
    Scaling Bounded Model Checking By Transforming Programs With Arrays

    Bounded Model Checking is one of the most successful techniques for finding bugs in programs. However, model checkers are resource hungry and are often unable to verify programs with loops iterating over large arrays. We present a transformation that enables bounded model checkers to verify a certain class of array properties. Our technique transforms an array-manipulating (ANSI-C) program into an array-free and loop-free (ANSI-C) program, thereby reducing the resource requirements of a model checker significantly. Model checking of the transformed program using an off-the-shelf bounded model checker simulates the loop iterations efficiently. The transformed program is a sound abstraction of the original program and is also precise in a large number of cases; we formally characterize the class of programs for which it is guaranteed to be precise. We demonstrate the applicability and usefulness of our technique on both industry code and academic benchmarks.

    Efficient Certified RAT Verification

    Clausal proofs have become a popular approach to validating the results of SAT solvers. However, validating clausal proofs in the most widely supported format (DRAT) is expensive even in highly optimized implementations. We present a new format, called LRAT, which extends the DRAT format with hints that facilitate a simple and fast validation algorithm. Checking the validity of LRAT proofs can be implemented using trusted systems such as the languages supported by theorem provers. We demonstrate this by implementing two certified LRAT checkers, one in Coq and one in ACL2.
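    The hint-driven check that the abstract describes, as an added example in Python (it is not the paper's Coq or ACL2 checker): each LRAT addition line names, in order, the clause ids whose unit propagation leads to a conflict, so the checker never has to search the clause database the way a DRAT checker must. The example covers only RUP steps with positive hint ids and rejects RAT hints (negative ids); the sample CNF and proof are constructed by hand.

```python
# Added example (not the paper's Coq/ACL2 checker): a minimal checker for the
# RUP subset of LRAT, i.e. addition steps whose hints are all positive clause
# ids. RAT steps (negative hint ids) are deliberately rejected here.
from typing import Dict, List, Tuple

Clause = List[int]
Step = Tuple[int, str, List[int], List[int]]  # (id, "a"|"d", clause_or_ids, hints)


def parse_dimacs(text: str) -> Dict[int, Clause]:
    """Parse DIMACS CNF; clauses get ids 1..n in order of appearance, as LRAT expects."""
    db: Dict[int, Clause] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "cp":
            continue
        lits = [int(t) for t in line.split()]
        db[len(db) + 1] = lits[:-1]  # drop the terminating 0
    return db


def parse_lrat(text: str) -> List[Step]:
    """Parse LRAT lines: '<id> <lits> 0 <hints> 0' or '<id> d <ids> 0'."""
    steps: List[Step] = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[1] == "d":
            steps.append((int(toks[0]), "d", [int(t) for t in toks[2:-1]], []))
        else:
            nums = [int(t) for t in toks[1:]]
            z = nums.index(0)
            steps.append((int(toks[0]), "a", nums[:z], nums[z + 1:-1]))
    return steps


def rup_with_hints(db: Dict[int, Clause], clause: Clause, hints: List[int]) -> bool:
    """LRAT-style check of one addition. Assume the negation of `clause`, then
    visit the hinted clauses in the given order: each must be unit (extend the
    assignment) or falsified (conflict, so `clause` is implied). No search."""
    true_lits = {-l for l in clause}
    for h in hints:
        if h <= 0 or h not in db:
            return False  # RAT hint or dangling id: rejected in this example
        d = db[h]
        if any(l in true_lits for l in d):
            return False  # a satisfied clause propagates nothing: malformed hint
        unassigned = [l for l in d if -l not in true_lits]
        if not unassigned:
            return True  # conflict reached
        if len(unassigned) != 1:
            return False  # hint is not unit under the current assignment
        true_lits.add(unassigned[0])
    return False  # hints ran out without a conflict


def rup_without_hints(db: Dict[int, Clause], clause: Clause) -> bool:
    """DRAT-style check of the same property: with no hints the checker must
    rescan the whole clause database to fixpoint, which is what LRAT avoids."""
    true_lits = {-l for l in clause}
    changed = True
    while changed:
        changed = False
        for d in db.values():
            if any(l in true_lits for l in d):
                continue
            unassigned = [l for l in d if -l not in true_lits]
            if not unassigned:
                return True
            if len(unassigned) == 1:
                true_lits.add(unassigned[0])
                changed = True
    return False


def check_lrat(cnf_text: str, proof_text: str) -> bool:
    """True iff every addition is justified by its hints and the empty clause is derived."""
    db = parse_dimacs(cnf_text)
    for cid, kind, body, hints in parse_lrat(proof_text):
        if kind == "d":
            for i in body:
                db.pop(i, None)
            continue
        if cid in db or not rup_with_hints(db, body, hints):
            return False
        db[cid] = body
        if not body:
            return True
    return False


# Constructed sample: an unsatisfiable 2-variable CNF (clause ids 1..4) and a
# hand-written LRAT refutation with one deletion step.
SAMPLE_CNF = "p cnf 2 4\n1 2 0\n1 -2 0\n-1 2 0\n-1 -2 0\n"
SAMPLE_LRAT = "5 1 0 1 2 0\n5 d 1 2 0\n6 0 5 3 4 0\n"
# Same clauses, but step 5 hints at clause 3, which is satisfied by the
# assumption -1 and so cannot be unit: a well-formed checker must reject it.
BAD_LRAT = "5 1 0 3 0\n6 0 5 3 4 0\n"

if __name__ == "__main__":
    print("valid proof accepted:", check_lrat(SAMPLE_CNF, SAMPLE_LRAT))
    print("bad hint rejected:", not check_lrat(SAMPLE_CNF, BAD_LRAT))
```

    The contrast between the two RUP functions is the point: with hints the checker does one linear pass over named clauses and can be kept small enough to verify in a proof assistant, whereas the hint-free version has to rescan the database until nothing changes. A strict checker also rejects hints that are already satisfied or not unit, since accepting them would let a malformed proof slip through.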

    Rich Counter-Examples for Temporal-Epistemic Logic Model Checking

    Model checking verifies that a model of a system satisfies a given property, and otherwise produces a counter-example explaining the violation. The verified properties are formally expressed in temporal logics. Some temporal logics, such as CTL, are branching: they allow one to express facts about the whole computation tree of the model, rather than about each single linear computation. This branching aspect is even more critical when dealing with multi-modal logics, i.e. logics expressing facts about systems with several transition relations. A prominent example is CTLK, a logic that reasons about temporal and epistemic properties of multi-agent systems. In general, model checkers produce linear counter-examples for failed properties, composed of a single computation path of the model. But some branching properties are only poorly and partially explained by a linear counter-example. This paper proposes richer counter-example structures called tree-like annotated counter-examples (TLACEs), for properties in Action-Restricted CTL (ARCTL), an extension of CTL quantifying over paths restricted in terms of the actions labeling transitions of the model. These counter-examples have a branching structure that supports a more complete description of property violations. Elements of these counter-examples are annotated with parts of the property to give a better understanding of their structure. Visualization and browsing of these richer counter-examples become a critical issue, as the number of branches and states can grow exponentially for deeply nested properties. This paper formally defines the structure of TLACEs, characterizes adequate counter-examples w.r.t. models and failed properties, and gives a generation algorithm for ARCTL properties. It also illustrates the approach with examples in CTLK, using a reduction of CTLK to ARCTL. The proposed approach has been implemented, first by extending the NuSMV model checker to generate and export branching counter-examples, and secondly by providing an interactive graphical interface to visualize and browse them.
    Comment: In Proceedings IWIGP 2012, arXiv:1202.422

    Witness and Counterexample Automata for ACTL

    Witnesses and counterexamples produced by model checkers provide a very useful source of diagnostic information. They are usually returned in the form of a single computation path through the model of the system. However, a single computation path is not enough to explain all the reasons for validity or failure. Our work in this area is motivated by the application of action-based model checking algorithms to test case generation for models formally specified with a CCS-like process algebra. There, only linear and finite witnesses and counterexamples are useful, and for a given formula and model an efficient representation of the set of witnesses (counterexamples) explaining all reasons for validity (failure) is needed. This paper identifies a fragment of action computation tree logic (ACTL) that can be handled in this way. Moreover, a suitable form of witnesses and counterexamples is proposed, and witness and counterexample automata are introduced, which are finite automata recognizing them. An algorithm for generating such automata is given.

    Localizing Defects in Multithreaded Programs by Mining Dynamic Call Graphs

    Writing multithreaded software for multicore computers confronts many developers with the difficulty of finding parallel programming errors. In the past, most parallel debugging techniques have concentrated on finding race conditions due to wrong usage of synchronization constructs. A widely unexplored issue, however, is that wrong usage of non-parallel programming constructs may also cause wrong parallel application behavior. This paper presents a novel defect-localization technique for multithreaded shared-memory programs that is based on analyzing execution anomalies. Compared to race detectors, which report only wrong synchronization, this method can detect a wider range of defects affecting parallel execution. It works on a condensed representation of the call graphs of multithreaded applications and employs data-mining techniques to locate a method containing a defect. Our results from controlled application experiments show that we found race conditions, but also other programming errors leading to incorrect parallel program behavior. On average, across our benchmark, our approach reduced the amount of code to be inspected to just 7.1% of all methods.

    Search for CP violation in D0 and D+ decays

    A high statistics sample of photoproduced charm particles from the FOCUS (E831) experiment at Fermilab has been used to search for CP violation in the Cabibbo suppressed decay modes D+ to K-K+pi+, D0 to K-K+ and D0 to pi-pi+. We have measured the following CP asymmetry parameters: A_CP(K-K+pi+) = +0.006 +/- 0.011 +/- 0.005, A_CP(K-K+) = -0.001 +/- 0.022 +/- 0.015 and A_CP(pi-pi+) = +0.048 +/- 0.039 +/- 0.025, where the first error is statistical and the second error is systematic. These asymmetries are consistent with zero, with smaller errors than previous measurements.
    Comment: 12 pages, 4 figures

    The Target Silicon Detector for the FOCUS Spectrometer

    We describe a silicon microstrip detector interleaved with segments of a beryllium oxide target, which was used in the FOCUS photoproduction experiment at Fermilab. The detector was designed to improve the vertex resolution and to enhance the reconstruction efficiency of short-lived charm particles.
    Comment: 18 pages, 14 figures

    New FOCUS results on charm mixing and CP violation

    We present a summary of recent results on CP violation and mixing in the charm quark sector, based on a high statistics sample collected by the photoproduction experiment FOCUS (E831 at Fermilab). We have measured the difference in lifetimes for the $D^0$ decays $D^0 \to K^-\pi^+$ and $D^0 \to K^-K^+$. This translates into a measurement of the $y_{CP}$ mixing parameter in the $D^0$ system, under the assumptions that $K^-K^+$ is an equal mixture of CP odd and CP even eigenstates, and that CP violation is negligible in the neutral charm meson system. We verified the latter assumption by searching for a CP violating asymmetry in the Cabibbo suppressed decay modes $D^+ \to K^-K^+\pi^+$, $D^0 \to K^-K^+$ and $D^0 \to \pi^-\pi^+$. We show preliminary results on a measurement of the branching ratio $\Gamma(D^{*+} \to \pi^+ (K^+\pi^-)) / \Gamma(D^{*+} \to \pi^+ (K^-\pi^+))$.
    Comment: 9 pages, 6 figures, requires espcrc2.sty. Presented by S.Bianco at CPConf2000, September 2000, Ferrara (Italy). In this revision, fixed several stylistic flaws, added two significant references, fixed a typo in Tab.
