Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control
|
|
- Ethel Sullivan
- 5 years ago
- Views:
Transcription
1 Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
2 Parameterized concurrent programs Goal Compute numerical invariants (e.g. intervals, octagons, polyhedra) for parameterized concurrent programs. Solution: annotation ι such that if some thread T s program counter is at v, then ι(v) holds over the globals & locals of T. Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
3 Parameterized concurrent programs Goal Compute numerical invariants (e.g. intervals, octagons, polyhedra) for parameterized concurrent programs. Solution: annotation ι such that if some thread T s program counter is at v, then ι(v) holds over the globals & locals of T. Our program model has: Unbounded concurrency: program is the parallel composition of n copies of some thread T, where n is a parameter Invariants must be sound for all n Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
4 Parameterized concurrent programs Goal Compute numerical invariants (e.g. intervals, octagons, polyhedra) for parameterized concurrent programs. Solution: annotation ι such that if some thread T s program counter is at v, then ι(v) holds over the globals & locals of T. Our program model has: Unbounded concurrency: program is the parallel composition of n copies of some thread T, where n is a parameter Invariants must be sound for all n Unbounded data domains Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
5 Parameterized concurrent programs Goal Compute numerical invariants (e.g. intervals, octagons, polyhedra) for parameterized concurrent programs. Solution: annotation ι such that if some thread T s program counter is at v, then ι(v) holds over the globals & locals of T. Our program model has: Unbounded concurrency: program is the parallel composition of n copies of some thread T, where n is a parameter Invariants must be sound for all n Unbounded data domains Natural model for device drivers, file systems, client/server-type programs,... Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
6 Contributions 1 We develop an attack on the parameterized verification problem based on separating it into a data module and a control module Data module computes numerical invariants Control module computes a program model Data module Control module Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
7 Contributions 1 We develop an attack on the parameterized verification problem based on separating it into a data module and a control module Data module computes numerical invariants Control module computes a program model Data module Control module 2 We propose data flow graphs as a program representation for (parameterized) concurrent programs Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
8 Contributions 1 We develop an attack on the parameterized verification problem based on separating it into a data module and a control module Data module computes numerical invariants Control module computes a program model Data module Control module 2 We propose data flow graphs as a program representation for (parameterized) concurrent programs 3 We give a semicompositional algorithm for constructing data flow graphs Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
9 Contributions 1 We develop an attack on the parameterized verification problem based on separating it into a data module and a control module Data module computes numerical invariants Control module computes a program model Data module Control module 2 We propose data flow graphs as a program representation for (parameterized) concurrent programs 3 We give a semicompositional algorithm for constructing data flow graphs Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
10 Sequential program analysis Flow analysis: solve a system of equations valued over some abstract domain For sequential programs, equations come from the control flow graph: IN(t) = t OUT (t) = t (IN(t)) IN(u) = OUT (t) OUT (w) OUT (u) = u (IN(u)) u v IN(v) = OUT (t) OUT (v) = v (IN(v)) w IN(w) = OUT (u) OUT (v) OUT (w) = w (IN(w)) Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
11 Sequential program analysis Flow analysis: solve a system of equations valued over some abstract domain For sequential programs, equations come from the control flow graph: IN(t) = t OUT (t) = t (IN(t)) IN(u) = OUT (t) OUT (w) OUT (u) = u (IN(u)) u v IN(v) = OUT (t) OUT (v) = v (IN(v)) w IN(w) = OUT (u) OUT (v) OUT (w) = w (IN(w)) How about parameterized programs? Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
