Results 1  10
of
63
Parametric Shape Analysis via 3Valued Logic
, 2001
"... Shape Analysis concerns the problem of determining "shape invariants"... ..."
Abstract

Cited by 663 (80 self)
 Add to MetaCart
Shape Analysis concerns the problem of determining "shape invariants"...
The Pointer Assertion Logic Engine
 Proc. ACM PLDI
, 2001
"... We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted ..."
Abstract

Cited by 156 (3 self)
 Add to MetaCart
We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted to simple special cases such as lists or trees. Even so, our current implementation is as fast as the previous specialized tools. Programs are annotated with partial specifications expressed in Pointer Assertion Logic, a new notation for expressing properties of the program store. We work in the logical tradition by encoding the programs and partial specifications as formulas in monadic secondorder logic. Validity of these formulas is checked by the MONA tool, which also can provide explicit counterexamples to invalid formulas. To make verification decidable, the technique requires explicit loop and function call invariants. In return, the technique is highly modular: every statement of a given program is analyzed only once. The main target applications are safetycritical datatype algorithms, where the cost of annotating a program with invariants is justified by the value of being able to automatically verify complex properties of the program.
Putting static analysis to work for verification: A case study
 In Int. Symp. on Softw. Testing and Analysis
, 2000
"... Abstract We study how program analysis can be used to:* Automatically prove partial correctness of correct programs.* Discover, locate, and diagnose bugs in incorrect programs. Specifically, we present an algorithm that analyzes sorting programs that manipulate linked lists. A prototype of the algor ..."
Abstract

Cited by 89 (20 self)
 Add to MetaCart
(Show Context)
Abstract We study how program analysis can be used to:* Automatically prove partial correctness of correct programs.* Discover, locate, and diagnose bugs in incorrect programs. Specifically, we present an algorithm that analyzes sorting programs that manipulate linked lists. A prototype of the algorithm has been implemented. We show that the algorithm is sufficiently precise to discover that (correct versions) of bubblesort and insertionsort procedures do, in fact, produce correctly sorted lists as outputs, and that the invariant "issorted " is maintained by listmanipulation operations such as elementinsertion, elementdeletion, and even destructive list reversal and merging of two sorted lists. When we run the algorithm on erroneous versions of bubblesort and insertionsort procedures, it is able to discover and sometimes even locate and diagnose the error. 1 Introduction This paper shows that static analysis can be employed to* Automatically prove partial correctness of correct programs.*
MONA Implementation Secrets
, 2000
"... The MONA tool provides an implementation of the decision procedures for the logics WS1S and WS2S. It has been used for numerous applications, and it is remarkably efficient in practice, even though it faces a theoretically nonelementary worstcase complexity. The implementation has matured over a p ..."
Abstract

Cited by 84 (6 self)
 Add to MetaCart
(Show Context)
The MONA tool provides an implementation of the decision procedures for the logics WS1S and WS2S. It has been used for numerous applications, and it is remarkably efficient in practice, even though it faces a theoretically nonelementary worstcase complexity. The implementation has matured over a period of six years. Compared to the first naive version, the present tool is faster by several orders of magnitude. This speedup is obtained from many different contributions working on all levels of the compilation and execution of formulas. We present a selection of implementation "secrets" that have been discovered and tested over the years, including formula reductions, DAGification, guided tree automata, threevalued logic, eager minimization, BDDbased automata representations, and cacheconscious data structures. We describe these techniques and quantify their respective effects by experimenting with separate versions of the MONA tool that in turn omit each of them.
Proving Pointer Programs in HigherOrder Logic
 Information and Computation
, 2003
"... This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higherorder logic, its ..."
Abstract

Cited by 80 (1 self)
 Add to MetaCart
(Show Context)
This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higherorder logic, its Hoare logic is derived. The whole development is purely definitional and thus sound. The viability of this approach is demonstrated with a nontrivial case study. We show the correctness of the SchorrWaite graph marking algorithm and present part of the readable proof in Isabelle/HOL.
Mona Fido: The LogicAutomaton Connection in Practice
, 1998
"... We discuss in this paper how connections, discovered almost forty years ago, between logics and automata can be used in practice. For such logics expressing regular sets, we have developed tools that allow efficient symbolic reasoning not attainable by theorem proving or symbolic model checking. ..."
Abstract

Cited by 57 (10 self)
 Add to MetaCart
(Show Context)
We discuss in this paper how connections, discovered almost forty years ago, between logics and automata can be used in practice. For such logics expressing regular sets, we have developed tools that allow efficient symbolic reasoning not attainable by theorem proving or symbolic model checking. We explain how the logicautomaton connection is already exploited in a limited way for the case of Quantified Boolean Logic, where Binary Decision Diagrams act as automata. Next, we indicate how BDD data structures and algorithms can be extended to yield a practical decision procedure for a more general logic, namely WS1S, the Weak Secondorder theory of One Successor. Finally, we mention applications of the automatonlogic connection to software engineering and program verification. 1
Checking Cleanness in Linked Lists
 In SAS
, 2000
"... . A new algorithm is presented that automatically uncovers memory errors such as NULL pointers dereference and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report "false alarms". When applied to several intricate C programs manipul ..."
Abstract

Cited by 47 (10 self)
 Add to MetaCart
(Show Context)
. A new algorithm is presented that automatically uncovers memory errors such as NULL pointers dereference and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report "false alarms". When applied to several intricate C programs manipulating singly linked lists, the new algorithm yields more accurate results, does not report any false alarm and usually runs even faster and consumes less space than a less precise algorithm. 1 Introduction Many nasty bugs result from misusing memory by NULL pointer dereference, access to freed storage, or memory leaks. We refer to these errors as memory cleanness errors since they should never occur in bugfree programs. No wonder that many academic and commercial projects are aimed at producing tools that detect classes of memory cleanness problems (see Section 4.1). This paper does not intend to introduce another shape analysis or pointer analysis algorithms. Instead, we focus on detecting clea...
Modular Data Structure Verification
 EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract

Cited by 43 (20 self)
 Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higherorder logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to firstorder logic, which enables the use of existing resolutionbased theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Verifying Programs with Dynamic 1SelectorLinked Structures in Regular Model Checking
 In Proc. of TACAS ’05, volume 3440 of LNCS
, 2005
"... Abstract. We address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, nonrecursive programs manipulating 1selectorlinked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an ..."
Abstract

Cited by 41 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, nonrecursive programs manipulating 1selectorlinked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an automatabased approach for a symbolic verification of such programs using the regular model checking framework. Given a program, the configurations of the memory are systematically encoded as words over a suitable finite alphabet, potentially infinite sets of configurations are represented by finitestate automata, and statements of the program are automatically translated into finitestate transducers defining regular relations between configurations. Then, abstract regular model checking techniques are applied in order to automatically check safety properties concerning the shape of the computed configurations or relating the input and output configurations. For that, we introduce new techniques for the computation of abstractions of the set of reachable configurations, and to refine these abstractions if spurious counterexamples are detected. Finally, we present experimental results showing the applicability of the approach and its efficiency. 1