Program analysis as constraint solving
In PLDI, 2008
Abstract

Cited by 54 (11 self)
A constraint-based approach to invariant generation in programs translates a program into constraints that are solved using off-the-shelf constraint solvers to yield desired program invariants. In this paper we show how the constraint-based approach can be used to model a wide spectrum of program analyses in an expressive domain containing disjunctions and conjunctions of linear inequalities. In particular, we show how to model the problem of context-sensitive interprocedural program verification. We also present the first constraint-based approach to weakest precondition and strongest postcondition inference. The constraints we generate are boolean combinations of quadratic inequalities over integer variables. We reduce these constraints to SAT formulae using bit-vector modeling and use off-the-shelf SAT solvers to solve them. Furthermore, we present interesting applications of the above analyses, namely bounds analysis and generation of most-general counterexamples for both safety and termination properties. We also present encouraging preliminary experimental results demonstrating the feasibility of our technique on a variety of challenging examples.
Control-flow refinement and progress invariants for bound analysis
In PLDI, 2009
Abstract

Cited by 43 (6 self)
Symbolic complexity bounds help programmers understand the performance characteristics of their implementations. Existing work provides techniques for statically determining bounds of procedures with simple control-flow. However, procedures with nested loops or multiple paths through a single loop are challenging. In this paper we describe two techniques, control-flow refinement and progress invariants, that together enable estimation of precise bounds for procedures with nested and multi-path loops. Control-flow refinement transforms a multi-path loop into a semantically equivalent code fragment with simpler loops by making the structure of path interleaving explicit. We show that this enables non-disjunctive invariant generation tools to find a bound on many procedures for which previous techniques were unable to prove termination. Progress invariants characterize relationships between
The reachability-bound problem
In PLDI, 2010
Abstract

Cited by 43 (9 self)
We define the reachability-bound problem to be the problem of finding a symbolic worst-case bound on the number of times a given control location inside a procedure is visited in terms of the inputs to that procedure. This has applications in bounding resources consumed by a program such as time, memory, network traffic, power, as well as estimating quantitative properties (as opposed to boolean properties) of data in programs, such as information leakage or uncertainty propagation. Our approach to solving the reachability-bound problem brings together two different techniques for reasoning about loops in an effective manner. One of these techniques is an abstract-interpretation-based iterative technique for computing precise disjunctive invariants (to summarize nested loops). The other technique is a non-iterative proof-rules-based technique (for loop bound computation) that takes over the role of doing inductive reasoning, while deriving its power from the use of SMT solvers to reason about abstract loop-free fragments. Our solution to the reachability-bound problem allows us to compute precise symbolic complexity bounds for several loops in .Net base-class libraries for which earlier techniques fail. We also illustrate the precision of our algorithm for disjunctive invariant computation (which has a more general applicability beyond the reachability-bound problem) on a set of benchmark examples.
Simplifying loop invariant generation using splitter predicates
In Proceedings of the 23rd International Conference on Computer Aided Verification, CAV '11, 2011
Abstract

Cited by 15 (2 self)
We present a novel static analysis technique that substantially improves the quality of invariants inferred by standard loop invariant generation techniques. Our technique decomposes multi-phase loops, which require disjunctive invariants, into a semantically equivalent sequence of single-phase loops, each of which requires simple, conjunctive invariants. We define splitter predicates which are used to identify phase transitions in loops, and we present an algorithm to find useful splitter predicates that enable the phase-reducing transformation. We show experimentally on a set of representative benchmarks from the literature and real code examples that our technique substantially increases the quality of invariants inferred by standard invariant generation techniques. Our technique is conceptually simple, easy to implement, and can be integrated into any automatic loop invariant generator.
Relational interprocedural verification of concurrent programs
In: SEFM, IEEE, 2009
When the decreasing sequence fails
 Static Analysis, 19th International Symposium, SAS 2012
Abstract

Cited by 10 (0 self)
The classical method for program analysis by abstract interpretation consists in computing an increasing sequence with widening, which converges towards a correct solution, then computing a decreasing sequence of correct solutions without widening. It is generally admitted that, when the decreasing sequence reaches a fixpoint, it cannot be improved further. As a consequence, all efforts for improving the precision of an analysis have been devoted to improving the limit of the increasing sequence. In this paper, we propose a method to improve a fixpoint after its computation. The method consists in projecting the solution onto well-chosen components and starting again increasing and decreasing sequences from the result of the projection.
Verification as Learning Geometric Concepts
Abstract

Cited by 8 (4 self)
We formalize the problem of program verification as a learning problem, showing that invariants in program verification can be regarded as geometric concepts in machine learning. Safety properties define bad states: states a program should not reach. Program verification explains why a program's set of reachable states is disjoint from the set of bad states. In Hoare Logic, these explanations are predicates that form inductive assertions. Using samples for reachable and bad states and by applying well-known machine learning algorithms for classification, we are able to generate inductive assertions. By relaxing the search for an exact proof to classifiers, we obtain complexity-theoretic improvements. Further, we extend the learning algorithm to obtain a sound procedure that can generate proofs containing invariants that are arbitrary boolean combinations of polynomial inequalities. We have evaluated our approach on a number of challenging benchmarks and the results are promising.
Succinct representations for abstract interpretation
In Static Analysis (SAS), 2012
Abstract

Cited by 8 (4 self)
Abstract interpretation techniques can be made more precise by distinguishing paths inside loops, at the expense of possibly exponential complexity. SMT-solving techniques and sparse representations of paths and sets of paths avoid this pitfall. We improve previously proposed techniques for guided static analysis and the generation of disjunctive invariants by combining them with techniques for succinct representations of paths and symbolic representations for transitions based on static single assignment. Because of the non-monotonicity of the results of abstract interpretation with widening operators, it is difficult to conclude that some abstraction is more precise than another based on theoretical local precision results. We thus conducted extensive comparisons between our new techniques and previous ones, on a variety of open-source packages.
Refining the control structure of loops using static analysis
In: EMSOFT, 2009
Abstract

Cited by 8 (0 self)
We present a simple yet useful technique for refining the control structure of loops that occur in imperative programs. Loops containing complex control flow are common in synchronous embedded controllers derived from modeling languages such as Lustre, Esterel, and Simulink/Stateflow. Our approach uses a set of labels to distinguish different control paths inside a given loop. The iterations of the loop are abstracted as a finite state automaton over these labels. Subsequently, we use static analysis techniques to identify infeasible iteration sequences and subtract such forbidden sequences from the initial language to obtain a refinement. In practice, the refinement of control flow sequences often simplifies the control flow patterns in the loop. We have applied the refinement technique to improve the precision of abstract interpretation in the presence of widening. Our experiments on a set of complex reactive loop benchmarks clearly show the utility of our refinement techniques. Abstract interpretation with our refinement technique was able to verify all the properties for 10 out of the 13 benchmarks, while abstract interpretation without refinement was able to verify only four. Other potentially useful applications include termination analysis and reverse engineering models from source code.