14 research outputs found
Automatic generation of loop invariants
CppInv works in two stages. Firstly, it parses a source code written in a subset of
C++ and abstracts all execution paths of the program building a control flow graph
associated to a transition system. Paths are expressed as arbitrary propositional
formulas over linear integer arithmetic including high level operators like integer
division and modulo. That makes easy the initial modeling. Later, formulas are
normalized and only paths between a set of locations that cover every cycle of the
control flow graph are regarded.
Secondly, CppInv generates linear invariants at the selected locations setting out
a constraint solving problem. We present a method to discover all linear invariant
of the considered form.
As a result, our tool can find linear invariants efficiently for a large set of interesting
programs. Moreover, CppInv is also able to generate some non-linear invariants
automatically. For instance, it is possible to prove the total correctness of a program
that multiplies two integers from the invariants returned by the tool
Automatic program analysis using Max-SMT
This thesis addresses the development of techniques to build fully-automatic tools for analyzing sequential programs written in imperative languages like C or C++. In order to do the reasoning about programs, the approach taken in this thesis follows the constraint-based method used in program analysis. The idea of the constraint-based method is to consider a template for candidate invariant properties, e.g., linear conjunctions of inequalities. These templates involve both program variables as well as parameters whose values are initially unknown and have to be determined so as to ensure invariance. To this end, the conditions on inductive invariants are expressed by means of constraints (hence the name of the approach) on the unknowns. Any solution to these constraints then yields an invariant. In particular, if linear inequalities are taken as target invariants, conditions can be transformed into arithmetic constraints over the unknowns by means of Farkas' Lemma. In the general case, a Satisfiability Modulo Theories (SMT) problem over non-linear arithmetic is obtained, for which effective SMT solvers exist.
One of the novelties of this thesis is the presentation of an optimization version of the SMT problems generated by the constraint-based method in such a way that, even when they turn out to be unsatisfiable, some useful information can be obtained for refining the program analysis. In particular, we show in this work how our approach can be exploited for proving termination of sequential programs, disproving termination of non-deterministic programs, and do compositional safety verification. Besides, an extension of the constraint-based method to generate universally quantified array invariants is also presented. Since the development of practical methods is a priority in this thesis, all the techniques have been implemented and tested with examples coming from academic and industrial environments.
The main contributions of this thesis are summarized as follows:
1. A new constraint-based method for the generation of universally quantified invariants of array programs. We also provide extensions of the approach for sorted arrays.
2. A novel Max-SMT-based technique for proving termination. Thanks to expressing the generation of a ranking function as a Max-SMT optimization problem where constraints are assigned different weights, quasi-ranking functions -functions that almost satisfy all conditions for ensuring well-foundedness- are produced in a lack of ranking functions. Moreover, Max-SMT makes it easy to combine the process of building the termination argument with the usually necessary task of generating supporting invariants.
3. A Max-SMT constraint-based approach for proving that programs do not terminate. The key notion of the approach is that of a quasi-invariant, which is a property such that if it holds at a location during execution once, then it continues to hold at that location from then onwards. Our technique considers for analysis strongly connected subgraphs of a program's control flow graph and thus produces more generic witnesses of non-termination than existing methods. Furthermore, it can handle programs with unbounded non-determinism.
