Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky
|
|
- Oliver Smith
- 5 years ago
- Views:
Transcription
1 Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv TAU IMDEA UMASS TAU IMDEA TAU
2 Motivation Proving presence (absence) of pointer paths between memory allocated objects in a given program Partial program correctness Memory safety Absence of memory leaks Data structure invariants Acylicity, Sortedness Total program correctness Program equivalence Reasoning about Reachability
3 Program Termination {x <n * > y} traverse(node x, Node y) { } for (t =x; t!= y ; t = t.n) { } x n n n n y null
4 Disjoint Parallelism { : null (h<n * > k<n * > )} h n n n n x null k n n n null for (x =h; x!= null; x = x.n) { } y for (y=k; y!= null; y = y.n) { }
5 Challenges Complexity of reasoning about reachability assertions Undecidability of reachability (not even RE) Modularity How to specify the behavior on reachability independent of the call [Inferring reachability properties from the code and some assertions]
6 Link list manipulations are simple Simple to reason about correctness Small counterexamples Even for doubly/circular/nested lists Simple invariants Alternation Free + Reachability * *
7 EA( * * ) formulas Bernays-Schönfinkel-Ramsey t ::= var constant (Terms) ap ::= t 1 = t 2 r(t 1,t 2,, t n ) qf ::= ap qf 1 qf 2 qf 1 qf 2 qf ea ::= 1, 2, n : 1, 2, m : qf Effectively Propositional Skolimization yields finite models EQ-satisfiable to a propositional formula Support from Z3
8 EA( ) formulas Bernays-Schönfinkel-Ramsey 1, 2, : 1 : r( 1, 1 ) r( 1, 2 ) = sat 1 : r(c 1, 1 ) r( 1, c 2 ) = sat (r(c 1, c 1 ) r(c 1, c 2 )) (r(c 1, c 2 ) r(c 2, c 2 )) = sat (P 11 P 12 ) (P 12 P 22 )
9 Alternation Free Reachability (AF R ) Extended subset of EA Closed under negation t ::= var constant (Terms) ap ::= t 1 = t 2 r(t 1,t 2,, t n ) t 1 <f * > t 2 (Reachability via sequences of f s) (exists k: f k (t 1 )=t 2 ) qf ::= qf qf 1 qf 2 qf 1 qf 2 qf e ::= 1, 2,, n : qf a: ::= 1, 2,, m : qf af R ::= e a af R 1 af R 2 af R 1 af R 2
10 AF R Program Properties Acylicity (>2), : <n * > <n * > = n * n * Acyclic list with a head h, : h<n * > h<n * > <n * > <n * > = h n * n * Sorted segment, : <n * > data u n * u v v
11 AF R Program Properties Doubly linked acyclic lists f *, : <f * > <b * > b * Disjoint lists with heads h and k : null (h<n * > k<n * > ) h n * 1 k 2
12 List Reversal (isolated) {ac [h] : h <n * > } Node reverse(node h) { Node c = h; Node d = null; while {I} (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d } I=, : <n * > <n * > c <n * > ( <n * > <n * > ) {ac[d], : <n * > <n * > : d <n * > } d<n * > d<n * >
13 Why AF R? Represent invariants of simple linked list manipulations Closed under,,,, wp x.n :=y Finite model property Decidable for satisfiability/validity AF R AF Can be reduced to a propositional formula SAT solver is complete for verification/falsification
14 AF R AF Introduce an auxiliary relation n* t[ <n * > ] =n * (, ) Axiomatize n* by an AF formula linord =, : n * (, ) n * (, ) = : n * (, ),, : n * (, ) n * (, ) n * (, ),, : n * (, ) n * (, ) (n * (, ) n * (, )) Completeness is satisfiable ( linord t[ ]) is satisfiable AF formulas have finite model
15 Inverting n* n Every finite model in which n* satisfies the order requirements:, : n * (, ) n * (, ) = : n*(, ),, : n * (, ) n * (, ) n * (, ),, : n * (, ) n * (, ) (n * (, ) n * (, )) n * uniquely determines n
16 Inverting n* n n * n * u n * n * n * y n * n * n * n * n * v x n * w n * n * <n + > <n * >
17 Inverting n* n n u n v n + n + n + n + y n + n n + n + x n + n + n n( )= <n + > : <n + > <n * > w
18 Simple SAT Application Determine if two clients are identical Produce isomorphic reachable stores reverse(reverse(h)) = h, : <n 1* > <n 0* >, : <n 2* > <n 1* >, : <n 0* > <n 2* >
19 Verification Process Program P Assertions VC gen Verification Condition P SAT Solver Counterexample Proof
20 Modular Specification Every procedure mutates a limited part of the heap footprint Can we specify the effect of the procedure on the footprint only? Provide a general adaptation rule for the context Possible for second order logics Transitive closure Separation Logic Can this be done in a weak logic?
