scholarly journals Complete decision procedure for the theory of bounded pointer arithmetic based on quantifier instantiation and SMT

2021 ◽  
Vol 33 (4) ◽  
pp. 177-194
Author(s):  
Rafael Faritovich Sadykov ◽  
Mikhail Usamovich Mandrykin
Keyword(s):  
Program Verification ◽  
Source Code ◽  
Decision Procedures ◽  
C Programs ◽  
Smt Solver ◽  
Smt Solvers ◽  
Relevant Logics ◽  
Soundness And Completeness ◽  
C Program ◽  
Quantifier Instantiation

The process of developing C programs is quite often prone to errors related to the uses of pointer arithmetic and operations on memory addresses. This promotes a need in developing various tools for automated program verification. One of the techniques frequently employed by those tools is invocation of appropriate decision procedures implemented within existing SMT-solvers. But at the same time both the SMT standard and most existing SMT-solvers lack the relevant logics (combinations of logical theories) for directly and precisely modelling the semantics of pointer operations in C. One of the possible ways to support these logics is to implement them in an SMT solver, but this approach can be time-consuming (as requires modifying the solver’s source code), inflexible (introducing any changes to the theory’s signature or semantics can be unreasonably hard) and limited (every solver has to be supported separately). Another way is to design and implement custom quantifier instantiation strategies. These strategies can be then used to translate formulas in the desired theory combinations to formulas in well-supported decidable logics such as QF_UFLIA. In this paper, we present an instantiation procedure for translating formulas in the theory of bounded pointer arithmetic into the QF_UFLIA logic. We formally proved soundness and completeness of our instantiation procedure in Isabelle/HOL. The paper presents an informal description of this proof of the proposed procedure. The theory of bounded pointer arithmetic itself was formulated based on known errors regarding the correct use of pointer arithmetic operations in industrial code as well as the semantics of these operations specified in the C standard. Similar procedure can also be defined for a practically relevant fragment of the theory of bit vectors (monotone propositional combinations of equalities between bitwise expressions). Our approach is sufficient to obtain efficient decision procedures implemented as Isabelle/HOL proof methods for several decidable logical theories used in C program verification by relying on the existing capabilities of well-known SMT solvers, such as Z3 and proof reconstruction capabilities of the Isabelle/HOL proof assistant.

scholarly journals A Unified Framework for DPLL(T) + Certificates

2013 ◽  
Vol 2013 ◽  
pp. 1-13
Author(s):  
Min Zhou ◽  
Fei He ◽  
Bow-Yaw Wang ◽  
Ming Gu ◽  
Jiaguang Sun
Keyword(s):  
Satisfiability Modulo Theories ◽  
Experimental Results ◽  
Unified Framework ◽  
Time Saving ◽  
Smt Solver ◽  
Smt Solvers ◽  
Soundness And Completeness ◽  
Checking Procedure ◽  
Generation Procedure

Satisfiability Modulo Theories (SMT) techniques are widely used nowadays. SMT solvers are typically used as verification backends. When an SMT solver is invoked, it is quite important to ensure the correctness of its results. To address this problem, we propose a unified certificate framework based on DPLL(T), including a uniform certificate format, a unified certificate generation procedure, and a unified certificate checking procedure. The certificate format is shown to be simple, clean, and extensible to different background theories. The certificate generation procedure is well adapted to most DPLL(T)-based SMT solvers. The soundness and completeness for DPLL(T) + certificates were established. The certificate checking procedure is straightforward and efficient. Experimental results show that the overhead for certificates generation is only 10%, which outperforms other methods, and the certificate checking procedure is quite time saving.

scholarly journals Reasoning with Triggers

10.29007/3c1n ◽  
2018 ◽  
Author(s):  
Claire Dross ◽  
Sylvain Conchon ◽  
Johannes Kanig ◽  
Andrei Paskevich
Keyword(s):  
Decision Procedure ◽  
Decision Procedures ◽  
Description Language ◽  
Smt Solver ◽  
First Order ◽  
Smt Solvers ◽  
Precise Sense ◽  
Universal Quantifiers ◽  
Internal Knowledge

SMT solvers can decide the satisfiability of ground formulas modulo a combination ofbuilt-in theories. Adding a built-in theory to a given SMT solver is a complex and time consuming task that requires internal knowledge of the solver. However, many theories can be easily expressed using first-order formulas. Unfortunately, since universal quantifiers are not handled in a complete way by SMT solvers, these axiomatics cannot be used as decision procedures.In this paper, we show how to extend a generic SMT solver to accept a custom theory description and behave as a decision procedure for that theory, provided that the described theory is complete and terminating in a precise sense. The description language consists of first-order axioms with triggers, an instantiation mechanism that is found in many SMT solvers. This mechanism, which usually lacks a clear semantics in existing languages and tools, is rigorously defined here; this definition can be used to prove completeness and termination of the theory. We demonstrate using the theory of arrays, how such proofs can be achieved in our formalism.

