Results 1  10
of
35
Finding Loop Invariants for Programs over Arrays Using a Theorem Prover
 In Proc. of FASE
, 2009
"... Abstract. We present a new method for automatic generation of loop invariants for programs containing arrays. Unlike all previously known methods, our method allows one to generate firstorder invariants containing alternations of quantifiers. The method is based on the automatic analysis of the so ..."
Abstract

Cited by 29 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new method for automatic generation of loop invariants for programs containing arrays. Unlike all previously known methods, our method allows one to generate firstorder invariants containing alternations of quantifiers. The method is based on the automatic analysis of the socalled update predicates of loops. An update predicate for an array A expresses updates made to A. We observe that many properties of update predicates can be extracted automatically from the loop description and loop properties obtained by other methods such as a simple analysis of counters occurring in the loop, recurrence solving and quantifier elimination over loop variables. We run the theorem prover Vampire on some examples and show that nontrivial loop invariants can be generated. 1
Symbolic string verification: Combining string analysis and size analysis
 in Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS
"... Abstract. We present an automatabased approach for symbolic verification of systems with unbounded string and integer variables. Particularly, we are interested in automatically discovering the relationships among the string and integer variables. The lengths of the strings in a regular language fo ..."
Abstract

Cited by 24 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We present an automatabased approach for symbolic verification of systems with unbounded string and integer variables. Particularly, we are interested in automatically discovering the relationships among the string and integer variables. The lengths of the strings in a regular language form a semilinear set. We present a novel construction for length automata that accept the unary or binary representations of the lengths of the strings in a regular language. These length automata can be integrated with an arithmetic automaton that recognizes the valuations of the integer variables at a program point. We propose a static analysis technique that uses these automata in a forward fixpoint computation with widening and is able to catch relationships among the lengths of the string variables and the values of the integer variables. This composite string and integer analysis enables us to verify properties that cannot be verified using string analysis or size analysis alone. 1
Fluid Updates: Beyond Strong vs. Weak Updates
"... We describe a symbolic heap abstraction that unifies reasoning about arrays, pointers, and scalars, and we define a fluid update operation on this symbolic heap that relaxes the dichotomy between strong and weak updates. Our technique is fully automatic, does not suffer from the kind of statespac ..."
Abstract

