Automatic Verification of Integer Array Programs

Automatic Verification of

Integer Array Programs

Marius Bozga

1

, Peter Habermehl

2

, Radu Iosif

1

,

Filip Kone ˇcný

3 , 4

, Tomáš Vojnar

3

1 VERIMAG, CNRS/UJF/INPG, France

2 LIAFA, Université Paris Diderot/CNRS, France

3 Brno University of Technology, Czech Republic

4 VERIMAG, Université Joseph Fourier, France

Automatic Verification of Integer Array Programs – p. 1/17

Verification Problem

Proving Hoare triples

• {P} C {Q}




• {P} C {Q}

Considered programs

• integer arrays

• integer variables

• assignments

• conditional statements

• non-nested while loops

3

4

5

1

2

6

7

Example: Array rotation begin

e : = a [ 0 ] ; i = 0 ; while ( i ≤ n − 2 ) do a [ i ] : = a [ i + 1 ] ; i + + ; a [ n − 1 ] : = e ; end e

0 1 2

...

...

...

n − 1 e




• {P} C {Q}

Considered programs

• integer arrays

• integer variables

• assignments

• conditional statements

• non-nested while loops

Pre/Post-condition

• SIL – a decidable logic

[Habermehl, Iosif,

Vojnar LPAR’08]

Example: Array rotation pre-condition:

( n > 0 ) ∧

∀ i .

( 0 ≤ i ≤ n − 1 ) ⇒ ( a [ i ] = a

0

[ i ])

4

5

6

1

2

3 begin

e : = a [ 0 ] ; i = 0 ; while ( i ≤ n − 2 ) do a [ i ] : = a [ i + 1 ] ; i + + ;

7 a [ n − 1 ] : = e ; end post-condition:

∀ i .

( 0 ≤ i ≤ n − 2 ) ⇒ ( a [ i ] = a

0

[ i + 1 ]) ∧

∀ i .

( i = n − 1 ) ⇒ ( a [ i ] = g )

∀ i .

( i = 0 ) ⇒ ( a

0

[ i ] = g )


Verification Framework

Program state

• valuation of array variables to finite integer sequences a 7→ [ 2 , 3 , 4 , 7 , 9 , 10 ] , b 7→ [ 1 , 4 , 5 , 8 , 9 , 11 ]



Program state


Counter automata

• counter automata = integer programs with non-deterministic assignments ( x

′

< 10 )

• reachability of a control state is undecidable in general

• decidability of certain subclasses: flat, reversal-bounded, . . .

• tools available: ARMC, FAST, ASPIC, . . .



Program state


Counter automata

• counter automata = integer programs with non-deterministic assignments ( x

′

< 10 )

• reachability of a control state is undecidable in general

• decidability of certain subclasses: flat, reversal-bounded, . . .

• tools available: ARMC, FAST, ASPIC, . . .

Idea of encoding of a state a: b:

2 3 4 7 9 10

1 4 5 8 9 11

0 1 2 3 4 5 steps



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ

SIL post−condition

ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ ′


ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ ′ conversion

A ϕ ′


ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...


A ϕ ′ conversion

T

L


ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ ′ conversion conversion

A ϕ ′

⊗

T

L


ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ

2 ϕ ′ conversion conversion

⊗

T

L

A ϕ ′ } conversion

(abstraction)


ψ



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

}

SIL post−condition ϕ post−condition calculus ϕ

2

.

.

.

ϕ n

ψ

′ ϕ ′ conversion conversion

⊗

T

L


(abstraction)



SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

}

SIL post−condition ϕ post−condition calculus ϕ ′ conversion conversion

⊗

T

L

A ϕ ′ } ϕ

2

.

.

.

ϕ n

′ conversion

(abstraction)

} ϕ n

′

⇒

ψ

?


SIL – Single Index Logic n > 0 ∧ ∀ i .

( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]

SIL formulae – boolean combinations of:

• Presburger constraints on bound variables and

• array properties comparing array elements within a constant sized window.



( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]




Array property is a formula of the form:

∀ i .

γ

( i ) →

υ

( i ) , where:



( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]





∀ i .

γ

( i ) →

υ

( i ) , where:

• γ is a guard expression

– constraints on scalar variables



( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]





∀ i .

γ

( i ) →

υ

( i ) , where:



• υ is a value expression

– constraints on array terms a [ i + k ] ( k ∈ Z ) and the index variable i



( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]





∀ i .

γ

( i ) →

υ

( i ) , where:





– singly indexed : i is the only index variable



( 0 ≤ i ≤ n − 2 ) → a [ i ] = a

0

[ i + 1 ]





∀ i .

γ

( i ) →

υ

( i ) , where:





– singly indexed : i is the only index variable

Difference bound constraints : x − y ≤

α

, x ≤

α

, x ≥

α

,

α

∈ Z


SIL to Counter Automata

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...


A ϕ ′


ψ



Encoding of arrays

• accepting runs of a CA correspond to models of a SIL formula





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )

• array variable a → value counter x and index counter i x

′ = x + 2 ∧ i < 4 ∧ i

′ = i + 1 q i x < 5 ∧ x

′ = x + 2 ∧ i = 0 ∧ i

′ = i + 1 q

1 x

′ = x + 2 ∧ i = 4 ∧ i

′ = i + 1 q f





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )


′ = x + 2 ∧ i < 4 ∧ i

′ = i + 1 q i x < 5 ∧ x

′ = x + 2 ∧ i = 0 ∧ i

′ = i + 1 q

1 x

′ = x + 2 ∧ i = 4 ∧ i

′ = i + 1 q f





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )


′ = x + 2 ∧ i < 4 ∧ i

′ = i + 1 q i x < 5 ∧ x

′ = x + 2 ∧ i = 0 ∧ i

′ = i + 1 q

1 x

′ = x + 2 ∧ i = 4 ∧ i

′ = i + 1 q f





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )

• array variable a → value counter x and index counter i x

′ = x + 2 ∧ i < 4 ∧ i

′ = i + 1 q i x < 5 ∧ x

′ = x + 2 ∧ i = 0 ∧ i

′ = i + 1 q

1 x

′ = x + 2 ∧ i = 4 ∧ i

′ = i + 1 q f





Example: a [ 0 ]

< 5 ∧ ∀ i .

( 0 ≤ i ≤ 4 ) → ( a [ i + 1 ] = a [ i ] + 2 )


′ = x + 2 ∧ i < 4 ∧ i

′ = i + 1 q i x < 5 ∧ x

′ = x + 2 ∧ i = 0 ∧ i

′ = i + 1 q

1 x

′ = x + 2 ∧ i = 4 ∧ i

′ = i + 1 q f

• a model a = [ 3 , 5 , 7 , 9 , 11 , 13 ] , a run i 0 1 2 3 4 5 x 3 5 7 9 11 13


Loops to Counter Transducers

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...


A ϕ ′ conversion

T

L


ψ



Array access

• via terms a [ i ]

, . . . , a [ i + n ]



Array access


, . . . , a [ i + n ]

Encoding of an array

• 1 index counter to code i

•

2 ( n + 1 ) array counters

– code input/output values of a [ i ]

, . . . , a [ i + n ] ( n ∈ Z )

– the contents shifts when i++ is performed



Array access


, . . . , a [ i + n ]

Encoding of an array

• 1 index counter to code i

•

2 ( n + 1 ) array counters

– code input/output values of a [ i ]

, . . . , a [ i + n ] ( n ∈ Z )

– the contents shifts when i++ is performed

Example

• loop: for (i=0; i<=5; i++) a[i℄=a[i℄+3;

• input state: a = [ 3 , 5 , 7 , 9 , 11 , 13 ] , output state: a

′ = [ 6 , 8 , 10 , 12 , 14 , 16 ]

• run: i (index) 0 1 2 3 4 5 x (input-value) 3 5 7 9 11 13 y (output-value) 6 8 10 12 14 16


