Scaling Bounded Model Checking By Transforming Programs With Arrays

Bounded Model Checking is one the most successful techniques for finding bugs in program. However, model checkers are resource hungry and are often unable to verify programs with loops iterating over large arrays.We present a transformation that enables bounded model checkers to verify a certain class of array properties. Our technique transforms an array-manipulating (ANSI-C) program to an array-free and loop-free (ANSI-C) program thereby reducing the resource requirements of a model checker significantly. Model checking of the transformed program using an off-the-shelf bounded model checker simulates the loop iterations efficiently. Thus, our transformed program is a sound abstraction of the original program and is also precise in a large number of cases - we formally characterize the class of programs for which it is guaranteed to be precise. We demonstrate the applicability and usefulness of our technique on both industry code as well as academic benchmarks

Electroexcitation of the Roper resonance from CLAS data

The helicity amplitudes of the electroexcitation of the Roper resonance on proton are extracted at 1.7 < Q2 < 4.2 GeV2 from recent high precision JLab-CLAS cross sections data and longitudinally polarized beam asymmetry for pi+ electroproduction on protons. The analysis is made using two approaches, dispersion relations and unitary isobar model, which give consistent results. It is found that the transverse helicity amplitude for the gamma* p --> P11(1440) transition, which is large and negative at Q2=0, becomes large and positive at Q2 ~ 2 GeV2, and then drops slowly with Q2. Longitudinal helicity amplitude, that was previously found from CLAS data as large and positive at Q2=0.4,0.65 GeV2, drops with Q2. These results rule out the presentation of P11(1440) as a 3qG hybrid state, and provide strong evidence in favor of this resonance as a first radial excitation of the 3q ground state.Comment: 3 pages, 2 figures, Talk on the Workshop on "The Physics of Excited Nucleons", Bonn, Germany, October 200

Proving Safety with Trace Automata and Bounded Model Checking

Loop under-approximation is a technique that enriches C programs with additional branches that represent the effect of a (limited) range of loop iterations. While this technique can speed up the detection of bugs significantly, it introduces redundant execution traces which may complicate the verification of the program. This holds particularly true for verification tools based on Bounded Model Checking, which incorporate simplistic heuristics to determine whether all feasible iterations of a loop have been considered. We present a technique that uses \emph{trace automata} to eliminate redundant executions after performing loop acceleration. The method reduces the diameter of the program under analysis, which is in certain cases sufficient to allow a safety proof using Bounded Model Checking. Our transformation is precise---it does not introduce false positives, nor does it mask any errors. We have implemented the analysis as a source-to-source transformation, and present experimental results showing the applicability of the technique

A Simplex-Based Extension of Fourier-Motzkin for Solving Linear Integer Arithmetic

International audienceThis paper describes a novel decision procedure for quantifier-free linear integer arithmetic. Standard techniques usually relax the initial problem to the rational domain and then proceed either by projection (e.g. Omega-Test) or by branching/cutting methods (branch-and-bound, branch-and-cut, Gomory cuts). Our approach tries to bridge the gap between the two techniques: it interleaves an exhaustive search for a model with bounds inference. These bounds are computed provided an oracle capable of finding constant positive linear combinations of affine forms. We also show how to design an efficient oracle based on the Simplex procedure. Our algorithm is proved sound, complete, and terminating and is implemented in the Alt-Ergo theorem prover. Experimental results are promising and show that our approach is competitive with state-of-the-art SMT solvers

A simple abstraction of arrays and maps by program translation

We present an approach for the static analysis of programs handling arrays, with a Galois connection between the semantics of the array program and semantics of purely scalar operations. The simplest way to implement it is by automatic, syntactic transformation of the array program into a scalar program followed analysis of the scalar program with any static analysis technique (abstract interpretation, acceleration, predicate abstraction,.. .). The scalars invariants thus obtained are translated back onto the original program as universally quantified array invariants. We illustrate our approach on a variety of examples, leading to the " Dutch flag " algorithm

A Survey of Satisfiability Modulo Theory

Satisfiability modulo theory (SMT) consists in testing the satisfiability of first-order formulas over linear integer or real arithmetic, or other theories. In this survey, we explain the combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative "natural domain" approaches. We also cover quantifiers, Craig interpolants, polynomial arithmetic, and how SMT solvers are used in automated software analysis.Comment: Computer Algebra in Scientific Computing, Sep 2016, Bucharest, Romania. 201

Mechanism of Pion Production in alphaalphap Scattering at 1 GeV/nucleon

The one-pion and two-pion production in the p(alpha, alpha prime)X reaction at an energy of E{alpha} = 4.2 GeV has been studied by simultaneous registration of the scattered alpha particles and the secondary pion or proton. The obtained results demonstrate that the inelastic alpha-particle scattering on the proton at the energy of the experiment proceeds either through excitation and decay of Delta resonance in the projectile or through excitation in the target proton of the Roper resonance, which decays mainly on a nucleon and a pion or a nucleon and a sigma meson - system of two pions in the isospin I = 0, S-wave.Comment: 16 pages, 10 figures. Submitted to Proceedings of the XX International Baldin Seminar on High - Energy Physics Problems, Dubna, October 4 - 9, 201

A Reduction from Unbounded Linear Mixed Arithmetic Problems into Bounded Problems

We present a combination of the Mixed-Echelon-Hermite transformation and the Double-Bounded Reduction for systems of linear mixed arithmetic that preserve satisfiability and can be computed in polynomial time. Together, the two transformations turn any system of linear mixed constraints into a bounded system, i.e., a system for which termination can be achieved easily. Existing approaches for linear mixed arithmetic, e.g., branch-and-bound and cuts from proofs, only explore a finite search space after application of our two transformations. Instead of generating a priori bounds for the variables, e.g., as suggested by Papadimitriou, unbounded variables are eliminated through the two transformations. The transformations orient themselves on the structure of an input system instead of computing a priori (over-)approximations out of the available constants. Experiments provide further evidence to the efficiency of the transformations in practice. We also present a polynomial method for converting certificates of (un)satisfiability from the transformed to the original system

LNCS

Static program analyzers are increasingly effective in checking correctness properties of programs and reporting any errors found, often in the form of error traces. However, developers still spend a significant amount of time on debugging. This involves processing long error traces in an effort to localize a bug to a relatively small part of the program and to identify its cause. In this paper, we present a technique for automated fault localization that, given a program and an error trace, efficiently narrows down the cause of the error to a few statements. These statements are then ranked in terms of their suspiciousness. Our technique relies only on the semantics of the given program and does not require any test cases or user guidance. In experiments on a set of C benchmarks, we show that our technique is effective in quickly isolating the cause of error while out-performing other state-of-the-art fault-localization techniques

A Generic Framework for Implicate Generation Modulo Theories

International audienceThe clausal logical consequences of a formula are called its implicates. The generation of these implicates has several applications, such as the identification of missing hypotheses in a logical specification. We present a procedure that generates the implicates of a quantifier-free formula modulo a theory. No assumption is made on the considered theory, other than the existence of a decision procedure. The algorithm has been implemented (using the solvers MiniSAT, CVC4 and Z3) and experimental results show evidence of the practical relevance of the proposed approach