57 research outputs found
Constraint-Based Abstraction of a Model Checker for Infinite State Systems
Abstract. Abstract interpretation-based model checking provides an approach to verifying properties of infinite-state systems. In practice, most previous work on abstract model checking is either restricted to verifying universal properties, or develops special techniques for temporal logics such as modal transition sys-tems or other dual transition systems. By contrast we apply completely standard techniques for constructing abstract interpretations to the abstraction of a CTL semantic function, without restricting the kind of properties that can be verified. Furthermore we show that this leads directly to implementation of abstract model checking algorithms for abstract domains based on constraints, making use of an SMT solver.
Towards Parameterized Regular Type Inference Using Set Constraints
We propose a method for inferring \emph{parameterized regular types} for
logic programs as solutions for systems of constraints over sets of finite
ground Herbrand terms (set constraint systems). Such parameterized regular
types generalize \emph{parametric} regular types by extending the scope of the
parameters in the type definitions so that such parameters can relate the types
of different predicates. We propose a number of enhancements to the procedure
for solving the constraint systems that improve the precision of the type
descriptions inferred. The resulting algorithm, together with a procedure to
establish a set constraint system from a logic program, yields a program
analysis that infers tighter safe approximations of the success types of the
program than previous comparable work, offering a new and useful efficiency vs.
precision trade-off. This is supported by experimental results, which show the
feasibility of our analysis
Parallel backtracking with answer memoing for independent and-parallelism
Goal-level Independent and-parallelism (IAP) is exploited by scheduling for simultaneous execution two or more goals which will not interfere with each other at run time. This can be done safely even if such goals can produce múltiple answers. The most successful IAP implementations to date have used recomputation of answers and sequentially ordered backtracking. While in principie simplifying the
implementation, recomputation can be very inefficient if the granularity of the parallel goals is large enough and they produce several answers, while sequentially ordered backtracking limits parallelism.
And, despite the expected simplification, the implementation of the classic schemes has proved to involve complex engineering, with the consequent difficulty for system maintenance and extensión, while still frequently running into the well-known trapped goal and garbage slot problems. This work presents an alternative parallel backtracking model for IAP and its implementation. The model features parallel out-of-order (i.e., non-chronological) backtracking and relies on answer memoization to reuse and combine answers. We show that this approach can bring significant performance advantages.
Also, it can bring some simplification to the important engineering task involved in implementing the backtracking mechanism of previous approaches
Completeness of string analysis for dynamic languages
In Abstract Interpretation, completeness ensures that the analysis does not lose information with respect to the property of interest. In particular, for dynamic languages like JavaScript, completeness of string analysis is a key security issue, as poorly managed string manipulation code may easily lead to significant security flaws. In this paper, we provide a systematic and constructive approach for generating the completion of string domains for dynamic languages, and we apply it to the refinement of existing string abstractions. We also provide an effective procedure to measure the precision improvement obtained when lifting the analysis to complete domains
experimental evaluation of numerical domains for inferring ranges
Abstract Among the numerical abstract domains for detecting linear relationships between program variables, the polyhedra domain is, from a purely theoretical point of view, the most precise one. Other domains, such as intervals, octagons and parallelotopes, are less expressive but generally more efficient. We focus our attention on interval constraints and, using a suite of benchmarks, we experimentally show that, in practice, polyhedra may often compute results less precise than the other domains, due to the use of the widening operator
Timed Analysis of Security Protocols
We propose a method for engineering security protocols that are aware of
timing aspects. We study a simplified version of the well-known Needham
Schroeder protocol and the complete Yahalom protocol, where timing information
allows the study of different attack scenarios. We model check the protocols
using UPPAAL. Further, a taxonomy is obtained by studying and categorising
protocols from the well known Clark Jacob library and the Security Protocol
Open Repository (SPORE) library. Finally, we present some new challenges and
threats that arise when considering time in the analysis, by providing a novel
protocol that uses time challenges and exposing a timing attack over an
implementation of an existing security protocol
Non-Strict Independence-Based Program Parallelization Using Sharing and Freeness Information.
The current ubiquity of multi-core processors has brought renewed interest in program parallelization. Logic programs allow studying the parallelization of programs with complex, dynamic data structures with (declarative) pointers in a comparatively simple semantic setting. In this context, automatic parallelizers which exploit and-parallelism rely on notions of independence in order to ensure certain efficiency properties. “Non-strict” independence is a more relaxed notion than the traditional notion of “strict” independence which still ensures the relevant efficiency properties and can allow considerable more parallelism. Non-strict independence cannot be determined solely at run-time (“a priori”) and thus global analysis is a requirement. However, extracting non-strict independence information from available analyses and domains is non-trivial. This paper provides on one hand an extended presentation of our classic techniques for compile-time detection of non-strict independence based on extracting information from (abstract interpretation-based) analyses using the now well understood and popular Sharing + Freeness domain. This includes algorithms for combined compile-time/run-time detection which involve special run-time checks for this type of parallelism. In addition, we propose herein novel annotation (parallelization) algorithms, URLP and CRLP, which are specially suited to non-strict independence. We also propose new ways of using the Sharing + Freeness information to optimize how the run-time environments of goals are kept apart during parallel execution. Finally, we also describe the implementation of these techniques in our parallelizing compiler and recall some early performance results. We provide as well an extended description of our pictorial representation of sharing and freeness information
Verification of Imperative Programs by Constraint Logic Program Transformation
We present a method for verifying partial correctness properties of
imperative programs that manipulate integers and arrays by using techniques
based on the transformation of constraint logic programs (CLP). We use CLP as a
metalanguage for representing imperative programs, their executions, and their
properties. First, we encode the correctness of an imperative program, say
prog, as the negation of a predicate 'incorrect' defined by a CLP program T. By
construction, 'incorrect' holds in the least model of T if and only if the
execution of prog from an initial configuration eventually halts in an error
configuration. Then, we apply to program T a sequence of transformations that
preserve its least model semantics. These transformations are based on
well-known transformation rules, such as unfolding and folding, guided by
suitable transformation strategies, such as specialization and generalization.
The objective of the transformations is to derive a new CLP program TransfT
where the predicate 'incorrect' is defined either by (i) the fact 'incorrect.'
(and in this case prog is not correct), or by (ii) the empty set of clauses
(and in this case prog is correct). In the case where we derive a CLP program
such that neither (i) nor (ii) holds, we iterate the transformation. Since the
problem is undecidable, this process may not terminate. We show through
examples that our method can be applied in a rather systematic way, and is
amenable to automation by transferring to the field of program verification
many techniques developed in the field of program transformation.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455
- …