21 An Adaptation Rule mod = the footprint New local path Old local path Old path New path
22 {ac [h] : h <n * > } List Reversal (isolated) Node reverse(node h) { Node c = h; Node d = null; while (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d } {?} reverse(i); {ac[i] ] i<n*>j} {ac[d], : <n * > <n * > : d <n * > }
23 {ac [h]} When ownership breaks Node reverse(node h) { Node c = h; Node d = null; while (c!= null) { Node t = c.next; c.next = d; d = c; c = t; } return d }, : <n * > h null <n * > h<n * > h<n * > <n * > h<n * > h<n * > false h<n * > h<n * > : <n * > h<n * > h<n * > h<n * > <n * >n( )
24 Unbounded Cutpoints Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } else i = x; return i; } x b c a accessed branch null d
25 Complicated Mutations c 6 h h n * c c n * k k c 6 h h n * c c n * k k
26 Limited Programming Model Type correct programs Recursion instead of loops Limited amount of new sharing per call Deterministic transitive closure Specified changes Uniform changes Fixed number of contiguous intervals of changed parts of the heap
27 Small Footprint Destructive Updates x.n := y x y x y x null x n null x n * y y n * x
28 Large Footprint x.n := y Destructive Updates n * n * ( n * x y n * )) x y
29 Small Footprint Destructive Updates x.n := null x s x s x null x n s x n * s s n * x
30 Large Footprint x.n := null n * n * ( n * x n * x)) x y x y x y x y
31 Small Footprint Reverse modifies mod = [h, null) [d, d] { : null (h<n * > d<n * > )} (disjoint lists h, d) Node reverse(node h, Node d) { if (h == null) return d; else { Node t = h.next; h.next = d; return reverse(t, h); } } {, mod : <n * > ( <n * > =d)}
32 Large Footprint Reverse h reverse(h, null) z 1 z 2 z h z 1 z 2 z 3
33 Modular Reasoning Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } else i = x; return i; } y x y x mod null find(x) null mod
34 Modular Reasoning y y x null null null mod union(x,y) void union(node x, Node y){ Node t = find(x); Node s = find(y); if (t!= s) t.p = s; } x mod
35 An Adaptation Rule Unchanged path New local path mod Old local path Becomes unreachable Becomes reachable
36 An FOTC Adaptation Rule Unmodified edges q s,t: s<q> t s<f> t s mod t mod Paths in post state s, t: s<f*>t s<q*>t, mod : s<q*> <f*> <q*> t
37 An Adaptable Heap Logic Extend AF R with an idempotent function en mod Maps nodes into footprint entrance points Reducible to effectively propositional Even with nested recursive calls
38 Large Footprint Adaptation s en mod mod en mod (s) = min ([s,null) mod) s mod, t mod: s<f * >t en mod (s)<f * >t
39 An Adaptation Rule (Simplified) en mod (s 1 ) = null Unchanged path s 1 en mod (s 2 ) mod t 1 Old local path t 2 s 2 New local path ex 2 ex 1 Becomes unreachable s 2 <q * > <f * > <q * >t 3 en mod (s 2 )<f * > <f * >ex i ex i <f * >t 3 ex i t 3 Becomes reachable
40 An AE R Adaptation Rule s,t: s<f * >t en mod (s) = null s<f * >t t mod en mod (s)<f * >t ex i en mod (s)<f * >ex i ex i <f * >t * *
41 Small Footprint Specification in AF R Node find(node x) requires: x!= null ensures:,β: <p * >β =β β=r y x mod null find(x) where r = max p [x, null) y x null mod
42 Verification Time (Z3) Formula Size Solving Benchmark P,Q mod VC time # # # (Z3) SLL: filter s SLL: quicksort s SLL: insert-sort s UF:find s UF:union s
43 Disproving with SAT Formula Size Solving C.e. Size Benchmark Nature of defect P,Q mod VC time # # (Z3) (vertices) UF: find Incorrect handling of s 2 corner case UF: union Incorrect s 8 specification SLL: filter Uncontrolled sharing s 14 SLL: insert-sort Violating call precondition s 8
44 Example Bug x r = max p [x, null) Node find(node x) { Node i = x.p; if (i!= null) { i = find(i); x.p = i; } // else i = x; return i; } Bug: missing else branch x null find(x) null violates spec : x<p*> <p * >r (for =x)
