Results 1  10
of
58
A decision procedure for bitvectors and arrays
 IN COMPUTER AIDED VERIFICATION, NUMBER 4590 IN LNCS
, 2007
"... STP is a decision procedure for the satisfiability of quantifierfree formulas in the theory of bitvectors and arrays that has been optimized for large problems encountered in software analysis applications. The basic architecture of the procedure consists of wordlevel preprocessing algorithms fo ..."
Abstract

Cited by 191 (11 self)
 Add to MetaCart
STP is a decision procedure for the satisfiability of quantifierfree formulas in the theory of bitvectors and arrays that has been optimized for large problems encountered in software analysis applications. The basic architecture of the procedure consists of wordlevel preprocessing algorithms followed by translation to SAT. The primary bottlenecks in software verification and bug finding applications are large arrays and linear bitvector arithmetic. New algorithms based on the abstractionrefinement paradigm are presented for reasoning about large arrays. A solver for bitvector linear arithmetic is presented that eliminates variables and parts of variables to enable other transformations, and reduce the size of the problem that is eventually received by the SAT solver. These and other algorithms have been implemented in STP, which has been heavily tested over thousands of examples obtained from several realworld applications. Experimental results indicate that the above mix of algorithms along with the overall architecture is far more effective, for a variety of applications, than a direct translation of the original formula to SAT or other comparable decision procedures.
Lazy Satisfiability Modulo Theories
 JOURNAL ON SATISFIABILITY, BOOLEAN MODELING AND COMPUTATION 3 (2007) 141Â224
, 2007
"... Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingl ..."
Abstract

Cited by 181 (47 self)
 Add to MetaCart
(Show Context)
Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingly important due to its applications in many domains in different communities, in particular in formal verification. An amount of papers with novel and very efficient techniques for SMT has been published in the last years, and some very efficient SMT tools are now available. Typical SMT (T) problems require testing the satisfiability of formulas which are Boolean combinations of atomic propositions and atomic expressions in T, so that heavy Boolean reasoning must be efficiently combined with expressive theoryspecific reasoning. The dominating approach to SMT (T), called lazy approach, is based on the integration of a SAT solver and of a decision procedure able to handle sets of atomic constraints in T (Tsolver), handling respectively the Boolean and the theoryspecific components of reasoning. Unfortunately, neither the problem of building an efficient SMT solver, nor even that
Picosat essentials
 Journal on Satisfiability, Boolean Modeling and Computation (JSAT
"... In this article we describe and evaluate optimized compact data structures for watching literals. Experiments with our SAT solver PicoSAT show that this lowlevel optimization not only saves memory, but also turns out to speed up the SAT solver considerably. We also discuss how to store proof traces ..."
Abstract

Cited by 137 (15 self)
 Add to MetaCart
(Show Context)
In this article we describe and evaluate optimized compact data structures for watching literals. Experiments with our SAT solver PicoSAT show that this lowlevel optimization not only saves memory, but also turns out to speed up the SAT solver considerably. We also discuss how to store proof traces compactly in memory and further unique features of PicoSAT including an aggressive restart schedule. Keywords: SAT solver, watched literals, occurrence lists, proof traces, restarts
A Survey of Automated Techniques for Formal Software Verification
 TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract

Cited by 51 (5 self)
 Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
A Decision Procedure for Subset Constraints over Regular Languages
 PLDI'09
, 2009
"... Reasoning about string variables, in particular program inputs, is an important aspect of many program analyses and testing frameworks. Program inputs invariably arrive as strings, and are often manipulated using highlevel string operations such as equality checks, regular expression matching, and ..."
Abstract

Cited by 49 (12 self)
 Add to MetaCart
(Show Context)
Reasoning about string variables, in particular program inputs, is an important aspect of many program analyses and testing frameworks. Program inputs invariably arrive as strings, and are often manipulated using highlevel string operations such as equality checks, regular expression matching, and string concatenation. It is difficult to reason about these operations because they are not wellintegrated into current constraint solvers. We present a decision procedure that solves systems of equations over regular language variables. Given such a system of constraints, our algorithm finds satisfying assignments for the variables in the system. We define this problem formally and render a mechanized correctness proof of the core of the algorithm. We evaluate its scalability and practical utility by applying it to the problem of automatically finding inputs that cause SQL injection vulnerabilities.
Sketching Stencils
"... Performance of stencil computations can be significantly improved through smart implementations that improve memory locality, computation reuse, or parallelize the computation. Unfortunately, efficient implementations are hard to obtain because they often involve nontraditional transformations, whi ..."
Abstract

