61 research outputs found
Interpolant-Based Transition Relation Approximation
In predicate abstraction, exact image computation is problematic, requiring
in the worst case an exponential number of calls to a decision procedure. For
this reason, software model checkers typically use a weak approximation of the
image. This can result in a failure to prove a property, even given an adequate
set of predicates. We present an interpolant-based method for strengthening the
abstract transition relation in case of such failures. This approach guarantees
convergence given an adequate set of predicates, without requiring an exact
image computation. We show empirically that the method converges more rapidly
than an earlier method based on counterexample analysis.Comment: Conference Version at CAV 2005. 17 Pages, 9 Figure
The software model checker BLAST: Applications to software engineering
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs
Abstraction refinement with craig interpolation and symbolic pushdown systems
Counterexample-guided abstraction refinement (CEGAR) has proven to be a powerful method for software model-checking. In this paper, we investigate this concept in the context of sequential (possibly recursive) programs whose statements are given as BDDs. We examine how Craig interpolants can be computed efficiently in this case and propose a new, special type of interpolants. Moreover, we show how to treat multiple counterexamples in one refinement cycle. We have implemented this approach within the model-checker Moped and report on experiments
Interpolation Properties and SAT-based Model Checking
Craig interpolation is a widespread method in verification, with important
applications such as Predicate Abstraction, CounterExample Guided Abstraction
Refinement and Lazy Abstraction With Interpolants. Most state-of-the-art model
checking techniques based on interpolation require collections of interpolants
to satisfy particular properties, to which we refer as "collectives"; they do
not hold in general for all interpolation systems and have to be established
for each particular system and verification environment. Nevertheless, no
systematic approach exists that correlates the individual interpolation systems
and compares the necessary collectives. This paper proposes a uniform
framework, which encompasses (and generalizes) the most common collectives
exploited in verification. We use it for a systematic study of the collectives
and of the constraints they pose on propositional interpolation systems used in
SAT-based model checking
- …