## Automatically validating temporal safety properties of interfaces (2001)

### Download Links

- [www.cs.sunysb.edu]
- [www.ece.cmu.edu]
- [www.research.microsoft.com]
- [www.research.microsoft.com]
- [pdf.aminer.org]
- [www.cs.virginia.edu]
- [www.cs.virginia.edu]
- [www.cs.virginia.edu]
- [users.ece.cmu.edu]
- [www.cse.msu.edu]
- [users.ece.cmu.edu]
- [swtv.kaist.ac.kr]
- [spinroot.com]
- DBLP

Citations: 431 (21 self)

### Citations

3471 | Graph-based algorithms for boolean function manipulation
- Bryant
- 1986
Citation context: ...ys. First, it computes over sets of bit vectors at each statement rather than single bit vectors. This is necessary to capture correlations between variables. Second, it uses binary decision diagrams [5] (BDDs) to implicitly represent the set of reachable states of a program, as well as the transfer functions for each statement in a boolean program. Bebop also differs from previous model checking alg...

2292 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation context: ...l tolerate a false alarm rate in the range 25-50% depending on the application [29]. Boolean programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpretation have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflo...

1692 | A discipline of programming
- Dijkstra
- 1972
Citation context: ...nditional is translated into an assume statement). The assume statement is the dual of assert: assume(e) never fails. Executions on which e does not hold at the point of the assume are simply ignored [15]. The internal state of Newton has three components: (1) store, which is a mapping from locations to symbolic expressions, (2) conditions, which is a set of predicates, and (3) a history which is a se...

1248 | Proof-carrying code
- Necula
- 1997
Citation context: ...g it, the property passed. 7 Related Work. SLAM seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (...

836 | Counterexample-guided abstraction refinement for symbolic model checking
- Clarke, Grumberg, et al.
Citation context: ...] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34,31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]. Both efforts deal with finite state systems. An alternative approach to static validation of safety properties, is to provide a rich type system that allows users to encode both safety properties an...

736 | Construction of abstract state graphs with PVS
- Graf, Saïdi
- 1997
Citation context: ...ata types. Predicate abstraction, as implemented in C2bp is more general, and can capture relationships between variables. The predicate abstraction in SLAM was inspired by the work of Graf and Saïdi [20] in the model checking community. Efforts have been made to integrate predicate abstraction with theorem proving and model checking [32]. Though our use of predicate abstraction is related to these ef...

647 | Bandera: Extracting Finite-state Models from Java Source Code
- Corbett, Dwyer, et al.
- 2000
Citation context: ...M seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the...

485 | Automatic predicate abstraction of C programs
- Ball, Majumdar, et al.
- 2001
Citation context: ... We have developed tools to support each of these phases: – C2bp, a tool that transforms a C program P into a boolean program BP(P, E) with respect to a set of predicates E over the state space of P [1, 2]; – Bebop, a tool for model checking boolean programs [3], and – Newton, a tool that discovers additional predicates to refine the boolean program, by analyzing the feasibility of paths in the C progr...

475 | The SPIN Model Checker
- Holzmann
- 1997
Citation context: ...M seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the...

462 | Computer-aided verification of coordinating processes: the automata-theoretic approach
- Kurshan
- 1994
Citation context: ...ve been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34,31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]. Both efforts deal with finite state systems. An alternative approach to static validation of safety properties, is to provide a rich type system that allows users to encode...

446 | Precise interprocedural dataflow analysis via graph reachability
- Reps, Horwitz, et al.
- 1995
Citation context: ... Bebop tool [3] computes the set of reachable states for each statement of a boolean program using an interprocedural dataflow analysis algorithm in the spirit of Sharir/Pnueli and Reps/Horwitz/Sagiv [34,31]. A state of a boolean program at a statement s is simply a valuation to the boolean variables that are in scope at statement s (in other words, a bit vector, with one bit for each variable in scope)....

