68 research outputs found
Interpolant tree automata and their application in Horn clause verification
This paper investigates the combination of abstract interpretation over the
domain of convex polyhedra with interpolant tree automata, in an
abstraction-refinement scheme for Horn clause verification. These techniques
have been previously applied separately, but are combined in a new way in this
paper. The role of an interpolant tree automaton is to provide a generalisation
of a spurious counterexample during refinement, capturing a possibly infinite
set of spurious counterexample traces. In our approach these traces are then
eliminated using a transformation of the Horn clauses. We compare this approach
with two other methods; one of them uses interpolant tree automata in an
algorithm for trace abstraction and refinement, while the other uses abstract
interpretation over the domain of convex polyhedra without the generalisation
step. Evaluation of the results of experiments on a number of Horn clause
verification problems indicates that the combination of interpolant tree
automaton with abstract interpretation gives some increase in the power of the
verification tool, while sometimes incurring a performance overhead.Comment: In Proceedings VPT 2016, arXiv:1607.0183
Combining Forward and Backward Abstract Interpretation of Horn Clauses
Alternation of forward and backward analyses is a standard technique in
abstract interpretation of programs, which is in particular useful when we wish
to prove unreachability of some undesired program states. The current
state-of-the-art technique for combining forward (bottom-up, in logic
programming terms) and backward (top-down) abstract interpretation of Horn
clauses is query-answer transformation. It transforms a system of Horn clauses,
such that standard forward analysis can propagate constraints both forward, and
backward from a goal. Query-answer transformation is effective, but has issues
that we wish to address. For that, we introduce a new backward collecting
semantics, which is suitable for alternating forward and backward abstract
interpretation of Horn clauses. We show how the alternation can be used to
prove unreachability of the goal and how every subsequent run of an analysis
yields a refined model of the system. Experimentally, we observe that combining
forward and backward analyses is important for analysing systems that encode
questions about reachability in C programs. In particular, the combination that
follows our new semantics improves the precision of our own abstract
interpreter, including when compared to a forward analysis of a
query-answer-transformed system.Comment: Francesco Ranzato. 24th International Static Analysis Symposium
(SAS), Aug 2017, New York City, United States. Springer, Static Analysi
An iterative approach to precondition inference using constrained Horn clauses
We present a method for automatic inference of conditions on the initial
states of a program that guarantee that the safety assertions in the program
are not violated. Constrained Horn clauses (CHCs) are used to model the program
and assertions in a uniform way, and we use standard abstract interpretations
to derive an over-approximation of the set of unsafe initial states. The
precondition then is the constraint corresponding to the complement of that
set, under-approximating the set of safe initial states. This idea of
complementation is not new, but previous attempts to exploit it have suffered
from the loss of precision. Here we develop an iterative specialisation
algorithm to give more precise, and in some cases optimal safety conditions.
The algorithm combines existing transformations, namely constraint
specialisation, partial evaluation and a trace elimination transformation. The
last two of these transformations perform polyvariant specialisation, leading
to disjunctive constraints which improve precision. The algorithm is
implemented and tested on a benchmark suite of programs from the literature in
precondition inference and software verification competitions.Comment: Paper presented at the 34nd International Conference on Logic
Programming (ICLP 2018), Oxford, UK, July 14 to July 17, 2018 18 pages, LaTe
Solving non-linear Horn clauses using a linear Horn clause solver
In this paper we show that checking satisfiability of a set of non-linear
Horn clauses (also called a non-linear Horn clause program) can be achieved
using a solver for linear Horn clauses. We achieve this by interleaving a
program transformation with a satisfiability checker for linear Horn clauses
(also called a solver for linear Horn clauses). The program transformation is
based on the notion of tree dimension, which we apply to a set of non-linear
clauses, yielding a set whose derivation trees have bounded dimension. Such a
set of clauses can be linearised. The main algorithm then proceeds by applying
the linearisation transformation and solver for linear Horn clauses to a
sequence of sets of clauses with successively increasing dimension bound. The
approach is then further developed by using a solution of clauses of lower
dimension to (partially) linearise clauses of higher dimension. We constructed
a prototype implementation of this approach and performed some experiments on a
set of verification problems, which shows some promise.Comment: In Proceedings HCVS2016, arXiv:1607.0403
Enhancing Predicate Pairing with Abstraction for Relational Verification
Relational verification is a technique that aims at proving properties that
relate two different program fragments, or two different program runs. It has
been shown that constrained Horn clauses (CHCs) can effectively be used for
relational verification by applying a CHC transformation, called predicate
pairing, which allows the CHC solver to infer relations among arguments of
different predicates. In this paper we study how the effects of the predicate
pairing transformation can be enhanced by using various abstract domains based
on linear arithmetic (i.e., the domain of convex polyhedra and some of its
subdomains) during the transformation. After presenting an algorithm for
predicate pairing with abstraction, we report on the experiments we have
performed on over a hundred relational verification problems by using various
abstract domains. The experiments have been performed by using the VeriMAP
transformation and verification system, together with the Parma Polyhedra
Library (PPL) and the Z3 solver for CHCs.Comment: Pre-proceedings paper presented at the 27th International Symposium
on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur,
Belgium, 10-12 October 2017 (arXiv:1708.07854
Precondition Inference via Partitioning of Initial States
Precondition inference is a non-trivial task with several applications in
program analysis and verification. We present a novel iterative method for
automatically deriving sufficient preconditions for safety and unsafety of
programs which introduces a new dimension of modularity. Each iteration
maintains over-approximations of the set of \emph{safe} and \emph{unsafe}
\emph{initial} states. Then we repeatedly use the current abstractions to
partition the program's \emph{initial} states into those known to be safe,
known to be unsafe and unknown, and construct a revised program focusing on
those initial states that are not yet known to be safe or unsafe. An
experimental evaluation of the method on a set of software verification
benchmarks shows that it can solve problems which are not solvable using
previous methods.Comment: 19 pages, 8 figure
A Survey of Satisfiability Modulo Theory
Satisfiability modulo theory (SMT) consists in testing the satisfiability of
first-order formulas over linear integer or real arithmetic, or other theories.
In this survey, we explain the combination of propositional satisfiability and
decision procedures for conjunctions known as DPLL(T), and the alternative
"natural domain" approaches. We also cover quantifiers, Craig interpolants,
polynomial arithmetic, and how SMT solvers are used in automated software
analysis.Comment: Computer Algebra in Scientific Computing, Sep 2016, Bucharest,
Romania. 201
- …