14,017 research outputs found
Inductive Reachability Witnesses
In this work, we consider the fundamental problem of reachability analysis
over imperative programs with real variables. The reachability property
requires that a program can reach certain target states during its execution.
Previous works that tackle reachability analysis are either unable to handle
programs consisting of general loops (e.g. symbolic execution), or lack
completeness guarantees (e.g. abstract interpretation), or are not automated
(e.g. incorrectness logic/reverse Hoare logic). In contrast, we propose a novel
approach for reachability analysis that can handle general programs, is
(semi-)complete, and can be entirely automated for a wide family of programs.
Our approach extends techniques from both invariant generation and
ranking-function synthesis to reachability analysis through the notion of
(Universal) Inductive Reachability Witnesses (IRWs/UIRWs). While traditional
invariant generation uses over-approximations of reachable states, we consider
the natural dual problem of under-approximating the set of program states that
can reach a target state. We then apply an argument similar to ranking
functions to ensure that all states in our under-approximation can indeed reach
the target set in finitely many steps
Higher-Order Demand-Driven Program Analysis
We explore a novel approach to higher-order program analysis that brings ideas of on-demand lookup from first-order CFL-reachability program analyses to higher-order programs. The analysis needs to produce only a control-flow graph; it can derive all other information including values of variables directly from the graph. Several challenges had to be overcome, including how to build the control-flow graph on-the-fly and how to deal with non-local variables in functions. The resulting analysis is flow- and context-sensitive with a provable polynomial-time bound. The analysis is formalized and proved correct and terminating, and an initial implementation is described
All-Path Reachability Logic
This paper presents a language-independent proof system for reachability
properties of programs written in non-deterministic (e.g., concurrent)
languages, referred to as all-path reachability logic. It derives
partial-correctness properties with all-path semantics (a state satisfying a
given precondition reaches states satisfying a given postcondition on all
terminating execution paths). The proof system takes as axioms any
unconditional operational semantics, and is sound (partially correct) and
(relatively) complete, independent of the object language. The soundness has
also been mechanized in Coq. This approach is implemented in a tool for
semantics-based verification as part of the K framework (http://kframework.org
A Petri Net-Based Tool for Detecting Deadlocks and Race Conditions in Concurrent Programs
A static analysis tool for detecting deadlocks and potential race conditions on shared variables in concurrent programs is presented. It is based on Petri Net modeling and reachability analysis, where a concurrent program is modeled as an augmented Petri net and a reachability graph is then derived and analyzed for desired information. Place-Transition subnets representing programming language constructs are described. Transitions in these subnets are augmented with sets of shared variables that occur in sections of the program, called concurrency zones, related to the transitions. The tool consists of four modules. The modeling module employs the augmented subnets as building blocks in translating only the synchronization-related statements of a concurrent program and connects the subnets to yield the total model. The second module produces an augmented reachability graph for the augmented Petri net. The analyzer module searches the augmented reachability graph for deadlocks, race conditions and other useful analysis information requested by the user about the underlying program. The user interface is provided by an X-window based module. Ada is used as a representative of concurrent languages that adopt the rendezvous model of interprocess communication and synchronization. The validation of the tool, its applicability and limitations are also discussed
Safety Verification of Phaser Programs
We address the problem of statically checking control state reachability (as
in possibility of assertion violations, race conditions or runtime errors) and
plain reachability (as in deadlock-freedom) of phaser programs. Phasers are a
modern non-trivial synchronization construct that supports dynamic parallelism
with runtime registration and deregistration of spawned tasks. They allow for
collective and point-to-point synchronizations. For instance, phasers can
enforce barriers or producer-consumer synchronization schemes among all or
subsets of the running tasks. Implementations %of these recent and dynamic
synchronization are found in modern languages such as X10 or Habanero Java.
Phasers essentially associate phases to individual tasks and use their runtime
values to restrict possible concurrent executions. Unbounded phases may result
in infinite transition systems even in the case of programs only creating
finite numbers of tasks and phasers. We introduce an exact gap-order based
procedure that always terminates when checking control reachability for
programs generating bounded numbers of coexisting tasks and phasers. We also
show verifying plain reachability is undecidable even for programs generating
few tasks and phasers. We then explain how to turn our procedure into a sound
analysis for checking plain reachability (including deadlock freedom). We
report on preliminary experiments with our open source tool
Constraint-based reachability
Iterative imperative programs can be considered as infinite-state systems
computing over possibly unbounded domains. Studying reachability in these
systems is challenging as it requires to deal with an infinite number of states
with standard backward or forward exploration strategies. An approach that we
call Constraint-based reachability, is proposed to address reachability
problems by exploring program states using a constraint model of the whole
program. The keypoint of the approach is to interpret imperative constructions
such as conditionals, loops, array and memory manipulations with the
fundamental notion of constraint over a computational domain. By combining
constraint filtering and abstraction techniques, Constraint-based reachability
is able to solve reachability problems which are usually outside the scope of
backward or forward exploration strategies. This paper proposes an
interpretation of classical filtering consistencies used in Constraint
Programming as abstract domain computations, and shows how this approach can be
used to produce a constraint solver that efficiently generates solutions for
reachability problems that are unsolvable by other approaches.Comment: In Proceedings Infinity 2012, arXiv:1302.310
SMT-based Model Checking for Recursive Programs
We present an SMT-based symbolic model checking algorithm for safety
verification of recursive programs. The algorithm is modular and analyzes
procedures individually. Unlike other SMT-based approaches, it maintains both
"over-" and "under-approximations" of procedure summaries. Under-approximations
are used to analyze procedure calls without inlining. Over-approximations are
used to block infeasible counterexamples and detect convergence to a proof. We
show that for programs and properties over a decidable theory, the algorithm is
guaranteed to find a counterexample, if one exists. However, efficiency depends
on an oracle for quantifier elimination (QE). For Boolean Programs, the
algorithm is a polynomial decision procedure, matching the worst-case bounds of
the best BDD-based algorithms. For Linear Arithmetic (integers and rationals),
we give an efficient instantiation of the algorithm by applying QE "lazily". We
use existing interpolation techniques to over-approximate QE and introduce
"Model Based Projection" to under-approximate QE. Empirical evaluation on
SV-COMP benchmarks shows that our algorithm improves significantly on the
state-of-the-art.Comment: originally published as part of the proceedings of CAV 2014; fixed
typos, better wording at some place
- …