Rotation Example – Loop Transducer i = 0 ; while ( i ≤ n − 2 ) do a [ i ] : = a [ i + 1 ] ; i + + ; q

0

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 i ≤ n − 2 ∧ x

′ w o

1

′

= x o ′ w i

1

= w o

1

∧

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ = i

∧ y

+

=

1 x o ′

∧

{2} q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ =

∧ i y

+

=

1 x o ′

∧

{4} q su f i = N

{5} q f in



0 i ≤ n − 2 ∧ x o ′

= w o

1

∧ x

′ w o

1

′

= w i

1

= w i

1

′ i

′

∧ w o

0

′

= i

∧ y

+

=

=

1 w x o

1 o ′

∧

∧

{2}

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 q loop i > n − 2

{3} i < N ∧ x o ′ = w o

0

∧ x

′ w o

1

′

= w i

1

= w i

1

′ i

′

∧ w o

0

′

=

∧ i y

+

=

=

1 w x o

1 o ′

∧

∧

{4} q su f i = N

{5} initialization q f in



0 i ≤ n − 2 ∧ x o ′

= w o

1

∧ x

′ w o

1

′

= w i

1 i

′

∧ w

= w i

1

′

= i o

0

+

′

1

= w o

1

∧

∧ y = x o ′

∧

{2}

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ =

∧ i y

+

=

1 x o ′

∧

{4} q su f i = N

{5} q f in



0

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 i ≤ n − 2 ∧ x o ′ = w o

1

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ = i

∧ y

+

=

1 x o ′

∧

{2} q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ =

∧ i y

+

=

1 x o ′

∧

{4} q su f i = N

{5} q f in



0 i ≤ n − 2 ∧ x o ′

= w o

1

∧ x

′ w o

1

′

= w i

1 i

′

∧ w

= w i

1

′

= i o

0

+

′

1

= w o

1

∧

∧ y = x o ′

∧

{2}

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ =

∧ i y

+

=

1 x o ′

∧

{4} q su f i = N

{5} q f in



0

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 i ≤ n − 2 ∧ x

′ w o

1

′

= x o ′ w i

1

= w o

1

∧

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ = i

∧ y

+

=

1 x o ′

∧

{2} q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ =

∧ i y

+

=

1 x o ′

∧

{4} q su f i = N

{5} q f in



0

N > 0 ∧ i = 0 ∧ x = w o

0

∧ w o

1

{1}

= w i

1 i ≤ n − 2 ∧ x

′ w o

1

′

= x o ′ w i

1

= w o

1

∧

∧ w o

0

′ = w o

1

∧

= w i

1

′ i

′ = i

∧ y

+

=

1 x o ′

∧

{2} q loop i > n − 2

{3} i < N ∧ x o ′

= w o

0

∧ x

′ w o

1

′

= w i

1

= w i

1

′ i

′

∧ w

= i

∧ o

0 y

+

′

= w o

1

∧

=

1 x o ′

∧

{4} q su f i = N

{5} q f in finalization


Post-image of a Transducer

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ ′ conversion conversion

A ϕ ′

⊗

T

L


ψ


Post-image of a Transducer

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

}


A ϕ ′

⊗

T

L

A ϕ

′

T

L input states transition relation

A ϕ

′

⊗ T

L output states

ψ


From CA to SIL – Abstraction (1)

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

} ϕ post−condition calculus ϕ

2 ϕ ′ conversion conversion

⊗

T

L


(abstraction)


ψ



Main idea

• post-condition automata can be directly translated back to SIL when:

– no nested loops appear in the control structure

– the only loops are self-loops

– all transitions on loops are DBM constraints

• each self-loop is translated to an array-property formula

• connect array property formulae by ∧ (sequences) and ∨ (branches)



Abstraction steps

• partition arrays into classes whose index advances at the same time y x a

′ b y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c y b x a

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +




• partition arrays into classes whose index advances at the same time

• make a copy A i class for each y x a

′ b y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c

A

A

1

.