12 Data flow Represent data flow, not control flow: ABC x := x + 1 y := 1 x := x + y x := -x Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
13 Data flow Represent data flow, not control flow: ABC x := x + 1 x y := 1 y x := x + y x x := -x Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
14 Data flow Represent data flow, not control flow: x uninit ABC x y x := x + 1 x y := 1 y x := x + y x x := -x y y Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
15 Why data flow? Invariant: x = 0 y := 0 acquire(lock) assert(x = 0) release(lock) x? acquire(lock) x := 1 x := 0 release(lock) Break invariant Restore invariant Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
16 Data flow graphs A DFG for a program P is a directed graph P = Loc,, where Loc V ars Loc is a set of directed edges labeled by program variables x x := x + 1 x := x + y Loc contains a distinguished uninit vertex Note: # of vertices does not depend on # of threads Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
17 Representing traces A program is represented by a DFG P if all its feasible traces are represented by P. Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
18 Representing traces A program is represented by a DFG P if all its feasible traces are represented by P. A trace is represented by a DFG P if all data flow edges it witnesses belong to P Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
19 Representing traces A program is represented by a DFG P if all its feasible traces are represented by P. A trace is represented by a DFG P if all data flow edges it witnesses belong to P A trace witnesses a data flow u x v iff it is of the form: Thread n executes u, u modifies x T n, u Thread m at v No modifications to x (x local requires n = m) Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
20 Representing traces A program is represented by a DFG P if all its feasible traces are represented by P. A trace is represented by a DFG P if all data flow edges it witnesses belong to P A trace witnesses a data flow u x v iff it is of the form: uninit ABC Thread n executes u, u modifies x T n, u Thread m at v x x y x := x + 1 x y := 1 y No modifications to x (x local requires n = m) y x := x + y y x x := -x Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
21 Computing invariants with DFGs DFGs induce a set of equations: IN(v) x = (V ars \ {x}).out (u) u x v IN(v) = IN(v) x x V ar OUT (v) = v (IN(v)) Define an inductive annotation to be a solution to these equations. Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
22 Computing invariants with DFGs DFGs induce a set of equations: IN(v) x = u x v IN(v) = IN(v) x x V ar OUT (v) = v (IN(v)) (V ars \ {x}).out (u) Define an inductive annotation to be a solution to these equations. Theorem (DFG soundness) If σ is a trace represented by a DFG P, and ι is an inductive annotation for P, then ι safely approximates the states reached by σ. Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
23 Overview Data module Control module Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
24 Overview Data module Control module Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
25 Constructing data flow graphs Goal Compute the set of all u, x, v such that there is some feasible trace that witnesses u x v Strategy: Overapproximate the set of feasible traces Compute dataflow edges witnessed by one of these traces Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
26 Precise DFG construction needs data (flag is initially 0) assume(flag) x? x := null assert(x!= null) x := alloc(...) flag := 1 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
27 Precise DFG construction needs data (flag is initially 0) assume(flag) x? x := null T 1,x := null assert(x!= null) x := alloc(...) x T 2,assume(flag) flag := 1 T 2,assert(x!= null) Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
28 Precise DFG construction needs data (flag is initially 0) assume(flag) assert(x!= null) x? x := null T 1,x := null x := alloc(...) x T 2,assume(flag) flag = 0 Cannot execute! flag := 1 T 2,assert(x!= null) Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
29 ι-feasible traces Use an annotation ι to rule out infeasible traces: a trace σ is ι-infeasible if there is some subtrace σ T n, v, some thread m, and some location u such that Thread m is at location u after executing σ Thread n may not execute v in any state satisfying ι(u). Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
30 ι-feasible traces: example (flag is initially 0) assume(flag) x? x := null assert(x!= null) x := alloc(...) flag := 1 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