scholarly journals Experiments on the feasibility of using a floating-point simplex in an SMT solver

10.29007/j7x4 ◽  
2018 ◽  
Author(s):  
Diego Caminha Barbosa de Oliveira ◽  
David Monniaux
Keyword(s):  
Simplex Algorithm ◽  
Decision Procedures ◽  
Linear Constraints ◽  
Decision Problems ◽  
Floating Point ◽  
Protocol Verification ◽  
Smt Solver ◽  
Smt Solvers ◽  
State Of Art ◽  
Floating Point Implementation

SMT solvers use simplex-based decision procedures to solve decision problems whose formulas are quantifier-free and atoms are linear constraints over the rationals. State-of-art SMT solvers use rational (exact) simplex implementations, which have shown good performance for typical software, hardware or protocol verification problems over the years.Yet, most other scientific and technical fields use (inexact) floating-point computations, which are deemed far more efficient than exact ones.It is therefore tempting to use a floating-point simplex implementation inside an SMT solver, though special precautions must be taken to avoid unsoundness.In this work, we describe experimental results, over common benchmarks (SMT-LIB) of the integration of a mature floating-point implementation of the simplex algorithm (GLPK) into an existing SMT solver (OpenSMT).We investigate whether commonly cited reasons for and against the use of floating-point truly apply to real cases from verification problems.

scholarly journals VS3: SMT Solvers for Program Verification

2009 ◽  
pp. 702-708 ◽  
Author(s):  
Saurabh Srivastava ◽  
Sumit Gulwani ◽  
Jeffrey S. Foster
Keyword(s):  
Program Verification ◽  
Smt Solvers

The complexity of decision procedures in relevance logic II

1999 ◽  
Vol 64 (4) ◽  
pp. 1774-1802 ◽  
Author(s):  
Alasdair Urquhart
Keyword(s):  
Lower Bound ◽  
Decision Problem ◽  
Decision Procedure ◽  
Linear Logic ◽  
Decision Procedures ◽  
Search Tree ◽  
Saul Kripke ◽  
Decision Method ◽  
Relevant Logics ◽  
Primitive Recursive

In this paper, we show that there is no primitive recursive decision procedure for the implication-conjunction fragments of the relevant logics R, E and T, as well as for a family of related logics. The lower bound on the complexity is proved by combining the techniques of an earlier paper on the same subject [20] with a method used by Lincoln, Mitchell, Scedrov and Shankar in proving that propositional linear logic is undecidable.The decision problem for the pure implicational fragments of E and R were solved by Saul Kripke in a tour de force of combinatorial reasoning, published only as an abstract [9]. Belnap and Wallace extended Kripke's decision procedure to the implication-negation fragment of E in [3]; an account of their decision method is to be found in [1, pp. 124–139]. The decision method extends immediately to the implication/negation fragment of R. In fact, in the case of R we can go farther: Meyer in his thesis [13] showed how to translate the logic LR, which results from R by omitting the distribution axiom, into R→⋀, so that the decision procedure can be extended to all of LR. This decision procedure has been implemented as a program Kripke by Thistlewaite, McRobbie and Meyer [17]. The program is not simply a straightforward implementation of the decision procedure; finite matrices are used extensively to prune invalid nodes from the search tree.

scholarly journals Development in Vulkan: a domain-specific approach

2021 ◽  
Vol 33 (5) ◽  
pp. 181-204
Author(s):  
Vladimir Frolov ◽  
Vadim Sanzharov ◽  
Vladimir Galaktionov ◽  
Alexander Shcherbakov
Keyword(s):  
Image Processing ◽  
Ray Tracing ◽  
Code Generation ◽  
Source Code ◽  
General Purpose ◽  
Software Systems ◽  
Specific Class ◽  
Domain Specific ◽  
Architectural Patterns ◽  
C Program

