Results 1  10
of
26
Lazy Satisfiability Modulo Theories
 JOURNAL ON SATISFIABILITY, BOOLEAN MODELING AND COMPUTATION 3 (2007) 141Â224
, 2007
"... Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingl ..."
Abstract

Cited by 189 (50 self)
 Add to MetaCart
(Show Context)
Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingly important due to its applications in many domains in different communities, in particular in formal verification. An amount of papers with novel and very efficient techniques for SMT has been published in the last years, and some very efficient SMT tools are now available. Typical SMT (T) problems require testing the satisfiability of formulas which are Boolean combinations of atomic propositions and atomic expressions in T, so that heavy Boolean reasoning must be efficiently combined with expressive theoryspecific reasoning. The dominating approach to SMT (T), called lazy approach, is based on the integration of a SAT solver and of a decision procedure able to handle sets of atomic constraints in T (Tsolver), handling respectively the Boolean and the theoryspecific components of reasoning. Unfortunately, neither the problem of building an efficient SMT solver, nor even that
Automatic analysis of scratchpad memory code for heterogeneous multicore processors.
 In TACAS,
, 2010
"... Abstract. Modern multicore processors, such as the Cell Broadband Engine, achieve high performance by equipping accelerator cores with small "scratchpad" memories. The price for increased performance is higher programming complexity the programmer must manually orchestrate data movement ..."
Abstract

Cited by 13 (10 self)
 Add to MetaCart
(Show Context)
Abstract. Modern multicore processors, such as the Cell Broadband Engine, achieve high performance by equipping accelerator cores with small "scratchpad" memories. The price for increased performance is higher programming complexity the programmer must manually orchestrate data movement using direct memory access (DMA) operations. Programming using asynchronous DMAs is errorprone, and DMA races can lead to nondeterministic bugs which are hard to reproduce and fix. We present a method for DMA race analysis which automatically instruments the program with assertions modelling the semantics of a memory flow controller. To enable automatic verification of instrumented programs, we present a new formulation of kinduction geared towards software, as a proof rule operating on loops. We present a tool, SCRATCH, which we apply to a large set of programs supplied with the IBM Cell SDK, in which we discover a previously unknown bug. Our experimental results indicate that our kinduction method performs extremely well on this problem class. To our knowledge, this marks both the first application of kinduction to software verification, and the first example of software model checking for heterogeneous multicore processors.
Instantiationbased invariant discovery
 In NFM, volume 6617 of LNCS
, 2011
"... Abstract. We present a general scheme for automated instantiationbased invariant discovery. Given a transition system, the scheme produces kinductive invariants from templates representing decidable predicates over the system’s data types. The proposed scheme relies on efficient reasoning engine ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present a general scheme for automated instantiationbased invariant discovery. Given a transition system, the scheme produces kinductive invariants from templates representing decidable predicates over the system’s data types. The proposed scheme relies on efficient reasoning engines such as SAT and SMT solvers, and capitalizes on their ability to quickly generate countermodels of noninvariant conjectures. We discuss in detail two practical specializations of the general scheme in which templates represent partial orders. Our experimental results show that both specializations are able to quickly produce invariants from a variety of synchronous systems which prove quite useful in proving safety properties for these systems. 1
P.: Software verification using kinduction
 Berlin / Heidelberg
, 2011
"... Abstract. We present combinedcase kinduction, a novel technique for verifying software programs. This technique draws on the strengths of the classical inductiveinvariant method and a recent application of kinduction to program verification. In previous work, correctness of programs was establi ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present combinedcase kinduction, a novel technique for verifying software programs. This technique draws on the strengths of the classical inductiveinvariant method and a recent application of kinduction to program verification. In previous work, correctness of programs was established by separately proving a base case and inductive step. We present a new kinduction rule that takes an unstructured, reducible control flow graph (CFG), a natural loop occurring in the CFG, and a positive integer k, and constructs a single CFG in which the given loop is eliminated via an unwinding proportional to k. Recursively applying the proof rule eventually yields a loopfree CFG, which can be checked using SAT/SMTbased techniques. We state soundness of the rule, and investigate its theoretical properties. We then present two implementations of our technique: KINDUCTOR, a verifier for C programs built on top of the CBMC model checker, and KBOOGIE, an extension of the Boogie tool. Our experiments, using a large set of benchmarks, demonstrate that our kinduction technique frequently allows program verification to succeed using significantly weaker loop invariants than are required with the standard inductive invariant approach.
Logiconumerical abstract acceleration and application to the verification of dataflow programs
 In Static Analysis Symposium
, 2011
"... Abstract. Accelerationmethodsarecommonlyusedforspeedingupthe convergence of loops in reachability analysis of counter machine models. Applying these methods to synchronous dataflow programs with Boolean and numerical variables, e.g., Lustre programs, requires the enumeration of the Boolean states i ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Accelerationmethodsarecommonlyusedforspeedingupthe convergence of loops in reachability analysis of counter machine models. Applying these methods to synchronous dataflow programs with Boolean and numerical variables, e.g., Lustre programs, requires the enumeration of the Boolean states in order to obtain a control flow graph (CFG) with numerical variables only. Our goal is to apply acceleration techniques to dataflow programs without resorting to this exhaustive enumeration. To this end, we present (1) logiconumerical abstract acceleration methods for CFGs with Boolean and numerical variables and (2) partitioning techniquesthatmake logicalnumerical abstract acceleration effective. Experimental results show that incorporating these methods in a verification tool based on abstract interpretation provides not only significant advantage in terms of accuracy, but also a gain in performance in comparison to standard techniques.
D.: Strengthening inductionbased race checking with lightweight static analysis
 In: Verification, Model Checking, and Abstract Interpretation (VMCAI). LNCS
, 2011
"... Abstract. Direct Memory Access (DMA) is key to achieving high performance in systemlevel software for multicore processors such as the Cell Broadband Engine. Incorrectly orchestrated DMAs cause DMA races, leading to subtle bugs that are hard to reproduce and fix. In previous work, we have shown th ..."
Abstract

