. In this paper, we introduce the generalized template polyhedral domain that extends template polyhedra using fixed lefthand side expressions with bilinear forms involving program variables and unknown parameters to the right. We prove that the domain operations over generalized templates can be defined as the “best possible abstractions ” of the corresponding polyhedral domain operations. The resulting analysis can straddle the entire space of linear relation analysis starting from the template domain to the full polyhedral domain. We show that analysis in the generalized template domain can be performed by dualizing the join, postcondition and widening operations. We also investigate the special case of template polyhedra wherein each bilinear form has at most two parameters. For this domain, we use the special properties of two dimensional polyhedra and techniques from fractional linear programming to derive domain operations that can be implemented in polynomial time over the number of variables in the program and the size of the polyhedra. We present applications of generalized template polyhedra to strengthen previously obtained invariants by converting them into templates. We describe an experimental evaluation of an implementation over several benchmark systems.
Automatically Refining Partial Specification for Program Verification
, 2010
"... Abstract. Automatically verifying heapmanipulating programs is a challenging task, especially when dealing with complex data structures with strong invariants, such as sorted lists and AVL/redblack trees. The verification process can greatly benefit from human assistance through specification anno ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. Automatically verifying heapmanipulating programs is a challenging task, especially when dealing with complex data structures with strong invariants, such as sorted lists and AVL/redblack trees. The verification process can greatly benefit from human assistance through specification annotations, but this process requires intellectual effort from users and is errorprone. In this paper, we propose a new approach to program verification that allows users to provide only partial specification to methods. Our approach will then refine the given annotation into a more complete specification by discovering missing constraints. The discovered constraints may involve both numerical and multiset properties that could be later confirmed or revised by users. We further augment our approach by requiring only partial specification to be given for primary methods. Specifications for loops and auxiliary methods can then be systematically discovered by our augmented mechanism, with the help of information propagated from the primary methods. Our work is aimed at verifying beyond shape properties, with the eventual goal of analysing fullfunctional properties forpointerbased data structures.Initial experiments have confirmed that we can automatically refine partial specifications with nontrivial constraints, thus making it easier for users to handle specifications with richer properties. 1
D.: Learning universally quantified invariants of linear data structures
 CoRR
, 2013
"... Abstract. We propose a new automaton model, called quantified data automata over words, that can model quantified invariants over linear data structures, and build polytime active learning algorithms for them, where the learner is allowed to query the teacher with membership and equivalence queries ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We propose a new automaton model, called quantified data automata over words, that can model quantified invariants over linear data structures, and build polytime active learning algorithms for them, where the learner is allowed to query the teacher with membership and equivalence queries. In order to express invariants in decidable logics, we invent a decidable subclass of QDAs, called elastic QDAs, and prove that every QDA has a unique minimallyoverapproximating elastic QDA. We then give an application of these theoretically sound and efficient active learning algorithms in a passive learning framework and show that we can efficiently learn quantified linear data structure invariants from samples obtained from dynamic runs for a large class of programs. 1
2011): Synthesis of firstorder dynamic programming algorithms
 In: OOPSLA
"... To solve a problem with a dynamic programming algorithm, one must reformulate the problem such that its solution can be formed from solutions to overlapping subproblems. Because overlapping subproblems may not be apparent in the specification, it is desirable to obtain the algorithm directly from th ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
To solve a problem with a dynamic programming algorithm, one must reformulate the problem such that its solution can be formed from solutions to overlapping subproblems. Because overlapping subproblems may not be apparent in the specification, it is desirable to obtain the algorithm directly from the specification. We describe a semiautomatic synthesizer of lineartime dynamic programming algorithms. The programmer supplies a declarative specification of the problem and the operators that might appear in the solution. The synthesizer obtains the algorithm by searching a space of candidate algorithms; internally, the search is implemented with constraint solving. The space of candidate algorithms is defined with a program template reusable across all lineartime dynamic programming algorithms, which we characterize as firstorder recurrences. This paper focuses on how to write the template so that the constraint solving process scales to realworld lineartime dynamic programming algorithms. We show how to reduce the space with (i) symmetry reduction and (ii) domain knowledge of dynamic programming algorithms. We have synthesized algorithms for variants of maximal substring matching, an assemblyline optimization, and the extended Euclid algorithm. We have also synthesized a problem outside the class of firstorder recurrences, by composing three instances of the algorithm template.
Bugs, Moles and Skeletons: Symbolic Reasoning for Software Development
"... Symbolic reasoning is in the core of many software development tools such as: bugfinders, testcase generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesing code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have been the ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Symbolic reasoning is in the core of many software development tools such as: bugfinders, testcase generators, and verifiers. Of renewed interest is the use of symbolic reasoning for synthesing code, loop invariants and ranking functions. Satisfiability Modulo Theories (SMT) solvers have been the focus of increased recent attention thanks to technological advances and an increasing number of applications. In this paper we review some of these applications that use software verifiers as bugfinders “on steroids” and suggest that new model finding techniques are needed to increase the set of applications supported by these solvers.
Solving existentially quantified Horn clauses
 IN CAV
, 2013
"... Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multithreaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with wellfoundedness condit ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multithreaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with wellfoundedness conditions. Dealing with existential properties (e.g., whether there exists a particular computation path), however, requires solving forallexists quantified Horn clauses, where the conclusion part of some clauses contains existentially quantified variables. For example, a deductive approach to CTL verification reduces to solving such clauses. In this paper we present a method for solving forallexists quantified Horn clauses extended with wellfoundedness conditions. Our method is based on a counterexampleguided abstraction refinement scheme to discover witnesses for existentially quantified variables. We also present an application of our solving method to automation of CTL verification of software, as well as its experimental evaluation.
Automatic Verification of Loop Invariants
"... Abstract—Loop invariants play a major role in program verification. Though various techniques have been applied to automatic loop invariants generation, most interesting ones often generate only candidate invariants. Thus, a key issue to take advantage of these invariants in a verification process i ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract—Loop invariants play a major role in program verification. Though various techniques have been applied to automatic loop invariants generation, most interesting ones often generate only candidate invariants. Thus, a key issue to take advantage of these invariants in a verification process is to check that these candidate loop invariants are actual invariants. This paper introduces a new technique based on constraint programming for automatic verification of inductive loop invariants. This approach is efficient to detect spurious invariants and is also able to verify valid invariants under boundedness restrictions. First experiments on classical benchmarks are very promising. I.