Results 1 - 10
of
63
Parametric Shape Analysis via 3-Valued Logic
, 2001
"... Shape Analysis concerns the problem of determining "shape invariants"... ..."
Abstract
-
Cited by 663 (80 self)
- Add to MetaCart
Shape Analysis concerns the problem of determining "shape invariants"...
The Pointer Assertion Logic Engine
- Proc. ACM PLDI
, 2001
"... We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted ..."
Abstract
-
Cited by 156 (3 self)
- Add to MetaCart
We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted to simple special cases such as lists or trees. Even so, our current implementation is as fast as the previous specialized tools. Programs are annotated with partial specifications expressed in Pointer Assertion Logic, a new notation for expressing properties of the program store. We work in the logical tradition by encoding the programs and partial specifications as formulas in monadic second-order logic. Validity of these formulas is checked by the MONA tool, which also can provide explicit counterexamples to invalid formulas. To make verification decidable, the technique requires explicit loop and function call invariants. In return, the technique is highly modular: every statement of a given program is analyzed only once. The main target applications are safety-critical data-type algorithms, where the cost of annotating a program with invariants is justified by the value of being able to automatically verify complex properties of the program.
Putting static analysis to work for verification: A case study
- In Int. Symp. on Softw. Testing and Analysis
, 2000
"... Abstract We study how program analysis can be used to:* Automatically prove partial correctness of correct programs.* Discover, locate, and diagnose bugs in incorrect programs. Specifically, we present an algorithm that analyzes sorting programs that manipulate linked lists. A prototype of the algor ..."
Abstract
-
Cited by 89 (20 self)
- Add to MetaCart
(Show Context)
Abstract We study how program analysis can be used to:* Automatically prove partial correctness of correct programs.* Discover, locate, and diagnose bugs in incorrect programs. Specifically, we present an algorithm that analyzes sorting programs that manipulate linked lists. A prototype of the algorithm has been implemented. We show that the algorithm is sufficiently precise to discover that (correct versions) of bubble-sort and insertion-sort procedures do, in fact, produce correctly sorted lists as outputs, and that the invariant "is-sorted " is maintained by listmanipulation operations such as element-insertion, elementdeletion, and even destructive list reversal and merging of two sorted lists. When we run the algorithm on erroneous versions of bubble-sort and insertion-sort procedures, it is able to discover and sometimes even locate and diagnose the error. 1 Introduction This paper shows that static analysis can be employed to* Automatically prove partial correctness of correct programs.*
MONA Implementation Secrets
, 2000
"... The MONA tool provides an implementation of the decision procedures for the logics WS1S and WS2S. It has been used for numerous applications, and it is remarkably efficient in practice, even though it faces a theoretically non-elementary worst-case complexity. The implementation has matured over a p ..."
Abstract
-
Cited by 84 (6 self)
- Add to MetaCart
(Show Context)
The MONA tool provides an implementation of the decision procedures for the logics WS1S and WS2S. It has been used for numerous applications, and it is remarkably efficient in practice, even though it faces a theoretically non-elementary worst-case complexity. The implementation has matured over a period of six years. Compared to the first naive version, the present tool is faster by several orders of magnitude. This speedup is obtained from many different contributions working on all levels of the compilation and execution of formulas. We present a selection of implementation "secrets" that have been discovered and tested over the years, including formula reductions, DAGification, guided tree automata, three-valued logic, eager minimization, BDD-based automata representations, and cache-conscious data structures. We describe these techniques and quantify their respective effects by experimenting with separate versions of the MONA tool that in turn omit each of them.
Proving Pointer Programs in Higher-Order Logic
- Information and Computation
, 2003
"... This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higher-order logic, its ..."
Abstract
-
Cited by 80 (1 self)
- Add to MetaCart
(Show Context)
This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higher-order logic, its Hoare logic is derived. The whole development is purely definitional and thus sound. The viability of this approach is demonstrated with a non-trivial case study. We show the correctness of the Schorr-Waite graph marking algorithm and present part of the readable proof in Isabelle/HOL.
Mona Fido: The Logic-Automaton Connection in Practice
, 1998
"... We discuss in this paper how connections, discovered almost forty years ago, between logics and automata can be used in practice. For such logics expressing regular sets, we have developed tools that allow efficient symbolic reasoning not attainable by theorem proving or symbolic model checking. ..."
Abstract
-
Cited by 57 (10 self)
- Add to MetaCart
(Show Context)
We discuss in this paper how connections, discovered almost forty years ago, between logics and automata can be used in practice. For such logics expressing regular sets, we have developed tools that allow efficient symbolic reasoning not attainable by theorem proving or symbolic model checking. We explain how the logic-automaton connection is already exploited in a limited way for the case of Quantified Boolean Logic, where Binary Decision Diagrams act as automata. Next, we indicate how BDD data structures and algorithms can be extended to yield a practical decision procedure for a more general logic, namely WS1S, the Weak Secondorder theory of One Successor. Finally, we mention applications of the automaton-logic connection to software engineering and program verification. 1
Checking Cleanness in Linked Lists
- In SAS
, 2000
"... . A new algorithm is presented that automatically uncovers memory errors such as NULL pointers dereference and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report "false alarms". When applied to several intricate C programs manipul ..."
Abstract
-
Cited by 47 (10 self)
- Add to MetaCart
(Show Context)
. A new algorithm is presented that automatically uncovers memory errors such as NULL pointers dereference and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report "false alarms". When applied to several intricate C programs manipulating singly linked lists, the new algorithm yields more accurate results, does not report any false alarm and usually runs even faster and consumes less space than a less precise algorithm. 1 Introduction Many nasty bugs result from misusing memory by NULL pointer dereference, access to freed storage, or memory leaks. We refer to these errors as memory cleanness errors since they should never occur in bug-free programs. No wonder that many academic and commercial projects are aimed at producing tools that detect classes of memory cleanness problems (see Section 4.1). This paper does not intend to introduce another shape analysis or pointer analysis algorithms. Instead, we focus on detecting clea...
Modular Data Structure Verification
- EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract
-
Cited by 43 (20 self)
- Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higher-order logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to first-order logic, which enables the use of existing resolution-based theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Verifying Programs with Dynamic 1Selector-Linked Structures in Regular Model Checking
- In Proc. of TACAS ’05, volume 3440 of LNCS
, 2005
"... Abstract. We address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, non-recursive pro-grams manipulating 1-selector-linked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an ..."
Abstract
-
Cited by 41 (9 self)
- Add to MetaCart
(Show Context)
Abstract. We address the problem of automatic verification of programs with dynamic data structures. We consider the case of sequential, non-recursive pro-grams manipulating 1-selector-linked structures such as traditional linked lists (possibly sharing their tails) and circular lists. We propose an automata-based approach for a symbolic verification of such programs using the regular model checking framework. Given a program, the configurations of the memory are systematically encoded as words over a suitable finite alphabet, potentially infi-nite sets of configurations are represented by finite-state automata, and statements of the program are automatically translated into finite-state transducers defining regular relations between configurations. Then, abstract regular model checking techniques are applied in order to automatically check safety properties concern-ing the shape of the computed configurations or relating the input and output configurations. For that, we introduce new techniques for the computation of ab-stractions of the set of reachable configurations, and to refine these abstractions if spurious counterexamples are detected. Finally, we present experimental results showing the applicability of the approach and its efficiency. 1
