Backward Analysis via over-Approximate Abstraction and under-Approximate Subtraction

Bakhirkin, Alexey; Berdine, Josh; Piterman, Nir

doi:10.1007/978-3-319-10936-7_3

Cited by 7 publications

(10 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We compute necessary and sufficient preconditions independently from the calling context of the procedure. Similar techniques for computing necessary preconditions are proposed by Miné [24] using a lower widening technique to perform a polyhedral backward analysis, and Bakhirkin et al [1] who combine over-approximative backward analysis with a subtraction operation to obtain under-approximations.…”

Section: Resultsmentioning

confidence: 98%

“…Input: formula ψF , ψE, transition constraint τ Output: set of predicates 1 Var P , P : set of predicates; 2 Var ψF , ψE: formula; 3 ψF := ψF ∨ pre(τ, ψF ); 4 ψE := ψE ∨ pre(τ, ψE); 5 if ψF ∧ ψE ≡ false then return ∅; 6 ; 7 Let τ.pc = ; 8 Let ψ F ≡ (ψF ∧ pc = ) be of the form (i∈I) ϕi; 9 Let ψ E ≡ (ψE ∧ pc = ) be of the form (j∈J) ϕ j ; 10 P := ∅;…”

Section: Algorithm 2: Splitpredmentioning

confidence: 99%

See 1 more Smart Citation

Necessary and Sufficient Preconditions via Eager Abstraction

Seghir

Schrammel

2014

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. The precondition for safe execution of a procedure is useful for understanding, verifying and debugging programs. We have previously presented a cegar-based approach for inferring necessary and sufficient preconditions based on the iterative abstraction-refinement of the set of safe and unsafe states until they become disjoint. A drawback of that approach is that safe and unsafe traces are explored separately and each time they are built entirely before being checked for consistency. In this paper, we present an eager approach that explores shared prefixes between safe and unsafe traces conjointly. As a result, individual state sets, by construction, fulfil the property of separation between safe and unsafe states without requiring any refinement. Experiments using our implementation of this technique in the precondition generator P-Gen show a significant improvement compared to our previous cegar-based method. In some cases the running time drops from several minutes to several seconds.

show abstract

Section: Resultsmentioning

confidence: 98%

Section: Algorithm 2: Splitpredmentioning

confidence: 99%

Necessary and Sufficient Preconditions via Eager Abstraction

Seghir

Schrammel

2014

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Most are from the repositories of state-of-the-art software verification tools such as DAGGER 1 (Gulavani et al 2008), TRACER 2 (Jaffar et al 2012), InvGen 3 (Gupta and Rybalchenko 2009), and from the TACAS 2013 Software Verification Competition (Beyer 2013, Control flow and Loops categories). 4 Other examples are from the literature on precondition generation, backwards analysis and parameter synthesis (Bakhirkin et al 2014;Miné 2012a;Miné 2012b;Moy 2008;Bakhirkin and Monniaux 2017;Cassez et al 2017) and manually translated to CHCs. These benchmarks are designed to demonstrate/test the strengths/usability of different tools and methods proposed to solve software verification, parameter synthesis and precondition generation problems and contain up to approximately 500 lines of code.…”

Section: Benchmarksmentioning

confidence: 99%

“…bakhirkin-fig3 (Bakhirkin et al 2014) (1 ≤ a ≤ 99 → b ≥ 1) ∧ (a ≤ 0 → b = 0) bakhirkin (Bakhirkin et al 2014) 1 ≤ a ≤ 60 ∨ a ≥ 100 mine (Miné 2012a) 0 ≤ a ≤ 5 mon fig1 (Bakhirkin and Monniaux 2017) a = b ∧ a ≥ 0 moy (Moy 2008) b < 1 ∨ (b < 2 ∧ a > 0) navas2 (crafted) a ≤ 99 ∨ b ≥ 100 simple function (Miné 2012b) 6 ≤ a ≤ 61 test both branches (Miné 2012b) 3 ≤ a ≤ 17 test nondet body (Miné 2012b) 6 ≤ a ≤ 13 test nondet cond (Miné 2012b) 3 ≤ a ≤ 17 test then branch (Miné 2012b) 10 ≤ a ≤ 20 fischer (Cassez et al 2017) a + 2c < b ∨ a < 0 ∨ b < 0 ∨ c ≤ 0 Jhala (Jhala and McMillan 2006) a < 0 ∨ a ≥ b ∨ c = d Ball SLAM (Ball et al 2004) b < c client ssh protocol b < a ∨ b < 2 ∨ a > 3 Beyer et al (2007) n ≤ i ∧ a + b = 3n…”

Section: Program Preconditionmentioning

confidence: 99%

“…Moy (2008) presents a method for deriving sufficient preconditions (for use with a theorem prover), employing weakest-precondition reasoning and forward abstract interpretation to attempt to generalise conditions at loop heads. Bakhirkin et al (2014) observe that there may be an advantage in generalising an abstract complement operation to (abstract) logical subtraction, as this can improve opportunities to find a tighter approximation of a set of states. Miné (2012a) infers sufficient conditions for safety, not by instantiating a generic mechanism for complementation, but by designing all required purpose-built backward transfer functions.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An iterative approach to precondition inference using constrained Horn clauses

Kafle

Gallagher²,

Gange

et al. 2018

Theory and Practice of Logic Programming

View full text Add to dashboard Cite

We present a method for automatic inference of conditions on the initial states of a program that guarantee that the safety assertions in the program are not violated. Constrained Horn clauses (CHCs) are used to model the program and assertions in a uniform way, and we use standard abstract interpretations to derive an over-approximation of the set ofunsafeinitial states. The precondition then is the constraint corresponding to the complement of that set, under-approximating the set ofsafeinitial states. This idea of complementation is not new, but previous attempts to exploit it have suffered from the loss of precision. Here we develop an iterative specialisation algorithm to give more precise, and in some cases optimal safety conditions. The algorithm combines existing transformations, namely constraint specialisation, partial evaluation and a trace elimination transformation. The last two of these transformations perform polyvariant specialisation, leading to disjunctive constraints which improve precision. The algorithm is implemented and tested on a benchmark suite of programs from the literature in precondition inference and software verification competitions.

show abstract

Backward Analysis via over-Approximate Abstraction and under-Approximate Subtraction

2014

Self Cite

View full text Add to dashboard Cite

Abstract. We propose a novel approach for computing weakest liberal safe preconditions of programs. The standard approaches, which call for either underapproximation of a greatest fixed point, or complementation of a least fixed point, are often difficult to apply successfully. Our approach relies on a different decomposition of the weakest precondition of loops. We exchange the greatest fixed point for the computation of a least fixed point above a recurrent set, instead of the bottom element. Convergence is achieved using over-approximation, while in order to maintain soundness we use an under-approximating logical subtraction operation. Unlike general complementation, subtraction more easily allows for increased precision in case its arguments are related. The approach is not restricted to a specific abstract domain and we use it to analyze programs using the abstract domains of intervals and of 3-valued structures.

show abstract

Backward Analysis via over-Approximate Abstraction and under-Approximate Subtraction

Cited by 7 publications

References 26 publications

Necessary and Sufficient Preconditions via Eager Abstraction

Necessary and Sufficient Preconditions via Eager Abstraction

An iterative approach to precondition inference using constrained Horn clauses

Backward Analysis via over-Approximate Abstraction and under-Approximate Subtraction

Contact Info

Product

Resources

About