31 ι-feasible traces: example (flag is initially 0) assume(flag) T 1,x := null assert(x!= null) x? x := null x T 2,assume(flag) x := alloc(...) T 2,assert(x!= null) flag := 1 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
32 ι-feasible traces: example (flag is initially 0) assume(flag) T 1,x := null assert(x!= null) x? x := null x T 2,assume(flag) x := alloc(...) T 2,assert(x!= null) flag := 1 guard: flag 0 T 1 at x := alloc(...) T 2 at assume(flag) is ι(x := alloc(...)) flag 0 satisfiable? Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
33 ι-feasible traces: example (flag is initially 0) assume(flag) T 1,x := null assert(x!= null) x? x := null x T 2,assume(flag) x := alloc(...) T 2,assert(x!= null) flag := 1 guard: flag 0 T 1 at x := alloc(...) T 2 at assume(flag) is ι(x := alloc(...)) flag 0 satisfiable? ι(x := alloc(...)) : flag = 0 infeasible Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
34 ι-feasible traces: example (flag is initially 0) assume(flag) T 1,x := null assert(x!= null) x? x := null x T 2,assume(flag) x := alloc(...) T 2,assert(x!= null) flag := 1 guard: flag 0 T 1 at x := alloc(...) T 2 at assume(flag) is ι(x := alloc(...)) flag 0 satisfiable? ι(x := alloc(...)) : flag = 0 infeasible ι(x := alloc(...)) : true feasible Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
35 Constructing data flow graphs Goal Compute the set of all u, x, v such that there is some feasible trace that witnesses u x v Strategy: Overapproximate the set of feasible traces Compute dataflow edges witnessed by one of these traces Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
36 Constructing data flow graphs Goal Compute the set of all u, x, v such that there is some feasible trace that witnesses u x v Strategy: Overapproximate the set of feasible traces by ι-feasible traces Compute dataflow edges witnessed by one of these traces Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
37 Constructing data flow graphs Goal Compute the set of all u, x, v such that there is some feasible trace that witnesses u x v Strategy: Overapproximate the set of feasible traces by ι-feasible traces Compute dataflow edges witnessed by one of these traces Parameterization is still an obstacle Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
38 Constructing data flow graphs Goal Compute the set of all u, x, v such that there is some feasible trace that witnesses u x v Strategy: Overapproximate the set of feasible traces by ι-feasible traces Compute dataflow edges witnessed by one of these traces Parameterization is still an obstacle Data flow edges for 2-thread ι-feasible witnesses can be computed efficiently Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
39 Projection Lemma (projection) Let ι be an annotation, let σ be an ι-feasible trace, and let N be a set of threads. Then σ N, the projection of σ onto N, is also ι-feasible. Thread n executes u, u modifies x T n, u Thread m at v No modifications to x Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
40 Projection Lemma (projection) Let ι be an annotation, let σ be an ι-feasible trace, and let N be a set of threads. Then σ N, the projection of σ onto N, is also ι-feasible. Thread n executes u, u modifies x T n, u Thread m at v No modifications to x Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
41 Projection Lemma (projection) Let ι be an annotation, let σ be an ι-feasible trace, and let N be a set of threads. Then σ N, the projection of σ onto N, is also ι-feasible. Thread n executes u, u modifies x T n, u Thread m at v No modifications to x A data flow edge u x v has an ι-feasible witness iff it has a 2-thread ι-feasible witness Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
42 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data analysis DFG construction Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
43 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data analysis DFG construction Annotation Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
44 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data flow edges Data analysis DFG construction Annotation Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
45 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data flow edges Data analysis DFG construction Annotation Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
46 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data flow edges Data analysis DFG construction Annotation Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