391 | Checking system rules using system-specific, programmer-written compiler extensions
- Engler, Chelf, et al.
- 2000
Citation context: ...M seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the...

390 | Proving the correctness of multiprocess programs
- Lamport
- 1977
Citation context: ...erfaces it uses. Safety properties are the class of properties that state that "something bad does not happen". An example is requiring that a lock is never released without first being acquired (see [24] for a formal definition). Given a program and a safety property, we wish to either validate that the code respects the property, or find an execution path that shows how the code violates the propert...

384 | Enforcing high-level protocols in low-level software
- DeLine, Fahndrich
- 2001
Citation context: ... validation of safety properties, is to provide a rich type system that allows users to encode both safety properties and program annotations as types, and reduce property validation to type checking [12]. 8 Conclusions. We have presented a fully automated methodology to validate/invalidate temporal safety properties of software interfaces. Our process does not require user supplied annotations, or use...

321 | Extended static checking
- Detlefs, Leino, et al.
- 1998
Citation context: ...g it, the property passed. 7 Related Work. SLAM seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (...

307 | A static analyzer for finding dynamic programming errors. Software Practice and Experience
- Bush, Pincus, et al.
- 2000
Citation context: ...g it, the property passed. 7 Related Work. SLAM seeks a sweet spot between tools based on verification condition generation (VCGen) [14,25,26,6] that operate directly on the concrete semantics, and model checking or data flow-analysis based tools [8,21,18,16] that operate on abstractions of the program. We use a VCGen-based approach on finite (...

257 | A symbolic model checker for boolean programs
- Ball, Rajamani
- 2000
Citation context: ...n initial abstraction from the property that needs to be checked, and (2) refining this abstraction using an automatic refinement algorithm. We model abstractions of C programs using boolean programs [3]. Boolean programs are C programs in which all variables have boolean type. Each boolean variable in a boolean program has an interpretation as a predicate over the infinite state space of the C progr...

237 | Verification by Abstract Interpretation
- Cousot
Citation context: ... programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpretation have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34,31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]. B...

227 | PVS: Combining specification, proof checking, and model checking
- Owre, Rajan, et al.
- 1996
Citation context: ...peed. We currently use two automatic theorem provers Simplify [27,13] and Vampyre [4]. We are also investigating using other decision procedures, such as those embodied in the Omega test [30] and PVS [28]. Complexity. The runtime of C2bp is dominated by calls to the theorem prover. In the worst-case, the number of calls made to the theorem prover for computing BP(P, E) is linear in the size of P and e...

214 | Unification-based pointer analysis with directional assignments
- Das
- 2000
Citation context: ...to by p. That is, we treat pointers as references rather than as memory addresses. Note that this is the same basic assumption underlying most points-to analysis, including the one that our tools use [11]. 2.1 Property Specification. We have created a low-level specification language called Slic (Specification Language for Interface Checking) in which the user states safety properties. A Slic specifica...

196 | A Practical Algorithm for Exact Array Dependence Analysis
- Pugh
- 1992
Citation context: ...computation speed. We currently use two automatic theorem provers Simplify [27,13] and Vampyre [4]. We are also investigating using other decision procedures, such as those embodied in the Omega test [30] and PVS [28]. Complexity. The runtime of C2bp is dominated by calls to the theorem prover. In the worst-case, the number of calls made to the theorem prover for computing BP(P, E) is linear in the si...

195 | Boolean and cartesian abstractions for model checking C programs
- Ball, Podelski, et al.
- 2001
Citation context: ... We have developed tools to support each of these phases: – C2bp, a tool that transforms a C program P into a boolean program BP(P, E) with respect to a set of predicates E over the state space of P [1, 2]; – Bebop, a tool for model checking boolean programs [3], and – Newton, a tool that discovers additional predicates to refine the boolean program, by analyzing the feasibility of paths in the C progr...

