7,287 research outputs found
On Verifying Complex Properties using Symbolic Shape Analysis
One of the main challenges in the verification of software systems is the
analysis of unbounded data structures with dynamic memory allocation, such as
linked data structures and arrays. We describe Bohne, a new analysis for
verifying data structures. Bohne verifies data structure operations and shows
that 1) the operations preserve data structure invariants and 2) the operations
satisfy their specifications expressed in terms of changes to the set of
objects stored in the data structure. During the analysis, Bohne infers loop
invariants in the form of disjunctions of universally quantified Boolean
combinations of formulas. To synthesize loop invariants of this form, Bohne
uses a combination of decision procedures for Monadic Second-Order Logic over
trees, SMT-LIB decision procedures (currently CVC Lite), and an automated
reasoner within the Isabelle interactive theorem prover. This architecture
shows that synthesized loop invariants can serve as a useful communication
mechanism between different decision procedures. Using Bohne, we have verified
operations on data structures such as linked lists with iterators and back
pointers, trees with and without parent pointers, two-level skip lists, array
data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob
data structure analysis systems, enabling us to combine Bohne with analyses of
data structure clients and apply it in the context of larger programs. This
report describes the Bohne algorithm as well as techniques that Bohne uses to
reduce the ammount of annotations and the running time of the analysis
Modular Construction of Shape-Numeric Analyzers
The aim of static analysis is to infer invariants about programs that are
precise enough to establish semantic properties, such as the absence of
run-time errors. Broadly speaking, there are two major branches of static
analysis for imperative programs. Pointer and shape analyses focus on inferring
properties of pointers, dynamically-allocated memory, and recursive data
structures, while numeric analyses seek to derive invariants on numeric values.
Although simultaneous inference of shape-numeric invariants is often needed,
this case is especially challenging and is not particularly well explored.
Notably, simultaneous shape-numeric inference raises complex issues in the
design of the static analyzer itself.
In this paper, we study the construction of such shape-numeric, static
analyzers. We set up an abstract interpretation framework that allows us to
reason about simultaneous shape-numeric properties by combining shape and
numeric abstractions into a modular, expressive abstract domain. Such a modular
structure is highly desirable to make its formalization and implementation
easier to do and get correct. To achieve this, we choose a concrete semantics
that can be abstracted step-by-step, while preserving a high level of
expressiveness. The structure of abstract operations (i.e., transfer, join, and
comparison) follows the structure of this semantics. The advantage of this
construction is to divide the analyzer in modules and functors that implement
abstractions of distinct features.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455
Relay: A New IR for Machine Learning Frameworks
Machine learning powers diverse services in industry including search,
translation, recommendation systems, and security. The scale and importance of
these models require that they be efficient, expressive, and portable across an
array of heterogeneous hardware devices. These constraints are often at odds;
in order to better accommodate them we propose a new high-level intermediate
representation (IR) called Relay. Relay is being designed as a
purely-functional, statically-typed language with the goal of balancing
efficient compilation, expressiveness, and portability. We discuss the goals of
Relay and highlight its important design constraints. Our prototype is part of
the open source NNVM compiler framework, which powers Amazon's deep learning
framework MxNet
Symbolic and analytic techniques for resource analysis of Java bytecode
Recent work in resource analysis has translated the idea of amortised resource analysis to imperative languages using a program logic that allows mixing of assertions about heap shapes, in the tradition of separation logic, and assertions about consumable resources. Separately, polyhedral methods have been used to calculate bounds on numbers of iterations in loop-based programs. We are attempting to combine these ideas to deal with Java programs involving both data structures and loops, focusing on the bytecode level rather than on source code
Template-based verification of heap-manipulating programs
We propose a shape analysis suitable for analysis engines that perform automatic invariant inference using an SMT solver. The proposed solution includes an abstract template domain that encodes the shape of a program heap based on logical formulae over bit-vectors. It is based on a points-to relation between pointers and symbolic addresses of abstract memory objects. Our abstract heap domain can be combined with value domains in a straight-forward manner, which particularly allows us to reason about shapes and contents of heap structures at the same time. The information obtained from the analysis can be used to prove reachability and memory safety properties of programs manipulating dynamic data structures, mainly linked lists. The solution has been implemented in 2LS and compared against state-of-the-art tools that perform the best in heap-related categories of the well-known Software Verification Competition (SV-COMP). Results show that 2LS outperforms these tools on benchmarks requiring combined reasoning about unbounded data structures and their numerical contents