..

A n y b x a

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +





• make a copy A i class for each

• create an abstraction A i

′ of each copy A i

(over-approximate) y x a

′ b y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c

A

A

1

.

..

A n

A

1

.

..

′

A n

′ y b x a

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +








(over-approximate)

• translate each A i

′ to ϕ i y x a

′ b y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c

A

A

1

.

..

A n

A

1

.

..

′

A n

′ ϕ

1

.

..

ϕ n y b x a

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +








(over-approximate)

• translate each A i

′ to ϕ i

• resulting formula is V ϕ i y x a

′ b y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c y b x a

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +

A

A

1

.

..

A n

A

1

.

..

′

A n

′ ϕ

1

.

..

ϕ n ϕ

= V n i = 1 ϕ i


From CA to SIL – Abstraction (3) x a y b

′ y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c t

1 t

2 x a y b

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +



′ y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c t

1 t

2 x a y b

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +

[ i b

] class y x a

′ b y c

′

≥

=

0 x a

, i

, i a b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 y b x a

′

< 0

= y b

,

, i i a b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ + t

2



′ y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c t

1 t

2 x a y b

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +

[ i b

] class y x a

′ b y c

′

≥

=

0 x a

, i

, i a b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 y b x a

′

< 0

= y b

,

, i i a b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ + t

2

→ x a y b

′ y c

′

≥ 0 , i a

= x a

, i b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 t

2

∗ i a

′

≥ i a

, y b

′ i a

′

= y

− i a b

, i b

= i c

′

′

= i b

,

− i c



′ y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c t

1 t

2 x a y b

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +

[ i b

] class y x a

′ b y c

′

≥

=

0 x a

, i

, i a b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 y b x a

′

< 0

= y b

,

, i i a b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ + t

2

→ x a y b

′ y c

′

≥ 0 , i a

= x a

, i b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 t

2

∗ i a

′

≥ i a

, y b

′ i a

′

= y

− i a b

, i b

= i c

′

′

= i b

,

− i c

→ y b

′

≥ 0 , i b

+ + t

1

◦ t

2

∗



′ y c

′

≥ 0 , i a

+ + ,

= x a

, i b

= y c

, i c

′

+ + ,

= i c t

1 t

2 x a y b

′

< 0 , i a

= y b

, i b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ +

[ i b

] class y x a

′ b y c

′

≥

=

0 x a

, i

, i a b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 y b x a

′

< 0

= y b

,

, i i a b

′

+ + ,

= i b

, y c

′ = x a

, i c

+ + t

2

→ x a y b

′ y c

′

≥ 0 , i a

= x a

, i b

= y c

, i c

′

+ + ,

+ +

= i c

, t

1 t

2

∗ i a

′

≥ i a

, y b

′ i a

′

= y

− i a b

, i b

= i c

′

′

= i b

,

− i c

→ y b

′

≥ 0 , i b

+ + t

1

◦ t

2

∗

→ ∀ i .

( i ≥ 1 ) → ( b [ i ] ≥ 0 )


SIL Entailment

SIL pre−condition

// non-looping code

...

if() ...

else if() ...

else ...

...

while ( . . .

) { if() ...

else if() ...

...

else ...

}


⊗

T

L

A ϕ ′ }

.

.

.

ϕ

2 ϕ n

′ conversion

(abstraction)

} ϕ n

′

⇒

ψ

?


SIL Entailment

Given

• ϕ n

′

– inferred post-condition in SIL

• ψ

– user-specified post-condition in SIL

Entailment check

• validity of ϕ n

′

→

ψ

• unsatisfiability of ϕ n

′

∧ ¬

ψ

• satisfiability of SIL is decidable


Results

Size of automata encoding the loop post-condition program init partition insert control states counters

7

4

4

4

8

24

19

15 rotate


Results

Size of automata encoding the loop post-condition program init partition insert control states counters

7

4

4

4

8

24

19

15 rotate

Abstraction technique

• sufficient to prove user post-conditions program init partition insert post-condition

∀ i .