4. An automated compositional program verification technique for safety properties based on quasi-invariants. For a given program part (e.g., a single loop) and a postcondition, we show how to, using a Max-SMT solver, an inductive invariant together with a precondition can be synthesized so that the precondition ensures the validity of the invariant and that the invariant implies the postcondition. From this, we build a bottom-up program verification framework that propagates preconditions of small program parts as postconditions for preceding program parts. The method recovers from failures to prove validity of a precondition, using the obtained intermediate results to restrict the search space for further proof attempts.Esta tesis se centra en el desarrollo de técnicas para construir herramientas altamente automatizadas que analicen programas secuenciales escritos en lenguajes imperativos como C o C++. Para realizar el razonamiento sobre los programas, la aproximación tomada en esta tesis se basa en un conocido método basado en restricciones utilizado en análisis de progamas. La idea de dicho método consiste en considerar plantillas que expresen propiedades invariantes candidatas, p.e., conjunciones de desigualdades lineales. Estas plantillas contienen tanto variables del programa como parámetros cuyos valores son inicialmente desconocidos y tienen que ser determinados para garantizar la invariancia. Para este fin, las condiciones sobre invariantes inductivos son expresadas mediante restricciones sobre los valores desconocidos. Cualquier solución a estas restricciones llevan a un invariante. En particular, si desigualdades lineales son los invariantes objetivo, las condiciones pueden ser transformadas en restricciones aritméticas sobre los valores desconocidos mediante el lema de Farkas. En el caso general, un problema de Satisfactibilidad Modulo TeorÃas (SMT) sobre aritmética no-lineal es obtenido, para el cual existen resolvedores eficientes. Una de las novedades de esta tesis es la presentación de una versión de optimización de los problemas SMT generados por el método tal que, incluso cuando son insatisfactibles, se puede obtener cierta información útil para refinar el análisis del programa. En particular, en este trabajo se muestra como la aproximación tomada puede usarse para probar terminación de programas, probar la no terminación de programas y realizar verificación por partes de la corrección de programas. Además, también se describe una extensión del método basado en restricciones para generar invariantes universalmente cuantificados sobre arrays. Debido a que el desarrollo de métodos prácticos es una prioridad en esta tesis, todas las técnicas han sido implementadas y probadas con ejemplos extraÃdos del entorno académico e industrial. Las principales contribuciones de esta tesis pueden resumirse en: 1. Un nuevo método basado en restricciones para la generación de invariantes universalmente cuantificados sobre arrays. También se explica extensiones del método para aplicarlo a arrays ordenados. 2. Un técnica novedosa basada en Max-SMT para probar terminación. Gracias a expresar la generación de funciones de ranking como problemas de optimización Max-SMT, donde a las restricciones se les asigna diferentes pesos, se generan cuasi-funciones de ranking, funciones que casi satisfacen todas las condiciones que garantizan la existencia de una relación bien fundada, en ausencia de funciones de ranking. Además, Max-SMT facilita la combinación del proceso de construcción de un argumento de terminación con la tarea habitualmente necesaria de generar invariantes de apoyo. 3. Un método basado en restricciones y Max-SMT para probar que un programa no termina. El concepto clave del método es el de cuasi-invariante, que es una propiedad tal que si se cumple una vez en un punto del programa durante la ejecución, entonces continúa cumpliendose en ese punto desde entonces en adelante. Nuestra técnica considera en su análisis subgrafos fuertemente conexos del grafo de control de flujo del programa y produce testigos de no terminación más genéricos que otros métodos existentes. Además, es capaz de tratar programas con no determinismo. 4. Una técnica automatizada de verificación por partes de propiedades de corrección de un programa basada en cuasi-invariantes. Dado una parte de un programa (p.e., un único bucle) con una postcondición, se muestra como, usando Max-SMT, puede sintetizarse un invariante inductivo junto a una precondición que garantiza la validez del invariante y que el invariante implica la postcondición. Apartir de esto, se describe una infraestructura de verificación de programas de abajo a arriba que propaga precondiciones
Aplicación de las 2 estructuras a las gramáticas del lenguaje humano y representación gráfica de ambas
La teorÃa de las 2-estructuras [5] proporciona una infraestructura matemática para la descomposición y la transformación de grafos. Se trata de un formalismo muy potente y robusto que permite representar múltiples grafos en una sola estructura algebraica, una 2-estructura, y derivar de ella una descomposición única en 2-estructuras más simples. En este proyecto se ha llevado a cabo su estudio con dos finalidades:El diseño y la implementación de un paquete de software que sistematice el análisis, la transformación y la visualización de las principales estructuras involucradas en la teorÃa de las 2-estructuras. La investigación y el desarrollo de posibles aplicaciones de las 2-estructuras a las gramáticas usadas en el procesamiento del lenguaje humano (lenguaje natural).El lenguaje natural es casi en cualquier aspecto más complejo de lo esperado [6]. La sintaxis de muchos idiomas incluye reglas gramaticales que son sensibles al contexto, fenómenos cuyo procesado está muy lejos de tener