Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs

@article{Gawlitza2012InvariantGT,
  title={Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs},
  author={Thomas Gawlitza and David Monniaux},
  journal={Log. Methods Comput. Sci.},
  year={2012},
  volume={8}
}
We consider the problem of computing numerical invariants of programs, for instance bounds on the values of numerical program variables. More specifically, we study the problem of performing static analysis by abstract interpretation using template linear constraint domains. Such invariants can be obtained by Kleene iterations that are, in order to guarantee termination, accelerated by widening operators. In many cases, however, applying this form of extrapolation leads to invariants that are… 

Finding inductive invariants using satisfiability modulo theories and convex optimization. (Recherche d'invariants inductifs par satisfiabilité modulo théorie et optimisation convexe)

TLDR
A novel "formula slicing" method for finding potentially disjunctive inductive invariants from program fragments obtained by symbolic execution is developed, and an algorithm parameterizable with any abstract interpretation for summary generation is developed and studied.

Inductive Reachability Witnesses

TLDR
This work considers the natural dual problem of under-approximating the set of program states that can reach a target state and extends techniques from both invariant generation and ranking-function synthesis to reachability analysis through the notion of (Universal) Inductive Reachability Witnesses (IRWs/UIRWs).

Scaling up logico-numerical strategy iteration (extended version)

TLDR
A modification of the strategy iteration algorithm where the strategies are stored succinctly, and the linear programs to be solved at each iteration step are simplified according to an equivalence relation.

Narrowing Operators on Template Abstract Domains

TLDR
It is shown that, for a large class of numerical abstract domains over integer variables (such as intervals, octagons and template polyhedra), it is possible to avoid infinite descending chains and omit narrowing.

Program Analysis with Local Policy Iteration

We present local policy iteration (LPI), a new algorithm for deriving numerical invariants that combines the precision of max-policy iteration with the flexibility and scalability of conventional

How Hard is It to Verify Flat Affine Counter Systems with the Finite Monoid Property?

TLDR
This work provides complexity bounds for several decision problems of counter systems with guards defined by convex polyhedra and updates defined by affine transformations, by proving that reachability and model checking for Past Linear Temporal Logic stands in the second level of the polynomial hierarchy.

Safety Problems Are NP-complete for Flat Integer Programs with Octagonal Loops

TLDR
This paper proves the NP-completeness of the reachability problem for the class of flat counter machines with difference bounds and octagonal relations, labeling the transitions on the loops, and has a potential impact on other problems in program verification.

The Complexity of Reachability Problems for Flat Counter Machines with Periodic Loops

TLDR
This paper proves the NP-completeness of the reachability problem for the class of flat counter machines with difference bounds and octagonal relations, labeling the transitions on the loops, and has a potential impact for other problems in program verification.

Decidability of inferring inductive invariants

TLDR
This paper approaches the general problem of inferring first-order inductive invariants by restricting the language L of candidate invariants and presents a framework for systematically constructing infinite languages while keeping the invariant inference problem decidable.

A Survey of Satisfiability Modulo Theory

TLDR
The combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative “natural domain” approaches are explained.

References

SHOWING 1-10 OF 74 REFERENCES

Improving Strategies via SMT Solving

TLDR
The algorithm has low polynomial space complexity and performs for contrived examples in the worst case exponentially many strategy improvement steps; this is unsurprising, since the associated abstract reachability problem is Pi-p-2-complete.

Guided Static Analysis

TLDR
Guided static analysis is introduced, a framework for controlling the exploration of the state-space of a program by applying standard static-analysis techniques to a sequence of modified versions of the analyzed program; it does not require any modifications to existing analysis techniques, and thus can be easily integrated into existing static-analysis tools.

Static Analysis by Policy Iteration on Relational Domains

We give a new practical algorithm to compute, in finite time, a fixpoint (and often the least fixpoint) of a system of equations in the abstract numerical domains of zones and templates used for

Accelerated Data-Flow Analysis

TLDR
The acceleration framework for symbolic verification is extended to data-flow analysis and a cubic-time acceleration-based algorithm for solving interval constraints with full multiplication is provided.

Symbolic Methods to Enhance the Precision of Numerical Abstract Domains

TLDR
These lightweight and generic symbolic methods to improve the precision of numerical static analyses based on Abstract Interpretation, and are incorporated within the Astree static analyzer that checks for the absence of run-time errors in embedded critical avionics software.

Using Bounded Model Checking to Focus Fixpoint Iterations

TLDR
This article describes how to avoid systematic exploration in static analysis by focusing on a single path at a time, designated by SMT-solving, thus doing away with widenings as well in some cases.

Automatic modular abstractions for template numerical constraints

  • D. Monniaux
  • Computer Science
    Log. Methods Comput. Sci.
  • 2010
TLDR
The motivation of the work is data-flow synchronous programming languages, used for building control-command embedded systems, but it also applies to imperative and functional programming.

Efficient chaotic iteration strategies with widenings

TLDR
This paper studies precise and efficient chaotic iteration strategies for computing fixed points of continuous functions over complete lattices of program properties when lattices are of infinite height and speedup techniques have to be used.

Succinct Representations for Abstract Interpretation

TLDR
This work improves previously proposed techniques for guided static analysis and the generation of disjunctive invariants by combining them with techniques for succinct representations of paths and symbolic representations for transitions based on static single assignment.

Handbook of Satisfiability: Volume 185 Frontiers in Artificial Intelligence and Applications

TLDR
This collection of papers on all theoretical and practical aspects of SAT solving will be extremely useful to both students and researchers and will lead to many further advances in the field.
...