Abstract. We present a new modular shape analysis that can synthesize heap memory specifications on a per-method basis. We rely on a second-order bi-abduction mechanism that can give interpretations to unknown shape predicates. There are several novel features in our shape analysis. Firstly, it is grounded on second-order bi-abduction. Secondly, we distinguish unknown pre-predicates in pre-conditions from unknown post-predicates in post-conditions; since the former may be strengthened, while the latter may be we…
“…As such, the soundness of this lemma immediately follows from the soundness of second-order abduction [28,45].…”
“…Inferring Predicate Invariant. Our invariant inference is based on the principle of second-order abduction [28,45]. Given the predicate P defined by m branches as $P(t) \equiv \bigvee_{i=1}^{m} \Delta_i$, we assume a sound invariant of P as an unknown (second-order) variable I(t).…”
“…We also present an evaluation of S2SATSL in compositional (modular) program verification with the HIP/S2 system [14,28] for a range of data structures.…”
“…The S2SATSL solver is integrated into the HIP/S2 [14,29,28] system to prune infeasible program paths in symbolic execution. Furthermore, S2SATSL is also used by the entailment procedure SLEEK to discharge the verification conditions (VCs) generated.…”
Abstract. In this work, we present a semi-decision procedure for a fragment of separation logic with user-defined predicates and Presburger arithmetic. To check the satisfiability of a formula, our procedure iteratively unfolds the formula and examines the derived disjuncts. In each iteration, it searches for a proof of either satisfiability or unsatisfiability. Our procedure is further enhanced with automatically inferred invariants as well as detection of cyclic proofs. We also identify a syntactically restricted fragment of the logic for which our procedure is terminating and thus complete. This decidable fragment is relatively expressive, as it can capture a range of sophisticated data structures with non-trivial pure properties such as size, sortedness and near-balancedness. We have implemented the proposed solver and a new system for verifying heap-based programs. We have evaluated our system on benchmark programs from a software verification competition.
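The unfolding loop described in this abstract can be seen in miniature in the following added example. It is not code from the S2SATSL solver or the HIP/S2 system, and it simplifies the logic: the pure part is restricted to equalities and disequalities (no Presburger arithmetic, so no invariant inference), and the predicate definitions `ll`, `ls` and `bad`, the `Heap` record and the `check_sat` procedure are all constructed for this example. Each iteration unfolds one predicate atom into the branches of its definition; a consistent disjunct with no predicate atoms left is a model, a disjunct whose pure part contradicts itself or the separation constraints is closed, and a disjunct that repeats an ancestor's shape with at least one extra cell is closed as a cyclic node (any model of it would contain a strictly smaller model of the ancestor). The node budget is what makes this a semi-decision procedure: exceeding it answers `unknown`.

```python
"""Toy satisfiability check for symbolic heaps with inductive predicates by
iterative unfolding plus cyclic-proof detection.  Constructed example: the pure
part is (dis)equalities only, and nothing here is the S2SATSL implementation."""
from collections import deque, namedtuple
from itertools import count

NIL = "nil"
Heap = namedtuple("Heap", "cells preds eqs neqs")  # x|->y cells, P(args), a=b, a!=b

def heap(cells=(), preds=(), eqs=(), neqs=()):
    """Normalising constructor: structurally equal formulas get equal values."""
    return Heap(tuple(sorted(tuple(c) for c in cells)),
                tuple(sorted((n, tuple(a)) for n, a in preds)),
                frozenset(frozenset(e) for e in eqs), frozenset(frozenset(e) for e in neqs))

def star(h1, h2):
    return heap(h1.cells + h2.cells, h1.preds + h2.preds, h1.eqs | h2.eqs, h1.neqs | h2.neqs)

def subst(h, s):
    m = lambda v: s.get(v, v)
    return heap([(m(a), m(b)) for a, b in h.cells], [(n, [m(v) for v in a]) for n, a in h.preds],
                [[m(v) for v in e] for e in h.eqs], [[m(v) for v in e] for e in h.neqs])

# Constructed definitions, branch = (body over the parameters, existential variables):
#   ll(x)   = x=nil & emp | ∃z. x|->z * ll(z)
#   ls(x,y) = x=y & emp   | ∃z. x|->z * ls(z,y) & x!=y
#   bad(x)  = ∃z. x|->z * bad(z)              (no base case, hence unsatisfiable)
DEFS = {
    "ll": (("x",), [(heap(eqs=[("x", NIL)]), ()),
                    (heap(cells=[("x", "z")], preds=[("ll", ("z",))]), ("z",))]),
    "ls": (("x", "y"), [(heap(eqs=[("x", "y")]), ()),
                        (heap(cells=[("x", "z")], preds=[("ls", ("z", "y"))], neqs=[("x", "y")]), ("z",))]),
    "bad": (("x",), [(heap(cells=[("x", "z")], preds=[("bad", ("z",))]), ("z",))]),
}

def classes(h):
    """Union-find over the equalities; returns the representative function."""
    parent = {}
    def find(v):
        while parent.setdefault(v, v) != v:
            v = parent[v]
        return v
    for a, *rest in h.eqs:
        for b in rest:
            parent[find(a)] = find(b)
    return find

def implied_neqs(h):
    """Explicit disequalities plus separation facts: addresses are non-nil and distinct."""
    addrs = [a for a, _ in h.cells]
    return (set(h.neqs) | {frozenset({a, NIL}) for a in addrs}
            | {frozenset({a, b}) for i, a in enumerate(addrs) for b in addrs[i + 1:]})

def entails_pure(h, eqs=(), neqs=()):
    """Does the pure part of h (with separation facts) entail the given (in)equalities?"""
    find = classes(h)
    cls = lambda e: frozenset(find(v) for v in e)
    known = {cls(n) for n in implied_neqs(h)}
    return all(len(cls(e)) == 1 for e in eqs) and all(len(cls(n)) == 2 and cls(n) in known for n in neqs)

def consistent(h):
    return entails_pure(h, neqs=implied_neqs(h))

def instance_of(node, anc):
    """Cyclic-proof side condition: node = σ(anc) * extra with a cell in extra and pure(node)
    entailing σ(pure(anc)); a model of node then contains a strictly smaller model of anc."""
    na = [("|->", c) for c in node.cells] + list(node.preds)
    aa = [("|->", c) for c in anc.cells] + list(anc.preds)
    def extend(s, xs, ys):                     # grow the renaming σ; nil is fixed
        s = dict(s)
        for x, y in zip(xs, ys):
            if (x == NIL or y == NIL) and x != y or x != NIL and s.setdefault(x, y) != y:
                return None
        return s
    def go(i, used, s):
        if i == len(aa):
            img = subst(heap(eqs=anc.eqs, neqs=anc.neqs), s)
            return (any(j not in used and lab == "|->" for j, (lab, _) in enumerate(na))
                    and entails_pure(node, img.eqs, img.neqs))
        return any(s2 is not None and go(i + 1, used | {j}, s2)
                   for j, (lab, ys) in enumerate(na) if j not in used and lab == aa[i][0]
                   for s2 in [extend(s, aa[i][1], ys)])
    return go(0, frozenset(), {})

def unfold(h, defs, fresh):
    """Replace the first predicate atom by each branch of its definition."""
    (name, args), rest = h.preds[0], heap(h.cells, h.preds[1:], h.eqs, h.neqs)
    params, branches = defs[name]
    k = next(fresh)
    return [star(rest, subst(body, {**dict(zip(params, args)), **{v: f"{v}_{k}" for v in exists}}))
            for body, exists in branches]

def check_sat(formula, defs=DEFS, max_nodes=500):
    """Breadth-first unfolding: a consistent predicate-free disjunct is a model ("sat"); if every
    branch closes as contradictory or cyclic the answer is "unsat"; the budget gives "unknown"."""
    fresh, work, seen = count(1), deque([(formula, ())]), 0
    while work:
        h, ancestors = work.popleft()
        seen += 1
        if seen > max_nodes:
            return "unknown"
        if not consistent(h):                  # closed: contradictory disjunct
            continue
        if not h.preds:                        # explicit model found
            return "sat"
        if any(instance_of(h, a) for a in ancestors):   # closed: cyclic node
            continue
        work.extend((c, ancestors + (h,)) for c in unfold(h, defs, fresh))
    return "unsat"
```

`check_sat(heap(preds=[("bad", ("x",))]))` is the case that needs the cyclic check: `bad(x)` unfolds only to `x|->z_1 * bad(z_1)`, which is the root's shape plus one cell, so it is closed and the answer is `unsat` without any further unfolding. `ll(x) * x|->y` is refuted without cycles (both branches of `ll` contradict the separation facts), while `ls(x,y) * ls(y,x) & x!=y` is found satisfiable after four unfoldings.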
“…The aforementioned automated program verification tools based on separation logic [7,8,14,16,19,24,28] are all based on symbolic heaps, and increasingly targeted at verifying specifications involving user-defined rather than hard-coded predicates. Indeed, there are now even tools capable of automatically generating the definitions of inductive predicates needed for analysis [11,25]. On the theoretical side, the satisfiability problem for our logic was recently shown decidable [10] and its entailment problem undecidable [4], although decidability results have been obtained for restricted classes of entailments [5,22].…”
Abstract. We investigate the model checking problem for symbolic-heap separation logic with user-defined inductive predicates, i.e., the problem of checking that a given stack-heap memory state satisfies a given formula in this language, as arises e.g. in software testing or runtime verification. First, we show that the problem is decidable; specifically, we present a bottom-up fixed point algorithm that decides the problem and runs in exponential time in the size of the problem instance. Second, we show that, while model checking for the full language is EXPTIME-complete, the problem becomes NP-complete or PTIME-solvable when we impose natural syntactic restrictions on the schemata defining the inductive predicates. We additionally present NP and PTIME algorithms for these restricted fragments. Finally, we report on the experimental performance of our procedures on a variety of specifications extracted from programs, exercising multiple combinations of syntactic restrictions.
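As an added illustration of the bottom-up fixed point idea this abstract describes (example code, not the authors' implementation), the following checks a concrete stack-heap state against a symbolic heap with inductive predicates. Assumptions made for the example: addresses are integers with nil = 0, the pure part is limited to equalities and disequalities, and the schemata `ll`/`ls` and the names `body`, `footprints`, `build_table` and `model_check` are invented here. The table maps each predicate and argument tuple to the set of footprints (address sets) of sub-heaps that satisfy it; it starts empty, each round adds one more level of unfolding, and because footprints are subsets of a finite heap the iteration reaches a fixed point. Enumerating candidate values for the existential variables of each branch is exponential in the branch arity, which is in keeping with the exponential-time bound the abstract gives for the general problem; nothing about the NP or PTIME fragments should be read into this toy.

```python
"""Bottom-up model checking of a concrete stack-heap state against a symbolic
heap with inductive predicates.  Constructed example (not the paper's tool):
addresses are ints, nil is 0, and the pure part is (dis)equalities only."""
from itertools import product

NIL = 0

def body(cells=(), preds=(), eqs=(), neqs=()):
    """A symbolic heap: x|->y cells, P(args) atoms, a=b and a!=b constraints over
    names (or the literal NIL)."""
    return (tuple(cells), tuple(preds), tuple(eqs), tuple(neqs))

# Constructed schemata: name -> (params, [(existential vars, body)])
#   ll(x)   = x=nil & emp | ∃z. x|->z * ll(z)
#   ls(x,y) = x=y & emp   | ∃z. x|->z * ls(z,y) & x!=y
DEFS = {
    "ll": (("x",), [((), body(eqs=[("x", NIL)])),
                    (("z",), body(cells=[("x", "z")], preds=[("ll", ("z",))]))]),
    "ls": (("x", "y"), [((), body(eqs=[("x", "y")])),
                        (("z",), body(cells=[("x", "z")], preds=[("ls", ("z", "y"))], neqs=[("x", "y")]))]),
}

def footprints(form, env, heap, table):
    """Yield every footprint (address set) of a sub-heap of `heap` satisfying `form`
    under `env`, using the footprints already known for the predicate atoms."""
    cells, preds, eqs, neqs = form
    v = lambda t: t if isinstance(t, int) else env[t]
    if any(v(a) != v(b) for a, b in eqs) or any(v(a) == v(b) for a, b in neqs):
        return
    foot = frozenset()
    for a, b in cells:                       # each cell must exist, once, at a non-nil address
        addr = v(a)
        if addr == NIL or addr in foot or heap.get(addr) != v(b):
            return
        foot |= {addr}
    def go(i, foot):                         # one known sub-heap per atom, pairwise disjoint
        if i == len(preds):
            yield foot
            return
        name, args = preds[i]
        for f in table[name].get(tuple(v(t) for t in args), ()):
            if not f & foot:
                yield from go(i + 1, foot | f)
    yield from go(0, foot)

def build_table(heap, defs, values):
    """Kleene iteration: table[name][args] collects footprints of sub-heaps satisfying
    name(args).  Each round adds one unfolding level; footprints are subsets of a finite
    heap, so the iteration terminates at a fixed point."""
    table = {name: {} for name in defs}
    changed = True
    while changed:
        changed = False
        for name, (params, branches) in defs.items():
            for exists, form in branches:
                for vals in product(values, repeat=len(params) + len(exists)):
                    env = dict(zip(params + exists, vals))
                    found = table[name].setdefault(vals[:len(params)], set())
                    for f in list(footprints(form, env, heap, table)):
                        if f not in found:
                            found.add(f)
                            changed = True
    return table

def model_check(stack, heap, form, defs=DEFS):
    """Does (stack, heap) satisfy form?  Precise semantics: the footprint must be the whole heap."""
    values = sorted({NIL, *stack.values(), *heap, *heap.values()})
    table = build_table(heap, defs, values)
    return any(f == frozenset(heap) for f in footprints(form, stack, heap, table))
```

With the constructed heap `{1: 2, 2: 3, 3: 0}` and stack `{x: 1}`, `model_check` accepts `ll(x)`; with `{x: 2}` it rejects it because cell 1 is left over, which is the precise-semantics requirement that the footprint cover the whole heap. A two-cell cycle `{1: 2, 2: 1}` is rejected for `ll(x)` (no nil is reachable) but accepted for `ls(x,y) * ls(y,x) & x!=y`.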
Concolic testing is a test generation technique which works effectively by integrating random test generation and symbolic execution. Existing concolic testing engines focus on numeric programs. Heap-manipulating programs make extensive use of complex heap objects like trees and lists. Testing such programs is challenging for multiple reasons. Firstly, test inputs for such programs are required to satisfy non-trivial constraints which must be specified precisely. Secondly, precisely encoding and solving path conditions in such programs is challenging and often expensive. In this work, we propose the first concolic testing engine, called CSF, for heap-manipulating programs based on separation logic. CSF effectively combines specification-based testing and concolic execution for test input generation. It is evaluated on a set of challenging heap-manipulating programs. The results show that CSF efficiently generates valid test inputs with high coverage. Furthermore, we show that CSF can potentially be used in combination with precondition inference tools to reduce the user effort.