soluciones eficientes (recordemos que los compiladores de lenguajes de programación sólo procesan un subconjunto muy simple de las gramáticas completamente libres del contexto y que el procesado de gramáticas sensibles al contexto es en general inviable). Las gramáticas suavemente sensibles al contexto (Mildly Context Sensitive Grammars, MCSG) pretenden capturar la sintaxis del lenguaje natural y conseguir su procesado eficiente [7,9]. Entre los lenguajes que describen estas gramáticas encontramos una subclase de gran interés por los siguientes tres motivos. Los lenguajes que contiene capturan un amplio espectro de las dependencias del lenguaje natural, son reconocibles en tiempo polinómico y existen cuatro formalismos independientes entre sà que los generan [8]. Son los lenguajes descritos por las gramáticas de adjunción de árboles (Tree Adjoining Grammars, TAG), las gramáticas de núcleo (Head Grammars, HG), las gramáticas lineales de Ãndices (Linear Indexed Grammars, LIG) y las gramáticas categoriales combinatorias (Combinatory Categorial Grammars, CCG). En este trabajo se presentan dos resultados producto de la investigación sobre la aplicación de las 2-estructuras a algunas de las gramáticas mencionadas: Una extensión de las HG que asocia explÃcitamente un árbol derivado a las cadenas generadas apoyándose en las bases de las 2-estructuras. Un algoritmo que genera una gramática TAG a partir de una frase con dependencias anidadas y cruzadas (las capturables por el formalismo)
Proving termination through conditional termination
We present a constraint-based method for proving conditional termination of integer programs. Building on this, we construct a framework to prove (unconditional) program termination using a powerful mechanism to combine conditional termination proofs. Our key insight is that a conditional termination proof shows termination for a subset of program execution states which do not need to be considered in the remaining analysis. This facilitates more effective termination as well as non-termination analyses, and allows handling loops with different execution phases naturally. Moreover, our method can deal with sequences of loops compositionally. In an empirical evaluation, we show that our implementation VeryMax outperforms state-of-the-art tools on a range of standard benchmarks.Peer ReviewedPostprint (author's final draft
Incomplete SMT techniques for solving non-linear formulas over the integers
We present new methods for solving the Satisfiability Modulo Theories problem over the theory of QuantifierFree Non-linear Integer Arithmetic, SMT(QF-NIA), which consists of deciding the satisfiability of ground formulas with integer polynomial constraints. Following previous work, we propose to solve SMT(QF-NIA)
instances by reducing them to linear arithmetic: non-linear monomials are linearized by abstracting them
with fresh variables and by performing case splitting on integer variables with finite domain. For variables
that do not have a finite domain, we can artificially introduce one by imposing a lower and an upper bound
and iteratively enlarge it until a solution is found (or the procedure times out).
The key for the success of the approach is to determine, at each iteration, which domains have to be
enlarged. Previously, unsatisfiable cores were used to identify the domains to be changed, but no clue was
obtained as to how large the new domains should be. Here, we explain two novel ways to guide this process by
analyzing solutions to optimization problems: (i) to minimize the number of violated artificial domain bounds,
solved via a Max-SMT solver, and (ii) to minimize the distance with respect to the artificial domains, solved
via an Optimization Modulo Theories (OMT) solver. Using this SMT-based optimization technology allows
smoothly extending the method to also solve Max-SMT problems over non-linear integer arithmetic. Finally,
we leverage the resulting Max-SMT(QF-NIA) techniques to solve ∃∀ formulas in a fragment of quantified
non-linear arithmetic that appears commonly in verification and synthesis applications.Peer ReviewedPostprint (author's final draft
Compositional safety verification with Max-SMT
We present an automated compositional program verification technique for safety properties based on conditional inductive invariants. For a given program part (e.g., a single loop) and a postcondition, we show how to, using a Max-SMT solver, an inductive invariant together with a precondition can be synthesized so that the precondition ensures the validity of the invariant and that the invariant implies the postcondition. From this, we build a bottom-up program verification framework that propagates preconditions of small program parts as postconditions for preceding program parts. The method recovers from failures to prove the validity of a precondition, using the obtained intermediate results to restrict the search space for further proof attempts. As only small program parts need to be handled at a time, our method is scalable and distributable. The derived conditions can be viewed as implicit contracts between different parts of the program, and thus enable an incremental program analysis.Peer ReviewedPostprint (published version
Automatic generation of loop invariants
CppInv works in two stages. Firstly, it parses a source code written in a subset of
C++ and abstracts all execution paths of the program building a control flow graph
associated to a transition system. Paths are expressed as arbitrary propositional
formulas over linear integer arithmetic including high level operators like integer
division and modulo. That makes easy the initial modeling. Later, formulas are
normalized and only paths between a set of locations that cover every cycle of the
control flow graph are regarded.