Cited by 41 (6 self)
 Add to MetaCart
(Show Context)
Performance of stencil computations can be significantly improved through smart implementations that improve memory locality, computation reuse, or parallelize the computation. Unfortunately, efficient implementations are hard to obtain because they often involve nontraditional transformations, which means that they cannot be produced by optimizing the reference stencil with a compiler. In fact, many stencils are produced by code generators that were tediously handcrafted. In this paper, we show how stencil implementations can be produced with sketching. Sketching is a software synthesis approach where the programmer develops a partial implementation— a sketch—and a separate specification of the desired functionality given by a reference (unoptimized) stencil. The synthesizer then completes the sketch to behave like the specification, filling in code fragments that are difficult to develop manually. Existing sketching systems work only for small finite programs, i.e., programs that can be represented as small Boolean circuits. In this paper, we develop a sketching synthesizer that works for stencil computations, a large class of programs that, unlike circuits, have unbounded inputs and outputs, as well as an unbounded number of computations. The key contribution is a reduction algorithm that turns a stencil into a circuit, allowing us to synthesize stencils using an existing sketching synthesizer.
Mixed abstractions for floatingpoint arithmetic
 In FMCAD
, 2009
"... Abstract—Floatingpoint arithmetic is essential for many embedded and safetycritical systems, such as in the avionics industry. Inaccuracies in floatingpoint calculations can cause subtle changes of the control flow, potentially leading to disastrous errors. In this paper, we present a simple and ..."
Abstract

Cited by 26 (7 self)
 Add to MetaCart
(Show Context)
Abstract—Floatingpoint arithmetic is essential for many embedded and safetycritical systems, such as in the avionics industry. Inaccuracies in floatingpoint calculations can cause subtle changes of the control flow, potentially leading to disastrous errors. In this paper, we present a simple and general, yet powerful framework for building abstractions from formulas, and instantiate this framework to a bitaccurate, sound and complete decision procedure for IEEEcompliant binary floatingpoint arithmetic. Our procedure benefits in practice from its ability to flexibly harness both over and underapproximations in the abstraction process. We demonstrate the potency of the procedure for the formal analysis of floatingpoint software. I.
Lemmas on Demand for the Extensional Theory of Arrays
 In Proc. SMT’08. ACM
, 2008
"... The quantifierfree extensional theory of arrays TA plays an important role in hardware and software verification. In this article we present a novel decision procedure that refines formula abstractions with lemmas on demand. We consider the case where TA is combined with a decidable quantifierfree ..."
Abstract

Cited by 22 (5 self)
 Add to MetaCart
(Show Context)
The quantifierfree extensional theory of arrays TA plays an important role in hardware and software verification. In this article we present a novel decision procedure that refines formula abstractions with lemmas on demand. We consider the case where TA is combined with a decidable quantifierfree firstorder theory TB. Unlike traditional lazy SMT approaches, where lemmas are added on the boolean abstraction layer, our decision procedure adds lemmas in TB. We discuss our decision procedure in detail. In particular, we prove soundness and completeness, and discuss complexity. We present our decision procedure in a generic context and provide implementation details and optimizations, in particular for bitvectors. Finally, we report on experiments and discuss related work. Keywords: SMT, arrays, bitvectors, decision procedures
Symbolic reachability analysis of lazy linear hybrid automata
 in FORMATS, ser. Lecture Notes in Computer Science, J.F. Raskin and
, 2007
"... Abstract. Lazy linear hybrid automata (LLHA) model the discrete time behavior of control systems containing finiteprecision sensors and actuators interacting with their environment under bounded inertial delays. In this paper, we present a symbolic technique for reachability analysis of lazy linear ..."
Abstract

Cited by 13 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Lazy linear hybrid automata (LLHA) model the discrete time behavior of control systems containing finiteprecision sensors and actuators interacting with their environment under bounded inertial delays. In this paper, we present a symbolic technique for reachability analysis of lazy linear hybrid automata. The model permits invariants and guards to be nonlinear predicates but requires flow values to be constants. Assuming finite precision, flows represented by uniform linear predicates can be reduced to those containing values from a finite set of constants. We present an abstraction hierarchy for LLHA. Our verification technique is based on bounded model checking and kinduction for reachability analysis at different levels of the abstraction hierarchy within an abstractionrefinement framework. The counterexamples obtained during BMC are used to construct refinements in each iteration. Our technique is practical and compares favorably with stateoftheart tools, as demonstrated on examples that include the Air Traffic Alert and Collision Avoidance System (TCAS). 1