192 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation context: ...nditions, postconditions) and uses the ESC/Java checker to refute inconsistent annotations until convergence [19]. Boolean programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpretation have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow ...

173 | Flow analysis for verifying properties of concurrent software systems
- Dwyer, Clarke, et al.

125 | Techniques for program verification
- Nelson
- 1981
Citation context: ...m are removed. 4 Since underlying decision procedures in the theorem prover and our axiomatization of C are incomplete, "don't know" is also a possible answer. In practice, the theorem provers we use [27,13,4] have been able to give a "yes" or "no" answer in every example we have seen so far. 2.7 The Second Boolean Program. In the second ...

111 | Data flow analysis is model checking of abstract interpretations
- Schmidt
- 1998
Citation context: ...olean programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpretation have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34,31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [...

88 | Abstract and Model Check while you Prove
- Saïdi, Shankar
- 1999
Citation context: ... abstraction in SLAM was inspired by the work of Graf and Saïdi [20] in the model checking community. Efforts have been made to integrate predicate abstraction with theorem proving and model checking [32]. Though our use of predicate abstraction is related to these efforts, our goal is to analyze software written in common programming languages. The SLAM tools C2bp and Bebop can be used in combination...

77 | Program analysis as model checking of abstract interpretations
- Schmidt, Steffen
- 1998
Citation context: ...oolean programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpretation have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34, 31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]....

75 | Implementation of an array bound checker
- Suzuki, Ishihata
- 1977
Citation context: ...p using a fixpoint computation on the abstraction computed by C2bp. Prior work for generating loop invariants has used symbolic execution on the concrete semantics, augmented with widening heuristics [35,36]. The Houdini tool guesses a candidate set of annotations (invariants, preconditions, postconditions) and uses the ESC/Java checker to refute inconsistent annotations until convergence [19]. 6 Jon Pinc...

72 | Tool-supported program abstraction for finite-state verification
- Dwyer, Hatcliff, et al.
- 2001
Citation context: ...ed by [18] and [22] are based on specifying transitions in the abstract system using a pattern language, or as a table of rules. Automatic abstraction support has been built into the Bandera tool set [17]. They require the user to provide finite domain abstractions of data types. Predicate abstraction, as implemented in C2bp is more general, and can capture relationships between variables. The predic...

57 | Safety checking of machine code
- Xu, Miller, et al.
Citation context: ...p using a fixpoint computation on the abstraction computed by C2bp. Prior work for generating loop invariants has used symbolic execution on the concrete semantics, augmented with widening heuristics [35,36]. The Houdini tool guesses a candidate set of annotations (invariants, preconditions, postconditions) and uses the ESC/Java checker to refute inconsistent annotations until convergence [19]. 6 Jon Pinc...

55 | An Extended Static Checker for Modula-3
- Leino, Nelson
- 1998

49 | Logic verification of ANSI-C code with SPIN
- Holzmann
- 2000
Citation context: ...LAM process is equivalent to performing Engler et al.'s approach interprocedurally. Constructing abstract models of programs has been studied in several contexts. Abstractions constructed by [18] and [22] are based on specifying transitions in the abstract system using a pattern language, or as a table of rules. Automatic abstraction support has been built into the Bandera tool set [17]. They require ...

35 | Bandera: extracting models from Java source code
- Corbett, Dwyer, et al.
- 2000
Citation context: ...G) abort; } else if (s == Pending) { if( $return != STATUS_PENDING) abort; } } Fig. 8. Slic specification for completing an IRP or marking it as pending. model checking or dataflow-analysis based tools [8, 21, 18, 16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the p...

30 | PVS: Combining specification, proof checking, and model checking
- Owre, Rajan, et al.
Citation context: ...eed. We currently use two automatic theorem provers Simplify [27, 13] and Vampyre [4]. We are also investigating using other decision procedures, such as those embodied in the Omega test [30] and PVS [28]. Complexity. The runtime of C2bp is dominated by calls to the theorem prover. In the worst-case, the number of calls made to the theorem prover for computing BP(P, E) is linear in the size of P and ex...