47 Feedback loop Given a DFG, we know how to compute numerical invariants Given numerical invariants, we know how to compute a DFG Sequential reaching definitions Sequential DFG Data flow edges Data analysis DFG construction Annotation Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
48 Experimental results We implemented our algorithm in a tool, DUET Integer overflow & array bounds checks for 15 Linux device drivers DUET proves 1312/1597 (82%) assertions correct in 13m9s Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
49 Experimental results: Boolean programs Boolean abstractions of Linux device drivers: Suite 1 DUET Linear interfaces 1 Improvement Assertions proved % increase Average time 3.4s 16.9s 5x speedup Suite 2 DUET Dynamic cutoff detection 2 Improvement Assertions proved % increase Average time 8.2s 24.9s 3x speedup 1 S. La Torre, P. Madhusudan, and G. Parlato. Model-checking parameterized concurrent programs using linear interfaces. In CAV, pages A. Kaiser, D. Kroening, and T. Wahl. Dynamic cutoff detection in parameterized concurrent programs. In CAV, pages Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
50 Conclusion Separate reasoning into a data module and a control module Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
51 Conclusion Separate reasoning into a data module and a control module Data flow graphs represent parameterized programs Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
52 Conclusion Separate reasoning into a data module and a control module Data flow graphs represent parameterized programs Semi-compositional DFG construction algorithm Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
53 Questions? Thank you for your attention. Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
54 Bonus slide: future work Improved algorithms for inferring groups of related variables to improve DFGs analyses over relational domains (e.g., octagons, polyhedra) Extension to handle aliasing Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18, / 22
Duet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationVerifying Recursive Programs using Intra-procedural Analyzers
Verifying Recursive Programs using Intra-procedural Analyzers Yu-Fang Chen, Academia Sinica, Taiwan joint work with Chiao Hsieh, Ming-Hsien Tsai, Bow-Yaw Wang and Farn Wang First of all Thanks for the
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationthe complexity of predicting atomicity violations
the complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign. Motivation: Interleaving explosion problem Testing is the main technique
More informationLocal Verification of Global Invariants in
Local Verification of Global Invariants in 1 Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1, Michal Moskal 2, Wolfram Schulte 2, Stephan Tobies 1 1 European Microsoft Innovation
More informationConfigurable Software Model Checking
Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationA CRASH COURSE IN SEMANTICS
LAST TIME Recdef More induction NICTA Advanced Course Well founded orders Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Well founded recursion Calculations: also/finally {P}... {Q}
More informationInterrupt-driven Software
Interrupt-driven Software 2 3 Interrupt 1 Interrupt 3 Interrupt 2 Interrupt?? 4 5 6 7 T1() { a = 1; x = a; T2() { a = 2; T1() { a = 1; x = a; T2() { a = 2; 8 9 10 Interrupt-driven programs Abstract Interpretation
More informationSplitting the Control Flow with Boolean Flags
École Normale Supérieure, Paris, France A.Simon@ens.fr July 2008 Good States are Usually Convex Declare C variable int array[12];. 0 1 2 3 4 5 6 7 8 9 10 11 i Access array[i] within bound if 0 i and i
More informationModel-checking Parameterized Concurrent Programs using Linear Interfaces
Model-checking Parameterized Concurrent Programs using Linear Interfaces S. La Torre 1, P. Madhusudan 2, G. Parlato 2 1 Università degli Studi di Salerno, Italy 2 University of Illinois at Urbana-Champaign,
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationFinding heap-bounds for hardware synthesis
Finding heap-bounds for hardware synthesis B. Cook + A. Gupta # S. Magill* A. Rybalchenko # J. Simsa* S. Singh + V. Vafeiadis + *CMU # MPI-SWS + MSR Coding hardware in advanced languages Use of advanced
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More informationModel Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationLock-sensitive Interference Analysis for Java: Combining Program Dependence Graphs with Dynamic Pushdown Networks
Lock-sensitive Interference Analysis for Java: Combining Program Dependence Graphs with Dynamic Pushdown Networks Jürgen Graf 1, Martin Hecker 1, Martin Mohr 1, and Benedikt Nordhoff 2 1 Karlsruhe Institute
