On the Concept of Variable Roles and its Use in Software Analysis
Human written source code in imperative programming languages exhibits
typical patterns for variable use such as flags, loop iterators, counters,
indices, bitvectors etc. Although it is widely understood by practitioners that
these variable roles are important for automated software analysis tools, they
are not systematically studied by the formal methods community, and not well
documented in the research literature. In this paper, we study the notion of
variable roles using the example of basic types (int, float, char) in C. We
propose a classification of the variables in a program by variable roles, and
demonstrate that classical data flow analysis lends itself naturally both as a
specification formalism and an analysis paradigm for this classification
problem. We demonstrate the practical applicability of our method by predicting
the membership of source files in the different categories of the software
verification competition SVCOMP 2013.
Monadic second order finite satisfiability and unbounded tree-width
The finite satisfiability problem of monadic second order logic is decidable
only on classes of structures of bounded tree-width by the classic result of
Seese (1991). We prove the following problem is decidable:
Input: (i) A monadic second order logic sentence , and (ii) a
sentence in the two-variable fragment of first order logic extended
with counting quantifiers. The vocabularies of and may
intersect.
Output: Is there a finite structure which satisfies such
that the restriction of the structure to the vocabulary of has bounded
tree-width? (The tree-width of the desired structure is not bounded.)
As a consequence, we prove the decidability of the satisfiability problem by
a finite structure of bounded tree-width of a logic extending monadic second
order logic with linear cardinality constraints of the form
, where the and
are monadic second order variables. We prove the decidability of a similar
extension of WS1S.
Environment and classical channels in categorical quantum mechanics
We present a both simple and comprehensive graphical calculus for quantum
computing. In particular, we axiomatize the notion of an environment, which
together with the earlier introduced axiomatic notion of classical structure
enables us to define classical channels, quantum measurements and classical
control. If we moreover adjoin the earlier introduced axiomatic notion of
complementarity, we obtain sufficient structural power for constructive
representation and correctness derivation of typical quantum informatic
protocols.
Comment: 26 pages, many pictures; this third version has substantially more
explanations than previous ones; the journal reference is for the short 14-page
version: Proceedings of the 19th EACSL Annual Conference on Computer Science
Logic (CSL), Lecture Notes in Computer Science 6247, Springer-Verlag (2010).
A Simple and Scalable Static Analysis for Bound Analysis and Amortized Complexity Analysis
We present the first scalable bound analysis that achieves amortized
complexity analysis. In contrast to earlier work, our bound analysis is not
based on general purpose reasoners such as abstract interpreters, software
model checkers or computer algebra tools. Rather, we derive bounds directly
from abstract program models, which we obtain from programs by comparatively
simple invariant generation and symbolic execution techniques. As a result, we
obtain an analysis that is more predictable and more scalable than earlier
approaches. Our experiments demonstrate that our analysis is fast and at the
same time able to compute bounds for challenging loops in a large real-world
benchmark. Technically, our approach is based on lossy vector addition systems
(VASS). Our bound analysis first computes a lexicographic ranking function that
proves the termination of a VASS, and then derives a bound from this ranking
function. Our methodology achieves amortized analysis based on a new insight
into how lexicographic ranking functions can be used for bound analysis.
On the Structure and Complexity of Rational Sets of Regular Languages
In a recent thread of papers, we have introduced FQL, a precise specification
language for test coverage, and developed the test case generation engine
FShell for ANSI C. In essence, an FQL test specification amounts to a set of
regular languages, each of which has to be matched by at least one test
execution. To describe such sets of regular languages, the FQL semantics uses
an automata-theoretic concept known as rational sets of regular languages
(RSRLs). RSRLs are automata whose alphabet consists of regular expressions.
Thus, the language accepted by the automaton is a set of regular expressions.
In this paper, we study RSRLs from a theoretic point of view. More
specifically, we analyze RSRL closure properties under common set theoretic
operations, and the complexity of membership checking, i.e., whether a regular
language is an element of an RSRL. For all questions we investigate both the
general case and the case of finite sets of regular languages. Although a few
properties are left as open problems, the paper provides a systematic semantic
foundation for the test specification language FQL.
Precise static analysis of untrusted driver binaries
Most closed-source drivers installed on desktop systems today have never been exposed to formal analysis. Without vendor support, the only way to make these often hastily written, yet critical, programs accessible to static analysis is to work directly at the binary level. In this paper, we describe a full architecture for performing static analysis on binaries that does not rely on unsound external components such as disassemblers. To precisely calculate data and function pointers without any type information, we introduce Bounded Address Tracking, an abstract domain that is tailored towards machine code and is path sensitive up to a tunable bound that assures termination. We implemented Bounded Address Tracking in our binary analysis platform Jakstab and used it to verify API specifications on several Windows device drivers. Even without the assumptions about executable layout and procedures made by state-of-the-art approaches, we achieve more precise results on a set of drivers from the Windows DDK. Since our technique does not require us to compile drivers ourselves, we also present results from analyzing over 300 closed-source drivers.
- …