Results 1 
9 of
9
From Invariant Checking to Invariant Inference Using Randomized Search
"... Abstract. We describe a general framework c2i for generating an invariant inference procedure from an invariant checking procedure. Given a checker and a language of possible invariants, c2i generates an inference procedure that iteratively invokes two phases. The search phase uses randomized sear ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a general framework c2i for generating an invariant inference procedure from an invariant checking procedure. Given a checker and a language of possible invariants, c2i generates an inference procedure that iteratively invokes two phases. The search phase uses randomized search to discover candidate invariants and the validate phase uses the checker to either prove or refute that the candidate is an actual invariant. To demonstrate the applicability of c2i, we use it to generate inference procedures that prove safety properties of numerical programs, prove nontermination of numerical programs, prove functional specifications of array manipulating programs, prove safety properties of string manipulating programs, and prove functional specifications of heap manipulating programs that use linked list data structures. 1
Natural Proofs for Data Structure Manipulation in C using Separation Logic
"... The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking c ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking common patterns found in human proofs. However, these proofs are known to work only for a simple toy language [32]. In this work, we develop a framework called VCDRYAD that extends the VCC framework [9] to provide an automated deductive framework against separation logic specifications for C programs based on natural proofs. We develop several new techniques to build this framework, including (a) a novel tool architecture that allows encoding natural proofs at a higher level in order to use the existing VCC framework (including its intricate memory model, the underlying typechecker, and the SMTbased verification infrastructure), and (b) a synthesis of ghostcode annotations that captures natural proof tactics, in essence forcing VCC to find natural proofs using primarily decidable theories. We evaluate our tool extensively, on more than 150 programs, ranging from code manipulating standard data structures, wellknown open source library routines (Glib, OpenBSD), Linux kernel routines, customized OS data structures, etc. We show that all these C programs can be fully automatically verified using natural proofs (given pre/post conditions and loop invariants) without any userprovided proof tactics. VCDRYAD is perhaps the first deductive verification framework for heapmanipulating programs in a real language that can prove such a wide variety of programs automatically.
Propertydirected shape analysis
, 2014
"... This paper addresses the problem of automatically generating quantified invariants for programs that manipulate singly and doubly linkedlist data structures. Our algorithm is propertydirected—i.e., its choices are driven by the properties to be proven. The algorithm is able to establish that a cor ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
This paper addresses the problem of automatically generating quantified invariants for programs that manipulate singly and doubly linkedlist data structures. Our algorithm is propertydirected—i.e., its choices are driven by the properties to be proven. The algorithm is able to establish that a correct program has no memorysafety violations—e.g., nullpointer dereferences, double frees—and that datastructure invariants are preserved. For programs with errors, the algorithm produces concrete counterexamples. More broadly, the paper describes how to integrate IC3 with full predicate abstraction. The analysis method is complete in the following sense: if an inductive invariant that proves that the program satisfies a given property is expressible as a Boolean combination of a given set of predicates, then the analysis will find such an invariant. To the best of our knowledge, this method represents the first shapeanalysis algorithm that is capable of (i) reporting concrete counterexamples, or alternatively (ii) establishing that the predicates in use are not capable of proving the property in question.
On automating separation logic with trees and data.
, 2014
"... Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristic ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for listlike structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristics. While complete decision procedures for reasoning about trees have been proposed, these procedures suffer from high complexity, or make global assumptions about the heap that contradict the separation logic philosophy of local reasoning. In this paper, we present a fragment of classical firstorder logic for local reasoning about treelike data structures. The logic is decidable in NP and the decision procedure allows for combinations with other decidable firstorder theories for reasoning about data. Such extensions are essential for proving functional correctness properties. We have implemented our decision procedure and, building on earlier work on translating SL proof obligations into classical logic, integrated it into an SLbased verification tool. We successfully used the tool to verify functional correctness of treebased data structure implementations.
