Counterexample-guided abstraction refinement for linear programs with arrays

Predicate abstraction refinement is one of the leading approaches to software verification. The key idea is to abstract the input program into a Boolean Program (i.e. a program whose variables range over the Boolean values only and model the truth values of predicates corresponding to properties of the program state), and refinement searches for new predicates in order to build a new, more refined abstraction. Thus Boolean programs are commonly employed as a simple, yet useful abstraction. However, the effectiveness of predicate abstraction refinement on programs that involve a tight interplay between data-flow and control-flow is still to be ascertained. We present a novel counterexample guided abstraction refinement procedure for Linear Programs with arrays, a fragment of the C programming language where variables and array elements range over a numeric domain and expressions involve linear combinations of variables and array elements. In our procedure the input program is abstracted w.r.t. a family of sets of array indices, the abstraction is a Linear Program (without arrays), and refinement searches for new array indices. We use Linear Programs as the target of the abstraction (instead of Boolean programs) as they allow to express complex correlations between data and control. Thus, unlike the approaches based on predicate abstraction, our approach treats arrays precisely. This is an important feature as arrays are ubiquitous in programming. We provide a precise account of the abstraction, Model Checking, and refinement processes, discuss their implementation in the EUREKA tool, and present a detailed analysis of the experimental results confirming the effectiveness of our approach on a number of programs of interest

Single-assignment program verification

Programa de Doutoramento em Informática (MAP-i)No contexto da verificação de programas, são várias as ferramentas que assentam na tradução de programas numa forma single-assignment (umas implicitamente e outras explicitamente), e depois num algoritmo que gera condições de verificação. Nesta tese, revisitamos dois grandes métodos tipicamente utilizados para a geração de condições de verificação a partir de programas single-assignment: predicate transformers (utilizados maioritariamente por ferramentas dedutivas) e a transformação baseada em conditional normal form (utilizados em bounded model checking de software). Com isto, identificamos vários aspetos nos quais estes métodos diferem e mostramos como estes podem ser combinados para produzir novos geradores de condições de verificação. Os métodos resultantes, juntamente com os iniciais, formam aquilo que designamos por VCGen cube e que propomos como uma framework para sintetizar e comparar a geração de condições de verificação. A nível teórico, propomos duas abordagens para a verificação baseada na tradução de programas em single-assignment e subsequente geração de condições de verificação. Por um lado, formalizamos uma técnica assente na tradução de programas While, anotados com invariantes de ciclo, em programas single-assignment contendo um comando especial para captar os respetivos ciclos e invariantes. Provas sobre a soundness e completeness do fluxo completo da técnica são apresentadas. A formalização da técnica é baseada numa lógica de programas que é adaptation-complete. Numa segunda abordagem, definimos formalmente a noção de programa single-assignment (sem ciclos) contendo os comandos assume e assert, e também exceções, e introduzimos uma lógica para estes programas que nos permite mostrar que o VCGen cube é sound e complete. Uma técnica de verificação que assenta na tradução de programas em single-assignment é então proposta e mais uma vez, o fluxo completo da framework é provado como sendo sound e complete. Em particular, a tradução concreta (esta também provada correta) traduz programas contendo ciclos em programas sem ciclos. Para a avaliação empírica dos geradores de condições de verificação, recorremos a duas abordagens, uma no contexto da linguagem intermédia LLVM, e outra no contexto da ferramenta de verificação dedutiva Why3. Embora os resultados não indiquem superioridade absoluta de nenhum método, estes revelam tendências interessantes.Many program veri cation tools rely on the translation of code annotated with properties into an intermediate single-assignment form (in a more or less explicit way), and then on an algorithm that generates veri cation conditions from it. In this thesis, we revisit two major methods that are widely used to produce veri cation conditions for single-assignment programs: predicate transformers (used mostly by deductive veri cation tools) and the conditional normal form transformation (used in bounded model checking of software). We identify different aspects in which the methods differ and show that they can be combined to produce new hybrid veri cation condition generators; together with the initial algorithms they form what we call the VCGen cube, which we propose as a framework for synthesizing and comparing veri cation condition generators. Optimizations implemented by veri cation tools are then integrated into the cube. At the theoretical level we propose two fully proved veri cation frameworks based on the translation into single-assignment and subsequent generation of veri cation conditions. On one hand we formalize program veri cation based on the translation of While programs annotated with loop invariants into an iterating single-assignment language with a dedicated iterating construct. Soundness and completeness proofs are given for the entire workflow, including the translation of annotated programs into iterating single-assignment form. The formalization is based on a program logic that we show to be adaptation-complete. On the other hand we formally de fine an iteration-free single-assignment language with assume, assert, and exceptions, and introduce a program logic for this language which allows us to prove the soundness and completeness of the VCGen cube. A veri cation framework based on the translation of programs into (iteration-free) single-assignment form is then proposed, and the entire workflow is proved to be sound and complete. We also suggest a concrete singleassignment translation that transforms annotated loops into assumes and asserts to check that the annotated invariants are valid and preserved during the iterations. Finally, we compare the veri cation condition generators empirically, both for programs of the LLVM intermediate representation (a concrete popular intermediate language that is based on SA form), and in the context of the Why3 deductive veri cation tool. Although the results do not indicate absolute superiority of any given method, they do allow us to identify interesting trends.This work was funded by FCT - Foundation for Science and Technology, the Portuguese Ministry of Science, Technology and Higher Education, through the Operacional Programme for Human Capital (POCH). Grant reference: PD/BD/52236/2013