## Array abstractions from proofs (2007)

Venue: CAV, volume 4590 of LNCS

Citations: 33 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Jhala07arrayabstractions,
  author    = {Ranjit Jhala and Kenneth L. McMillan},
  title     = {Array abstractions from proofs},
  booktitle = {CAV, volume 4590 of LNCS},
  year      = {2007},
  publisher = {Springer}
}
```

### Abstract

We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the high-level (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a Counterexample-Guided Abstraction-Refinement (CEGAR) loop, we obtain a method for verifying data-sensitive safety properties whose precision is tailored in a program- and property-sensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of array-manipulating programs that were previously beyond automatic model checkers.

### Citations

604 | Construction of abstract state graphs with PVS
- Graf, Saïdi
- 1997
Citation Context: ...es include those based on three-valued logic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed as an instance of abstract interpretation. In the approaches which work for unbounded structures an expert must supply appropri...

603 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
Citation Context: ...od suffices to prove a variety of array-manipulating programs that were previously beyond automatic model checkers. 1 Introduction Counterexample-guided Abstraction-Refinement (CEGAR)-based techniques [8] have proven to be effective in the verification of control-dominated properties of software [2,15,7,16], chiefly because they precisely track only the small set of facts required to prove the propert...

540 | Parametric shape analysis via 3-valued logic
- Sagiv, Reps, et al.
Citation Context: ...problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation based techniques for shape analysis. Examples include those based on three-valued logic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,...

445 | Lazy abstraction
- Henzinger, Jhala, et al.
- 2002
Citation Context: ...tic model checkers. 1 Introduction Counterexample-guided Abstraction-Refinement (CEGAR)-based techniques [8] have proven to be effective in the verification of control-dominated properties of software [2,15,7,16], chiefly because they precisely track only the small set of facts required to prove the property. However, CEGAR has not had success with data-sensitive properties which require the automatic discove...

372 | The SLAM Project: Debugging System Software via Static Analysis
- Ball, Rajamani
- 2002
Citation Context: ...tic model checkers. 1 Introduction Counterexample-guided Abstraction-Refinement (CEGAR)-based techniques [8] have proven to be effective in the verification of control-dominated properties of software [2,15,7,16], chiefly because they precisely track only the small set of facts required to prove the property. However, CEGAR has not had success with data-sensitive properties which require the automatic discove...

213 | Abstractions from proofs
- Henzinger, Jhala, et al.
- 2004
Citation Context: ...tomatically inferring range predicates tailored to the property to be proved. Thus, the two ingredients are combined to obtain a predicate inference technique which, when embedded within a CEGAR loop [14,18], results in an automatic method for verifying data-sensitive safety properties of array-manipulating programs. To address the challenge of computing range predicate interpolants instead of a divergent se...

195 | Interpolation and SAT-Based Model Checking
- McMillan
- 2003

128 | A local shape analysis based on separation logic
- Distefano, O'Hearn, et al.
- 2006
Citation Context: ...uantified invariant is studied. A second line of work uses abstract interpretation based techniques for shape analysis. Examples include those based on three-valued logic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed a...

112 | TVLA: A system for implementing static analyses
- Lev-Ami, Sagiv
- 2000
Citation Context: ...problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation based techniques for shape analysis. Examples include those based on three-valued logic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,...

94 | Predicate abstraction for software verification
- Flanagan, S
Citation Context: ...gic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed as an instance of abstract interpretation. In the approaches which work for unbounded structures an expert must supply appropriate predicates or instrumentation predicates which ar...

89 | What's decidable about arrays
- Bradley, Manna, et al.
- 2006
Citation Context: ...ting families of candidate loop invariants (e.g. affine constraints over program variables) to generate loop invariants [3,4,29]. These approaches use a template of quantified invariants derived from [6], where the problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation based techniques for shape analysis. Examples include those based on three-v...

75 | Lazy Abstraction with Interpolants
- McMillan
- 2006
Citation Context: ... state formula over the values of the variables at time i. Thus, the interpolant corresponding to an infeasible path can be used to iteratively refine an abstract model of the program either directly [24], or indirectly by predicate abstraction over the set of atomic predicates appearing in the interpolant [14]. This process is repeated until all paths are shown infeasible or a feasible path is found ...

69 | An interpolating theorem prover
- McMillan
- 2004
Citation Context: ...cedents, the consequence is implied by Ai. Second, we can convert the split proof into a set of propositional clauses (by converting each atom into a literal) and then use propositional interpolation [23] to find an interpolant. The latter operation is polynomial in the size of the split-proof and results in interpolants whose atoms appear in the split proof and are thus from the restriction language ...

67 | Scalable analysis of linear systems using mathematical programming
- Sankaranarayanan, Sipma, et al.
- 2005
Citation Context: ...ctures has received much attention. One line of research uses templates representing families of candidate loop invariants (e.g. affine constraints over program variables) to generate loop invariants [3,4,29]. These approaches use a template of quantified invariants derived from [6], where the problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation b...

