Predicate Abstraction of ANSI-C Programs Using SAT

Clarke, Edmund M.; Kroening, Daniel; Sharygina, Natasha; Yorav, Karen

doi:10.1023/b:form.0000040025.89719.f3

Cited by 139 publications

(118 citation statements)

References 35 publications

(42 reference statements)

Supporting

Mentioning

118

Contrasting

Order By: Relevance

“…The resulting finite-state abstraction can be analyzed efficiently using Boolean techniques. Predicate abstraction has been applied successfully in various verification tools to analyze software [BMMR01,HJMS02,CCG + 03,FQ02], hardware [CKSY04] and high-level protocols [DDP99,LBC03].…”

Section: Introductionmentioning

confidence: 99%

“…For example, Clarke et al [CKSY04], and Lahiri and Bryant [LBC03,LB04] perform predicate abstraction by Boolean quantifier elimination using SAT solvers for propositional and first-order logic respectively. The idea of using SMT solvers for predicate abstraction has also been explored repeatedly [DDP99,SS99,FQ02,BCLZ04], but differently from what we do here, in particular, concerning incrementality.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SMT Techniques for Fast Predicate Abstraction

Lahiri

Nieuwenhuis

Oliveras

2006

Computer Aided Verification

View full text Add to dashboard Cite

Abstract. Predicate abstraction is a technique for automatically extracting finite-state abstractions for systems with potentially infinite state space. The fundamental operation in predicate abstraction is to compute the best approximation of a Boolean formula ϕ over a set of predicates P . In this work, we demonstrate the use for this operation of a decision procedure based on the DPLL(T) framework for SAT Modulo Theories (SMT). The new algorithm is based on a careful generation of the set of all satisfying assignments over a set of predicates. It consistently outperforms previous methods by a factor of at least 20, on a diverse set of hardware and software verification benchmarks. We report detailed analysis of the results and the impact of a number of variations of the techniques. We also propose and evaluate a scheme for incremental refinement of approximations for predicate abstraction in the above framework.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

SMT Techniques for Fast Predicate Abstraction

Lahiri

Nieuwenhuis

Oliveras

2006

Computer Aided Verification

View full text Add to dashboard Cite

show abstract

“…Our implementation uses SATABS as the reachability checker [13], which implements SAT-based predicate abstraction. Our benchmarks are device drivers from the Windows Driver Development Kit (WDK).…”

Section: Large-scale Benchmarksmentioning

confidence: 99%

“…A system Ax ≤ b is called integral if the polyhedron {x ∈ Q n | Ax ≤ b} coincides with its integral hull (the convex hull of the integer points contained in it). 13 Lemma 6 (Integral version of Farkas' lemma). Suppose A ∈ Q n×k is a matrix, b ∈ Q n a vector such that the system Ax ≤ b of inequalities is satisfiable and integral, c ∈ Q k is a (row) vector, and δ ∈ Q is a rational.…”

Section: Ranking Functions For Disjunctive Integer Transition Relatmentioning

confidence: 99%

Ranking Function Synthesis for Bit-Vector Relations

Cook

Kroening

Rümmer

et al. 2010

Tools and Algorithms for the Construction and Analysis of Systems

Self Cite

View full text Add to dashboard Cite

Abstract. Ranking function synthesis is a key aspect to the success of modern termination provers for imperative programs. While it is wellknown how to generate linear ranking functions for relations over (mathematical) integers or rationals, efficient synthesis of ranking functions for machine-level integers (bit-vectors) is an open problem. This is particularly relevant for the verification of low-level code. We propose several novel algorithms to generate ranking functions for relations over machine integers: a complete method based on a reduction to Presburger arithmetic, and a template-matching approach for predefined classes of ranking functions based on reduction to SAT-and QBF-solving. The utility of our algorithms is demonstrated on examples drawn from Windows device drivers.

show abstract

“…This section provides a short overview of the algorithm. For more information on the algorithm, we refer the reader to [46,45].…”

Section: Existential Abstraction Of Transition Systems With Eventsmentioning

confidence: 99%

Model Checking with Abstraction for Web Services

Sharygina

Kröning

Test and Analysis of Web Services

Self Cite

View full text Add to dashboard Cite

Abstract. Web services are highly distributed programs and, thus, are prone to concurrency-related errors. Model checking is a powerful technique to identify flaws in concurrent systems. However, the existing model checkers have only very limited support for the programming languages and communication mechanisms used by typical implementations of web services. This chapter presents a formalization of communication semantics geared for web services, and an automated way to extract formal models from programs implementing web services for automatic formal analysis. The formal models are analyzed by means of a symbolic model checker that implements automatic abstraction refinement. Our implementation takes one or more PHP5 programs as input, and is able to verify joint properties of these programs running concurrently. IntroductionWeb services are instantiations of service-oriented architectures, where a service is a function that is well defined, self-contained and does not depend on the context or state of other services [1]. They are designed to be published, accessed and used via intranet or Internet. The elements of the design are (1) a service provider, which offers some service; (2) a service broker who maintains a catalog of available services; and (3) service requesters which seek for a service from the service broker, and then attach to the service provider by composing the offered services with its own components. A web service offers an arbitrary complex functionality, which is described in a global system structure. Examples of web services include information systems such as map or travel services, e-commerce systems such as web shops, travel agencies, stock brokers, etc. Clearly, it is essential to enforce security and safety requirements in the development of such systems.Web services are typically implemented in a very distributed manner and, thus, are prone to errors caused by the distribution. They often involve multiple parties. As an example, consider an online shop that accepts charges to a credit card as form of payment. The parties involved are the users or 122 N. Sharygina and D. Kröning customers, the vendor itself, and back-office service providers, e.g., the payment clearing service. The authorization of the payment is given by a service company for credit card transactions, whereas the "shopping basket" and warehousing are implemented by the vendor. It is easy to imagine another party involved in a transaction, e.g., a company that performs the actual shipment.Each party typically employs a large set of machines for the purpose of load sharing. The safety and security requirements are often global, i.e., require reasoning about multiple parties and may involve more than one server at each party.A typical scenario is depicted in Fig. 5.1. A merchant is operating three hosts (e.g., for redundancy or load-balancing reasons). Two of these hosts ('Host 1' and 'Host 2') are used to run a web server, e.g., Apache. The web server itself is split up into multiple processes, T 1 , . . . , T 4 . T...

show abstract

Predicate Abstraction of ANSI-C Programs Using SAT

Cited by 139 publications

References 35 publications

SMT Techniques for Fast Predicate Abstraction

SMT Techniques for Fast Predicate Abstraction

Ranking Function Synthesis for Bit-Vector Relations

Model Checking with Abstraction for Web Services

Contact Info

Product

Resources

About