Cited by 23 (9 self)
 Add to MetaCart
We describe a symbolic heap abstraction that unifies reasoning about arrays, pointers, and scalars, and we define a fluid update operation on this symbolic heap that relaxes the dichotomy between strong and weak updates. Our technique is fully automatic, does not suffer from the kind of statespace explosion problem partitionbased approaches are prone to, and can naturally express properties that hold for noncontiguous array elements. We demonstrate the effectiveness of this technique by evaluating it on challenging array benchmarks and by automatically verifying buffer accesses and dereferences in five Unix Coreutils applications with no annotations or false alarms.
Program Verification using Templates over Predicate Abstraction
"... We address the problem of automatically generating invariants with quantified and boolean structure for proving the validity of given assertions or generating preconditions under which the assertions are valid. We present three novel algorithms, having different strengths, that combine template and ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
(Show Context)
We address the problem of automatically generating invariants with quantified and boolean structure for proving the validity of given assertions or generating preconditions under which the assertions are valid. We present three novel algorithms, having different strengths, that combine template and predicate abstraction based formalisms to discover required sophisticated program invariants using SMT solvers. Two of these algorithms use an iterative approach to compute fixedpoints (one computes a least fixedpoint and the other computes a greatest fixedpoint), while the third algorithm uses a constraint based approach to encode the fixedpoint. The key idea in all these algorithms is to reduce the problem of invariant discovery to that of finding optimal solutions for unknowns (over conjunctions of some predicates from a given set) in a template formula such that
Automatic Verification of Integer Array Programs
, 2009
"... Abstract. We provide a verification technique for a class of programs working on integer arrays of finite, but not a priori bounded length. We use the logic of integer arrays SIL [13] to specify pre and postconditions of programs and their parts. Effects of nonlooping parts of code are computed s ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We provide a verification technique for a class of programs working on integer arrays of finite, but not a priori bounded length. We use the logic of integer arrays SIL [13] to specify pre and postconditions of programs and their parts. Effects of nonlooping parts of code are computed syntactically on the level of SIL. Loop preconditions derived during the computation in SIL are converted into counter automata (CA). Loops are automatically translated— purely on the syntactical level—to transducers. Precondition CA and transducers are composed, and the composition overapproximated by flat automata with difference bound constraints, which are next converted back into SIL formulae, thus inferring postconditions of the loops. Finally, validity of postconditions specified by the user in SIL may be checked as entailment is decidable for SIL. 1
Separating Shape Graphs
"... Abstract. Detailed memory models that expose individual fields are necessary to precisely analyze code that makes use of lowlevel aspects such as, pointers to fields and untagged unions. Yet, higherlevel representations that collect fields into records are often used because they are typically mor ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Detailed memory models that expose individual fields are necessary to precisely analyze code that makes use of lowlevel aspects such as, pointers to fields and untagged unions. Yet, higherlevel representations that collect fields into records are often used because they are typically more convenient and efficient in modeling the program heap. In this paper, we present a shape graph representation of memory that exposes individual fields while largely retaining the convenience of an objectlevel model. This representation has a close connection to particular kinds of formulas in separation logic. Then, with this representation, we show how to extend the Xisa shape analyzer for lowlevel aspects, including pointers to fields, Cstyle nested structures and unions, malloc and free, and array values, with minimal changes to the core algorithms (e.g., materialization and summarization). 1
Symbolic heap abstraction with demanddriven axiomatization of memory invariants
 In OOPSLA
, 2010
"... Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that ev ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that every concrete memory location stores one unique value directly on the heap abstraction. Our technique combines the strengths of analyses for precise reasoning about heap contents with approaches that prioritize axiomatization of memory invariants, such as the theory of arrays. Furthermore, by avoiding an explicit case analysis, our technique is scalable and powerful enough to analyze realworld programs with intricate use of arrays and pointers; in particular, we verify the absence of buffer overruns, incorrect casts, and null pointer dereferences in OpenSSH (over 26,000 lines of code) after fixing 4 previously undiscovered bugs found by our system. Our experiments also show that the combination of reasoning about heap contents and enforcing existence and uniqueness invariants is crucial for this level of precision.
What’s Decidable About Sequences?
, 2010
"... We present a firstorder theory of sequences with integer elements, Presburger arithmetic, and regular constraints, which can model significant properties of data structures such as arrays and lists. We give a decision procedure for the quantifierfree fragment, based on an encoding into the firsto ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
(Show Context)
We present a firstorder theory of sequences with integer elements, Presburger arithmetic, and regular constraints, which can model significant properties of data structures such as arrays and lists. We give a decision procedure for the quantifierfree fragment, based on an encoding into the firstorder theory of concatenation; the procedure has PSPACE complexity. The quantifierfree fragment of the theory of sequences can express properties such as sortedness and injectivity, as well as Boolean combinations of periodic and arithmetic facts relating the elements of the sequence and their positions (e.g., “for all even i’s, the element at position i has value i + 3 or 2i”). The resulting expressive power is orthogonal to that of the most expressive decidable logics for arrays. Some examples demonstrate that the fragment is also suitable to reason about sequencemanipulating programs within the standard framework of axiomatic
SMTBased Array Invariant Generation
, 2013
"... This paper presents a constraintbased method for generating universally quantified loop invariants over array and scalar variables. Constraints are solved by means of an SMT solver, thus leveraging recent advances in SMT solving for the theory of nonlinear arithmetic. The method has been implemen ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
This paper presents a constraintbased method for generating universally quantified loop invariants over array and scalar variables. Constraints are solved by means of an SMT solver, thus leveraging recent advances in SMT solving for the theory of nonlinear arithmetic. The method has been implemented in a prototype of program analyzer, and a wide sample of examples illustrating its power is shown.
QUIC Graphs: Relational Invariant Generation for Containers
"... Abstract. Programs written in modern languages perform intricate manipulations of containers such as arrays, lists, dictionaries, and sets. We present an abstract interpretationbased framework for automatically inferring relations between the set of values stored in these containers. Relations incl ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Programs written in modern languages perform intricate manipulations of containers such as arrays, lists, dictionaries, and sets. We present an abstract interpretationbased framework for automatically inferring relations between the set of values stored in these containers. Relations include inclusion relations over unions and intersections, as well as quantified relationships with scalar variables. We develop an abstract domain constructor that builds a container domain out of a Quantified UnionIntersection Constraint (QUIC) graph parameterized by an arbitrary base domain. We instantiate our domain with a polyhedral base domain and evaluate it on programs extracted from the Python test suite. Over traditional, nonrelational domains, we find significant precision improvements with minimal performance cost. 1