Secondly, CppInv generates linear invariants at the selected locations setting out
a constraint solving problem. We present a method to discover all linear invariant
of the considered form.
As a result, our tool can find linear invariants efficiently for a large set of interesting
programs. Moreover, CppInv is also able to generate some non-linear invariants
automatically. For instance, it is possible to prove the total correctness of a program
that multiplies two integers from the invariants returned by the tool
Automatic generation of loop invariants
CppInv works in two stages. Firstly, it parses a source code written in a subset of
C++ and abstracts all execution paths of the program building a control flow graph
associated to a transition system. Paths are expressed as arbitrary propositional
formulas over linear integer arithmetic including high level operators like integer
division and modulo. That makes easy the initial modeling. Later, formulas are
normalized and only paths between a set of locations that cover every cycle of the
control flow graph are regarded.
Secondly, CppInv generates linear invariants at the selected locations setting out
a constraint solving problem. We present a method to discover all linear invariant
of the considered form.
As a result, our tool can find linear invariants efficiently for a large set of interesting
programs. Moreover, CppInv is also able to generate some non-linear invariants
automatically. For instance, it is possible to prove the total correctness of a program
that multiplies two integers from the invariants returned by the tool
Proving termination of imperative programs using Max-SMT
We show how Max-SMT can be exploited in constraint-based program termination proving. Thanks to expressing the generation of a ranking function as a Max-SMT optimization problem where constraints are assigned different weights, quasi-ranking functions --functions that almost satisfy all conditions for ensuring well-foundedness-- are produced in a lack of ranking functions. By means of trace partitioning, this allows our method to progress in the termination analysis where other approaches would get stuck. Moreover, Max-SMT makes it easy to combine the process of building the termination argument with the usually necessary task of generating supporting invariants. The method has been implemented in a prototype that has successfully been tested on a wide set of programs.Peer Reviewe
Minimal-model-guided approaches to solving polynomial constraints and extensions
In this paper we present new methods for deciding the satisfiability of formulas involving integer polynomial constraints. In previous work we proposed to solve SMT(NIA) problems by reducing them to SMT(LIA): non-linear monomials are linearized by abstracting them with fresh variables and by performing case splitting on integer variables with finite domain. When variables do not have finite domains, artificial ones can be introduced by imposing a lower and an upper bound, and made iteratively larger until a solution is found (or the procedure times out). For the approach to be practical, unsatisfiable cores are used to guide which domains have to be relaxed (i.e., enlarged) from one iteration to the following one. However, it is not clear then how large they have to be made, which is critical. Here we propose to guide the domain relaxation step by analyzing minimal models produced by the SMT(LIA) solver. Namely, we consider two different cost functions: the number of violated artificial domain bounds, and the distance with respect to the artificial domains. We compare these approaches with other techniques on benchmarks coming from constraint-based program analysis and show the potential of the method. Finally, we describe how one of these minimal-model-guided techniques can be smoothly adapted to deal with the extension Max-SMT of SMT(NIA) and then applied to program termination proving.Peer Reviewe