By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.

Slides:

Advertisements

Similar presentations

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

Advertisements

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Consequence Generation, Interpolants, and Invariant Discovery Ken McMillan Cadence Berkeley Labs.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

CS 355 – Programming Languages

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:

Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.

Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.

CS 363 Comparative Programming Languages Semantics.

Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.

Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008.

Lecture 11 Abstract Interpretation on Control-Flow Graphs.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Semantics In Text: Chapter 3.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.

Proving Non-Termination Gupta, Henzinger, Majumdar, Rybalchenko, Ru-Gang Xu presentation by erkan.

Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak Masahiro Fujita Department of Electronics.

SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,

CS412/413 Introduction to Compilers Radu Rugina Lecture 18: Control Flow Graphs 29 Feb 02.

1 Control Flow Graphs. 2 Optimizations Code transformations to improve program –Mainly: improve execution time –Also: reduce program size Can be done.

CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.

© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,

CS223: Software Engineering Lecture 26: Software Testing.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 8: Static Analysis II Roman Manevich Ben-Gurion University.

Axiomatic Verification II Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 18.

Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.

Weakest Precondition of Unstructured Programs

Control Flow Testing Handouts

Program Analysis via Satisfiability Modulo Path Programs

Outline of the Chapter Basic Idea Outline of Control Flow Testing

Symbolic Implementation of the Best Transformer

CSE 311 Foundations of Computing I

Axiomatic Verification II

Axiomatic Verification II

Abstraction, Verification & Refinement

Predicate Abstraction

COP4020 Programming Languages

Presentation transcript:

By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09

Introduction Current trends in provable assertion derivation: An abstract framework is set up by the user The user must come up with a framework which is both expressive enough and sufficiently inexpensive Abstract domains Shapes and Templates Invariant templates Linear arithmetic Uninterrupted functions CEGAR The abstract interpretation refinement is done automatically But loops cause problem

Path Programs Counterexamples can be seen as a full-fledge program A Path Program is not just a single infeasibility It can represent a whole family of them! So it is ideal for loops When we remove a path program, we are removing many false alarms Path program decomposes a large program into a set of smaller programs To achieve all these we must add universal quantifiers to the set!

Advantages We can overcome two limitations of CEGAR-based schemes Avoid iterative unwinding of loops We can treat infinite paths and also we can treat finite paths more efficiently We can handle a larger class of problems Dependence of correctness of program on arrays

Example 1 (FORWARD) What does BLAST do? No predicates are tracked and just reach ability checked What does BLAST do? Is the contra example genuine or spurious?

Example 1 (FORWARD) What does BLAST do? In the third phase it extracts the predicates and adds them to predicate abstraction But again for two iterations we need to do the same thing!

Path Invariant We infer path invariants from Path Programs A path invariant map is a map from a location of the prog to a set of formulas Initial location maps to true For each (l, ρ,l’) in the path program, the successor of the formula at l with respect to the program operation ρ implies the formula at l’ The path is safe, if the error location is mapped to formula false

Example 2 (INIT-CHECK)

Formulation A program is P=(X, L, l 0, T, l e ) Error location does not have any outgoing edges These together make a directed graph called the control-flow graph (CFG) A computation of the program is the sequence,…, If (l, ρ,l’) is an edge in T then we have (s i,s i+1 ) satisfies ρ

Computation of Path Invariants We use the template-based invariant generation In template-based invariant synthesis, we assume that for each control location in the domain of the map η, we have a so-called invariant template, which is a parametric constraint over program variables.

Universal Quantifiers We construct a suitable template by analyzing a given path program. If the program contains an assertion that is iteratively checked, then we add a universally quantified implication to the template.