Results 1 - 10
of
23
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract
-
Cited by 52 (0 self)
- Add to MetaCart
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
InvGen: An efficient invariant generator
- In CAV
, 2009
"... Abstract. In this paper we present InvGen, an automatic linear arithmetic invariant generator for imperative programs. InvGen’s unique feature is in its use of dynamic analysis to make invariant generation order of magnitude more efficient. 1 ..."
Abstract
-
Cited by 31 (3 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper we present InvGen, an automatic linear arithmetic invariant generator for imperative programs. InvGen’s unique feature is in its use of dynamic analysis to make invariant generation order of magnitude more efficient. 1
Solving existentially quantified Horn clauses
- IN CAV
, 2013
"... Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multi-threaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with well-foundedness condit ..."
Abstract
-
Cited by 22 (5 self)
- Add to MetaCart
(Show Context)
Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multi-threaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with well-foundedness conditions. Dealing with existential properties (e.g., whether there exists a particular computation path), however, requires solving forall-exists quantified Horn clauses, where the conclusion part of some clauses contains existentially quantified variables. For example, a deductive approach to CTL verification reduces to solving such clauses. In this paper we present a method for solving forall-exists quantified Horn clauses extended with well-foundedness conditions. Our method is based on a counterexample-guided abstraction refinement scheme to discover witnesses for existentially quantified variables. We also present an application of our solving method to automation of CTL verification of software, as well as its experimental evaluation.
A data driven approach for algebraic loop invariants
, 2012
"... We describe a Guess-and-Check algorithm for computing algebraic equation invariants of the form ∧ifi(x1,..., xn) = 0, where each fi is a polynomial over the variables x1,..., xn of the program. The “guess” phase is data driven and derives a candidate invariant from data generated from concrete exe ..."
Abstract
-
Cited by 13 (6 self)
- Add to MetaCart
We describe a Guess-and-Check algorithm for computing algebraic equation invariants of the form ∧ifi(x1,..., xn) = 0, where each fi is a polynomial over the variables x1,..., xn of the program. The “guess” phase is data driven and derives a candidate invariant from data generated from concrete executions of the program. This candidate invariant is subsequently validated in a “check ” phase by an off-the-shelf SMT solver. Iterating between the two phases leads to a sound algorithm. Moreover, we are able to prove a bound on the number of decision procedure queries which Guess-and-Check requires to obtain a sound invariant. We show how Guess-and-Check can be extended to generate arbitrary boolean combinations of linear equalities as invariants, which enables us to generate expressive invariants to be consumed by tools that cannot handle non-linear arithmetic. We have evaluated our technique on a number of benchmark programs from recent papers on invariant generation. Our results are encouraging – we are able to efficiently compute algebraic invariants in all cases, with only a few tests.
Relational Abstractions For Continuous and Hybrid Systems
"... Abstract. There has been much recent progress on invariant generation techniques for continuous systems whose dynamics are described by Ordinary Differential Equations (ODE). In this paper, we present a simple abstraction scheme for hybrid systems that abstracts continuous dynamics by relating any s ..."
Abstract
-
Cited by 13 (5 self)
- Add to MetaCart
Abstract. There has been much recent progress on invariant generation techniques for continuous systems whose dynamics are described by Ordinary Differential Equations (ODE). In this paper, we present a simple abstraction scheme for hybrid systems that abstracts continuous dynamics by relating any state of the system to a state that can potentially be reached at some future time instant. Such relations are then interpreted as discrete transitions that model the continuous evolution of states over time. We adapt template-based invariant generation techniques for continuous dynamics to derive relational abstractions for continuous systems with linear as well as non-linear dynamics. Once a relational abstraction hasbeen derived,theresultingsystemis apurelydiscrete, infinite-statesystem. Therefore, techniquessuchas k-inductioncan be directly applied to this abstraction to prove properties, and bounded model-checking techniques applied to find potential falsifications. We present the basic underpinnings of our approach and demonstrate its use on many benchmark systems to derive simple and usable abstractions. 1
On inter-procedural analysis of programs with lists and data
- In PLDI
, 2011
"... We address the problem of automatic synthesis of assertions on sequential programs with singly-linked lists containing data over infinite domains such as integers or reals. Our approach is based on an accurate abstract inter-procedural analysis. Program configura-tions are represented by graphs wher ..."
