2,785 research outputs found
SMT-based Model Checking for Recursive Programs
We present an SMT-based symbolic model checking algorithm for safety
verification of recursive programs. The algorithm is modular and analyzes
procedures individually. Unlike other SMT-based approaches, it maintains both
"over-" and "under-approximations" of procedure summaries. Under-approximations
are used to analyze procedure calls without inlining. Over-approximations are
used to block infeasible counterexamples and detect convergence to a proof. We
show that for programs and properties over a decidable theory, the algorithm is
guaranteed to find a counterexample, if one exists. However, efficiency depends
on an oracle for quantifier elimination (QE). For Boolean Programs, the
algorithm is a polynomial decision procedure, matching the worst-case bounds of
the best BDD-based algorithms. For Linear Arithmetic (integers and rationals),
we give an efficient instantiation of the algorithm by applying QE "lazily". We
use existing interpolation techniques to over-approximate QE and introduce
"Model Based Projection" to under-approximate QE. Empirical evaluation on
SV-COMP benchmarks shows that our algorithm improves significantly on the
state-of-the-art.Comment: originally published as part of the proceedings of CAV 2014; fixed
typos, better wording at some place
Automated incremental software verification
Software continuously evolves to meet rapidly changing human needs. Each evolved transformation of a program is expected to preserve important correctness and security properties. Aiming to assure program correctness after a change, formal verification techniques, such as Software Model Checking, have recently benefited from fully automated solutions based on symbolic reasoning and abstraction. However, the majority of the state-of-the-art model checkers are designed that each new software version has to be verified from scratch. In this dissertation, we investigate the new Formal Incremental Verification (FIV) techniques that aim at making software analysis more efficient by reusing invested efforts between verification runs. In order to show that FIV can be built on the top of different verification techniques, we focus on three complementary approaches to automated formal verification. First, we contribute the FIV technique for SAT-based Bounded Model Checking developed to verify programs with (possibly recursive) functions with respect to the set of pre-defined assertions. We present the function-summarization framework based on Craig interpolation that allows extracting and reusing over- approximations of the function behaviors. We introduce the algorithm to revalidate the summaries of one program locally in order to prevent re-verification of another program from scratch. Second, we contribute the technique for simulation relation synthesis for loop-free programs that do not necessarily contain assertions. We introduce an SMT-based abstraction- refinement algorithm that proceeds by guessing a relation and checking whether it is a simulation relation. We present a novel algorithm for discovering simulations symbolically, by means of solving ∀∃-formulas and extracting witnessing Skolem relations. Third, we contribute the FIV technique for SMT-based Unbounded Model Checking developed to verify programs with (possibly nested) loops. We present an algorithm that automatically derives simulations between programs with different loop structures. The automatically synthesized simulation relation is then used to migrate the safe inductive invariants across the evolution boundaries. Finally, we contribute the implementation and evaluation of all our algorithmic contributions, and confirm that the state-of-the-art model checking tools can successfully be extended by the FIV capabilities
Soft Contract Verification
Behavioral software contracts are a widely used mechanism for governing the
flow of values between components. However, run-time monitoring and enforcement
of contracts imposes significant overhead and delays discovery of faulty
components to run-time.
To overcome these issues, we present soft contract verification, which aims
to statically prove either complete or partial contract correctness of
components, written in an untyped, higher-order language with first-class
contracts. Our approach uses higher-order symbolic execution, leveraging
contracts as a source of symbolic values including unknown behavioral values,
and employs an updatable heap of contract invariants to reason about
flow-sensitive facts. We prove the symbolic execution soundly approximates the
dynamic semantics and that verified programs can't be blamed.
The approach is able to analyze first-class contracts, recursive data
structures, unknown functions, and control-flow-sensitive refinements of
values, which are all idiomatic in dynamic languages. It makes effective use of
an off-the-shelf solver to decide problems without heavy encodings. The
approach is competitive with a wide range of existing tools---including type
systems, flow analyzers, and model checkers---on their own benchmarks.Comment: ICFP '14, September 1-6, 2014, Gothenburg, Swede
Higher-order Program Verification as Satisfiability Modulo Theories with Algebraic Data-types
We report on work in progress on automatic procedures for proving properties
of programs written in higher-order functional languages. Our approach encodes
higher-order programs directly as first-order SMT problems over Horn clauses.
It is straight-forward to reduce Hoare-style verification of first-order
programs into satisfiability of Horn clauses. The presence of closures offers
several challenges: relatively complete proof systems have to account for
closures; and in practice, the effectiveness of search procedures depend on
encoding strategies and capabilities of underlying solvers. We here use
algebraic data-types to encode closures and rely on solvers that support
algebraic data-types. The viability of the approach is examined using examples
from the literature on higher-order program verification
Combining Static and Dynamic Contract Checking for Curry
Static type systems are usually not sufficient to express all requirements on
function calls. Hence, contracts with pre- and postconditions can be used to
express more complex constraints on operations. Contracts can be checked at run
time to ensure that operations are only invoked with reasonable arguments and
return intended results. Although such dynamic contract checking provides more
reliable program execution, it requires execution time and could lead to
program crashes that might be detected with more advanced methods at compile
time. To improve this situation for declarative languages, we present an
approach to combine static and dynamic contract checking for the functional
logic language Curry. Based on a formal model of contract checking for
functional logic programming, we propose an automatic method to verify
contracts at compile time. If a contract is successfully verified, dynamic
checking of it can be omitted. This method decreases execution time without
degrading reliable program execution. In the best case, when all contracts are
statically verified, it provides trust in the software since crashes due to
contract violations cannot occur during program execution.Comment: Pre-proceedings paper presented at the 27th International Symposium
on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur,
Belgium, 10-12 October 2017 (arXiv:1708.07854
Sequentializing Parameterized Programs
We exhibit assertion-preserving (reachability preserving) transformations
from parameterized concurrent shared-memory programs, under a k-round
scheduling of processes, to sequential programs. The salient feature of the
sequential program is that it tracks the local variables of only one thread at
any point, and uses only O(k) copies of shared variables (it does not use extra
counters, not even one counter to keep track of the number of threads).
Sequentialization is achieved using the concept of a linear interface that
captures the effect an unbounded block of processes have on the shared state in
a k-round schedule. Our transformation utilizes linear interfaces to
sequentialize the program, and to ensure the sequential program explores only
reachable states and preserves local invariants.Comment: In Proceedings FIT 2012, arXiv:1207.348
- …