Synthesizing Short-Circuiting Validation of Data Structure Invariants
This paper presents incremental verification-validation, a novel approach for
checking rich data structure invariants expressed as separation logic
assertions. Incremental verification-validation combines static verification of
separation properties with efficient, short-circuiting dynamic validation of
arbitrarily rich data constraints. A data structure invariant checker is an
inductive predicate in separation logic with an executable interpretation; a
short-circuiting checker is an invariant checker that stops checking whenever
it detects at run time that an assertion for some sub-structure has been fully
proven statically. At a high level, our approach does two things: it statically
proves the separation properties of data structure invariants using a static
shape analysis in a standard way but then leverages this proof in a novel
manner to synthesize short-circuiting dynamic validation of the data
properties. As a consequence, we enable dynamic validation to make up for
imprecision in sound static analysis while simultaneously leveraging the static
verification to make the remaining dynamic validation efficient. We show
empirically that short-circuiting can yield asymptotic improvements in dynamic
validation, with low overhead over no validation, even in cases where static
verification is incomplete
Spatial Interpolants
We propose Splinter, a new technique for proving properties of
heap-manipulating programs that marries (1) a new separation logic-based
analysis for heap reasoning with (2) an interpolation-based technique for
refining heap-shape invariants with data invariants. Splinter is property
directed, precise, and produces counterexample traces when a property does not
hold. Using the novel notion of spatial interpolants modulo theories, Splinter
can infer complex invariants over general recursive predicates, e.g., of the
form all elements in a linked list are even or a binary tree is sorted.
Furthermore, we treat interpolation as a black box, which gives us the freedom
to encode data manipulation in any suitable theory for a given program (e.g.,
bit vectors, arrays, or linear arithmetic), so that our technique immediately
benefits from any future advances in SMT solving and interpolation.Comment: Short version published in ESOP 201
Reliability Assurance for Deep Neural Network Architectures Against Numerical Defects
With the widespread deployment of deep neural networks (DNNs), ensuring the
reliability of DNN-based systems is of great importance. Serious reliability
issues such as system failures can be caused by numerical defects, one of the
most frequent defects in DNNs. To assure high reliability against numerical
defects, in this paper, we propose the RANUM approach including novel
techniques for three reliability assurance tasks: detection of potential
numerical defects, confirmation of potential-defect feasibility, and suggestion
of defect fixes. To the best of our knowledge, RANUM is the first approach that
confirms potential-defect feasibility with failure-exhibiting tests and
suggests fixes automatically. Extensive experiments on the benchmarks of 63
real-world DNN architectures show that RANUM outperforms state-of-the-art
approaches across the three reliability assurance tasks. In addition, when the
RANUM-generated fixes are compared with developers' fixes on open-source
projects, in 37 out of 40 cases, RANUM-generated fixes are equivalent to or
even better than human fixes.Comment: To appear at 45th International Conference on Software Engineering
(ICSE 2023), camera-ready versio
An Abstract Domain to Infer Symbolic Ranges over Nonnegative Parameters
AbstractThe value range information of program variables is useful in many applications such as compiler optimization and program analysis. In the framework of abstract interpretation, the interval abstract domain infers numerical bounds for each program variable. However, in certain applications such as automatic parallelization, symbolic ranges are often desired. In this paper, we present a new numerical abstract domain, namely the abstract domain of parametric ranges, to infer symbolic ranges over nonnegative parameters for each program variable. The new domain is designed based on the insight that in certain contexts, program procedures often have nonnegative parameters, such as the length of an input list and the size of an input array. The domain of parametric ranges seeks to infer the lower and upper bounds for each program variable where each bound is a linear expression over nonnegative parameters. The time and memory complexity of the domain operations of parametric ranges is O(nm) where n is the number of program variables and m is the number of nonnegative parameters. On this basis, we show the application of parametric ranges to infer symbolic ranges of the sizes of list segments in programs manipulating singly-linked lists. Finally, we show preliminary experimental results
- âŠ