    Abstract Interpretation with Unfoldings

    We present and evaluate a technique for computing path-sensitive interference conditions during abstract interpretation of concurrent programs. In lieu of fixed point computation, we use prime event structures to compactly represent causal dependence and interference between sequences of transformers. Our main contribution is an unfolding algorithm that uses a new notion of independence to avoid redundant transformer application, thread-local fixed points to reduce the size of the unfolding, and a novel cutoff criterion based on subsumption to guarantee termination of the analysis. Our experiments show that the abstract unfolding produces an order of magnitude fewer false alarms than a mature abstract interpreter, while being several orders of magnitude faster than solver-based tools that have the same precision.
    Comment: Extended version of the paper (with the same title and authors) to appear at CAV 201

    Global Guidance for Local Generalization in Model Checking

    SMT-based model checkers, especially IC3-style ones, are currently the most effective techniques for verification of infinite state systems. They infer global inductive invariants via local reasoning about a single step of the transition relation of a system, while employing SMT-based procedures, such as interpolation, to mitigate the limitations of local reasoning and allow for better generalization. Unfortunately, these mitigations intertwine model checking with heuristics of the underlying SMT-solver, negatively affecting stability of model checking. In this paper, we propose to tackle the limitations of locality in a systematic manner. We introduce explicit global guidance into the local reasoning performed by IC3-style algorithms. To this end, we extend the SMT-IC3 paradigm with three novel rules, designed to mitigate fundamental sources of failure that stem from locality. We instantiate these rules for the theory of Linear Integer Arithmetic and implement them on top of the Spacer solver in Z3. Our empirical results show that GSpacer, Spacer extended with global guidance, is significantly more effective than both Spacer and sole global reasoning, and, furthermore, is insensitive to interpolation.
    Comment: Published in CAV 202

    Invariant Synthesis for Incomplete Verification Engines

    We propose a framework for synthesizing inductive invariants for incomplete verification engines, which soundly reduce logical problems in undecidable theories to decidable theories. Our framework is based on the counter-example guided inductive synthesis principle (CEGIS) and allows verification engines to communicate non-provability information to guide invariant synthesis. We show precisely how the verification engine can compute such non-provability information and how to build effective learning algorithms when invariants are expressed as Boolean combinations of a fixed set of predicates. Moreover, we evaluate our framework in two verification settings, one in which verification engines need to handle quantified formulas and one in which verification engines have to reason about heap properties expressed in an expressive but undecidable separation logic. Our experiments show that our invariant synthesis framework based on non-provability information can both effectively synthesize inductive invariants and adequately strengthen contracts across a large suite of programs

    Extended Follow-Up Following a Phase 2b Randomized Trial of the Candidate Malaria Vaccines FP9 ME-TRAP and MVA ME-TRAP among Children in Kenya

    Background. "FFM ME-TRAP" is sequential immunisation with two attenuated poxvirus vectors (FP9 and modified vaccinia virus Ankara) delivering the pre-erythrocytic malaria antigen ME-TRAP. Over nine months follow-up in our original study, there was no evidence that FFM ME-TRAP provided protection against malaria. The incidence of malaria was slightly higher in children who received FFM ME-TRAP, but this was not statistically significant (hazard ratio 1.5, 95% CI 1.0-2.3). Although the study was unblinded, another nine months follow-up was planned to monitor the incidence of malaria and other serious adverse events. Methods and Findings. 405 children aged 1-6 yrs were initially randomized to vaccination with either FFM ME-TRAP or control (rabies vaccine). 380 children were still available for follow-up after the first nine months. Children were seen weekly and whenever they were unwell for nine months monitoring. The axillary temperature was measured, and blood films taken when febrile. The primary analysis was time to parasitaemia >2,500/µl. During the second nine months monitoring, 49 events met the primary endpoint (febrile malaria with parasites >2,500/µl) in the Intention To Treat (ITT) group. 23 events occurred among the 189 children in the FFM ME-TRAP group, and 26 among the 194 children in the control group. In the full 18 months of monitoring, there were 63 events in the FFM ME-TRAP group and 60 in the control group (HR = 1.2, CI 0.84-1.73, p = 0.35). There was no evidence that the HR changed over the 18 months (test for interaction between time and vaccination p = 0.11). Conclusions. Vaccination with FFM ME-TRAP was not protective against malaria in this study. Malaria incidence during 18 months of surveillance was similar in both vaccine groups. Trial Registration. Controlled-Trials.com ISRCTN88335123

    Sex-differential impact of human cytomegalovirus infection on in vitro reactivity to toll-like receptor 2, 4 and 7/8 stimulation in Gambian infants

    Human cytomegalovirus (HCMV) infection rates approach 100% by the first year of life in low-income countries. It is not known if this drives changes to innate immunity in early life and thereby altered immune reactivity to infections and vaccines. Given the panoply of sex differences in immunity, it is feasible that any immunological effects of HCMV would differ in males and females. We analysed ex vivo innate cytokine responses to a panel of toll-like receptor (TLR) ligands in 108 nine-month-old Gambian males and females participating in a vaccine trial. We found evidence that HCMV suppressed reactivity to TLR2 and TLR7/8 stimulation in females but not males. This is likely to contribute to sex differences in responses to infections and vaccines in early life and has implications for the development of TLR ligands as vaccine adjuvants. Development of an effective HCMV vaccine would be able to circumvent some of these potentially negative effects of HCMV infection in childhood.

    Extracting Safe Thread Schedules from Incomplete Model Checking Results

    Model checkers frequently fail to completely verify a concurrent program, even if partial-order reduction is applied. The verification engineer is left in doubt whether the program is safe and the effort toward verifying the program is wasted. We present a technique that uses the results of such incomplete verification attempts to construct a (fair) scheduler that allows the safe execution of the partially verified concurrent program. This scheduler restricts the execution to schedules that have been proven safe (and prevents executions that were found to be erroneous). We evaluate the performance of our technique and show how it can be improved using partial-order reduction. While constraining the scheduler results in a considerable performance penalty in general, we show that in some cases our approach—somewhat surprisingly—even leads to faster executions