Citation Context

...s in transforming a quantified formula into an equivalent quantifier-free formula. For instance, the formulas ∀y (y − z ≥ x ⇒ x + z ≥ 1) and x ≥ 1 − z are equivalent (they have the same models for (x, z)), whether considered over the reals or integers. Quantifier elimination subsumes both satisfiability testing for quantifier-free formulas, and the decision of quantified formulas without free variables. In program analysis, quantifier elimination has been applied to obtain optimal invariants and optimal abstract transformers [22, 21], and to obtain preconditions for modular assertion checking [23]. Unfortunately, quantifier elimination tends to be slow; as recalled in §4, worst-case complexities for useful theories tend to be towers of exponentials. Yet, high worst-case complexity does not preclude exploring procedures that perform fast on most examples, as shown by the high success of SAT solving. This motivates our work on new quantifier elimination algorithms. Many interesting mathematical theories admit quantifier elimination. In order to introduce better elimination schemes, we shall first describe a naive, but inefficient algorithm (§2.2) which works by calling a projection opera...

Citation Context

... of our abstraction. For instance, it could be directly integrated in non-disjunctive array predicate abstractions (e.g. [33]), and help to automatically discover preconditions on C library functions =-=[35]-=- without disjunction. Moreover, when analyzing sorting algorithms, in order to prove that the resulting array is correctly ordered (and not infer information over its first and last elements only), on...

Citation Context

...e statically proven by cccheck [16](or similar tools). We will use the assertions in A to infer necessary preconditions. This consists in propagating these conditions backwards to the origin of the traces of the semantics S, at the entry control point. The inference of termination preconditions is a separate problem [10], so we ignore the non-terminating behaviors I, or equivalently, assume termination i.e. I = ∅. 3 Sufficient Preconditions The weakest (liberal) preconditions provide sufficient preconditions which guarantee the (partial) correctness, i.e., the absence of errors in the program [2,5,9,22,29,31]: 2 public static void Example(object[] a) { Contract.Requires(a != null); for (var i = 0; i <= a.Length; i++) { a[i] = ...f(a[i])... ; // (*) if (NonDet()) return; } } Fig. 1. The weakest precondition for this code is false, which rules out good executions. Our technique only excludes bad runs, inferring the necessary precondition 0 < a.Length. ∀s ∈ Σ : wlp(P, true)(s) , (E(s) = ∅). The main drawbacks preventing the use of the weakest (liberal) preconditions calculus for automatic precondition inference are: (i) in the presence of loops, there is no algorithm that computes weakest (liberal) p...

Citation Context

...r automatic generation. There are several competing approaches for WLP synthesis. These include, for example, precondition templates and constraint solving (e.g., [15]), quantifier elimination (e.g., =-=[27]-=-), abstract interpretation (e.g., [9]), and CEGAR, predicate abstraction, and interpolation for predicate generation (e.g., [33]). Some algorithms combine multiple techniques to achieve better perform...

Citation Context

...esents a general scheme for extending the previously mentioned tools to infer preconditions, as it uses ingredients that are common to all of them. Moy has proposed a technique to infer preconditions =-=[23]-=- using a combination of state-of-the-art techniques such as abstract interpretation, weakest preconditions and quantifier elimination. While his technique is stronger than many existing ones, it is un...

Citation Context

...on fixed abstractions which cannot be refined at analysis time, thus leading to false alarms. Tools based on deductive verification typically require an inference procedure to provide loop invariants =-=[20]-=-. Denney and Fischer [21] have applied a pattern-based approach which is similar in spirit to ours to deductive verification, but not for the problem of array bounds checking, and their scope is restr...

Citation Context

... sufficient) condition on the particular API, and then automatically insert in the next version of the program. Several authors addressed the problem of under-approximating sufficient conditions—even if they did not explicitly state it in the terms of this paper. For instance, previous work in specification mining [2] and interface inference [1, 20] under-approximates sufficient history conditions ~S: their goal is to describe safe API usage by inferring sequences of API calls that are sufficient to prevent crashes in library code. Similarly, works on the inference of sufficient preconditions [5, 32] under-approximate our method call sufficient conditions S. In the worst case, such approximations result in the sufficient condition false. Few authors addressed the inference of necessary condition. For instance, Bouaziz et al. [6] used necessary history conditions to infer a sequences of method calls that inevitably lead to a crash, and Cousot et al. [10] used them in the context of modular analysis. In the worst case, such approximations yield the necessary condition true. 10. Conclusion In this paper, we addressed the problem of reducing the number of warnings, yet providing soundness gua...

Citation Context

...pre). He also mentions that classic domains, such as intervals, are inadequate to express underapproximations as they are not closed under complementation, but he does not propose an alternative. Moy =-=[15]-=- solves this issue by allowing disjunctions of abstract states (they correspond to path enumerations and can grow arbitrarily large). Lev-Ami et al. [11] derive under-approximations from overapproxima...