More informationComputing Approximate Happens-Before Order with Static and Dynamic Analysis
Department of Distributed and Dependable Systems Technical report no. D3S-TR-2013-06 May 7, 2018 Computing Approximate Happens-Before Order with Static and Dynamic Analysis Pavel Parízek, Pavel Jančík
More informationA Combination Framework for Tracking Partition Sizes (Full Version)
A Combination Framework for Tracking Partition Sizes (Full Version) Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationA Combination Framework for Tracking Partition Sizes
A Combination Framework for Tracking Partition Sizes Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University msagiv@post.tau.ac.il
More informationAutomatic synthesis of switching controllers for linear hybrid systems: Reachability control
Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Massimo Benerecetti and Marco Faella Università di Napoli Federico II, Italy Abstract. We consider the problem
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationLearning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses
Noname manuscript No. (will be inserted by the editor) Learning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses Kihong Heo Hakjoo Oh Hongseok Yang
More informationA New Abstraction Framework for Affine Transformers
A New Abstraction Framework for Affine Transformers Tushar Sharma and Thomas Reps SAS 17 Motivations Prove Program Assertions Function and loop summaries Sound with respect to bitvectors A NEW ABSTRACTION
More informationSoftwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24
Softwaretechnik Program verification Albert-Ludwigs-Universität Freiburg June 28, 2012 Softwaretechnik June 28, 2012 1 / 24 Road Map Program verification Automatic program verification Programs with loops
More informationType Theory meets Effects. Greg Morrisett
Type Theory meets Effects Greg Morrisett A Famous Phrase: Well typed programs won t go wrong. 1. Describe abstract machine: M ::= 2. Give transition relation: M 1 M 2
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationLost in Abstraction: Monotonicity in Multi-threaded Programs
Lost in Abstraction: Monotonicity in Multi-threaded Programs Alexander Kaiser 1, Daniel Kroening 1, and Thomas Wahl 2 1 University of Oxford, United Kingdom 2 Northeastern University, Boston, United States
More informationSoftwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011
Softwaretechnik Program verification Software Engineering Albert-Ludwigs-University Freiburg June 30, 2011 (Software Engineering) Softwaretechnik June 30, 2011 1 / 28 Road Map Program verification Automatic
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationHoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationRATCOP: Relational Analysis Tool for Concurrent Programs
RATCOP: Relational Analysis Tool for Concurrent Programs Suvam Mukherjee 1, Oded Padon 2, Sharon Shoham 2, Deepak D Souza 1, and Noam Rinetzky 2 1 Indian Institute of Science, India 2 Tel Aviv University,
More informationBOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH
BOOGIE A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH Presentation by Itsik Hefez Introduction Boogie is an intermediate verification language, intended as a layer on which
More informationEFFECTIVE HEURISTIC-BASED TEST GENERATION TECHNIQUES FOR CONCURRENT SOFTWARE. Niloofar Razavi
EFFECTIVE HEURISTIC-BASED TEST GENERATION TECHNIQUES FOR CONCURRENT SOFTWARE by Niloofar Razavi A thesis submitted in conformity with the requirements for the degree of Doctor of Philosophy Graduate Department
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationStatic Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Characteristics of! System to be! built must! match required! characteristics!
Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Requirements Spec.! Design! Test Results must! match required behavior! Characteristics of! System to be! built must! match required! characteristics!
More informationMore on Operational Semantics
More on Operational Semantics (Slides modified from those created by Xinyu Feng) 1 / 23 Outline Various formulations Extensions Going wrong Local variable declaration Heap Big-step operational semantics
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationVerasco: a Formally Verified C Static Analyzer
Verasco: a Formally Verified C Static Analyzer Jacques-Henri Jourdan Joint work with: Vincent Laporte, Sandrine Blazy, Xavier Leroy, David Pichardie,... June 13, 2017, Montpellier GdR GPL thesis prize