45 Data Structures outside AF R Lists with the same lengths Trees General DAGs Grids
46 Mutations outside our adaptable logic Creation of unbounded sharing Changing multiple fields Nested linked lists
47 Property Guided Shape Analysis N. Bjorner, T. Reps, A.Thakur, T. Weiss Predictable Shape Analysis Simple fixed Predicate Abstraction Infer propositional invariants guided by the verification problem When the analysis fails: Concrete counterexamples A trace showing overly coarse abstraction Programmer can define new predicates using AF R Employ IC3/PDR
48 Related Work First Order Rechability Axioms [Nelson POPL 83] Useful axioms [Lev-Ami 09] Useful axioms + completeness study Incremental Methods [Hesse 03, Reps 03, Lahiri&Qadeer POPL 06] Decidable Logics [Mona, STRAND, LRP, Berdine 2004,Lahiri&Qadeer POPL 08, Wies, Muñiz,Kuncak 2011,12 ]
49 Summary Reduction to SAT Support modularity Works for many programs Principles Restricted invariants Inversion n* Uniform mutations Two logics
Efficiently Reasoning about Programs
Efficiently Reasoning about Programs Neil Immerman College of Computer and Information Sciences University of Massachusetts, Amherst Amherst, MA, USA people.cs.umass.edu/ immerman co-r.e. complete Halt
More informationReasoning about Reachability at Tom Rep s 60th Birthday Celebration
Reasoning about Reachability at Tom Rep s 60th Birthday Celebration Neil Immerman College of Information and Computer Sciences UMass Amherst people.cs.umass.edu/ immerman/ 1978: Tom 22 Neil 24 @Cornell
More informationProperty-Directed Shape Analysis
Property-Directed Shape Analysis S. Itzhaky 1, N. Bjørner 2, T. Reps 3,4, M. Sagiv 1, and A. Thakur 3 1 Tel Aviv University, Tel Aviv, Israel 2 Microsoft Research, USA 3 University of Wisconsin Madison,
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationPutting Static Analysis to Work for Verification
Putting Static Analysis to Work for Verification A Case Study Tomasz Dudziak Based on a paper by T. Lev-Ami, T. Reps, M. Sagiv, and R. Wilhelm 23 June 2010 Topic Goal A very capable shape analysis that
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationVerifying Data Structure Invariants in Device Drivers
Verifying Data Structure Invariants in Device Drivers Scott McPeak (smcpeak@cs) George Necula (necula@cs) Chess Review May 10, 2004 Berkeley, CA Motivation Want to verify programs that use pointers Need
More informationBackward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction
Backward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction Alexey Bakhirkin 1 Josh Berdine 2 Nir Piterman 1 1 University of Leicester, Department of Computer Science 2 Microsoft
More informationShape Analysis. CS252r Spring 2011
Shape Analysis CS252r Spring 2011 Outline Motivation for shape analysis Three-valued logic Region-based with tracked locations 2 Shape analysis [Wilhelm, Sagiv, and Reps, CC 2000] Shape analysis: static
More informationAutomated Reasoning in Separation Logic. Thomas Wies New York University
Automated Reasoning in Separation Logic Thomas Wies New York University Automated Reasoning in Separation Logic Permission-based Logics Thomas Wies New York University A Motivating Example procedure delete(x:
More informationVerifying the Safety of Security-Critical Applications
Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig
More informationIvy: Safety Verification by Interactive Generalization
Consistent * Complete * Well Documented * Easy to Reuse * * Evaluated * PLDI * Artifact * AEC Ivy: Safety Verification by Interactive Generalization Oded Padon Tel Aviv University, Israel odedp@mail.tau.ac.il
More informationProperty-Directed Shape Analysis
