27,492 research outputs found
On model checking data-independent systems with arrays without reset
A system is data-independent with respect to a data type X iff the operations
it can perform on values of type X are restricted to just equality testing. The
system may also store, input and output values of type X. We study model
checking of systems which are data-independent with respect to two distinct
type variables X and Y, and may in addition use arrays with indices from X and
values from Y . Our main interest is the following parameterised model-checking
problem: whether a given program satisfies a given temporal-logic formula for
all non-empty nite instances of X and Y . Initially, we consider instead the
abstraction where X and Y are infinite and where partial functions with finite
domains are used to model arrays. Using a translation to data-independent
systems without arrays, we show that the u-calculus model-checking problem is
decidable for these systems. From this result, we can deduce properties of all
systems with finite instances of X and Y . We show that there is a procedure
for the above parameterised model-checking problem of the universal fragment of
the u-calculus, such that it always terminates but may give false negatives. We
also deduce that the parameterised model-checking problem of the universal
disjunction-free fragment of the u-calculus is decidable. Practical motivations
for model checking data-independent systems with arrays include verification of
memory and cache systems, where X is the type of memory addresses, and Y the
type of storable values. As an example we verify a fault-tolerant memory
interface over a set of unreliable memories.Comment: Appeared in Theory and Practice of Logic Programming, vol. 4, no.
5&6, 200
Scaling Bounded Model Checking By Transforming Programs With Arrays
Bounded Model Checking is one the most successful techniques for finding bugs
in program. However, model checkers are resource hungry and are often unable to
verify programs with loops iterating over large arrays.We present a
transformation that enables bounded model checkers to verify a certain class of
array properties. Our technique transforms an array-manipulating (ANSI-C)
program to an array-free and loop-free (ANSI-C) program thereby reducing the
resource requirements of a model checker significantly. Model checking of the
transformed program using an off-the-shelf bounded model checker simulates the
loop iterations efficiently. Thus, our transformed program is a sound
abstraction of the original program and is also precise in a large number of
cases - we formally characterize the class of programs for which it is
guaranteed to be precise. We demonstrate the applicability and usefulness of
our technique on both industry code as well as academic benchmarks
A Static Analyzer for Large Safety-Critical Software
We show that abstract interpretation-based static program analysis can be
made efficient and precise enough to formally verify a class of properties for
a family of large programs with few or no false alarms. This is achieved by
refinement of a general purpose static analyzer and later adaptation to
particular programs of the family by the end-user through parametrization. This
is applied to the proof of soundness of data manipulation operations at the
machine level for periodic synchronous safety critical embedded software. The
main novelties are the design principle of static analyzers by refinement and
adaptation through parametrization, the symbolic manipulation of expressions to
improve the precision of abstract transfer functions, the octagon, ellipsoid,
and decision tree abstract domains, all with sound handling of rounding errors
in floating point computations, widening strategies (with thresholds, delayed)
and the automatic determination of the parameters (parametrized packing)
Proving Safety with Trace Automata and Bounded Model Checking
Loop under-approximation is a technique that enriches C programs with
additional branches that represent the effect of a (limited) range of loop
iterations. While this technique can speed up the detection of bugs
significantly, it introduces redundant execution traces which may complicate
the verification of the program. This holds particularly true for verification
tools based on Bounded Model Checking, which incorporate simplistic heuristics
to determine whether all feasible iterations of a loop have been considered.
We present a technique that uses \emph{trace automata} to eliminate redundant
executions after performing loop acceleration. The method reduces the diameter
of the program under analysis, which is in certain cases sufficient to allow a
safety proof using Bounded Model Checking. Our transformation is precise---it
does not introduce false positives, nor does it mask any errors. We have
implemented the analysis as a source-to-source transformation, and present
experimental results showing the applicability of the technique
A Logical Framework for Reputation Systems
Reputation systems are meta systems that record, aggregate and distribute information about the past behaviour of principals in an application. Typically, these applications are large-scale open distributed systems where principals are virtually anonymous, and (a priori) have no knowledge about the trustworthiness of each other. Reputation systems serve two primary purposes: helping principals decide whom to trust, and providing an incentive for principals to well-behave. A logical policy-based framework for reputation systems is presented. In the framework, principals specify policies which state precise requirements on the past behaviour of other principals that must be fulfilled in order for interaction to take place. The framework consists of a formal model of behaviour, based on event structures; a declarative logical language for specifying properties of past behaviour; and efficient dynamic algorithms for checking whether a particular behaviour satisfies a property from the language. It is shown how the framework can be extended in several ways, most notably to encompass parameterized events and quantification over parameters. In an extended application, it is illustrated how the framework can be applied for dynamic history-based access control for safe execution of unknown and untrusted programs
Verification of Imperative Programs by Constraint Logic Program Transformation
We present a method for verifying partial correctness properties of
imperative programs that manipulate integers and arrays by using techniques
based on the transformation of constraint logic programs (CLP). We use CLP as a
metalanguage for representing imperative programs, their executions, and their
properties. First, we encode the correctness of an imperative program, say
prog, as the negation of a predicate 'incorrect' defined by a CLP program T. By
construction, 'incorrect' holds in the least model of T if and only if the
execution of prog from an initial configuration eventually halts in an error
configuration. Then, we apply to program T a sequence of transformations that
preserve its least model semantics. These transformations are based on
well-known transformation rules, such as unfolding and folding, guided by
suitable transformation strategies, such as specialization and generalization.
The objective of the transformations is to derive a new CLP program TransfT
where the predicate 'incorrect' is defined either by (i) the fact 'incorrect.'
(and in this case prog is not correct), or by (ii) the empty set of clauses
(and in this case prog is correct). In the case where we derive a CLP program
such that neither (i) nor (ii) holds, we iterate the transformation. Since the
problem is undecidable, this process may not terminate. We show through
examples that our method can be applied in a rather systematic way, and is
amenable to automation by transferring to the field of program verification
many techniques developed in the field of program transformation.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455
- …