Results 1  10
of
34
Programs with Lists are Counter Automata
 In CAV’06, LNCS
, 2006
"... Abstract. We address the verification problem of programs manipulating oneselector linked data structures. We propose a new automated approach for checking safety and termination for these programs. Our approach is based on using heap graphs where list segments without sharing are collapsed, and cou ..."
Abstract

Cited by 68 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We address the verification problem of programs manipulating oneselector linked data structures. We propose a new automated approach for checking safety and termination for these programs. Our approach is based on using heap graphs where list segments without sharing are collapsed, and counters are used to keep track of the number of elements in these segments. This allows to apply automatic analysis techniques and tools for counter automata in order to verify list programs. We show the effectiveness of our approach, in particular by verifying automatically termination of some sorting programs. 1
Speed: Precise and efficient static estimation of program computational complexity
 In POPL’09
, 2009
"... This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually ..."
Abstract

Cited by 68 (5 self)
 Add to MetaCart
(Show Context)
This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually disjunctive, nonlinear, and involve numerical properties of heaps. We address the challenges of generating these bounds using two novel ideas. We introduce a proof methodology based on multiple counter instrumentation (each counter can be initialized and incremented at potentially multiple program locations) that allows a given linear invariant generation tool to compute linear bounds individually on these counter variables. The bounds on these counters are then composed together to generate total bounds that are nonlinear and disjunctive. We also give an algorithm for automating this proof
Termination of integer linear programs
 In Proc. CAV’06, LNCS 4144
, 2006
"... Abstract. We show that termination of a simple class of linear loops over the integers is decidable. Namely we show that termination of deterministic linear loops is decidable over the integers in the homogeneous case, and over the rationals in the general case. This is done by analyzing the powers ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
Abstract. We show that termination of a simple class of linear loops over the integers is decidable. Namely we show that termination of deterministic linear loops is decidable over the integers in the homogeneous case, and over the rationals in the general case. This is done by analyzing the powers of a matrix symbolically using its eigenvalues. Our results generalize the work of Tiwari [Tiw04], where similar results were derived for termination over the reals. We also gain some insights into termination of nonhomogeneous integer programs, that are very common in practice. 1
Proving thread termination
 In PLDI
"... Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method of proving the termination of threads. In this paper we describe such a procedure. The procedure’s scalability is achieved through the use of environment models that abstract away the surrounding threads. The procedure’s accuracy is due to a novel method of incrementally constructing environment abstractions. Our method finds the conditions that a thread requires of its environment in order to establish termination by looking at the conditions necessary to prove that certain paths through the thread represent wellfounded relations if executed in isolation of the other threads. The paper gives a description of experimental results using an implementation of our procedure on Windows device drivers, and a description of a previously unknown bug found with the tool.
Ranking function synthesis for bitvector relations
 In Proceedings of the 16th international conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS’10
, 2010
"... Abstract. Ranking function synthesis is a key aspect to the success of modern termination provers for imperative programs. While it is wellknown how to generate linear ranking functions for relations over (mathematical) integers or rationals, efficient synthesis of ranking functions for machinelev ..."
Abstract

