Using dynamic analysis to generate disjunctive invariants

Nguyen, ThanhVu; Kapur, Deepak; Weimer, Westley; Forrest, Stephanie

doi:10.1145/2568225.2568275

Cited by 28 publications

(9 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also do not consider general disjunctive invariants or numerical relations (e.g., only check equivalences among memory addresses and do not consider other relationships such as the address of x is greater than that of y). Existing numerical invariant studies [38,39] have shown that dynamic analysis often produces many spurious invariants involving disjunctions and general inequalities.…”

Section: Resultsmentioning

confidence: 99%

SLING: using dynamic analysis to infer program invariants in separation logic

Zheng

Nguyen

2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

We introduce a new dynamic analysis technique to discover invariants in separation logic for heap-manipulating programs. First, we use a debugger to obtain rich program execution traces at locations of interest on sample inputs. These traces consist of heap and stack information of variables that point to dynamically allocated data structures. Next, we iteratively analyze separate memory regions related to each pointer variable and search for a formula over predefined heap predicates in separation logic to model these regions. Finally, we combine the computed formulae into an invariant that describes the shape of explored memory regions.We present SLING, a tool that implements these ideas to automatically generate invariants in separation logic at arbitrary locations in C programs, e.g., program pre and postconditions and loop invariants. Preliminary results on existing benchmarks show that SLING can efficiently generate correct and useful invariants for programs that manipulate a wide variety of complex data structures.

show abstract

Section: Resultsmentioning

confidence: 99%

SLING: using dynamic analysis to infer program invariants in separation logic

Zheng

Nguyen

2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

show abstract

“…Notice that our problem of finding minimal refinements is a relaxation of this NPhard problem, as we are not interested in minimizing the number of subsets; rather, our notion of minimality corresponds to that of non-redundancy in [4]. Redundancy and minimization in logical formulae have been studied extensively, in work such as [18,19,26,30]. The notion of redundancy we present here is substantially different.…”

Section: Related Workmentioning

confidence: 99%

Minimal Assumptions Refinement for Realizable Specifications

Cavezza

Alrajeh

György

2020

Proceedings of the 8th International Conference on Formal Methods in Software Engineering

View full text Add to dashboard Cite

A challenge that has gathered much attention in recent years is automated synthesis of correct-by-construction software systems from declarative specifications. The specification language is typically a subset of linear temporal logic called generalized reactivity of rank 1, for which there exists an efficient synthesis algorithm. Specifications in this language model the system as the interaction between an environment and a controller, the former satisfying a set of assumptions and the latter a set of guarantees. In order for a solution to exist, a sufficient set of assumptions implying the guarantees must be provided. The assumptions must be as general as possible and small enough to be intelligible by engineers that need to assess their consistency with the true environment where the synthesized controller will operate. The search for such assumptions is generally a refinement approach driven by counterstrategies, characterizations of undesirable environment behaviors that force the violation of the guarantees; assumptions are progressively refined in order to exclude such behaviors. In this work we provide a heuristic to drive this counterstrategy-guided search towards smaller refinements. We define a concept of minimality of refinements with respect to counterstrategies and provide an algorithm that provably finds minimal refinements with little time overhead. We show experimentally that it consistently produces one or more shorter solutions than state of the art for a set of popular case studies. We also demonstrate that in a popular case study (AMBA-AHB protocol) our heuristic finds a close-to-optimal solution that cannot be found by previous fully automated approaches. CCS CONCEPTS • Software and its engineering Formalsoftwareverification; Requirements analysis; • Hardware Buses and high-speed links.

show abstract

“…Compared to earlier sampling-based approaches [49,60,65,66] which learn invariants using existing abstract interpretation transformers, our primary focus is a new specification inference technique inspired by recent advances in data-driven program analysis. These data-driven approaches can be classified into two broad categories: (1) Tools such as Daikon [12] and [18,21,42,53,70] infer invariants by summarizing properties from test data, but the structure of the constructed invariants is limited to a bounded number of disjunctions, making them unlikely to discover patterns between relations like in-order or forward-order, because it is not clear how syntax-derived templates could capture the semantics of ordering relations implicit in the construction of data structures; (2) Other tools learn unrestricted invariants but either require user-annotated post-conditions [15,16,36,51,54,69] (in order to rule out program states not seen in normal executions) or noncommutativity conditions [17] to drive the collection of "bad samples". The quality of synthesized invariants in these systems is limited by the precision and availability of such conditions.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

“…Notably, existing data-driven learning techniques are ineffective in discovering such specifications. Template-based mining techniques [12,42,53] require us to provide the Boolean skeleton of these specifications a priori, which we often do not know. Classification-based learning techniques [15,16,51,54,69] search for specifications that rule out so-called bad program states that represent violations of programmer-supplied assertions, usually annotated as postconditions in source programs.…”

Section: Introductionmentioning

confidence: 99%

Automatically learning shape specifications

2016

View full text Add to dashboard Cite

This paper presents a novel automated procedure for discovering expressive shape specifications for sophisticated functional data structures. Our approach extracts potential shape predicates based on the definition of constructors of arbitrary user-defined inductive data types, and combines these predicates within an expressive first-order specification language using a lightweight data-driven learning procedure. Notably, this technique requires no programmer annotations, and is equipped with a type-based decision procedure to verify the correctness of discovered specifications. Experimental results indicate that our implementation is both efficient and effective, capable of automatically synthesizing sophisticated shape specifications over a range of complex data types, going well beyond the scope of existing solutions.

show abstract

Using dynamic analysis to generate disjunctive invariants

Cited by 28 publications

References 43 publications

SLING: using dynamic analysis to infer program invariants in separation logic

SLING: using dynamic analysis to infer program invariants in separation logic

Minimal Assumptions Refinement for Realizable Specifications

Automatically learning shape specifications

Contact Info

Product

Resources

About