4,320 research outputs found
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
Integrating bottom-up and top-down reasoning in COLAB
The knowledge compilation laboratory COLAB integrates declarative knowledge representation formalisms, providing source-to-source and source-to-code compilers of various knowledge types. Its architecture separates taxonomical and assertional knowledge. The assertional component consists of a constraint system and a rule system, which supports bottom-up and top-down reasoning of Horn clauses. Two approaches for forward reasoning have been implemented. The first set-oriented approach uses a fixpoint computation. It allows top-down verification of selected premises. Goal-directed bottom-up reasoning is achieved by a magic-set transformation of the rules with respect to a goal. The second tuple-oriented approach reasons forward to derive the consequences of an explicitly given set of facts. This is achieved by a transformation of the rules to top-down executable Horn clauses. The paper gives an overview of the various forward reasoning approaches, their compilation into an abstract machine and their integration into the COLAB shell
Satisfiability Modulo ODEs
We study SMT problems over the reals containing ordinary differential
equations. They are important for formal verification of realistic hybrid
systems and embedded software. We develop delta-complete algorithms for SMT
formulas that are purely existentially quantified, as well as exists-forall
formulas whose universal quantification is restricted to the time variables. We
demonstrate scalability of the algorithms, as implemented in our open-source
solver dReal, on SMT benchmarks with several hundred nonlinear ODEs and
variables.Comment: Published in FMCAD 201
A Tree Logic with Graded Paths and Nominals
Regular tree grammars and regular path expressions constitute core constructs
widely used in programming languages and type systems. Nevertheless, there has
been little research so far on reasoning frameworks for path expressions where
node cardinality constraints occur along a path in a tree. We present a logic
capable of expressing deep counting along paths which may include arbitrary
recursive forward and backward navigation. The counting extensions can be seen
as a generalization of graded modalities that count immediate successor nodes.
While the combination of graded modalities, nominals, and inverse modalities
yields undecidable logics over graphs, we show that these features can be
combined in a tree logic decidable in exponential time
Fifty years of Hoare's Logic
We present a history of Hoare's logic.Comment: 79 pages. To appear in Formal Aspects of Computin
User-friendly Support for Common Concepts in a Lightweight Verifier
Machine verification of formal arguments can only increase our confidence in the correctness of those arguments, but the costs of employing machine verification still outweigh the benefits for some common kinds of formal reasoning activities. As a result, usability is becoming increasingly important in the design of formal verification tools. We describe the "aartifact" lightweight verification system, designed for processing formal arguments involving basic, ubiquitous mathematical concepts. The system is a prototype for investigating potential techniques for improving the usability of formal verification systems. It leverages techniques drawn both from existing work and from our own efforts. In addition to a parser for a familiar concrete syntax and a mechanism for automated syntax lookup, the system integrates (1) a basic logical inference algorithm, (2) a database of propositions governing common mathematical concepts, and (3) a data structure that computes congruence closures of expressions involving relations found in this database. Together, these components allow the system to better accommodate the expectations of users interested in verifying formal arguments involving algebraic and logical manipulations of numbers, sets, vectors, and related operators and predicates. We demonstrate the reasonable performance of this system on typical formal arguments and briefly discuss how the system's design contributed to its usability in two case studies
Generalized Craig Interpolation for Stochastic Boolean Satisfiability Problems with Applications to Probabilistic State Reachability and Region Stability
The stochastic Boolean satisfiability (SSAT) problem has been introduced by
Papadimitriou in 1985 when adding a probabilistic model of uncertainty to
propositional satisfiability through randomized quantification. SSAT has many
applications, among them probabilistic bounded model checking (PBMC) of
symbolically represented Markov decision processes. This article identifies a
notion of Craig interpolant for the SSAT framework and develops an algorithm
for computing such interpolants based on a resolution calculus for SSAT. As a
potential application area of this novel concept of Craig interpolation, we
address the symbolic analysis of probabilistic systems. We first investigate
the use of interpolation in probabilistic state reachability analysis, turning
the falsification procedure employing PBMC into a verification technique for
probabilistic safety properties. We furthermore propose an interpolation-based
approach to probabilistic region stability, being able to verify that the
probability of stabilizing within some region is sufficiently large
- …