29 research outputs found

    Proving Safety with Trace Automata and Bounded Model Checking

    Loop under-approximation is a technique that enriches C programs with additional branches that represent the effect of a (limited) range of loop iterations. While this technique can speed up the detection of bugs significantly, it introduces redundant execution traces which may complicate the verification of the program. This holds particularly true for verification tools based on Bounded Model Checking, which incorporate simplistic heuristics to determine whether all feasible iterations of a loop have been considered. We present a technique that uses trace automata to eliminate redundant executions after performing loop acceleration. The method reduces the diameter of the program under analysis, which is in certain cases sufficient to allow a safety proof using Bounded Model Checking. Our transformation is precise: it does not introduce false positives, nor does it mask any errors. We have implemented the analysis as a source-to-source transformation, and present experimental results showing the applicability of the technique.

    Lynx: A Programmatic SAT Solver for the RNA-folding Problem

    15th International Conference, Trento, Italy, June 17-20, 2012. Proceedings.

    This paper introduces Lynx, an incremental programmatic SAT solver that allows non-expert users to introduce domain-specific code into modern conflict-driven clause-learning (CDCL) SAT solvers, thus enabling users to guide the behavior of the solver. The key idea of Lynx is a callback interface that enables non-expert users to specialize the SAT solver to a class of Boolean instances. The user writes specialized code for a class of Boolean formulas, which is periodically called by Lynx's search routine in its inner loop through the callback interface. The user-provided code is allowed to examine partial solutions generated by the solver during its search, and to respond by adding CNF clauses back to the solver dynamically and incrementally. Thus, the user-provided code can specialize and influence the solver's search in a highly targeted fashion. While the power of incremental SAT solvers has been amply demonstrated in the SAT literature and in the context of DPLL(T), it has not been previously made available as a programmatic API that is easy to use for non-expert users. Lynx's callback interface is a simple yet very effective strategy that addresses this need. We demonstrate the benefits of Lynx through a case study from computational biology, namely, the RNA secondary structure prediction problem. The constraints that make up this problem fall into two categories: structural constraints, which describe properties of the biological structure of the solution, and energetic constraints, which encode quantitative requirements that the solution must satisfy. We show that by introducing structural constraints on demand through user-provided code we can achieve, in comparison with standard SAT approaches, up to 30x reduction in memory usage and up to 100x reduction in time.

    Extended Thromboprophylaxis with Betrixaban in Acutely Ill Medical Patients

    Background: Patients with acute medical illnesses are at prolonged risk for venous thrombosis. However, the appropriate duration of thromboprophylaxis remains unknown.

    Methods: Patients who were hospitalized for acute medical illnesses were randomly assigned to receive subcutaneous enoxaparin (at a dose of 40 mg once daily) for 10±4 days plus oral betrixaban placebo for 35 to 42 days or subcutaneous enoxaparin placebo for 10±4 days plus oral betrixaban (at a dose of 80 mg once daily) for 35 to 42 days. We performed sequential analyses in three prespecified, progressively inclusive cohorts: patients with an elevated d-dimer level (cohort 1), patients with an elevated d-dimer level or an age of at least 75 years (cohort 2), and all the enrolled patients (overall population cohort). The statistical analysis plan specified that if the between-group difference in any analysis in this sequence was not significant, the other analyses would be considered exploratory. The primary efficacy outcome was a composite of asymptomatic proximal deep-vein thrombosis and symptomatic venous thromboembolism. The principal safety outcome was major bleeding.

    Results: A total of 7513 patients underwent randomization. In cohort 1, the primary efficacy outcome occurred in 6.9% of patients receiving betrixaban and 8.5% receiving enoxaparin (relative risk in the betrixaban group, 0.81; 95% confidence interval [CI], 0.65 to 1.00; P=0.054). The rates were 5.6% and 7.1%, respectively (relative risk, 0.80; 95% CI, 0.66 to 0.98; P=0.03) in cohort 2 and 5.3% and 7.0% (relative risk, 0.76; 95% CI, 0.63 to 0.92; P=0.006) in the overall population. (The last two analyses were considered to be exploratory owing to the result in cohort 1.) In the overall population, major bleeding occurred in 0.7% of the betrixaban group and 0.6% of the enoxaparin group (relative risk, 1.19; 95% CI, 0.67 to 2.12; P=0.55).

    Conclusions: Among acutely ill medical patients with an elevated d-dimer level, there was no significant difference between extended-duration betrixaban and a standard regimen of enoxaparin in the prespecified primary efficacy outcome. However, prespecified exploratory analyses provided evidence suggesting a benefit for betrixaban in the two larger cohorts. (Funded by Portola Pharmaceuticals; APEX ClinicalTrials.gov number, NCT01583218.)

    Successful use of incremental BMC in the automotive industry

    Program analysis is on the brink of mainstream usage in embedded systems development. Formal verification of behavioural requirements, finding runtime errors and automated test case generation are some of the most common applications of automated verification tools based on Bounded Model Checking (BMC). Existing industrial tools for embedded software use an off-the-shelf Bounded Model Checker and apply it iteratively to verify the program with an increasing number of unwindings. This approach unnecessarily wastes time repeating work that has already been done and fails to exploit the power of incremental SAT solving. This paper reports on the extension of the software model checker Cbmc to support incremental BMC and its successful integration with the industrial embedded software verification tool BTC EmbeddedTester. We present an extensive evaluation over large industrial embedded programs, mainly from the automotive industry. We show that incremental BMC cuts runtimes by one order of magnitude in comparison to the standard non-incremental approach, enabling the application of formal verification to large and complex embedded software.

    Inferring definite counterexamples through under-approximation

    Abstract interpretation for proving safety properties summarizes concrete traces into abstract states, thereby trading the ability to distinguish traces for tractability. Given a violation of a safety property, it is thus unclear which trace led to the violation. Moreover, since part of the abstract state is over-approximate, such a trace may not exist at all. We propose a novel backward analysis that is based on abduction of propositional Boolean logic and that only generates legitimate traces that reveal actual defects. The key to tractability lies in modifying an existing projection algorithm to stop prematurely with an under-approximation and by combining various algorithmic techniques to handle loops finitely.