Cited by 22 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Ranking function synthesis is a key aspect to the success of modern termination provers for imperative programs. While it is wellknown how to generate linear ranking functions for relations over (mathematical) integers or rationals, efficient synthesis of ranking functions for machinelevel integers (bitvectors) is an open problem. This is particularly relevant for the verification of lowlevel code. We propose several novel algorithms to generate ranking functions for relations over machine integers: a complete method based on a reduction to Presburger arithmetic, and a templatematching approach for predefined classes of ranking functions based on reduction to SATand QBFsolving. The utility of our algorithms is demonstrated on examples drawn from Windows device drivers.
On the linear ranking problem for integer linearconstraint loops
 In POPL
, 2013
"... ar ..."
(Show Context)
PathLength Analysis for ObjectOriented Programs. Extended version with proofs
 IN PROC. EAAI
, 2006
"... This paper describes a new static analysis for finding approximations to the pathlength of variables in imperative, objectoriented programs. The pathlength of a variable v is the cardinality of the longest chain of pointers that can be followed from v. It is shown how such information may be used ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
This paper describes a new static analysis for finding approximations to the pathlength of variables in imperative, objectoriented programs. The pathlength of a variable v is the cardinality of the longest chain of pointers that can be followed from v. It is shown how such information may be used for automatic termination inference of programs dealing with dynamically created datastructures.
On the Termination of Integer Loops
, 2012
"... In this paper we study the decidability of termination of several variants of simple integer loops, without branching in the loop body and with affine constraints as the loop guard (and possibly a precondition). We show that termination of such loops is undecidable in some cases, in particular, when ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
In this paper we study the decidability of termination of several variants of simple integer loops, without branching in the loop body and with affine constraints as the loop guard (and possibly a precondition). We show that termination of such loops is undecidable in some cases, in particular, when the body of the loop is expressed by a set of linear inequalities where the coefficients are from Z∪{r} with r an arbitrary irrational; when the loop is a sequence of instructions, that compute either linear expressions or the step function; and when the loop body is a piecewise linear deterministic update with two pieces. The undecidability result is proven by a reduction from counter programs, whose termination is known to be undecidable. For the common case of integer linearconstraint loops with rational coefficients we have not succeeded in proving either decidability or undecidability of termination, but we show that a Petri net can be simulated with such a loop; this implies some interesting lower bounds. For example, termination for a partiallyspecified input is at least EXPSPACEhard.
Proving liveness by backwards reachability
 Proc. CONCUR 2006, 17 th Int. Conf. on Concurrency Theory, volume 4137 of Lecture Notes in Computer Science
, 2006
"... Abstract. We present a new method for proving liveness and termination properties for fair concurrent programs, which does not rely on finding a ranking function or on computing the transitive closure of the transition relation. The set of states from which termination or some liveness property is ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new method for proving liveness and termination properties for fair concurrent programs, which does not rely on finding a ranking function or on computing the transitive closure of the transition relation. The set of states from which termination or some liveness property is guaranteed is computed by a backwards reachability analysis. A central technique for handling concurrency is a check for certain commutativity properties. The method is not complete. However, it can be seen as a complement to other methods for proving termination, in that it transforms a termination problem into a simpler one with a larger set of terminated states. We show the usefulness of our method by applying it to existing programs from the literature. We have also implemented it in the framework of Regular Model Checking, and used it to automatically verify nonstarvation for parameterized algorithms. 1
Verification constraint problems with strengthening
 In ICTAC, volume 3722 of LNCS
, 2006
"... Abstract. The deductive method reduces verification of safety properties of programs to, first, proposing inductive assertions and, second, proving the validity of the resulting set of firstorder verification conditions. We discuss the transition from verification conditions to verification constra ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
(Show Context)
Abstract. The deductive method reduces verification of safety properties of programs to, first, proposing inductive assertions and, second, proving the validity of the resulting set of firstorder verification conditions. We discuss the transition from verification conditions to verification constraints that occurs when the deductive method is applied to parameterized assertions instead of fixed expressions (e.g., p0 +p1j +p2k> = 0, for parameters p0, p1, and p2, instead of 3+jk> = 0) in order to discover inductive assertions. We then introduce two new verification constraint forms that enable the incremental and propertydirected construction of inductive assertions. We describe an iterative method for solving the resulting constraint problems. The main advantage of this approach is that it uses offtheshelf constraint solvers and thus directly benefits from progress in constraint solving. 1 Introduction The deductive method of program verification reduces the verification of safetyand progress properties to proving the validity of a set of firstorder verification conditions [13]. In the safety case, the verification conditions assert thatthe given property is inductive: it holds initially ( initiation), and it is preservedby taking any transition ( consecution). Such an assertion is an invariant of theprogram. In the progress case, the verification conditions assert that a given