Modular Reasoning about Heap Paths via Effectively Propositional Formulas
"... First order logic with transitive closure, and separation logic enable elegant interactive verification of heapmanipulating programs. However, undecidabilty results and high asymptotic complexity of checking validity preclude complete automatic verification of such programs, even when loop invarian ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
First order logic with transitive closure, and separation logic enable elegant interactive verification of heapmanipulating programs. However, undecidabilty results and high asymptotic complexity of checking validity preclude complete automatic verification of such programs, even when loop invariants and procedure contracts are specified as formulas in these logics. This paper tackles the problem of proceduremodular verification of reachability properties of heapmanipulating programs using efficient decision procedures that are complete: that is, a SAT solver must generate a counterexample whenever a program does not satisfy its specification. By (a) requiring each procedure modifies a fixed set of heap partitions and creates a bounded amount of heap sharing, and (b) restricting program contracts and loop invariants to use only deterministic paths in the heap, we show that heap reachability updates can be described in a simple manner. The restrictions force program specifications and verification conditions to lie within a fragment of firstorder logic with transitive closure that is reducible to effectively propositional logic, and hence facilitate sound, complete and efficient verification. We implemented a tool atop Z3 and report on preliminary experiments that establish the correctness of several programs that manipulate linked data structures.
Model and Proof Generation for HeapManipulating Programs?
"... Abstract. Existing heap analysis techniques lack the ability to supply counterexamples in case of property violations. This hinders diagnosis, prevents testcase generation and is a barrier to the use of these tools among nonexperts. We present a verification technique for reasoning about aliasing ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Existing heap analysis techniques lack the ability to supply counterexamples in case of property violations. This hinders diagnosis, prevents testcase generation and is a barrier to the use of these tools among nonexperts. We present a verification technique for reasoning about aliasing and reachability in the heap which uses ACDCL (a combination of the wellknown CDCL SAT algorithm and abstract interpretation) to perform interleaved proof generation and model construction. Abstraction provides us with a tractable way of reasoning about heaps; ACDCL adds the ability to search for a model in an efficient way. We present a prototype tool and demonstrate a number of examples for which we are able to obtain useful concrete counterexamples. 1
Learning to Verify the Heap
"... Abstract. We present a datadriven verification framework to automatically prove memory safety and functional correctness of heap programs. For this, we introduce a novel statistical machine learning technique that maps observed program states to (possibly disjunctive) separation logic formulas des ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We present a datadriven verification framework to automatically prove memory safety and functional correctness of heap programs. For this, we introduce a novel statistical machine learning technique that maps observed program states to (possibly disjunctive) separation logic formulas describing the invariant shape of (possibly nested) data structures at relevant program locations. We then attempt to verify these predictions using a theorem prover, where counterexamples to a predicted invariant are used as additional input to the shape predictor in a refinement loop. After obtaining valid shape invariants, we use a second learning algorithm to strengthen them with data invariants, again employing a refinement loop using the underlying theorem prover. We have implemented our techniques in Cricket, an extension of the GRASShopper verification tool. Cricket is able to automatically prove memory safety and correctness of implementations of a variety of classical heapmanipulating programs such as insertionsort, quicksort and traversals of nested data structures.
Propositional Reasoning about Safety and Termination of HeapManipulating Programs
"... Abstract. This paper shows that it is possible to reason about the safety and termination of programs handling potentially cyclic, singlylinked lists using propositional reasoning even when the safety invariants and termination arguments depend on constraints over the lengths of lists. For this pur ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. This paper shows that it is possible to reason about the safety and termination of programs handling potentially cyclic, singlylinked lists using propositional reasoning even when the safety invariants and termination arguments depend on constraints over the lengths of lists. For this purpose, we propose the theory SLH of singlylinked lists with length, which is able to capture nontrivial interactions between shape and arithmetic. When using the theory of bitvector arithmetic as background theory, SLH is efficiently decidable via a reduction to SAT. We show the utility of SLH for software verification by using it to express safety invariants and termination arguments for programs manipulating potentially cyclic, singlylinked lists with unrestricted, unspecified sharing. We also provide an implementation of the decision procedure and apply it to check safety and termination proofs for several heapmanipulating programs.
Instantiations, Zippers and EPR Interpolation
"... This paper describes interpolation procedures for EPR. In principle, interpolation for EPR is simple: It is a special case of firstorder interpolation. In practice, we would like procedures that take advantage of properties of EPR: EPR admits finite models and those models are sometimes possible to ..."
Abstract
 Add to MetaCart
(Show Context)
This paper describes interpolation procedures for EPR. In principle, interpolation for EPR is simple: It is a special case of firstorder interpolation. In practice, we would like procedures that take advantage of properties of EPR: EPR admits finite models and those models are sometimes possible to describe very compactly. Inspired by procedures for propositional logic that use models and cores, but not proofs, we develop a procedure for EPR that uses just models and cores. 1