Property-Directed Shape Analysis Shachar Itzhaky 1, Nikolaj Bjørner 2, Thomas Reps 3,4, Mooly Sagiv 1, and Aditya Thakur 3 1 Tel Aviv University, Tel Aviv, Israel 2 Microsoft Research, USA 3 University
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationAutomatic Assume/Guarantee Reasoning for Heap-Manipulating Programs (Ongoing Work)
Automatic Assume/Guarantee Reasoning for Heap-Manipulating Programs (Ongoing Work) Greta Yorsh a Alexey Skidanov a Thomas Reps b Mooly Sagiv a a School of Comp. Sci., Tel-Aviv Univ., {gretay,skidanov,msagiv}@post.tau.ac.il
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationA short manual for the tool Accumulator
A short manual for the tool Accumulator ZHAO Jianhua State Key Laboratory of Novel Software Technology Dept. of Computer Sci. and Tech. Nanjing University Nanjing, Jiangsu, P.R.China 210093 zhaojh@nju.edu.cn
More informationHoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationSMT-Based Modular Analysis of Sequential Systems Code
SMT-Based Modular Analysis of Sequential Systems Code Shuvendu K. Lahiri Microsoft Research Abstract. In this paper, we describe a few challenges that accompany SMTbased precise verification of systems
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationLecture 4. First order logic is a formal notation for mathematics which involves:
0368.4435 Automatic Software Verification April 14, 2015 Lecture 4 Lecturer: Mooly Sagiv Scribe: Nimrod Busany, Yotam Frank Lesson Plan 1. First order logic recap. 2. The SMT decision problem. 3. Basic
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationAutomatic termination proofs for programs with shape-shifting heaps
To appear in: CAV 2006. Automatic termination proofs for programs with shape-shifting heaps Josh Berdine 1, Byron Cook 1, Dino Distefano 2, and Peter W. O Hearn 1,2 1 Microsoft Research 2 Queen Mary, University
More informationCompilation and Program Analysis (#11) : Hoare triples and shape analysis
Compilation and Program Analysis (#11) : Hoare triples and shape analysis Laure Gonnord http://laure.gonnord.org/pro/teaching/capm1.html Laure.Gonnord@ens-lyon.fr Master 1, ENS de Lyon dec 2017 Inspiration
More informationVerifying Properties of Well-Founded Linked Lists
Verifying Properties of Well-Founded Linked Lists Shuvendu K. Lahiri shuvendu@microsoft.com Microsoft Research Shaz Qadeer qadeer@microsoft.com Microsoft Research July 27, 2005 Technical Report MSR-TR-2005-97
More informationModel Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).
Sérgio Campos scampos@dcc.ufmg.br Why? Imagine the implementation of a complex hardware or software system: A 100K gate ASIC perhaps 100 concurrent modules; A flight control system dozens of concurrent
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationTel Aviv University Raymond and Beverly Sackler Faculty of Exact Sciences The Blavatnik School of Computer Science. Asya Frumkin
Tel Aviv University Raymond and Beverly Sackler Faculty of Exact Sciences The Blavatnik School of Computer Science PROPERTY DIRECTED REACHABILITY FOR PROVING ABSENCE OF CONCURRENT MODIFICATION ERRORS by
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationProgram Verification. Program Verification 307/434
Program Verification Program Verification 307/434 Outline Introduction: What and Why? Pre- and Postconditions Conditionals while-loops and Total Correctness Arrays Program Verification Introduction 308/434
More informationFinite State Verification. CSCE Lecture 14-02/25/2016
Finite State Verification CSCE 747 - Lecture 14-02/25/2016 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationAlternation for Termination
Alternation for Termination William R. Harris 1, Akash Lal 2, Aditya V. Nori 2, and Sriram K. Rajamani 2 1 University of Wisconsin; Madison, WI, USA 2 Microsoft Research India; Bangalore, India Abstract.
