Results 1  10
of
10
EXE: Automatically generating inputs of death
 In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS
, 2006
"... This article presents EXE, an effective bugfinding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on ea ..."
Abstract

Cited by 226 (14 self)
 Add to MetaCart
This article presents EXE, an effective bugfinding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., inputderived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an inputconstraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow any value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own codesigned constraint solver, STP. Because EXE’s constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code).
An abstract decision procedure for satisfiability in the theory of recursive data types
 In Proceedings of PDPAR
, 2006
"... Abstract The theory of recursive data types is a valuable modeling tool for software verification. In the past, decision procedures have been proposed for both the full theory and its universal fragment. However, previous work has been limited in various ways, including an inability to deal with mul ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
Abstract The theory of recursive data types is a valuable modeling tool for software verification. In the past, decision procedures have been proposed for both the full theory and its universal fragment. However, previous work has been limited in various ways, including an inability to deal with multiple constructors, multisorted logic, and mutually recursive data types. More significantly, previous algorithms for the universal case have been based on inefficient nondeterministic guesses and have been described in fairly complex procedural terms. We present an algorithm which addresses these issues for the universal theory. The algorithm is presented declaratively as a set of abstract rules which are terminating, sound, and complete. We also describe strategies for applying the rules and explain why our recommended strategy is more efficient than those used by previous algorithms. Finally, we discuss how the algorithm can be used within a broader framework of cooperating decision procedures. 1 Introduction Recursive data types are commonly used in programming. In particular, functional languages support such structures explicitly. The same notion is also a convenient abstraction for common data types such as records and data structures such as linked lists used in more conventional programming languages. The ability to reason automatically and efficiently about recursive data types thus provides an important tool for the analysis and verification of programs. Perhaps the bestknown example of a simple recursive data type is the list type used in LISP. Lists are either the null list or are constructed from other lists using the constructor cons. This constructor takes two arguments and returns the result of prepending its first argument to the list in its second argument. In order to retrieve the elements of a list, a pair of selectors is provided: car returns the first element of a list and cdr returns the rest of the list.
Checking wellformedness of puremethod specifications
 Eds.): Proc. Int. Symp. Formal Methods. Vol. 5014 of LNCS (SpringerVerlag
, 2008
"... Abstract. Contract languages such as JML and Spec # specify invariants and pre and postconditions using sideeffect free expressions of the programming language, in particular, pure methods. For such contracts to be meaningful, they must be wellformed: First, they must respect the partiality of op ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Abstract. Contract languages such as JML and Spec # specify invariants and pre and postconditions using sideeffect free expressions of the programming language, in particular, pure methods. For such contracts to be meaningful, they must be wellformed: First, they must respect the partiality of operations, for instance, the preconditions of pure methods used in the contract. Second, they must enable a consistent encoding of pure methods in a program logic, which requires that their specifications are satisfiable and that recursive specifications are wellfounded. This paper presents a technique to check wellformedness of contracts. We give proof obligations that are sufficient to guarantee the existence of a model for the specification of pure methods. We improve over earlier work by providing a systematic solution including a soundness result and by supporting more forms of recursive specifications. Our technique has been implemented in the Spec # programming system. 1
Efficient Well‐Definedness Checking
 Proceedings of the International Joint Conference on Automated Reasoning (IJCAR
, 2008
"... Abstract. Formal specifications often contain partial functions that may lead to illdefined terms. A common technique to eliminate illdefined terms is to require welldefinedness conditions to be proven. The main advantage of this technique is that it allows us to reason in a twovalued logic even i ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. Formal specifications often contain partial functions that may lead to illdefined terms. A common technique to eliminate illdefined terms is to require welldefinedness conditions to be proven. The main advantage of this technique is that it allows us to reason in a twovalued logic even if the underlying specification language has a threevalued semantics. Current approaches generate welldefinedness conditions that grow exponentially with respect to the input formula. As a result, many tools prove shorter, but stronger approximations of these welldefinedness conditions instead. We present a procedure which generates welldefinedness conditions that grow linearly with respect to the input formula. The procedure has been implemented in the Spec # verification tool. We also present empirical results that demonstrate the improvements made. 1
Classical Logic with Partial Functions Hans
"... Abstract. We introduce a semantics for classical logic with partial functions. We believe that the semantics is natural. When a formula contains a subterm in which a function is applied outside of its domain, our semantics ensures that the formula has no truthvalue, so that it cannot be used for re ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We introduce a semantics for classical logic with partial functions. We believe that the semantics is natural. When a formula contains a subterm in which a function is applied outside of its domain, our semantics ensures that the formula has no truthvalue, so that it cannot be used for reasoning. The semantics relies on order of formulas. In this way, it is able to ensure that functions and predicates are properly declared before they are used. We define a sequent calculus for the semantics, and prove that this calculus is sound and complete for the semantics. 1
Using BitVector Decision Procedures for Analysis of Protein Folding Pathways
"... Abstract. We explore the use of bitvector decision procedures for the analysis of protein folding pathways. We argue that the protein folding problem is not identical to the classical probabilistic model checking problem in verification. Motivated by the different nature of the protein folding prob ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. We explore the use of bitvector decision procedures for the analysis of protein folding pathways. We argue that the protein folding problem is not identical to the classical probabilistic model checking problem in verification. Motivated by the different nature of the protein folding problem, we present a translation of the protein folding pathways analysis problem into a bounded model checking framework with bit vector decision procedures. We also present initial results of our experiments using the UCLID bitvector decision procedure. 1
An Abstract Decision Procedure for a Theory of Inductive Data Types
, 2006
"... Inductive data types are a valuable modeling tool for software verification. In the past, decision procedures have been proposed for various theories of inductive data types, some focused on the universal fragment, and some focused on handling arbitrary quantifiers. Because of the complexity of the ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Inductive data types are a valuable modeling tool for software verification. In the past, decision procedures have been proposed for various theories of inductive data types, some focused on the universal fragment, and some focused on handling arbitrary quantifiers. Because of the complexity of the full theory, previous work on the full theory has not focused on strategies for practical implementation. However, even for the universal fragment, previous work has been limited in several significant ways. In this paper, we present a general and practical algorithm for the universal fragment. The algorithm is presented declaratively as a set of abstract rules which we show to be terminating, sound, and complete. We show how other algorithms can be realized as strategies within our general framework, and we propose a new strategy and give experimental results indicating that it performs well in practice. We conclude with a discussion of several useful ways the algorithm can be extended.