28 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
Citation context: ...[33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34, 31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]. Both efforts deal with finite state systems. An alternative approach to static validation of safety properties, is to provide a rich type system that allows users to encode both safety properties and p...

27 | Annotation inference for modular checkers
- Flanagan, Joshi, et al.
- 2001
Citation context: ...s, augmented with widening heuristics [30, 32]. The Houdini tool guesses a candidate set of annotations (invariants) and uses the ESC/Java checker to refute inconsistent annotations until convergence [15]. Boolean programs can be viewed as abstract interpretations of the underlying program [8]. The connections between model checking, dataflow analysis and abstract interpretation have been explored befo...

24 | Using Predicate Abstraction to Reduce Object-Oriented Programs for Model Checking
- Visser, Park, et al.
- 2000
Citation context: ...r use of predicate abstraction is related to these efforts, our goal is to analyze software written in common programming languages. A predicate abstraction tool for Java has recently been reported in [31]. The SLAM tools C2bp and Bebop can be used in combination to find loop-invariants expressible as boolean functions over a given set of predicates. The loop-invariant is computed by the model checker Bebo...

23 | Checking system rules using system-specific, programmer-written compiler extensions
- Engler, Chelf, et al.
- 2000
Citation context: ...G) abort; } else if (s == Pending) { if( $return != STATUS_PENDING) abort; } } Fig. 8. Slic specification for completing an IRP or marking it as pending. model checking or dataflow-analysis based tools [8, 21, 18, 16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the p...

21 | Precise interprocedural dataflow analysis via graph reachability
- Reps, Horwitz, et al.
- 1995
Citation context: ...e Bebop tool [3] computes the set of reachable states for each statement of a boolean program using an interprocedural dataflow analysis algorithm in the spirit of Sharir/Pnueli and Reps/Horwitz/Sagiv [34, 31]. A state of a boolean program at a statement s is simply a valuation to the boolean variables that are in scope at statement s (in other words, a bit vector, with one bit for each variable in scope)....

19 | Computer-Aided Verification of Coordinating Processes
- Kurshan
- 1994
Citation context: ... have been explored before [33] [10]. The model checker Bebop is based on earlier work on interprocedural dataflow analysis [34, 31]. Automatic iterative refinement based on error paths first appeared in [23], and more recently in [7]. Both efforts deal with finite state systems. An alternative approach to static validation of safety properties, is to provide a rich type system that allows users to encode bo...

15 | Techniques for Program Verification
- Nelson
Citation context: ...m are removed. 4 Since underlying decision procedures in the theorem prover and our axiomatization of C are incomplete, "don't know" is also a possible answer. In practice, the theorem provers we use [27, 13, 4] have been able to give a "yes" or "no" answer in every example we have seen so far. If the answer is "yes", then an error path has been found, and we report it to the user. If the answer is "no" then...

10 | Data flow analysis for verifying properties of concurrent programs
- Dwyer, Clarke
- 1994
Citation context: ...G) abort; } else if (s == Pending) { if( $return != STATUS_PENDING) abort; } } Fig. 8. Slic specification for completing an IRP or marking it as pending. model checking or dataflow-analysis based tools [8, 21, 18, 16] that operate on abstractions of the program. We use a VCGen-based approach on finite (potentially interprocedural) paths of the program, and use the knowledge gained to construct abstract models of the p...

10 | Logic verification of ANSI-C code with SPIN
- Holzmann
- 2000
Citation context: ... tolerate a false alarm rate in the range 25-50% depending on the application [29]. Constructing abstract models of programs has been studied in several contexts. Abstractions constructed by [18] and [22] are based on specifying transitions in the abstract system using a pattern language, or as a table of rules. Automatic abstraction support has been built into the Bandera tool set [17]. They require ...

