    Enhancing Approximations for Regular Reachability Analysis

    This paper introduces two mechanisms for computing over-approximations of sets of reachable states, with the aim of ensuring termination of state-space exploration. The first mechanism consists in over-approximating the automata representing reachable sets by merging some of their states with respect to simple syntactic criteria, or a combination of such criteria. The second approximation mechanism consists in manipulating an auxiliary automaton when applying a transducer representing the transition relation to an automaton encoding the initial states. In addition, for the second mechanism we propose a new approach to refine the approximations depending on a property of interest. The proposals are evaluated on examples of mutual exclusion protocols.

    SMT-Based False Positive Elimination in Static Program Analysis

    Static program analysis for bug detection in large C/C++ projects typically uses a high-level abstraction of the original program under investigation. As a result, so-called false positives are often inevitable, i.e., warnings that are not true bugs. In this work we present a novel abstraction refinement approach to automatically investigate and eliminate such false positives. Central to our approach is to view static analysis as a model checking problem, to iteratively compute infeasible sub-paths of infeasible paths using SMT solvers, and to refine our models by adding observer automata to exclude such paths. Based on this new framework we present an implementation of the approach in the static analyzer Goanna and discuss a number of real-life experiments on larger C code projects, demonstrating that we were able to remove most false positives automatically.

    Abstract interpretation and partition refinement for model checking


    Flat fragments of CTL and CTL* : separating the expressive and distinguishing powers

    We study both the expressive and the distinguishing powers of flat temporal logics. These are fragments obtained by restricting the first argument of the Until operator to propositional formulae. Both the linear-time and the branching-time cases are considered.

    Integrating real-time into Spin: a prototype implementation

    We present a discrete-time extension of Promela, a high-level modelling language for the specification of concurrent systems, and of the associated Spin model checker. Our implementation is fully compatible with Spin's partial order reduction algorithm, which is indeed one of its main strengths. The real-time package is for the most part orthogonal to the other features of the tool, resulting in a modular extension. We have evaluated it by several experiments, with encouraging results.

    if2pml
