Incremental Dead State Detection in Logarithmic Time
Identifying live and dead states in an abstract transition system is a
recurring problem in formal verification; for example, it arises in our recent
work on efficiently deciding regex constraints in SMT. However,
state-of-the-art graph algorithms for maintaining reachability information
incrementally (that is, as states are visited and before the entire state space
is explored) assume that new edges can be added from any state at any time,
whereas in many applications, outgoing edges are added from each state as it is
explored. To formalize the latter situation, we propose guided incremental
digraphs (GIDs), incremental graphs which support labeling closed states
(states which will not receive further outgoing edges). Our main result is that
dead state detection in GIDs is solvable in amortized time per edge
for edges, improving upon per edge due to Bender, Fineman,
Gilbert, and Tarjan (BFGT) for general incremental directed graphs.
We introduce two algorithms for GIDs: one establishing the logarithmic time
bound, and a second algorithm to explore a lazy heuristics-based approach. To
enable an apples-to-apples experimental comparison, we implemented both
algorithms, two simpler baselines, and the state-of-the-art BFGT baseline using
a common directed graph interface in Rust. Our evaluation shows -x
speedups over BFGT for the largest input graphs over a range of graph classes,
random graphs, and graphs arising from regex benchmarks.
Comment: 22 pages + reference
The undecidability of simultaneous rigid E-unification with two variables
Abstract. Recently it was proved that the problem of simultaneous rigid E-unification, or SREU, is undecidable. Here we show that 4 rigid equations with ground left-hand sides and 2 variables already imply undecidability. As a corollary we improve the undecidability result of the ∃*-fragment of intuitionistic logic with equality. Our proof shows undecidability of a very restricted subset of the ∃∃-fragment. Together with other results, it contributes to a complete characterization of decidability of the prenex fragment of intuitionistic logic with equality, in terms of the quantifier prefix.
1 Introduction
Recently it was proved that the problem of simultaneous rigid E-unification (SREU) is undecidable
Background of SREU
Simultaneous rigid E-unification was proposed by Gallier, Raatz and Snyder
It has been noted by Gurevich and Veanes that 3 rigid equations suffice
Symbolic Tree Automata
Abstract We introduce symbolic tree automata as a generalization of finite tree automata with a parametric alphabet over any given background theory. We show that symbolic tree automata are closed under Boolean operations, and that the operations are effectively uniform in the given alphabet theory. This generalizes the corresponding classical properties known for finite tree automata
Derivative Based Extended Regular Expression Matching Supporting Intersection, Complement and Lookarounds
Regular expressions are widely used in software. Various regular expression
engines support different combinations of extensions to classical regular
constructs such as Kleene star, concatenation, nondeterministic choice (union
in terms of match semantics). The extensions include e.g. anchors, lookarounds,
counters, backreferences. The properties of combinations of such extensions
have been the subject of active recent research.
In the current paper we present a symbolic-derivatives-based approach to
finding matches to regular expressions that, in addition to the classical
regular constructs, also support complement, intersection and lookarounds (both
negative and positive lookaheads and lookbacks). The theory of computing
symbolic derivatives and determining nullability given an input string is
presented that shows that such a combination of extensions yields a match
semantics that corresponds to an effective Boolean algebra, which in turn opens
up possibilities of applying various Boolean logic rewrite rules to optimize
the search for matches.
In addition to the theoretical framework we present an implementation of the
combination of extensions to demonstrate the efficacy of the approach,
accompanied by practical examples.
Play to Test
Testing tasks can be viewed (and organized!) as games against nature. We study reachability games in the context of testing. Such games are ubiquitous. A single industrial test suite may involve many instances of a reachability game. Hence the importance of optimal or near optimal strategies for reachability games. One can use linear programming or the value iteration method of Markov decision process theory to find optimal strategies. Both methods have been implemented in an industrial model-based testing tool, Spec Explorer, developed at Microsoft Research
Model-Based Testing of Safety Critical Real-Time Control Logic Software
The paper presents the experience of the authors in model-based testing of
safety-critical real-time control logic software. It describes specifics of the
corresponding industrial settings and discusses technical details of using the
UniTESK model-based testing technology in these settings. Finally, we discuss
possible future directions of safety-critical software development processes
and the place of model-based testing techniques in them.
Comment: In Proceedings MBT 2012, arXiv:1202.582
Applying SMT Solvers to the Test Template Framework
The Test Template Framework (TTF) is a model-based testing method for the Z
notation. In the TTF, test cases are generated from test specifications, which
are predicates written in Z. In turn, the Z notation is based on first-order
logic with equality and Zermelo-Fraenkel set theory. In this way, a test case
is a witness satisfying a formula in that theory. Satisfiability Modulo Theory
(SMT) solvers are software tools that decide the satisfiability of arbitrary
formulas in a large number of built-in logical theories and their combination.
In this paper, we present the first results of applying two SMT solvers, Yices
and CVC3, as the engines to find test cases from TTF's test specifications. In
doing so, shallow embeddings of a significant portion of the Z notation into
the input languages of Yices and CVC3 are provided, given that they do not
directly support Zermelo-Fraenkel set theory as defined in Z. Finally, the
results of applying these embeddings to a number of test specifications of
eight case studies are analysed.
Comment: In Proceedings MBT 2012, arXiv:1202.582
Sound regular expression semantics for dynamic symbolic execution of JavaScript
Existing support for regular expressions in automated test generation or
verification tools is lacking. Common aspects of regular expression engines
found in mainstream programming languages, such as backreferences or greedy
matching, are commonly ignored or imprecisely approximated, leading to poor
test coverage or failed proofs. In this paper, we present the first complete
strategy to faithfully reason about regular expressions in the context of
symbolic execution, focusing on the operators found in JavaScript. We model
regular expression operations using string constraints and classical regular
expressions and use a refinement scheme to address the problem of matching
precedence and greediness. Our survey of over 400,000 JavaScript packages from
the NPM software repository shows that one fifth make use of complex regular
expressions features. We implemented our model in a dynamic symbolic execution
engine for JavaScript and evaluated it on over 1,000 Node.js packages
containing regular expressions, demonstrating that the strategy is effective
and can increase line coverage of programs by up to 30%.
Comment: This arXiv version (v4) contains fixes for some typographical errors
of the PLDI'19 version (the numbering of indices in Section 4.1 and the
example in Section 4.3
Corresponding
Abstract. We review known results and improve known boundaries between the decidable and the undecidable cases of second-order unification with various restrictions on second-order variables. As a key tool we prove an undecidability result that provides a partial solution to an open problem about simultaneous rigid E-unification