Filters








109 Hits in 1.3 sec

Spatial Interpolants [article]

Aws Albarghouthi, Josh Berdine, Byron Cook, Zachary Kincaid
2015 arXiv   pre-print
We propose Splinter, a new technique for proving properties of heap-manipulating programs that marries (1) a new separation logic-based analysis for heap reasoning with (2) an interpolation-based technique for refining heap-shape invariants with data invariants. Splinter is property directed, precise, and produces counterexample traces when a property does not hold. Using the novel notion of spatial interpolants modulo theories, Splinter can infer complex invariants over general recursive
more » ... ates, e.g., of the form all elements in a linked list are even or a binary tree is sorted. Furthermore, we treat interpolation as a black box, which gives us the freedom to encode data manipulation in any suitable theory for a given program (e.g., bit vectors, arrays, or linear arithmetic), so that our technique immediately benefits from any future advances in SMT solving and interpolation.
arXiv:1501.04100v1 fatcat:zkbago6jmnahbixu5bqcprr3c4

Spatial Interpolants [chapter]

Aws Albargouthi, Josh Berdine, Byron Cook, Zachary Kincaid
2015 Lecture Notes in Computer Science  
We propose SplInter, a new technique for proving properties of heap-manipulating programs that marries (1) a new separation logic-based analysis for heap reasoning with (2) an interpolation-based technique for refining heap-shape invariants with data invariants. SplInter is property directed, precise, and produces counterexample traces when a property does not hold. Using the novel notion of spatial interpolants modulo theories, SplInter can infer complex invariants over general recursive
more » ... ates, e.g., of the form all elements in a linked list are even or a binary tree is sorted. Furthermore, we treat interpolation as a black box, which gives us the freedom to encode data manipulation in any suitable theory for a given program (e.g., bit vectors, arrays, or linear arithmetic), so that our technique immediately benefits from any future advances in SMT solving and interpolation.
doi:10.1007/978-3-662-46669-8_26 fatcat:igaxfz3slvbdtbv3odp57drxke

Verification Condition Generation and Variable Conditions in Smallfoot [article]

Josh Berdine, Cristiano Calcagno, Peter W. O'Hearn
2012 arXiv   pre-print
Ian Wehrman and Berdine have since found some cases where these relaxed conditions are unsound, prompting a revisitation of this topic.  ... 
arXiv:1204.4804v1 fatcat:sjm5kv2jfnhjpeiu4dyyevuapi

Thread-modular shape analysis

Alexey Gotsman, Josh Berdine, Byron Cook, Mooly Sagiv
2007 SIGPLAN notices  
We present the first shape analysis for multithreaded programs that avoids the explicit enumeration of execution-interleavings. Our approach is to automatically infer a resource invariant associated with each lock that describes the part of the heap protected by the lock. This allows us to use a sequential shape analysis on each thread. We show that resource invariants of a certain class can be characterized as least fixed points and computed via repeated applications of shape analysis only on
more » ... ach individual thread. Based on this approach, we have implemented a thread-modular shape analysis tool and applied it to concurrent heap-manipulating code from Windows device drivers.
doi:10.1145/1273442.1250765 fatcat:qknm2ogxdvcuxlkcw26cigov7a

:{unav)

Josh Berdine, Peter O'Hearn, Uday Reddy, Hayo Thielecke
2012 Higher-Order and Symbolic Computation  
in analogy with "Σ" (Sigma) for iterated sum and "Π" (Pi) for iterated product.LinUC.tex; 2/08/2002;14:30; p.20 LinUC.tex; 2/08/2002; 14:30; p.21 LinUC.tex; 2/08/2002; 14:30; p. 23 Berdine  ... 
doi:10.1023/a:1020891112409 fatcat:qnacygxbcfhtxijr4xfi2wuz64

Symbolic Execution with Separation Logic [chapter]

Josh Berdine, Cristiano Calcagno, Peter W. O'Hearn
2005 Lecture Notes in Computer Science  
We describe a sound method for automatically proving Hoare triples for loop-free code in Separation Logic, for certain preconditions and postconditions (symbolic heaps). The method uses a form of symbolic execution, a decidable proof theory for symbolic heaps, and extraction of frame axioms from incomplete proofs. This is a precursor to the use of the logic in automatic specification checking, program analysis, and model checking.
doi:10.1007/11575467_5 fatcat:2gjjlzccfjardj2424agvwfqqa