( 0 ≤ i ≤ n − 1 ) ⇒ ( a [ i ] = 0 )

∀ i .

( 0 ≤ i ≤ n b

− 1 ) ⇒ ( b [ i ] ≥ 0 ) ∧ ∀ i .

( 0 ≤ i ≤ n c

− 1 ) ⇒ ( c [ i ]

< 0 )

∀ i .

( 0 ≤ i ≤ n − 2 ) ⇒ ( a [ i ] ≤ a [ i + 1 ]) ∧ ∀ i .

( i = k ) ⇒ ( a [ i ] = e )

∀ i .

( 0 ≤ i ≤ n − 2 ) ⇒ ( a [ i ] = a

0

[ i + 1 ]) ∧ ∀ i .

( i = n − 1 ) ⇒ ( a [ i ] = e ) rotate


Summary

Approach

• two-way automata-logic connection (counter automata, SIL logic)


Summary

Approach

• two-way automata-logic connection (counter automata, SIL logic) verification problem involving arrays ( uninterpreted functions )

⇓ reachability problem on CA ( non-deterministic integer programs )


Summary

Approach



Highlights

• translation from loops to CA without fixpoint computation


Summary

Approach



Highlights


• inferred post-conditions in a decidable logic (SIL)


Summary

Approach



Highlights


• inferred post-conditions in a decidable logic (SIL)

• leveraging on the progress on CA tools


Ongoing / Future Work

FLATA – a counter automata tool

• goals

– checking of safety properties

– computation of the input-output relation

• approach

– fast algorithm for transitive closure of a DBM relation

– techniques for elimination of control states

– reduce number of counters


Ongoing / Future Work

FLATA – a counter automata tool

• goals

– checking of safety properties

– computation of the input-output relation

• approach

– fast algorithm for transitive closure of a DBM relation

– techniques for elimination of control states

– reduce number of counters

More general classes of programs

• nested loops

• function calls

Termination checking


Related Work

Abstract interpretation

A Framework for Numeric Analysis of Array Operations

D. Gopan, T.W. Reps, and S. Sagiv

In POPL’05. ACM, 2005

Discovering Properties about Arrays in Simple Programs

N. Halbwachs and M. Péron

In Proc. of PLDI’08. ACM, 2008

Lifting Abstract Interpreters to Quantified Logical Domains

S. Gulwani, B. McCloskey, and A. Tiwari

In POPL’08. ACM, 2008


Related Work

Predicate abstraction / Interpolation

Array Abstractions from Proofs

R. Jhala and K. McMillan

In CAV’07, LNCS 4590. Springer, 2007

Quantified Invariant Generation Using an Interpolating Saturation Prover

K. McMillan

In Proc. of TACAS’08, LNCS 4963. Springer, 2008


Related Work

Logics / Theorem proving

What’s Decidable About Arrays?

A.R. Bradley, Z. Manna, and H.B. Sipma

In Proc. of VMCAI’06, LNCS 3855. Springer, 2006

Rewriting Systems with Data: A Framework for Reasoning about Systems with Unbounded Structures over Infinite Data Domains

A. Bouajjani, P. Habermehl, Y. Jurski, and M. Sighireanu

In Proc. FCT’07, LNCS 4639, 2007

Finding Loop Invariants for Programs over Arrays Using a Theorem Prover

L. Kovács and A. Voronkov

In Proc. of FASE’09, LNCS 5503, Springer, 2009

A Logic-Based Framework for Reasoning about Composite Data Structures

A. Bouajjani, C. Dragoi, C. Enea, M. Sighireanu

In Proc. of CONCUR’09, LNCS 5710, Springer, 2009


Questions?


Automatic Verification of Integer Array Programs

Automatic Verification of

Integer Array Programs

Questions?

Related documents

Products

Support

Automatic Verification of Integer Array Programs