430 research outputs found
Transfer Function Synthesis without Quantifier Elimination
Traditionally, transfer functions have been designed manually for each
operation in a program, instruction by instruction. In such a setting, a
transfer function describes the semantics of a single instruction, detailing
how a given abstract input state is mapped to an abstract output state. The net
effect of a sequence of instructions, a basic block, can then be calculated by
composing the transfer functions of the constituent instructions. However,
precision can be improved by applying a single transfer function that captures
the semantics of the block as a whole. Since blocks are program-dependent, this
approach necessitates automation. There has thus been growing interest in
computing transfer functions automatically, most notably using techniques based
on quantifier elimination. Although conceptually elegant, quantifier
elimination inevitably induces a computational bottleneck, which limits the
applicability of these methods to small blocks. This paper contributes a method
for calculating transfer functions that finesses quantifier elimination
altogether, and can thus be seen as a response to this problem. The
practicality of the method is demonstrated by generating transfer functions for
input and output states that are described by linear template constraints,
which include intervals and octagons.Comment: 37 pages, extended version of ESOP 2011 pape
Computabilities of Validity and Satisfiability in Probability Logics over Finite and Countable Models
The -logic (which is called E-logic in this paper) of
Kuyper and Terwijn is a variant of first order logic with the same syntax, in
which the models are equipped with probability measures and in which the
quantifier is interpreted as "there exists a set of measure
such that for each , ...." Previously, Kuyper and
Terwijn proved that the general satisfiability and validity problems for this
logic are, i) for rational , respectively
-complete and -hard, and ii) for ,
respectively decidable and -complete. The adjective "general" here
means "uniformly over all languages."
We extend these results in the scenario of finite models. In particular, we
show that the problems of satisfiability by and validity over finite models in
E-logic are, i) for rational , respectively
- and -complete, and ii) for , respectively
decidable and -complete. Although partial results toward the countable
case are also achieved, the computability of E-logic over countable
models still remains largely unsolved. In addition, most of the results, of
this paper and of Kuyper and Terwijn, do not apply to individual languages with
a finite number of unary predicates. Reducing this requirement continues to be
a major point of research.
On the positive side, we derive the decidability of the corresponding
problems for monadic relational languages --- equality- and function-free
languages with finitely many unary and zero other predicates. This result holds
for all three of the unrestricted, the countable, and the finite model cases.
Applications in computational learning theory, weighted graphs, and neural
networks are discussed in the context of these decidability and undecidability
results.Comment: 47 pages, 4 tables. Comments welcome. Fixed errors found by Rutger
Kuype
Checking Observational Purity of Procedures
Verifying whether a procedure is observationally pure is useful in many
software engineering scenarios. An observationally pure procedure always
returns the same value for the same argument, and thus mimics a mathematical
function. The problem is challenging when procedures use private mutable global
variables, e.g., for memoization of frequently returned answers, and when they
involve recursion.
We present a novel verification approach for this problem. Our approach
involves encoding the procedure's code as a formula that is a disjunction of
path constraints, with the recursive calls being replaced in the formula with
references to a mathematical function symbol. Then, a theorem prover is invoked
to check whether the formula that has been constructed agrees with the function
symbol referred to above in terms of input-output behavior for all arguments.
We evaluate our approach on a set of realistic examples, using the Boogie
intermediate language and theorem prover. Our evaluation shows that the
invariants are easy to construct manually, and that our approach is effective
at verifying observationally pure procedures.Comment: FASE 201
Building Better Bit-Blasting for Floating-Point Problems
An effective approach to handling the theory of floating-point is to reduce it to the theory of bit-vectors. Implementing the required encodings is complex, error prone and requires a deep understanding of floating-point hardware. This paper presents SymFPU, a library of encodings that can be included in solvers. It also includes a verification argument for its correctness, and experimental results showing that its use in CVC4 out-performs all previous tools. As well as a significantly improved performance and correctness, it is hoped this will give a simple route to add support for the theory of floating-point
Biabduction (and related problems) in array separation logic
We investigate array separation logic (\mathsf {ASL}), a variant of symbolic-heap separation logic in which the data structures are either pointers or arrays, i.e., contiguous blocks of memory. This logic provides a language for compositional memory safety proofs of array programs. We focus on the biabduction problem for this logic, which has been established as the key to automatic specification inference at the industrial scale. We present an \mathsf {NP} decision procedure for biabduction in \mathsf {ASL}, and we also show that the problem of finding a consistent solution is \mathsf {NP}-hard. Along the way, we study satisfiability and entailment in \mathsf {ASL}, giving decision procedures and complexity bounds for both problems. We show satisfiability to be \mathsf {NP}-complete, and entailment to be decidable with high complexity. The surprising fact that biabduction is simpler than entailment is due to the fact that, as we show, the element of choice over biabduction solutions enables us to dramatically reduce the search space
- …