More informationInterval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships
Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships Liqian Chen 1,2 Antoine Miné 3,2 Ji Wang 1 Patrick Cousot 2,4 1 National Lab. for Parallel and Distributed Processing, Changsha,
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationReading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis
Reading Assignment Symbolic Evaluation/Execution *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationA Verified Implementation of the Bounded List Container
A Verified Implementation of the Bounded List Container Raphaël Cauderlier, Mihaela Sighireanu March 26, 2018 1 / 32 Outline 1 Introduction 2 Bounded Doubly-Linked Lists 3 Verification 4 Conclusion 2 /
More informationSymbolic Evaluation/Execution
Symbolic Evaluation/Execution Reading Assignment *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationLecture. DM510 - Operating Systems, Weekly Notes, Week 11/12, 2018
Lecture In the lecture on March 13 we will mainly discuss Chapter 6 (Process Scheduling). Examples will be be shown for the simulation of the Dining Philosopher problem, a solution with monitors will also
More informationPush-button verification of Files Systems via Crash Refinement
Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare
More informationStatic Lock Capabilities for Deadlock-Freedom
Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu University of Washington TLDI, January 28, 2012 Joint work with Michael D. Ernst and Dan Grossman Colin S. Gordon
More informationCCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs
CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationOutline. software testing: search bugs black-box and white-box testing static and dynamic testing
Outline 1 Verification Techniques software testing: search bugs black-box and white-box testing static and dynamic testing 2 Programming by Contract assert statements in Python using preconditions and
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationStatic Analysis in Practice
in Practice 17-654/17-754: Analysis of Software Artifacts Jonathan Aldrich 1 Quick Poll Who is familiar and comfortable with design patterns? e.g. what is a Factory and why use it? 2 1 Outline: in Practice
More informationCompilation and Program Analysis (#11) : Hoare triples and shape analysis
Compilation and Program Analysis (#11) : Hoare triples and shape analysis Laure Gonnord http://laure.gonnord.org/pro/teaching/capm1.html Laure.Gonnord@ens-lyon.fr Master 1, ENS de Lyon dec 2017 Inspiration
More informationTiming Analysis of Parallel Software Using Abstract Execution
Timing Analysis of Parallel Software Using Abstract Execution Björn Lisper School of Innovation, Design, and Engineering Mälardalen University bjorn.lisper@mdh.se 2014-09-10 EACO Workshop 2014 Motivation
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationSpark verification features
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether
More informationCompiler Construction 2016/2017 Loop Optimizations
Compiler Construction 2016/2017 Loop Optimizations Peter Thiemann January 16, 2017 Outline 1 Loops 2 Dominators 3 Loop-Invariant Computations 4 Induction Variables 5 Array-Bounds Checks 6 Loop Unrolling
More informationPrecise Thread-Modular Abstract Interpretation of Concurrent Programs using Relational Interference Abstractions
Precise Thread-Modular Abstract Interpretation of Concurrent Programs using Relational Interference Abstractions Raphaël Monat 1 and Antoine Miné 2 1 École Normale Supérieure de Lyon and École Normale
More informationDIRECTED PROGRAMS GEOMETRIC MODELS OF CONCURRENT. Samuel Mimram. École Polytechnique
DIRECTED GEOMETRIC MODELS OF CONCURRENT PROGRAMS Samuel Mimram École Polytechnique Applied and Computational Algebraic Topology Spring School April 24th, 2017 2 / 117 Models of concurrent programs We are
More informationReal-Time and Embedded Systems (M) Lecture 19
Low-Level/Embedded Programming Real-Time and Embedded Systems (M) Lecture 19 Lecture Outline Hardware developments Implications on system design Low-level programming Automatic memory management Timing
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Recap: Taking Conditional Branches into Account Extending
More informationTree Interpolation in Vampire
Tree Interpolation in Vampire Régis Blanc 1, Ashutosh Gupta 2, Laura Kovács 3, and Bernhard Kragl 4 1 EPFL 2 IST Austria 3 Chalmers 4 TU Vienna Abstract. We describe new extensions of the Vampire theorem
More informationVertex Cover is Fixed-Parameter Tractable