Variance analyses from invariance analyses

Josh Berdine, Aziem Chawdhary, Byron Cook, Dino Distefano, Peter O'Hearn
2007 SIGPLAN notices  
An invariance assertion for a program location is a statement that always holds at during execution of the program. Program invariance analyses infer invariance assertions that can be useful when trying to prove safety properties. We use the term variance assertion to mean a statement that holds between any state at and any previous state that was also at . This paper is concerned with the development of analyses for variance assertions and their application to proving termination and liveness
more » ... roperties. We describe a method of constructing program variance analyses from invariance analyses. If we change the underlying invariance analysis, we get a different variance analysis. We describe several applications of the method, including variance analyses using linear arithmetic and shape analysis. Using experimental results we demonstrate that these variance analyses give rise to a new breed of termination provers which are competitive with and sometimes better than today's state-of-the-art termination provers.
doi:10.1145/1190215.1190249 fatcat:e7egkqmt55f73dahlrbwxllz2e

Structuring the verification of heap-manipulating programs

Aleksandar Nanevski, Viktor Vafeiadis, Josh Berdine
2010 SIGPLAN notices  
Most systems based on separation logic consider only restricted forms of implication or non-separating conjunction, as full support for these connectives requires a non-trivial notion of variable context, inherited from the logic of bunched implications (BI). We show that in an expressive type theory such as Coq, one can avoid the intricacies of BI, and support full separation logic very efficiently, using the native structuring primitives of the type theory. Our proposal uses reflection to
more » ... le equational reasoning about heaps, and Hoare triples with binary postconditions to further facilitate it. We apply these ideas to Hoare Type Theory, to obtain a new proof technique for verification of higher-order imperative programs that is general, extendable, and supports very short proofs, even without significant use of automation by tactics. We demonstrate the usability of the technique by verifying the fast congruence closure algorithm of Nieuwenhuis and Oliveras, employed in the state-of-the-art Barcelogic SAT solver. 1. a = b → class inv D → class inv (join class D a b ) 2. a = b → class inv D → class inv (join use D a b ) 3. class inv D → class inv (propagate D) Most of the other predicates from the definition of shape were much more difficult to establish, primarily because they are actually invalidated at various point of the execution, but are then reestablished at the end. Thus, we needed to generalize these predi-
doi:10.1145/1707801.1706331 fatcat:xjuqhyzrebcb5oufdmguyr2k5m

A Forward Analysis for Recurrent Sets [chapter]

Alexey Bakhirkin, Josh Berdine, Nir Piterman
2015 Lecture Notes in Computer Science  
Non-termination of structured imperative programs is primarily due to infinite loops. An important class of non-terminating loop behaviors can be characterized using the notion of recurrent sets. A recurrent set is a set of states from which execution of the loop cannot or might not escape. Existing analyses that infer recurrent sets to our knowledge rely on one of: the combination of forward and backward analyses, quantifier elimination, or SMT-solvers. We propose a purely forward abstract
more » ... rpretation-based analysis that can be used together with a possibly complicated abstract domain where none of the above is readily available. The analysis searches for a recurrent set of every individual loop in a program by building a graph of abstract states and analyzing it in a novel way. The graph is searched for a witness of a recurrent set that takes the form of what we call a recurrent component which is somewhat similar to the notion of an end component in a Markov decision process.
doi:10.1007/978-3-662-48288-9_17 fatcat:wpjk3higdjhbjb6lkcilpf5erm

A Decidable Fragment of Separation Logic [chapter]

Josh Berdine, Cristiano Calcagno, Peter W. O'Hearn
2004 Lecture Notes in Computer Science  
We present a fragment of separation logic oriented to linked lists, and study decision procedures for validity of entailments. The restrictions in the fragment are motivated by the stylized form of reasoning done in example program proofs. The fragment includes a predicate for describing linked list segments (a kind of reachability or transitive closure). Decidability is first proved by semantic means: by showing a small model property that bounds the size of potential countermodels that must
more » ... checked. We then provide a complete proof system for the fragment, the termination of which furnishes a second decision procedure.
doi:10.1007/978-3-540-30538-5_9 fatcat:u27sggqivfbb3pycqrq6yhdltu