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationProperty Directed Reachability for Proving Absence of Concurrent Modification Errors
Property Directed Reachability for Proving Absence of Concurrent Modification Errors Asya Frumkin 1, Yotam M. Y. Feldman 1, Ondřej Lhoták 2, Oded Padon 1, Mooly Sagiv 1, and Sharon Shoham 1 1 Tel Aviv
More informationTree Interpolation in Vampire
Tree Interpolation in Vampire Régis Blanc 1, Ashutosh Gupta 2, Laura Kovács 3, and Bernhard Kragl 4 1 EPFL 2 IST Austria 3 Chalmers 4 TU Vienna Abstract. We describe new extensions of the Vampire theorem
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationABC basics (compilation from different articles)
1. AIG construction 2. AIG optimization 3. Technology mapping ABC basics (compilation from different articles) 1. BACKGROUND An And-Inverter Graph (AIG) is a directed acyclic graph (DAG), in which a node
More informationProgram Verification Using Separation Logic
Program Verification Using eparation Logic Dino Distefano Queen Mary University of London Lecture 5 Today s plan Adaptive hape Analysis Bi-Abduction and compositional analysis Part I Adaptive shape analysis
More informationSimplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University
Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More information22c:31 Algorithms. Kruskal s Algorithm for MST Union-Find for Disjoint Sets
22c:1 Algorithms Kruskal s Algorithm for MST Union-Find for Disjoint Sets 1 Kruskal s Algorithm for MST Work with edges, rather than nodes Two steps: Sort edges by increasing edge weight Select the first
More informationSeparation Logic Tutorial
Separation Logic Tutorial (To appear in Proceedings of ICLP 08) Peter O Hearn Queen Mary, University of London Separation logic is an extension of Hoare s logic for reasoning about programs that manipulate
More informationFinite State Verification. CSCE Lecture 21-03/28/2017
Finite State Verification CSCE 747 - Lecture 21-03/28/2017 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationSemantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics
There is no single widely acceptable notation or formalism for describing semantics Operational Describe the meaning of a program by executing its statements on a machine, either simulated or actual. The
More informationModel Checking and Its Applications
Model Checking and Its Applications Orna Grumberg Technion, Israel Verification and Deduction Mentoring Workshop July 13, 2018 1 Personal data Ph.d. in (non-automated) verification Postdoc in Model Checking
More informationA Combination Framework for Tracking Partition Sizes
A Combination Framework for Tracking Partition Sizes Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University msagiv@post.tau.ac.il
More informationBOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH
BOOGIE A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH Presentation by Itsik Hefez Introduction Boogie is an intermediate verification language, intended as a layer on which
More informationObject Ownership in Program Verification
Object Ownership in Program Verification Werner Dietl 1 and Peter Müller 2 1 University of Washington wmdietl@cs.washington.edu 2 ETH Zurich peter.mueller@inf.ethz.ch Abstract. Dealing with aliasing is
More informationPointers. Chapter 8. Decision Procedures. An Algorithmic Point of View. Revision 1.0
Pointers Chapter 8 Decision Procedures An Algorithmic Point of View D.Kroening O.Strichman Revision 1.0 Outline 1 Introduction Pointers and Their Applications Dynamic Memory Allocation Analysis of Programs
More informationCall invariants. Shuvendu K. Lahiri and Shaz Qadeer. Microsoft Research
Call invariants Shuvendu K. Lahiri and Shaz Qadeer Microsoft Research Abstract. Program verifiers based on first-order theorem provers model the program heap as a collection of mutable maps. In such verifiers,
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationComputer Science Technical Report
Computer Science Technical Report Feasibility of Stepwise Addition of Multitolerance to High Atomicity Programs Ali Ebnenasir and Sandeep S. Kulkarni Michigan Technological University Computer Science
More informationComplete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar
Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge Leonardo de Moura ACSys Seminar 2008.12 Motivation SMT solvers have been successful Quantified smt formulas are
More informationThe Boogie Intermediate Language
The Boogie Intermediate Language What is BoogiePL? A simplified C-like language that s structured for verification tasks Has constructs that allow specification of assumptions and axioms, as well as assertions