Abstract
-
Cited by 11 (2 self)
- Add to MetaCart
(Show Context)
We address the problem of automatic synthesis of assertions on sequential programs with singly-linked lists containing data over infinite domains such as integers or reals. Our approach is based on an accurate abstract inter-procedural analysis. Program configura-tions are represented by graphs where nodes represent list segments without sharing. The data in these list segments are characterized by constraints in abstract domains. We consider a domain where constraints are in a universally quantified fragment of the first-order logic over sequences, as well as a domain constraining the multisets of data in sequences. Our analysis computes the effect of each procedure in a local manner, by considering only the reachable part of the heap from its actual parameters. In order to avoid losses of information, we intro-duce a mechanism based on unfolding/folding operations allowing to strengthen the analysis in the domain of first-order formulas by the analysis in the multisets domain. The same mechanism is used for strengthening the sound (but incomplete) entailment operator of the domain of first-order formu-las. We have implemented our techniques in a prototype tool and we have shown that our approach is powerful enough for automatic (1) generation of non-trivial procedure summaries, (2) pre/post-condition reasoning, and (3) procedure equivalence checking. 1.
Verification as Learning Geometric Concepts
"... Abstract. We formalize the problem of program verification as a learning problem, showing that invariants in program verification can be regarded as geometric concepts in machine learning. Safety properties define bad states: states a program should not reach. Program verification explains why a pro ..."
Abstract
-
Cited by 8 (4 self)
- Add to MetaCart
(Show Context)
Abstract. We formalize the problem of program verification as a learning problem, showing that invariants in program verification can be regarded as geometric concepts in machine learning. Safety properties define bad states: states a program should not reach. Program verification explains why a program’s set of reachable states is disjoint from the set of bad states. In Hoare Logic, these explanations are predicates that form inductive assertions. Using samples for reachable and bad states and by applying well known machine learning algorithms for classification, we are able to generate inductive assertions. By relaxing the search for an exact proof to classifiers, we obtain complexity theoretic improvements. Further, we extend the learning algorithm to obtain a sound procedure that can generate proofs containing invariants that are arbitrary boolean combinations of polynomial inequalities. We have evaluated our approach on a number of challenging benchmarks and the results are promising.
From Invariant Checking to Invariant Inference Using Randomized Search
"... Abstract. We describe a general framework c2i for generating an in-variant inference procedure from an invariant checking procedure. Given a checker and a language of possible invariants, c2i generates an inference procedure that iteratively invokes two phases. The search phase uses ran-domized sear ..."
Abstract
-
Cited by 7 (0 self)
- Add to MetaCart
(Show Context)
Abstract. We describe a general framework c2i for generating an in-variant inference procedure from an invariant checking procedure. Given a checker and a language of possible invariants, c2i generates an inference procedure that iteratively invokes two phases. The search phase uses ran-domized search to discover candidate invariants and the validate phase uses the checker to either prove or refute that the candidate is an actual invariant. To demonstrate the applicability of c2i, we use it to generate inference procedures that prove safety properties of numerical programs, prove non-termination of numerical programs, prove functional specifi-cations of array manipulating programs, prove safety properties of string manipulating programs, and prove functional specifications of heap ma-nipulating programs that use linked list data structures. 1
ICE: A Robust Framework for Learning Invariants
"... Abstract. We introduce ICE, a robust learning paradigm for synthesizing invari-ants, that learns using examples, counter-examples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for black-box a ..."
Abstract
-
Cited by 6 (1 self)
- Add to MetaCart
Abstract. We introduce ICE, a robust learning paradigm for synthesizing invari-ants, that learns using examples, counter-examples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for black-box abstract interpre-tation can be interpreted as ICE-learning algorithms. We develop new strongly convergent ICE-learning algorithms for two domains, one for learning Boolean combinations of numerical invariants for scalar variables and one for quantified invariants for arrays and dynamic lists. We implement these ICE-learning algo-rithms in a verification tool and show they are robust, practical, and efficient. 1
