
    On Verifying Complex Properties using Symbolic Shape Analysis

    One of the main challenges in the verification of software systems is the analysis of unbounded data structures with dynamic memory allocation, such as linked data structures and arrays. We describe Bohne, a new analysis for verifying data structures. Bohne verifies data structure operations and shows that 1) the operations preserve data structure invariants and 2) the operations satisfy their specifications expressed in terms of changes to the set of objects stored in the data structure. During the analysis, Bohne infers loop invariants in the form of disjunctions of universally quantified Boolean combinations of formulas. To synthesize loop invariants of this form, Bohne uses a combination of decision procedures for Monadic Second-Order Logic over trees, SMT-LIB decision procedures (currently CVC Lite), and an automated reasoner within the Isabelle interactive theorem prover. This architecture shows that synthesized loop invariants can serve as a useful communication mechanism between different decision procedures. Using Bohne, we have verified operations on data structures such as linked lists with iterators and back pointers, trees with and without parent pointers, two-level skip lists, array data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob data structure analysis systems, enabling us to combine Bohne with analyses of data structure clients and apply it in the context of larger programs. This report describes the Bohne algorithm as well as techniques that Bohne uses to reduce the amount of annotations and the running time of the analysis.

    On Generalized Records and Spatial Conjunction in Role Logic

    We have previously introduced role logic as a notation for describing properties of relational structures in shape analysis, databases and knowledge bases. A natural fragment of role logic corresponds to two-variable logic with counting and is therefore decidable. We show how to use role logic to describe open and closed records, as well as the dual of records, inverse records. We observe that the spatial conjunction operation of separation logic naturally models record concatenation. Moreover, we show how to eliminate the spatial conjunction of formulas of quantifier depth one in first-order logic with counting. As a result, allowing spatial conjunction of formulas of quantifier depth one preserves the decidability of two-variable logic with counting. This result applies to the two-variable role logic fragment as well. The resulting logic smoothly integrates type system and predicate calculus notation and can be viewed as a natural generalization of the notation for constraints arising in role analysis and similar shape analysis approaches.
    Comment: 30 pages. A version appears in SAS 200

    Simulating reachability using first-order logic with applications to verification of linked data structures

    This paper shows how to harness existing theorem provers for first-order logic to automatically verify safety properties of imperative programs that perform dynamic storage allocation and destructive updating of pointer-valued structure fields. One of the main obstacles is specifying and proving the (absence) of reachability properties among dynamically allocated cells. The main technical contributions are methods for simulating reachability in a conservative way using first-order formulas: the formulas describe a superset of the set of program states that would be specified if one had a precise way to express reachability. These methods are employed for semi-automatic program verification (i.e., using programmer-supplied loop invariants) on programs such as mark-and-sweep garbage collection and destructive reversal of a singly linked list. (The mark-and-sweep example has been previously reported as being beyond the capabilities of ESC/Java.)
    Comment: 30 pages, LMC

    Automating embedded analysis capabilities and managing software complexity in multiphysics simulation part I: template-based generic programming

    An approach for incorporating embedded simulation and analysis capabilities in complex simulation codes through template-based generic programming is presented. This approach relies on templating and operator overloading within the C++ language to transform a given calculation into one that can compute a variety of additional quantities that are necessary for many state-of-the-art simulation and analysis algorithms. An approach for incorporating these ideas into complex simulation codes through general graph-based assembly is also presented. These ideas have been implemented within a set of packages in the Trilinos framework and are demonstrated on a simple problem from chemical engineering

    Implementing Option Pricing Models When Asset Returns Are Predictable

    Option pricing formulas obtained from continuous-time no-arbitrage arguments such as the Black-Scholes formula generally do not depend on the drift term of the underlying asset's diffusion equation. However, the drift is essential for properly implementing such formulas empirically, since the numerical values of the parameters that do appear in the option pricing formula can depend intimately on the drift. In particular, if the underlying asset's returns are predictable, this will influence the theoretical value and the empirical estimate of the diffusion coefficient σ. We develop an adjustment to the Black-Scholes formula that accounts for predictability and show that this adjustment can be important even for small levels of predictability, especially for longer-maturity options. We propose a class of continuous-time linear diffusion processes for asset prices that can capture a wider variety of predictability, and provide several numerical examples that illustrate their importance for pricing options and other derivative assets.

    A Survey of Symbolic Execution Techniques

    Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc
    Comment: This is the authors' pre-print copy.

    Natural discretizations for the divergence, gradient, and curl on logically rectangular grids

    This is the first in a series of papers creating a discrete analog of vector analysis on logically rectangular, nonorthogonal, nonsmooth grids. We introduce notations for 2-D logically rectangular grids, describe both cell-valued and nodal discretizations for scalar functions, and construct the natural discretizations of vector fields, using the vector components normal and tangential to the cell boundaries. We then define natural discrete analogs of the divergence, gradient, and curl operators based on coordinate invariant definitions and interpret these formulas in terms of curvilinear coordinates, such as length of elements of coordinate lines, areas of elements of coordinate surfaces, and elementary volumes. We introduce the discrete volume integral of scalar functions, the discrete surface integral, and a discrete analog of the line integral and prove discrete versions of the main theorems relating these objects. These theorems include the following: the discrete analog of the relationship div A→ = 0 if and only if A→ = curl B→; curl A→ = 0 if and only if A→ = grad ϕ; if A→ = grad ϕ, then the line integral does not depend on path; and if the line integral of a vector function is equal to zero for any closed path, then this vector is the gradient of a scalar function. Last, we define the discrete operators DIV, GRAD, and CURL in terms of primitive differencing operators (based on forward and backward differences) and primitive metric operators (related to multiplications of discrete functions by length of edges, areas of surfaces, and volumes of 3-D cells). These formulations elucidate the structure of the discrete operators and are useful when investigating the relationships between operators and their adjoints.

    Application of optimization techniques to vehicle design: A review

    The work that has been done in the last decade or so in the application of optimization techniques to vehicle design is discussed. Much of the work reviewed deals with the design of body or suspension (chassis) components for reduced weight. Also reviewed are studies dealing with system optimization problems for improved functional performance, such as ride or handling. In reviewing the work on the use of optimization techniques, one notes the transition from the rare mention of the methods in the 70's to an increased effort in the early 80's. Efficient and convenient optimization and analysis tools still need to be developed so that they can be regularly applied in the early design stage of the vehicle development cycle to be most effective. Based on the reported applications, an attempt is made to assess the potential for automotive application of optimization techniques. The major issue involved remains the creation of quantifiable means of analysis to be used in vehicle design. The conventional process of vehicle design still contains much experience-based input because it has not yet proven possible to quantify all important constraints. This restraint on the part of the analysis will continue to be a major limiting factor in the application of optimization to vehicle design.