A Solver for Reachability Modulo Theories

Lal, Akash; Qadeer, Shaz; Lahiri, Shuvendu K.

doi:10.1007/978-3-642-31424-7_32

Cited by 119 publications

(105 citation statements)

References 30 publications

(44 reference statements)

Supporting

Mentioning

103

Contrasting

Unclassified

Order By: Relevance

“…Finally, SMT-based reachability analysis has been used in software testing in tools such as KLEE [16] for symbolic execution and constraint solving, finding possible inputs that will cause a program to crash and outputting these as test cases, and SMT-CBMC [3] and Corral [42] for bounded model checking where unbounded types are represented by built-in variables and the syntax of expressions is restricted so that it can be efficiently decided by SMT solving. See [17] for a comprehensive account of symbolic techniques for reachability analysis in software testing, including SMT-based ones.…”

Section: Related Work and Concluding Remarksmentioning

confidence: 99%

Rewriting modulo SMT and open system analysis

Rocha

Meseguer

Muñoz

2017

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

Abstract. This paper proposes rewriting modulo SMT, a new technique that combines the power of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo SMT is ideally suited to model and analyze reachability properties of infinite-state open systems, i.e., systems that interact with a nondeterministic environment. Such systems exhibit both internal nondeterminism, which is proper to the system, and external nondeterminism, which is due to the environment. In a reflective formalism, such as rewriting logic, rewriting modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT naturally extends rewriting-based reachability analysis techniques, which are available for closed systems, to open systems. The proposed technique is illustrated with the formal analysis of: (i) a real-time system that is beyond the scope of timed-automata methods and (ii) automatic detection of reachability violations in a synchronous language developed to support autonomous spacecraft operations.

show abstract

Section: Related Work and Concluding Remarksmentioning

confidence: 99%

Rewriting modulo SMT and open system analysis

Rocha

Meseguer

Muñoz

2017

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

show abstract

“…The first scheme for an arbitrary but bounded number of context switches was given in [24]. Since then, several algorithms and implementations have been developed (see [9,23,3,20,19,33]). Lazy sequentialization schemes have played an important role in the development of efficient tools.…”

Section: Related Workmentioning

confidence: 99%

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

et al. 2017

View full text Add to dashboard Cite

Abstract. Lazy sequentialization has proven to be one of the most effective techniques for concurrent program verification. The Lazy-CSeq sequentialization tool performs a "lazy" code-to-code translation from a concurrent program into an equivalent non-deterministic sequential program, i.e., it preserves the valuations of the program variables along its executions. The obtained program is then analyzed using sequential bounded model checking tools. However, the sizes of the individual states still pose problems for further scaling. We therefore use abstract interpretation to minimize the representation of the concurrent program's (shared global and thread-local) state variables. More specifically, we run the Frama-C abstract interpretation tool over the programs constructed by Lazy-CSeq to compute overapproximating intervals for all (original) state variables and then exploit CBMC's bitvector support to reduce the number of bits required to represent these in the sequentialized program. We have implemented this approach in the last release of Lazy-CSeq and demonstrate the effectiveness of this approach; in particular, we show that it leads to large performance gains for very hard verification problems.

show abstract

“…Then Alive passes P and a bounding parameter K ∈ N to our AsyncChecker delay-bounded asynchronous program analysis tool [9] which attempts to determine whether the assertion can be violated (in an execution using at most K delay operations, per task). AsyncChecker essentially performs a variation of our delay-bounded translation of Section 3.3-which results in a sequential Boogie program-and hands the resulting program P to the Corral SMT-based bounded model checker [14] to detect assertion violations.…”

Section: Experiencementioning

confidence: 99%

“…Our relatively easy-to-implement prototype leverages existing SMT-based program verification tools [14], and as far as we are aware, is the first tool which can automatically detect divergence in distributed asynchronous programs.…”

Section: Introductionmentioning

confidence: 99%

Finding Non-terminating Executions in Distributed Asynchronous Programs

Emmi

Lal

2012

Static Analysis

Self Cite

View full text Add to dashboard Cite

Abstract. Programming distributed and reactive asynchronous systems is complex due to the lack of synchronization between concurrently executing tasks, and arbitrary delay of message-based communication.As even simple programming mistakes have the capability to introduce divergent behavior, a key liveness property is eventual quiescence: for any finite number of external stimuli (e.g., client-generated events), only a finite number of internal messages are ever created. In this work we propose a practical three-step reduction-based approach for detecting divergent executions in asynchronous programs. As a first step, we give a code-to-code translation reducing divergence of an asynchronous program P to completed state-reachability-i.e., reachability to a given state with no pending asynchronous tasks-of a polynomiallysized asynchronous program P . In the second step, we give a code-to-code translation under-approximating completed state-reachability of P by state-reachability of a polynomially-sized recursive sequential program P (K), for the given analysis parameter K ∈ N. Following Emmi et al.[8]'s delay-bounding approach, P (K) encodes a subset of P 's, and thus of P 's, behaviors by limiting scheduling nondeterminism. As K is increased, more possibly divergent behaviors of P are considered, and in the limit as K approaches infinity, our reduction is complete for programs with finite data domains. As the final step we give the resulting state-reachability query to an off-the-shelf SMT-based sequential program verification tool. We demonstrate the feasibility of our approach by implementing a prototype analysis tool called Alive, which detects divergent executions in several hand-coded variations of textbook distributed algorithms. As far as we are aware, our easy-to-implement prototype is the first tool which automatically detects divergence for distributed and reactive asynchronous programs. IntroductionThe ever-increasing popularity of online commercial and social networks, along with proliferating mobile computing devices, promises to make distributed software an even more pervasive component of technological infrastructure. In a * Supported by a Fondation Sciences Mathématiques de Paris post-doctoral fellowship.

show abstract

A Solver for Reachability Modulo Theories

Cited by 119 publications

References 30 publications

Rewriting modulo SMT and open system analysis

Rewriting modulo SMT and open system analysis

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

Finding Non-terminating Executions in Distributed Asynchronous Programs

Contact Info

Product

Resources

About