21 research outputs found
Invariant Synthesis for Incomplete Verification Engines
We propose a framework for synthesizing inductive invariants for incomplete
verification engines, which soundly reduce logical problems in undecidable
theories to decidable theories. Our framework is based on the counter-example
guided inductive synthesis principle (CEGIS) and allows verification engines to
communicate non-provability information to guide invariant synthesis. We show
precisely how the verification engine can compute such non-provability
information and how to build effective learning algorithms when invariants are
expressed as Boolean combinations of a fixed set of predicates. Moreover, we
evaluate our framework in two verification settings, one in which verification
engines need to handle quantified formulas and one in which verification
engines have to reason about heap properties expressed in an expressive but
undecidable separation logic. Our experiments show that our invariant synthesis
framework based on non-provability information can both effectively synthesize
inductive invariants and adequately strengthen contracts across a large suite
of programs
Program Verification with Separation Logic
International audienceSeparation Logic is a framework for the development of modular program analyses for sequential, inter-procedural and concurrent programs. The first part of the paper introduces Separation Logic first from a historical, then from a program verification perspective. Because program verification eventually boils down to deciding logical queries such as the validity of verification conditions, the second part is dedicated to a survey of decision procedures for Separation Logic, that stem from either SMT, proof theory or automata theory. Incidentally we address issues related to decidability and computational complexity of such problems, in order to expose certain sources of intractability
Enhancing Symbolic Execution of Heap-based Programs with Separation Logic for Test Input Generation
Symbolic execution is a well established method for test input generation.
Despite of having achieved tremendous success over numerical domains, existing
symbolic execution techniques for heap-based programs are limited due to the
lack of a succinct and precise description for symbolic values over unbounded
heaps. In this work, we present a new symbolic execution method for heap-based
programs based on separation logic. The essence of our proposal is
context-sensitive lazy initialization, a novel approach for efficient test
input generation. Our approach differs from existing approaches in two ways.
Firstly, our approach is based on separation logic, which allows us to
precisely capture preconditions of heap-based programs so that we avoid
generating invalid test inputs. Secondly, we generate only fully initialized
test inputs, which are more useful in practice compared to those partially
initialized test inputs generated by the state-of-the-art tools. We have
implemented our approach as a tool, called Java StarFinder, and evaluated it on
a set of programs with complex heap inputs. The results show that our approach
significantly reduces the number of invalid test inputs and improves the test
coverage
Concolic Testing Heap-Manipulating Programs
Concolic testing is a test generation technique which works effectively by
integrating random testing generation and symbolic execution. Existing concolic
testing engines focus on numeric programs. Heap-manipulating programs make
extensive use of complex heap objects like trees and lists. Testing such
programs is challenging due to multiple reasons. Firstly, test inputs for such
program are required to satisfy non-trivial constraints which must be specified
precisely. Secondly, precisely encoding and solving path conditions in such
programs are challenging and often expensive. In this work, we propose the
first concolic testing engine called CSF for heap-manipulating programs based
on separation logic. CSF effectively combines specification-based testing and
concolic execution for test input generation. It is evaluated on a set of
challenging heap-manipulating programs. The results show that CSF generates
valid test inputs with high coverage efficiently. Furthermore, we show that CSF
can be potentially used in combination with precondition inference tools to
reduce the user effort