Fairness Modulo Theory: A New Approach to LTL Software Model Checking

Dietsch, Daniel; Heizmann, Matthias; Langenfeld, Vincent; Podelski, Andreas

doi:10.1007/978-3-319-21690-4_4

Cited by 31 publications

(23 citation statements)

References 51 publications

(68 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In recent years, techniques have emerged for proving temporal properties of imperative programs (or automata derived therefrom) [4,[12][13][14]17]. While there is some similarity (i.e.…”

Section: Recoverability and Storage Systemsmentioning

confidence: 99%

Reducing crash recoverability to reachability

Koskinen

Yang

2016

SIGPLAN Not.

View full text Add to dashboard Cite

Software applications run on a variety of platforms (filesystems, virtual slices, mobile hardware, etc.) that do not provide 100% uptime. As such, these applications may crash at any unfortunate moment losing volatile data and, when re-launched, they must be able to correctly recover from potentially inconsistent states left on persistent storage. From a verification perspective, crash recovery bugs can be particularly frustrating because, even when it has been formally proved for a program that it satisfies a property, the proof is foiled by these external events that crash and restart the program.In this paper we first provide a hierarchical formal model of what it means for a program to be crash recoverable. Our model captures the recoverability of many real world programs, including those in our evaluation which use sophisticated recovery algorithms such as shadow paging and write-ahead logging. Next, we introduce a novel technique capable of automatically proving that a program correctly recovers from a crash via a reduction to reachability. Our technique takes an input control-flow automaton and transforms it into an encoding that blends the capture of snapshots of pre-crash states into a symbolic search for a proof that recovery terminates and every recovered execution simulates some crashfree execution. Our encoding is designed to enable one to apply existing abstraction techniques in order to do the work that is necessary to prove recoverability.We have implemented our technique in a tool called ELEVEN82, capable of analyzing C programs to detect recoverability bugs or prove their absence. We have applied our tool to benchmark examples drawn from industrial file systems and databases, including GDBM, LevelDB, LMDB, PostgreSQL, SQLite, VMware and ZooKeeper. Within minutes, our tool is able to discover bugs or prove that these fragments are crash recoverable.

show abstract

“…In recent years, techniques have emerged for proving temporal properties of imperative programs (or automata derived therefrom) [4,[12][13][14]17]. While there is some similarity (i.e.…”

Section: Recoverability and Storage Systemsmentioning

confidence: 99%

Reducing crash recoverability to reachability

Koskinen

Yang

2016

SIGPLAN Not.

View full text Add to dashboard Cite

show abstract

“…In recent years, verifying software systems at code level has attracted more attentions [7,8,9,10,11,12]. Tools like, SLAM [13], BLAST [14], CPAChecker [15] and CBMC [16], support only safety property verification.…”

Section: Introductionmentioning

confidence: 99%

“…=⇒ α ptr(b, j1) ∼ ptr(b , j1) ∧ α v2 ∼ n2 Definition 2, 3, 4, (1, 2, 7) (9) =⇒ α ptr(b, j1) ∼ ptr(b , j1) ∧ v2 = n2 v2 and n2 are both non-pointer values, (8) (10) =⇒ α ptr(b, j1 + v2 * sizeof (τ )) ∼ ptr(b, j 1 + n2 * sizeof (τ )) Lemma 1, (9) (11) =⇒ α ptr(b, j) ∼ ptr(b , j ) (4, 6, 10) (12) ⇐⇒ α e1 aop e2 ∼r ra1 aop ra2 Definition 3, (11) (13) =⇒ α e1 aop e2 ∼e ra1 aop ra2 Definition 4, (12) Case 3: both e 2 and ra 2 are of pointer type τ * while both e 1 and ra 1 are of integer type. The proof is similar to Case 2.…”

mentioning

confidence: 99%

“…=⇒ α ptr(b, j) ∼ ptr(b , j ) Definition 2, 4, (1, 3, 4) (6) (G, E e, M ⇒v) ∧ (ra, σi−1, si, i)⇓n assumption (7) =⇒ α v ∼ n Definition 3, 4, (2, 3, 6) In the MSVL program, we have (8) s l i (xm) = (b , j ) assumption (9) (la := ra, σi−1, si, i) (12,13) {here storeval and loadval are borrowed from [26], see Appendix A.} TER, (16,17) Note that, (16) tells us the MSVL program eventually terminates and (17) indicates that final states M and s i+1 are equivalent.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Translating Xd-C programs to MSVL programs

Wang

Tian

Zhang

et al. 2020

Theoretical Computer Science

View full text Add to dashboard Cite

C language is one of the most popular languages for software systems. In order to verify safety, reliability and security properties of such systems written in C, a tool UMC4M for runtime verification at code level based on Modeling, Simulation and Verification Language (MSVL) and its compiler MC is employed. To do so, a C program P has to be translated to an MSVL program M and the negation of a desired property Q is also translated to an MSVL program M', then "M and M'" is compiled and executed armed with MC. Whether P violates Q is checked by evaluating whether there exists an acceptable execution of new MSVL program "M and M'". Therefore, how to translate a C program to an MSVL program is a critical issue. However, in general, C is of complicated structures with goto statement. In this paper, we confine the syntax of C in a suitable subset called Xd-C without loss of expressiveness. Further, we present a translation algorithm from an Xd-C program to an MSVL program based on translation algorithms for expressions and statements. Moreover, the equivalences between expressions and statements involved in Xd-C and MSVL programs are inductively proved. Subsequently, the equivalence between the original Xd-C program and the translated MSVL program is also proved. In addition, the proposed approach has been implemented by a tool called C2M . A benchmark of experiments including 13 real-world Xd-C programs is conducted. The results show that C2M works effectively.

show abstract

“…Instead, they are used as a finite representation of an infinite path in a control flow graph. For example, in (potentially spurious) counterexamples in termination analysis [14,6,19,22,23,29,30,20], stability analysis [10,31], cost analysis [1,17], or the verification of temporal properties [13,12,16] (c) Fig. 1: Three nonterminating linear lasso programs.…”

Section: Introductionmentioning

confidence: 99%

Geometric Nontermination Arguments

Leike

Heizmann

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We present a new kind of nontermination argument, called geometric nontermination argument. The geometric nontermination argument is a finite representation of an infinite execution that has the form of a sum of several geometric series. For so-called linear lasso programs we can decide the existence of a geometric nontermination argument using a nonlinear algebraic ∃-constraint. We show that a deterministic conjunctive loop program with nonnegative eigenvalues is nonterminating if an only if there exists a geometric nontermination argument. Furthermore, we present an evaluation that demonstrates that our method is feasible in practice.

show abstract

Fairness Modulo Theory: A New Approach to LTL Software Model Checking

Cited by 31 publications

References 51 publications

Reducing crash recoverability to reachability

Reducing crash recoverability to reachability

Translating Xd-C programs to MSVL programs

Geometric Nontermination Arguments

Contact Info

Product

Resources

About