More informationCompiler Construction
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de http://moves.rwth-aachen.de/teaching/ss-14/cc14/
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationLaboratory for Automated Reasoning and Analysis
http://lara.epfl.ch Laboratory for Automated Reasoning and Analysis Viktor Kuncak Assistant Professor, IC a project: http://javaverification.org ongoing class: http://richmodels.org/lat Spring, will be
More informationVeriCon: Towards Verifying Controller Programs in SDNs
VeriCon: Towards Verifying Controller Programs in SDNs Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv, Michael Schapira, Asaf Valadarsky 1 Guaranteeing network
More informationModel Checking with Abstract State Matching
Model Checking with Abstract State Matching Corina Păsăreanu QSS, NASA Ames Research Center Joint work with Saswat Anand (Georgia Institute of Technology) Radek Pelánek (Masaryk University) Willem Visser
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationStatic Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions
Static Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions Liqian Chen 1,2 Renjian Li 1 Xueguang Wu 1 Ji Wang 1 1 National University of Defense Technology, Changsha, China
More informationIntroduction to Permission-Based Program Logics. Thomas Wies New York University
Introduction to Permission-Based Program Logics Thomas Wies New York University A Motivating Example procedure delete(x: Node) { if (x!= null) { var y := [x]; delete(y); free(x); } } x y null Proof by
More informationDISCRETE MATHEMATICS
DISCRETE MATHEMATICS WITH APPLICATIONS THIRD EDITION SUSANNA S. EPP DePaul University THOIVISON * BROOKS/COLE Australia Canada Mexico Singapore Spain United Kingdom United States CONTENTS Chapter 1 The
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security 1/27 Reasoning About Code Often functions make certain assumptions about their arguments, and it is the caller s responsibility to make sure those assumptions
More informationLecture 4. Towards a Verifying Compiler: Data Abstraction
Lecture 4 Towards a Verifying Compiler: Data Abstraction W olfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency Joint work with Rustan Leino, Mike Barnett, Manuel Fähndrich,
More informationInterprocedural Shape Analysis with Separated Heap Abstractions
Interprocedural Shape Analysis with Separated Heap Abstractions Alexey Gotsman 1, Josh Berdine 2, and Byron Cook 2 1 University of Cambridge Alexey.Gotsman@cl.cam.ac.uk 2 Microsoft Research Cambridge {jjb,bycook}@microsoft.com
More informationRun-time Environments -Part 3
Run-time Environments -Part 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Compiler Design Outline of the Lecture Part 3 What is run-time support?
More informationOn Proof Systems Behind Efficient SAT Solvers. DoRon B. Motter and Igor L. Markov University of Michigan, Ann Arbor
On Proof Systems Behind Efficient SAT Solvers DoRon B. Motter and Igor L. Markov University of Michigan, Ann Arbor Motivation Best complete SAT solvers are based on DLL Runtime (on unsat instances) is
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationLecture 18 Restoring Invariants
Lecture 18 Restoring Invariants 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In this lecture we will implement heaps and operations on them. The theme of this lecture is reasoning
More informationA Combination Framework for Tracking Partition Sizes (Full Version)
A Combination Framework for Tracking Partition Sizes (Full Version) Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University
More informationSchool of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne
Principles of Dependable Systems Building Reliable Software School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne Winter 2006-2007 Outline Class Projects: mtgs next week
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationLogic-Flow Analysis of Higher-Order Programs
Logic-Flow Analysis of Higher-Order Programs Matt Might http://matt.might.net/ POPL 2007 Why? Tim Sweeney, POPL 2006 Static array-bounds checking. Example... a[i]... Will 0 i < a.length always hold? 3
More informationSMT-based Verification of Heap-manipulating Programs
SMT-based Verification of Heap-manipulating Programs Ruzica Piskac VTSA 2016 A Motivating Example procedure delete(x: Node) { if (x!= null) { delete(x.next); free(x); } } x null next next next From Hand-Waving
More informationCompiler Construction
Compiler Construction Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-16/cc/ Recap: Static Data Structures Outline of Lecture 18 Recap:
More information