49 research outputs found
The Tree Width of Separation Logic with Recursive Definitions
Separation Logic is a widely used formalism for describing dynamically
allocated linked data structures, such as lists, trees, etc. The decidability
status of various fragments of the logic constitutes a long standing open
problem. Current results report on techniques to decide satisfiability and
validity of entailments for Separation Logic(s) over lists (possibly with
data). In this paper we establish a more general decidability result. We prove
that any Separation Logic formula using rather general recursively defined
predicates is decidable for satisfiability, and moreover, entailments between
such formulae are decidable for validity. These predicates are general enough
to define (doubly-) linked lists, trees, and structures more general than
trees, such as trees whose leaves are chained in a list. The decidability
proofs are by reduction to decidability of Monadic Second Order Logic on graphs
with bounded tree width.Comment: 30 pages, 2 figure
Generating Non-Linear Interpolants by Semidefinite Programming
Interpolation-based techniques have been widely and successfully applied in
the verification of hardware and software, e.g., in bounded-model check- ing,
CEGAR, SMT, etc., whose hardest part is how to synthesize interpolants. Various
work for discovering interpolants for propositional logic, quantifier-free
fragments of first-order theories and their combinations have been proposed.
However, little work focuses on discovering polynomial interpolants in the
literature. In this paper, we provide an approach for constructing non-linear
interpolants based on semidefinite programming, and show how to apply such
results to the verification of programs by examples.Comment: 22 pages, 4 figure
Unbounded Superoptimization
Our aim is to enable software to take full advantage of the capabilities of emerging microprocessor designs without modifying the compiler. Towards this end, we propose a new approach to code generation and optimization. Our approach uses an SMT solver in a novel way to generate efficient code for modern architectures and guarantee that the generated code correctly implements the source code. The distinguishing characteristic of our approach is that the size of the constraints does not depend on the candidate sequence of instructions. To study the feasibility of our approach, we implemented a preliminary prototype, which takes as input LLVM IR code and uses Z3 SMT solver to generate ARMv7-A assembly. The prototype handles arbitrary loop-free code (not only basic blocks) as input and output. We applied it to small but tricky examples used as standard benchmarks for other superoptimization and synthesis tools. We are encouraged to see that Z3 successfully solved complex constraints that arise from our approach. This work paves the way to employing recent advances in SMT solvers and has a potential to advance SMT solvers further by providing a new category of challenging benchmarks that come from an industrial application domain
Model counting for complex data structures
We extend recent approaches for calculating the probability of program behaviors, to allow model counting for complex data structures with numeric fields. We use symbolic execution with lazy initialization to compute the input structures leading to the occurrence of a target event, while keeping a symbolic representation of the constraints on the numeric data. Off-the-shelf model counting tools are used to count the solutions for numerical constraints and field bounds encoding data structure invariants are used to reduce the search space. The technique is implemented in the Symbolic PathFinder tool and evaluated on several complex data structures. Results show that the technique is much faster than an enumeration-based method that uses the Korat tool and also highlight the benefits of using the field bounds to speed up the analysis
Efficient Interpolation for the Theory of Arrays
Existing techniques for Craig interpolation for the quantifier-free fragment
of the theory of arrays are inefficient for computing sequence and tree
interpolants: the solver needs to run for every partitioning of the
interpolation problem to avoid creating -mixed terms. We present a new
approach using Proof Tree Preserving Interpolation and an array solver based on
Weak Equivalence on Arrays. We give an interpolation algorithm for the lemmas
produced by the array solver. The computed interpolants have worst-case
exponential size for extensionality lemmas and worst-case quadratic size
otherwise. We show that these bounds are strict in the sense that there are
lemmas with no smaller interpolants. We implemented the algorithm and show that
the produced interpolants are useful to prove memory safety for C programs.Comment: long version of the paper at IJCAR 201
Local reasoning about the presence of bugs: Incorrectness Separation Logic
There has been a large body of work on local reasoning for proving the absence of bugs, but none for proving their presence. We present a new formal framework for local reasoning about the presence of bugs, building on two complementary foundations: 1) separation logic and 2) incorrectness logic. We explore the theory of this new incorrectness separation logic (ISL), and use it to derive a begin-anywhere, intra-procedural symbolic execution analysis that has no false positives by construction. In so doing, we take a step towards transferring modular, scalable techniques from the world of program verification to bug catching