10 | Two approaches to interprocedural data flow analysis
- Sharir, Pnueli
- 1981
Citation context: ... Bebop tool [3] computes the set of reachable states for each statement of a boolean program using an interprocedural dataflow analysis algorithm in the spirit of Sharir/Pnueli and Reps/Horwitz/Sagiv [34,31]. A state of a boolean program at a statement s is simply a valuation to the boolean variables that are in scope at statement s (in other words, a bit vector, with one bit for each variable in scope)....

10 | Simplify theorem prover - http://research.compaq.com/src/esc/simplify.html
- Detlefs, Nelson, et al.
Citation context: ...m are removed. 4 Since underlying decision procedures in the theorem prover and our axiomatization of C are incomplete, "don't know" is also a possible answer. In practice, the theorem provers we use [27,13,4] have been able to give a "yes" or "no" answer in every example we have seen so far. 2.7 The Second Boolean Program. In the second ...

8 | A static analyzer for dynamic programming errors. Software: Practice and Experience
- Bush, Pincus, et al.
- 2000

6 | Annotation inference for modular checkers. Information Processing Letters (to appear)
- Flanagan, Joshi, et al.
- 2001
Citation context: ...uristics [35,36]. The Houdini tool guesses a candidate set of annotations (invariants, preconditions, postconditions) and uses the ESC/Java checker to refute inconsistent annotations until convergence [19]. 6 Jon Pincus, who led the development of an industrial-strength error detection tool for C called PREfix [6], observes that users of PREfix will tolerate a false alarm rate in the range 25-50% depen...

5 | Tool-supported program abstraction for finite-state verification
- Dwyer, Hatcliff, et al.
- 2001
Citation context: ...ed by [18] and [22] are based on specifying transitions in the abstract system using a pattern language, or as a table of rules. Automatic abstraction support has been built into the Bandera tool set [17]. They require the user to provide finite domain abstractions of data types. Predicate abstraction, as implemented in C2bp is more general, and can capture relationships between variables. The predicat...

4 | Vampyre: A Proof Generating Theorem Prover. http://www.cs.ucla.edu/~rupak/Vampyre
- Blei, Harrelson, et al.
Citation context: ...m are removed. 4 Since underlying decision procedures in the theorem prover and our axiomatization of C are incomplete, "don't know" is also a possible answer. In practice, the theorem provers we use [27,13,4] have been able to give a "yes" or "no" answer in every example we have seen so far. 2.7 The Second Boolean Program. In the second ...

4 | A static analyzer for dynamic programming errors
- Bush, Pincus, et al.
- 2000
Citation context: ...ch turned out to be due to an error in the Slic specification. After fixing it, the property passed. 7 Related Work. SLAM seeks a sweet spot between tools based on verification condition generation (VCGen) [14, 25, 26, 6] that operate directly on the concrete semantics, and state { enum {Init, Complete, Pending} s = Init; PIRP gIrp = 0; } Dispatch.entry { s, gIrp = Init, $2; } IoCompleteRequest.call{ if(gIrp == $1) { ...

1 | Generating compact verification conditions
- Flanagan, Saxe
Citation context: ...he fourth iteration, but it turned out to be a cut-and-paste error in our instrumentation process. After fixing it, the property passed. 7 Related Work. SLAM seeks a sweet spot between VCGen-based tools [16, 22, 5] that operate directly on the concrete semantics and model checking or dataflow-analysis based tools [7, 18, 13, 11] that operate on abstractions of the program. We use a VCGen-based approach on finite (po...

1 | personal communication
- Pincus
- 2000
Citation context: ...the development of an industrial-strength error detection tool for C called PREfix [6], observes that users of PREfix will tolerate a false alarm rate in the range 25-50% depending on the application [29]. Boolean programs can be viewed as abstract interpretations of the underlying program [9]. The connections between model checking, dataflow analysis and abstract interpr...