SLAyer: Memory Safety for Systems-Level Code [chapter]

Josh Berdine, Byron Cook, Samin Ishtiaq
2011 Lecture Notes in Computer Science  
SLAyer is a program analysis tool designed to automatically prove memory safety of industrial systems code. In this paper we describe SLAyer's implementation, and its application to Windows device drivers. This paper accompanies the first release of SLAyer.
doi:10.1007/978-3-642-22110-1_15 fatcat:nlmzrrv5kfen5p6bfgbjymffdy

Interprocedural Shape Analysis with Separated Heap Abstractions [chapter]

Alexey Gotsman, Josh Berdine, Byron Cook
2006 Lecture Notes in Computer Science  
We describe an interprocedural shape analysis that makes use of spatial locality (i.e. the fact that most procedures modify only a small subset of the heap) in its representation of abstract states. Instead of tracking reachability information directly and aliasing information indirectly, our representation tracks reachability indirectly and aliasing directly. Computing the effect of procedure calls and returns on an abstract state is easy because the representation exhibits spatial locality
more » ... roring the locality that is present in the concrete semantics. The benefits of this approach include improved speed, support for programs that deallocate memory, the handling of bounded numbers of heap cutpoints, and support for cyclic and shared data structures.
doi:10.1007/11823230_16 fatcat:jo6ybevimbdkdagtheok5ig7wq

Resourceful Reachability as HORN-LA [chapter]

Josh Berdine, Nikolaj Bjørner, Samin Ishtiaq, Jael E. Kriener, Christoph M. Wintersteiger
2013 Lecture Notes in Computer Science  
The program verification tool SLAyer uses abstractions during analysis and relies on a solver for reachability to refine spurious counterexamples. In this context, we extract a reachability benchmark suite and evaluate methods for encoding reachability properties with heaps using Horn clauses over linear arithmetic. The benchmarks are particularly challenging and we describe and evaluate pre-processing transformations that are shown to have significant effect.
doi:10.1007/978-3-642-45221-5_10 fatcat:jwjtagrd6ncl3giimo6ik433ju

Diagnosing Abstraction Failure for Separation Logic–Based Analyses [chapter]

Josh Berdine, Arlen Cox, Samin Ishtiaq, Christoph M. Wintersteiger
2012 Lecture Notes in Computer Science  
Abstraction refinement is an effective verification technique for automatically proving safety properties of software. Application of this technique in shape analyses has proved impractical as core components of existing refinement techniques such as backward analysis, general conjunction, and identification of unreachable but doomed states are computationally infeasible in such domains. We propose a new method to diagnose proof failures to be used in a refinement scheme for Separation
more » ... ed shape analyses. To check feasibility of abstract error traces, we perform Bounded Model Checking over the traces using a novel encoding into SMT. A subsequent diagnosis finds discontinuities on infeasible traces, and identifies doomed states admitted by the abstraction. To construct doomed states, we give a model-finding algorithm for "symbolic heap" Separation Logic formulas, employing the execution machinery of the feasibility checker to search for concrete counter-examples. The diagnosis has been implemented in SLAyer, and we present a simple scheme for refining the abstraction of hierarchical data structures, and illustrate its effectiveness on benchmarks from the SLAyer test suite. This work was performed while an intern at Microsoft Research, Cambridge.
doi:10.1007/978-3-642-31424-7_16 fatcat:zmat27hfpje43mcpxpf35jkavm

Smallfoot: Modular Automatic Assertion Checking with Separation Logic [chapter]

Josh Berdine, Cristiano Calcagno, Peter W. O'Hearn
2006 Lecture Notes in Computer Science  
Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe Smallfoot, a tool for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and this allows reasoning to be fully automatic. The presentation in the paper is tutorial in style. We illustrate what the tool can do via examples which are oriented toward novel aspects of separation
more » ... c, namely: avoidance of frame axioms (which say what a procedure does not change); embracement of "dirty" features such as memory disposal and address arithmetic; information hiding in the presence of pointers; and modular reasoning about concurrent programs.
doi:10.1007/11804192_6 fatcat:i7otxuwxard6jijiaiwvefoswm
« Previous Showing results 1 — 15 out of 109 results