57 | Shape analysis by predicate abstraction
- Balaban, Pnueli, et al.
Citation Context: ...gic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed as an instance of abstract interpretation. In the approaches which work for unbounded structures an expert must supply appropriate predicates or instrumentation predicates which ar...

57 | A practical and complete approach to predicate refinement
- Jhala, McMillan
- 2006
Citation Context: ...edicate interpolants instead of a divergent sequence of atomic predicates describing individual array cells, our axiom-based algorithm builds upon our previous technique of L-restricted Interpolation [17]. Consider the family of languages L0 ⊆ L1 ⊆ . . ., where Li is the language of predicates containing numeric constants with absolute value at most i. We set k to 0 and for each candidate counterexamp...

47 | A framework for numeric analysis of array operations
- Gopan, Reps, et al.
- 2005
Citation Context: ...ork uses abstract interpretation based techniques for shape analysis. Examples include those based on three-valued logic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed as an instance of abstract interpretation. In the a...

45 | Demand interprocedural program analysis using logic databases
- Reps
- 1993
Citation Context: ...are combined via a fixpoint computation to obtain an inductive invariant. Several authors have proposed using specialized rules to build decision procedures [26], and more generally, program analyses [27]. 2 Overview We begin with an overview of safety verification via interpolant-based abstraction refinement. Notation. In this paper, we use standard first-order logic (FOL). By L(Σ) we refer to the se...

38 | Interpolant-Based Transition Relation Approximation
- Jhala, McMillan
- 2005
Citation Context: ... prover. The extended prover is integrated with Blast [14]. As the predicates found require disjunctive images, we use Foci to iteratively refine the transition relation using the method presented in [18]. Experiments. In preliminary experiments, we have applied the model checker extended with range predicates to a variety of small array-intensive programs hitherto beyond the grasp of automatic refine...

31 | Path invariants
- Beyer, Henzinger, et al.
- 2007
Citation Context: ...ctures has received much attention. One line of research uses templates representing families of candidate loop invariants (e.g. affine constraints over program variables) to generate loop invariants [3,4,27]. These approaches use a template of quantified invariants derived from [6], where the problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation b...

30 | Predicate abstraction with minimum predicates
- Chaki, Clarke, et al.
- 2003
Citation Context: ...tic model checkers. 1 Introduction Counterexample-guided Abstraction-Refinement (CEGAR)-based techniques [8] have proven to be effective in the verification of control-dominated properties of software [2,15,7,16], chiefly because they precisely track only the small set of facts required to prove the property. However, CEGAR has not had success with data-sensitive properties which require the automatic discove...

29 | Shape Analysis through Predicate Abstraction and Model Checking
- Dams, Namjoshi
Citation Context: ...gic [28,22] and Separation Logic [10]. The abstract domain for arrays presented in [12] captures properties similar to range predicates. Predicate abstraction [13] based approaches for shape analysis [11,9,5,26,21,1] can also be viewed as an instance of abstract interpretation. In the approaches which work for unbounded structures an expert must supply appropriate predicates or instrumentation predicates which ar...

23 | Predicate abstraction via symbolic decision procedures
- Lahiri, Ball, et al.
- 2005
Citation Context: ... in the variable indexed, and a split proof pf whose vertices correspond to all the facts that have been deduced. The overall structure of the algorithm is similar to that of saturation-based provers [20]. First (line 4), it seeds the set of indexed formulas using the formulas that the ground procedure derives from Γ. Next, (lines 5–13) it goes into a loop where it repeatedly selects a set of index f...

22 | Invariant synthesis for combined theories
- Beyer, Henzinger, et al.
- 2007
Citation Context: ...ctures has received much attention. One line of research uses templates representing families of candidate loop invariants (e.g. affine constraints over program variables) to generate loop invariants [3,4,27]. These approaches use a template of quantified invariants derived from [6], where the problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation b...

21 | Using first-order theorem provers in the Jahob data structure verification system
- Bouillaguet, Kuncak, et al.
- 2007

18 | Invariant synthesis for combined theories
- Beyer, Henzinger, Majumdar, Rybalchenko
- 2007
Citation Context: ...ctures has received much attention. One line of research uses templates representing families of candidate loop invariants (e.g. affine constraints over program variables) to generate loop invariants [3,4,29]. These approaches use a template of quantified invariants derived from [6], where the problem of checking a given quantified invariant is studied. A second line of work uses abstract interpretation b...

14 | Localization and register sharing for predicate abstraction
- Ivancic, Jain, et al.
- 2005

14 | An inference-rule-based decision procedure for verification of heap-manipulating programs with mutable data and cyclic data structures
- Rakamaric, Bingham, et al.
- 2007

6 | Verifying properties of well-founded linked lists
- Lahiri, Qadeer
- 2006

4 | Approximating predicate images for bit-vector logic
- Kroening, Sharygina
- 2006