Cited by 8 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Direct Memory Access (DMA) is key to achieving high performance in systemlevel software for multicore processors such as the Cell Broadband Engine. Incorrectly orchestrated DMAs cause DMA races, leading to subtle bugs that are hard to reproduce and fix. In previous work, we have shown that kinduction yields an effective method for proving absence of a restricted class of DMA races. We extend this work to handle a larger class of DMA races. We show that the applicability of kinduction can be significantly improved when combined with three inexpensive static analyses: 1) abstractinterpretationbased static analysis; 2) chunking, a domainspecific invariant generation technique; and 3) code transformations based on statement independence. Our techniques are implemented in the SCRATCH tool. We evaluate our work on industrial benchmarks. 1
The nuxmv symbolic model checker
 IN CAV
, 2014
"... This paper describes the NUXMV symbolic model checker for finite and infinitestate synchronous transition systems. NUXMV is the evolution of the NUSMV open source model checker. It builds on and extends NUSMV along two main directions. For finitestate systems it complements the basic verification ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
This paper describes the NUXMV symbolic model checker for finite and infinitestate synchronous transition systems. NUXMV is the evolution of the NUSMV open source model checker. It builds on and extends NUSMV along two main directions. For finitestate systems it complements the basic verification techniques of NUSMV with stateoftheart verification algorithms. For infinitestate systems, it extends the NUSMV language with new data types, namely Integers and Reals, and it provides advanced SMTbased model checking techniques. Besides extended functionalities, NUXMV has been optimized in terms of performance to be competitive with the state of the art. NUXMV has been used in several industrial projects as verification backend, and it is the basis for several extensions to cope with requirements analysis, contract based design, model checking of hybrid systems, safety assessment, and software model checking.
S.: Ic3 modulo theories via implicit predicate abstraction
 In: Proc. TACAS. (2014
"... Abstract. We present a novel approach for generalizing the IC3 algorithm for invariant checking from finitestate to infinitestate transition systems, expressed over some background theories. The procedure is based on a tight integration of IC3 with Implicit (predicate) Abstraction, a technique th ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present a novel approach for generalizing the IC3 algorithm for invariant checking from finitestate to infinitestate transition systems, expressed over some background theories. The procedure is based on a tight integration of IC3 with Implicit (predicate) Abstraction, a technique that expresses abstract transitions without computing explicitly the abstract system and is incremental with respect to the addition of predicates. In this scenario, IC3 operates only at the Boolean level of the abstract state space, discovering inductive clauses over the abstraction predicates. Theory reasoning is confined within the underlying SMT solver, and applied transparently when performing satisfiability checks. When the current abstraction allows for a spurious counterexample, it is refined by discovering and adding a sufficient set of new predicates. Importantly, this can be done in a completely incremental manner, without discarding the clauses found in the previous search. The proposed approach has two key advantages. First, unlike current SMT generalizations of IC3, it allows to handle a wide range of background theories without relying on adhoc extensions, such as quantifier elimination or theoryspecific clause generalization procedures, which might not always be available, and can moreover be inefficient. Second, compared to a direct exploration of the concrete transition system, the use of abstraction gives a significant performance improvement, as our experiments demonstrate.
versat: A Verified Modern SAT Solver
"... Abstract. This paper presents versat, a formally verified SAT solver incorporating the essential features of modern SAT solvers, including clause learning, watched literals, optimized conflict analysis, nonchronological backtracking, and decision heuristics. Unlike previous related work on SATs ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents versat, a formally verified SAT solver incorporating the essential features of modern SAT solvers, including clause learning, watched literals, optimized conflict analysis, nonchronological backtracking, and decision heuristics. Unlike previous related work on SATsolver verification, our implementation uses efficient lowlevel data structures like mutable C arrays for clauses and other solver state, and machine integers for literals. The implementation and proofs are written in GURU, a verifiedprogramming language. We compare versat to a stateoftheart SAT solver that produces certified “unsat ” answers. We also show through an empirical evaluation that versat can solve SAT problems on the modern scale. 1
Modular Abstractions of Reactive Nodes using Disjunctive Invariants ∗
, 2011
"... We wish to abstract nodes in a reactive programming language, such as Lustre, into nodes with a simpler control structure, with a bound on the number of control states. In order to do so, we compute disjunctive invariants in predicate abstraction, with a bounded number of disjuncts, then we abstract ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We wish to abstract nodes in a reactive programming language, such as Lustre, into nodes with a simpler control structure, with a bound on the number of control states. In order to do so, we compute disjunctive invariants in predicate abstraction, with a bounded number of disjuncts, then we abstract the node, each disjunct representing an abstract state. The computation of the disjunctive invariant is performed by a form of quantifier elimination expressed using SMTsolving. The same method can also be used to obtain disjunctive loop invariants. 1