Vertex Cover is Fixed-Parameter Tractable CS 511 Iowa State University November 28, 2010 CS 511 (Iowa State University) Vertex Cover is Fixed-Parameter Tractable November 28, 2010 1 / 18 The Vertex Cover
More informationModel Requirements and JAVA Programs MVP 2 1
Model Requirements and JAVA Programs MVP 2 1 Traditional Software The Waterfall Model Problem Area Development Analysis REVIEWS Design Implementation Costly wrt time and money. Errors are found too late
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationContents. Program 1. Java s Integral Types in PVS (p.4 of 37)
Java s Integral Types in PVS Bart Jacobs bart@cs.kun.nl www.cs.kun.nl/ bart www.verificard.org. Dep. Computer Science, Univ. Nijmegen, NL Contents I. Example programs II. Integral types in Java (implementations)
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationSYNERGY : A New Algorithm for Property Checking
SYNERGY : A New Algorithm for Property Checking Bhargav S. Gulavani Thomas A. Henzinger Yamini Kannan Aditya V. Nori Sriram K. Rajamani bhargav@cse.iitb.ernet.in tah@epfl.ch yaminik@microsoft.com adityan@microsoft.com
More informationSymbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)
Symbolic Execution and Verification Conditions Survey from Homework 4 Time spent: 7.1 hrs (mean), 6 hrs (median) Meeting 13, CSCI 5535, Spring 2009 2 Survey from Homework 4 Fun facts about your classmates:
More informationDual-fitting analysis of Greedy for Set Cover
Dual-fitting analysis of Greedy for Set Cover We showed earlier that the greedy algorithm for set cover gives a H n approximation We will show that greedy produces a solution of cost at most H n OPT LP
More informationAdvances in Programming Languages
O T Y H Advances in Programming Languages APL8: ESC/Java2 David Aspinall (including slides by Ian Stark and material adapted from ESC/Java2 tutorial by David Cok, Joe Kiniry and Erik Poll) School of Informatics
More informationMinimal Dominating Sets in Graphs: Enumeration, Combinatorial Bounds and Graph Classes
Minimal Dominating Sets in Graphs: Enumeration, Combinatorial Bounds and Graph Classes J.-F. Couturier 1 P. Heggernes 2 D. Kratsch 1 P. van t Hof 2 1 LITA Université de Lorraine F-57045 Metz France 2 University
More informationExtended Static Checking for Java
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems Research Center What is Static Checking? Annotated
More informationModel Checking and Its Applications
Model Checking and Its Applications Orna Grumberg Technion, Israel Verification and Deduction Mentoring Workshop July 13, 2018 1 Personal data Ph.d. in (non-automated) verification Postdoc in Model Checking
More informationDiagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline
More informationHaving a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationAbstract Semantic Differencing for Numerical Programs
Abstract Semantic Differencing for Numerical Programs Nimrod Partush Eran Yahav Technion, Israel Semantic differencing Characterize semantic difference between similar programs 2 Motivating example 1.
More informationPredicate Abstraction Daniel Kroening 1
Predicate Abstraction 20.1.2005 Daniel Kroening 1 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationA Non-Blocking Concurrent Queue Algorithm
A Non-Blocking Concurrent Queue Algorithm Bruno Didot bruno.didot@epfl.ch June 2012 Abstract This report presents a new non-blocking concurrent FIFO queue backed by an unrolled linked list. Enqueue and
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationPetri Nets ee249 Fall 2000
Petri Nets ee249 Fall 2000 Marco Sgroi Most slides borrowed from Luciano Lavagno s lecture ee249 (1998) 1 Models Of Computation for reactive systems Main MOCs: Communicating Finite State Machines Dataflow
More informationMulti-Clock Timed Networks
Multi-Clock Timed Networks arosh Aziz Abdulla, Johann Deneux, and ritha Mahata Dept of Information Technology Uppsala University Sweden parosh,johannd,pritha @ituuse Abstract We consider verification of
More informationLOGICAL CONCURRENCY CONTROL FROM SEQUENTIAL PROOFS. address:
Logical Methods in Computer Science Vol. 7 (3:10) 2011, pp. 1 29 www.lmcs-online.org Submitted Jun.26, 2010 Published Sep. 2, 2011 LOGICAL CONCURRENCY CONTROL FROM SEQUENTIAL PROOFS JYOTIRMOY DESHMUKH
More informationCSE101: Design and Analysis of Algorithms. Ragesh Jaiswal, CSE, UCSD
Recap. Growth rates: Arrange the following functions in ascending order of growth rate: n 2 log n n log n 2 log n n/ log n n n Introduction Algorithm: A step-by-step way of solving a problem. Design of
More information