In this paper we propose a high-level approach to developing GPU applications based on the Vulkan API. The purpose of the work is to reduce the complexity of developing and debugging applications that implement complex algorithms on the GPU using Vulkan. The proposed approach uses the technology of code generation by translating a C++ program into an optimized implementation in Vulkan, which includes automatic shader generation, resource binding, and the use of synchronization mechanisms (Vulkan barriers). The proposed solution is not a general-purpose programming technology, but specializes in specific tasks. At the same time, it has extensibility, which allows to adapt the solution to new problems. For single input C++ program, we can generate several implementations for different cases (via translator options) or different hardware. For example, a call to virtual functions can be implemented either through a switch construct in a kernel, or through sorting threads and an indirect dispatching via different kernels, or through the so-called callable shaders in Vulkan. Instead of creating a universal programming technology for building various software systems, we offer an extensible technology that can be customized for a specific class of applications. Unlike, for example, Halide, we do not use a domain-specific language, and the necessary knowledge is extracted from ordinary C++ code. Therefore, we do not extend with any new language constructs or directives and the input source code is assumed to be normal C++ source code (albeit with some restrictions) that can be compiled by any C++ compiler. We use pattern matching to find specific patterns (or patterns) in C++ code and convert them to GPU efficient code using Vulkan. Pattern are expressed through classes, member functions, and the relationship between them. Thus, the proposed technology makes it possible to ensure a cross-platform solution by generating different implementations of the same algorithm for different GPUs. At the same time, due to this, it allows you to provide access to specific hardware functionality required in computer graphics applications. Patterns are divided into architectural and algorithmic. The architectural pattern defines the domain and behavior of the translator as a whole (for example, image processing, ray tracing, neural networks, computational fluid dynamics and etc.). Algorithmic pattern express knowledge of data flow and control and define a narrower class of algorithms that can be efficiently implemented in hardware. Algorithmic patterns can occur within architectural patterns. For example, parallel reduction, compaction (parallel append), sorting, prefix sum, histogram calculation, map-reduce, etc. The proposed generator works on the principle of code morphing. The essence of this approach is that, having a certain class in the program and transformation rules, one can automatically generate another class with the desired properties (for example, the implementation of the algorithm on the GPU). The generated class inherits from the input class and thus has access to all data and functions of the input class. Overriding virtual functions in generated class helps user to carefully connect generated code to the other Vulkan code written by hand. Shaders can be generated in two variants: OpenCL shaders for google “clspv” compiler and GLSL shaders for an arbitrary GLSL compiler. Clspv variant is better for code which intensively uses pointers and the GLSL generator is better if specific HW features are used (like hardware ray tracing acceleration). We have demonstrated our technology on several examples related to image processing and ray tracing on which we get 30-100 times acceleration over multithreaded CPU implementation.

scholarly journals Improved Loop Execution Modeling in the Clang Static Analyzer

2020 ◽  
Author(s):  
Péter György Szécsi ◽  
Gábor Horváth ◽  
Zoltán Porkoláb
Keyword(s):  
Arbitrary Number ◽  
Symbolic Execution ◽  
Source Code ◽  
Current Method ◽  
Analysis Tool ◽  
Constant Number ◽  
Loop Modeling ◽  
Code Analysis ◽  
C Programs ◽  
Alternative Approaches

The LLVM Clang Static Analyzer is a source code analysis tool which aims to find bugs in C, C++, and Objective-C programs using symbolic execution, i.e. it simulates the possible execution paths of the code. Currently the simulation of the loops is somewhat naive (but efficient), unrolling the loops a predefined constant number of times. However, this approach can result in a loss of coverage in various cases. This study aims to introduce two alternative approaches which can extend the current method and can be applied simultaneously: (1) determining loops worth to fully unroll with applied heuristics, and (2) using a widening mechanism to simulate an arbitrary number of iteration steps. These methods were evaluated on numerous open source projects, and proved to increase coverage in most of the cases. This work also laid the infrastructure for future loop modeling improvements.

scholarly journals Learning Probabilistic Termination Proofs

2021 ◽  
pp. 3-26
Author(s):  
Alessandro Abate ◽  
Mirco Giacobbe ◽  
Diptarko Roy
Keyword(s):  
Learning Strategy ◽  
Source Code ◽  
Satisfiability Modulo Theories ◽  
Smt Solver ◽  
Execution Traces ◽  
State Dependent ◽  
Polynomial Programs ◽  
Continuous State ◽  
Guided Inductive ◽  
Probabilistic Programs

AbstractWe present the first machine learning approach to the termination analysis of probabilistic programs. Ranking supermartingales (RSMs) prove that probabilistic programs halt, in expectation, within a finite number of steps. While previously RSMs were directly synthesised from source code, our method learns them from sampled execution traces. We introduce the neural ranking supermartingale: we let a neural network fit an RSM over execution traces and then we verify it over the source code using satisfiability modulo theories (SMT); if the latter step produces a counterexample, we generate from it new sample traces and repeat learning in a counterexample-guided inductive synthesis loop, until the SMT solver confirms the validity of the RSM. The result is thus a sound witness of probabilistic termination. Our learning strategy is agnostic to the source code and its verification counterpart supports the widest range of probabilistic single-loop programs that any existing tool can handle to date. We demonstrate the efficacy of our method over a range of benchmarks that include linear and polynomial programs with discrete, continuous, state-dependent, multi-variate, hierarchical distributions, and distributions with undefined moments.

Sign in / Sign up

Export Citation Format

Share Document