“…The other nine programs were obtained from [Antonopoulos et al 2017;Terauchi and Aiken 2005]. We compared ICRA on these 77 programs against three state-of-the-art software model checkers: Ultimate Automizer [Heizmann et al 2013] from SV-COMP16 and CPAchecker [Beyer and Keremoglu 2011] from SV-COMP17, both based on predicate abstraction; and SeaHorn [Gurfinkel et al 2015] version 0.1.0, a Horn-clause solver based on IC3. Timings (with a timeout limit of 60 seconds) were taken on a virtual machine (using Oracle VirtualBox), with a guest OS of Ubuntu 14.04, host of Microsoft Windows 7 Enterprise, and a 3.2 GHz quad-core Intel Core i5-4570 host CPU.…”
Automatic generation of non-linear loop invariants is a long-standing challenge in program analysis, with many applications. For instance, reasoning about exponentials provides a way to find invariants of digital-filter programs, and reasoning about polynomials and/or logarithms is needed for establishing invariants that describe the time or memory usage of many well-known algorithms. An appealing approach to this challenge is to exploit the powerful recurrence-solving techniques that have been developed in the field of computer algebra, which can compute exact characterizations of non-linear repetitive behavior. However, there is a gap between the capabilities of recurrence solvers and the needs of program analysis: (1) loop bodies are not merely systems of recurrence relations; they may contain conditional branches, nested loops, non-deterministic assignments, etc., and (2) a client program analyzer must be able to reason about the closed-form solutions produced by a recurrence solver (e.g., to prove assertions). This paper presents a method for generating non-linear invariants of general loops based on analyzing recurrence relations. The key components are an abstract domain for reasoning about non-linear arithmetic, a semantics-based method for extracting recurrence relations from loop bodies, and a recurrence solver that avoids closed forms that involve complex or irrational numbers. Our technique has been implemented in a program analyzer that can analyze general loops and mutually recursive procedures. Our experiments show that our technique shows promise for non-linear assertion-checking and resource-bound generation.
“…We set a 15GB memory limit and a 900s timeout for the analysis of each benchmark. We used SeaHorn [9] (v0.1.0), an LLVM-based [21] framework for verification of safety properties of programs using Horn Clause solvers; Ultimate Automizer [10] (SV-COMP16), an automata-based software model checker that is implemented in the Ultimate software analysis framework; CPAchecker (v1.4 with predicate abstraction), a tool for configurable software verification that supports a wide range of techniques, including predicate abstraction, and shape and value analysis; Impara (v0.2), a tool that implements an algorithm that combines a symbolic form of partial-order reduction and lazy abstraction with interpolants for concurrent programs; Satabs (v3.2), a verification tool based on predicate abstraction; and Threader (SV-COMP14), a tool that uses compositional reasoning with regards to the thread structure of concurrent programs based on abstraction refinement. VVT (SV-COMP16), a tool that can both verify programs using IC3 and predicate abstraction, also can find bugs using bounded model checking.…”
“…It is a mature SAT-based bounded software model checker that uses a partial-order approach [1] to handle concurrent programs. We further used Lazy-CSeq [12] (v1.0), a lazy sequentialization for bounded programs; CIVL [28] (v1.5), a framework that uses a combination of explicit model checking and symbolic execution for verification; and SMACK [24] (v1.5.2), a bounded software model checker that verifies programs up to a given bound on loop iterations and recursion depth. For all tools we used as loop unwinding and round bounds the (same) minimum values necessary to find all bugs in the given sub-category.…”
Abstract. Lazy sequentialization has emerged as one of the most promising approaches for concurrent program analysis, but the only efficient implementation given so far works just for bounded programs. This restricts the approach to bug-finding purposes. In this paper, we describe and evaluate a new lazy sequentialization translation that does not unwind loops and thus allows the analysis of unbounded computations, even with an unbounded number of context switches. In connection with an appropriate sequential backend verification tool it can thus also be used for the safety verification of concurrent programs, rather than just for bug-finding. The main technical novelty of our translation is the simulation of the thread resumption in a way that does not use gotos and thus does not require that each statement is executed at most once. We have implemented this translation in the UL-CSeq tool for C99 programs that use the pthreads API. We evaluate UL-CSeq on several benchmarks, using different sequential verification backends on the sequentialized program, and show that it is more effective than previous approaches in proving the correctness of the safe benchmarks, and still remains competitive with state-of-the-art approaches for finding bugs in the unsafe benchmarks.
“…A], annotated with upper-bound resource assertions of the bounds reported by C4B; and (iii) a miscellaneous collection of recursive programs. We also ran two state-of-the-art software model checkers, CPAchecker [3] and Ultimate Automizer [19], on the same programs. Specifically, we used CPAchecker version 1.6.1-unix with the configuration file "sv-comp16.properties", and the version of UAutomizer submitted to SV-COMP16.…”
Compositional recurrence analysis (CRA) is a static-analysis method based on an interesting combination of symbolic analysis and abstract interpretation. This paper addresses the problem of creating a context-sensitive interprocedural version of CRA that handles recursive procedures. The problem is non-trivial because there is an "impedance mismatch" between CRA, which relies on analysis techniques based on regular languages (i.e., Tarjan's path-expression method), and the context-free-language underpinnings of context-sensitive analysis. We address this issue by showing that we can make use of a recently developed framework, Newtonian Program Analysis via Tensor Product (NPA-TP), that reconciles this impedance mismatch when the abstract domain supports a few special operations. Our approach introduces new problems that are not addressed by NPA-TP; however, we are able to resolve those problems. We call the resulting algorithm Interprocedural CRA (ICRA). Our experimental study of ICRA shows that it has broad overall strength. The study showed that ICRA is both faster and handles more assertions than two state-of-the-art software model checkers. It also performs well when applied to the problem of establishing bounds on resource usage, such as memory used or execution time.