Results 1  10
of
119
Linear ranking with reachability
 In CAV
, 2005
"... Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thu ..."
Abstract

Cited by 76 (10 self)
 Add to MetaCart
(Show Context)
Abstract. We present a complete method for synthesizing lexicographic linear ranking functions supported by inductive linear invariants for loops with linear guards and transitions. Proving termination via linear ranking functions often requires invariants; yet invariant generation is expensive. Thus, we describe a technique that discovers just the invariants necessary for proving termination. Finally, we describe an implementation of the method and provide extensive experimental evidence of its effectiveness for proving termination of C loops. 1 Introduction Guaranteed termination of program loops is necessary in many settings, suchas embedded systems and safety critical software. Additionally, proving general temporal properties of infinite state programs requires termination proofs, forwhich automatic methods are welcome [19, 11, 15]. We propose a termination analysis of linear loops based on the synthesis of lexicographic linear rankingfunctions supported by linear invariants.
Speed: Precise and efficient static estimation of program computational complexity
 In POPL’09
, 2009
"... This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually ..."
Abstract

Cited by 68 (5 self)
 Add to MetaCart
(Show Context)
This paper describes an interprocedural technique for computing symbolic bounds on the number of statements a procedure executes in terms of its scalar inputs and userdefined quantitative functions of input datastructures. Such computational complexity bounds for even simple programs are usually disjunctive, nonlinear, and involve numerical properties of heaps. We address the challenges of generating these bounds using two novel ideas. We introduce a proof methodology based on multiple counter instrumentation (each counter can be initialized and incremented at potentially multiple program locations) that allows a given linear invariant generation tool to compute linear bounds individually on these counter variables. The bounds on these counters are then composed together to generate total bounds that are nonlinear and disjunctive. We also give an algorithm for automating this proof
Abstraction refinement for termination
 In Proceedings of the 12 th International Static Analysis Symposium
"... Abstract. Abstraction can often lead to spurious counterexamples. Counterexampleguided abstraction refinement is a method of strengthening abstractions based on the analysis of these spurious counterexamples. For invariance properties, a counterexample is a finite trace that violates the invariant; ..."
Abstract

Cited by 65 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Abstraction can often lead to spurious counterexamples. Counterexampleguided abstraction refinement is a method of strengthening abstractions based on the analysis of these spurious counterexamples. For invariance properties, a counterexample is a finite trace that violates the invariant; it is spurious if it is possible in the abstraction but not in the original system. When proving termination or other liveness properties of infinitestate systems, a useful notion of spurious counterexamples has remained an open problem. For this reason, no counterexampleguided abstraction refinement algorithm was known for termination. In this paper, we address this problem and present the first known automatic counterexampleguided abstraction refinement algorithm for termination proofs. We exploit recent results on transition invariants and transition predicate abstraction. We identify two reasons for spuriousness: abstractions that are too coarse, and candidate transition invariants that are too strong. Our counterexampleguided abstraction refinement algorithm successively weakens candidate transition invariants and refines the abstraction. 1
Transition predicate abstraction and fair termination
 POPL'05
, 2005
"... ..."
(Show Context)
Termination of Linear Programs
 In CAV’2004: Computer Aided Verification, volume 3114 of LNCS
, 2004
"... We show that termination of a class of linear loop programs is decidable. Linear loop programs are discretetime linear systems with a loop condition governing termination, that is, a while loop with linear assignments. We relate the termination of such a simple loop, on all initial values, to t ..."
Abstract

Cited by 54 (0 self)
 Add to MetaCart
(Show Context)
We show that termination of a class of linear loop programs is decidable. Linear loop programs are discretetime linear systems with a loop condition governing termination, that is, a while loop with linear assignments. We relate the termination of such a simple loop, on all initial values, to the eigenvectors corresponding to only the positive real eigenvalues of the matrix defining the loop assignments. This characterization of termination is reminiscent of the famous stability theorems in control theory that characterize stability in terms of eigenvalues.
Terminator: Beyond safety
 In CAV’06: International Conference on Computer Aided Verification
, 2006
"... ..."
The polyranking principle
 In ICALP
, 2005
"... Abstract. Although every terminating loop has a ranking function, not every loop has a ranking function of a restricted form, such as a lexicographic tuple of polynomials over program variables. The polyranking principle is proposed as a generalization of polynomial ranking for analyzing termination ..."
Abstract

Cited by 50 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Although every terminating loop has a ranking function, not every loop has a ranking function of a restricted form, such as a lexicographic tuple of polynomials over program variables. The polyranking principle is proposed as a generalization of polynomial ranking for analyzing termination of loops. We define lexicographic polyranking functions in the context of loops with parallel transitions consisting of polynomial assertions, including inequalities, over primed and unprimed variables. Next, we address synthesis of these functions with a complete and automatic method for synthesizing lexicographic linear polyranking functions with supporting linear invariants over linear loops. 1
Synthesizing software verifiers from proof rules
 IN PLDI
, 2012
"... Automatically generated tools can significantly improve programmer productivity. For example, parsers and dataflow analyzers can be automatically generated from declarative specifications in the form of grammars, which tremendously simplifies the task of implementing a compiler. In this paper, we pr ..."
Abstract

Cited by 46 (11 self)
 Add to MetaCart
(Show Context)
Automatically generated tools can significantly improve programmer productivity. For example, parsers and dataflow analyzers can be automatically generated from declarative specifications in the form of grammars, which tremendously simplifies the task of implementing a compiler. In this paper, we present a method for the automatic synthesis of software verification tools. Our synthesis procedure takes as input a description of the employed proof rule, e.g., program safety checking via inductive invariants, and produces a tool that automatically discovers the auxiliary assertions required by the proof rule, e.g., inductive loop invariants and procedure summaries. We rely on a (standard) representation of proof rules using recursive equations over the auxiliary assertions. The discovery of auxiliary assertions, i.e., solving the equations, is based on an iterative process that extrapolates solutions obtained for finitary unrollings of equations. We show how our method synthesizes automatic safety and liveness verifiers for programs with procedures, multithreaded programs, and functional programs. Our experimental comparison of the resulting verifiers with existing stateoftheart verification tools confirms the practicality of the approach.
Proving that programs eventually do something good
 In POPL’06: Principles of Programming Languages
, 2007
"... In recent years we have seen great progress made in the area of automatic sourcelevel static analysis tools. However, most of today’s program verification tools are limited to properties that guarantee the absence of bad events (safety properties). Until now no formal software analysis tool has pro ..."
Abstract

Cited by 45 (16 self)
 Add to MetaCart
(Show Context)
In recent years we have seen great progress made in the area of automatic sourcelevel static analysis tools. However, most of today’s program verification tools are limited to properties that guarantee the absence of bad events (safety properties). Until now no formal software analysis tool has provided fully automatic support for proving properties that ensure that good events eventually happen (liveness properties). In this paper we present such a tool, which handles liveness properties of large systems written in C. Liveness properties are described in an extension of the specification language used in the SDV system. We have used the tool to automatically prove critical liveness properties of Windows device drivers and found several previously unknown liveness bugs.