Cv
 Liberal Studies; B.A., The Colorado College
, 1971
"... ls. Many past breakthroughs in practical applications of formal methods were possible only due to the creation of efficient programs like SMV, PVS, ACL2, SVC, and others which automated the extremely tedious mathematical reasonings that arise in formal verification. I am one of the main developers ..."
Abstract
 Add to MetaCart
ls. Many past breakthroughs in practical applications of formal methods were possible only due to the creation of efficient programs like SMV, PVS, ACL2, SVC, and others which automated the extremely tedious mathematical reasonings that arise in formal verification. I am one of the main developers of CVC Lite, a new formal verification tool which improves on its predecessors, CVC and SVC. Both SVC and CVC proved to be extremely useful in formal verification and had a significant impact in the field. The design of CVC Lite is expected to have a similar, or even greater impact in the research community. Previously, during my Ph.D. program at Carnegie Mellon University, I have developed a theorem prover SyMP (Symbolic Model Prover), which combines two large branches of formal methods: model checking and theorem proving. This tool also serves as a programmer's kit for writing new theorem provers specialized to various problem domains within formal verification. This tool was used to crea
0429894. REGION LOGIC: LOCAL REASONING FOR JAVA PROGRAMS AND ITS AUTOMATION
, 2011
"... Shared mutable objects are a cornerstone of the objectoriented paradigm. The ability to share mutable data eliminates unnecessary cloning and gives rise to efficient data structures. Yet, formal reasoning about partial correctness of objectoriented programs is notoriously difficult due to the very ..."
Abstract
 Add to MetaCart
Shared mutable objects are a cornerstone of the objectoriented paradigm. The ability to share mutable data eliminates unnecessary cloning and gives rise to efficient data structures. Yet, formal reasoning about partial correctness of objectoriented programs is notoriously difficult due to the very same features, viz., sharing and mutable objects. The core problem is aliasing, and one of the contributions of this thesis is a program logic designed to control aliasing through explicit use of effects and disjointedness assertions. We propose a straightforward adaptation of Hoare logic to reason about (sequential) Java programs. The logic employs regions (sets of references) in a novel way, by using them in ghost state, effects and assertions. The aptly named—region logic—embodies “local reasoning ” as witnessed by separation logic, without resorting to nonstandard semantics or higherorder constructs. Region logic is formalized (and proven sound) with respect to a core subset of Java. Several illustrative examples including subject/observer and composite design patterns are specified and proven partially correct. The assertion language of region
Journal of Automated Reasoning manuscript No. (will be inserted by the editor) Classical Logic with Partial Functions
"... the date of receipt and acceptance should be inserted later Abstract We introduce a semantics for classical logic with partial functions, in which illtyped formulas are guaranteed to have no truth value, so that they cannot be used in any form of reasoning. The semantics makes it possible to mix rea ..."
Abstract
 Add to MetaCart
the date of receipt and acceptance should be inserted later Abstract We introduce a semantics for classical logic with partial functions, in which illtyped formulas are guaranteed to have no truth value, so that they cannot be used in any form of reasoning. The semantics makes it possible to mix reasoning about types and preconditions with reasoning about other properties. This makes it possible to deal with partial functions with preconditions of unlimited complexity. We show that, in spite of its increased complexity, the semantics is still a natural generalization of firstorder logic with simple types. If one does not use the increased expressivity, the type system is not stronger than classical logic with simple types. We will define two sequent calculi for our semantics, and prove that they are sound and complete. The first calculus follows the semantics closely, and hence its completeness proof is fairly straightforward. The second calculus is further away from the semantics, but more suitable for practical use because it has better proof theoretic properties. Its completeness can be shown by proving that proofs from the first calculus can be translated.