Silvio Ranise | Bruno Kessler Foundation
Papers by Silvio Ranise
We are interested in automatically proving safety properties of infinite state systems. We present a technique for invariant synthesis which can be incorporated in backward reachability analysis. The main theoretical result ensures that (under suitable hypotheses) our method is guaranteed to find an invariant if one exists. We also discuss heuristics that allow us to derive an implementation of the technique showing remarkable speed-ups on a significant set of safety problems in parametrised systems.
We present SAFARI, a model checker designed to prove (possibly universally quantified) safety properties of imperative programs with arrays of unknown length. SAFARI is based on an extension of lazy abstraction capable of handling existentially quantified formulæ for ...
Lazy abstraction with interpolation-based refinement has been shown to be a powerful technique for verifying imperative programs. In the presence of arrays, however, the method suffers from an intrinsic limitation, due to the fact that the invariants needed for verification usually contain universally quantified variables, which are not present in program specifications. In this work we present an extension of the interpolation-based lazy abstraction framework in which arrays of unknown length can be handled in a natural manner. In particular, we exploit the Model Checking Modulo Theories framework to derive a backward reachability version of lazy abstraction that supports reasoning about arrays. The new approach has been implemented in a tool, called safari, which has been validated on a wide range of benchmarks. We show by means of experiments that our approach can synthesize and prove universally quantified properties over arrays in a completely automatic fashion. Keywords: SMT • Model checking • Lazy abstraction • Array programs. This paper combines and extends materials previously published in [4,5].
Proceedings - 5th IEEE International Conference on Semantic Computing, ICSC 2011, 2011
As the number and sophistication of on-line applications increase, there is a growing concern about how access to sensitive resources (e.g., personal health records) is regulated. Since ontologies can support the definition of fine-grained policies as well as the combination of heterogeneous policies, semantic technologies are expected to play an important role in this context. But understanding the implications of access control policies of the required complexity goes beyond the ability of a security administrator. Automatic support for the analysis of access control policies is therefore needed. In this paper we present an automatic analysis technique for access control policies that reduces the reachability problem for access control policies to satisfiability problems in a decidable fragment of first-order logic for which efficient solvers exist. We illustrate the application of our technique on an access control model inspired by a Personal Health Application of real-world complexity.
Electronic Notes in Theoretical Computer Science, 2004
We present a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by their characteristic function which, in turn, is encoded by an array of Booleans indexed on the elements of the set. A theorem proving procedure automating the verification of the proof obligations obtained by the translation is described. Furthermore, we discuss how a subformula can be extracted from a failed proof attempt and used by a model finder to build a counter-example. To be concrete, we use a B specification of a simple process scheduler on which we illustrate our technique. * Partially funded by INRIA/CASSIS project, CAPES grant BEX0006/02-5, and CNPq grant 500473/2003-0.
Journal of The Brazilian Computer Society, 2004
We present a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by their characteristic function which, in turn, is encoded by an array of Booleans indexed on the elements of the set. A theorem proving procedure automating the verification of the proof obligations obtained by the translation is described. Furthermore, we discuss how a sub-formula can be extracted from a failed proof attempt and used by a model finder to build a counter-example. To be concrete, we use a B specification of a simple process scheduler on which we illustrate our technique.
We propose a methodology to use the infinite state model checker MCMT, based on Satisfiability Modulo Theory techniques, for assisting in the design of fault tolerant algorithms. To prove the practical viability of our methodology, we apply it to formally check the agreement property of the reliable broadcast protocols of Chandra and Toueg.
Model Checking Modulo Theories is a recent approach for the automated verification of safety properties of a class of infinite state systems manipulating arrays, called array-based systems. The idea is to repeatedly compute pre-images of a set of (unsafe) states by using certain classes of first-order formulae representing sets of states and transitions, and then reduce fix-point checks to Satisfiability Modulo Theories problems. Unfortunately, if the guards contain universally quantified index variables, the backward procedure cannot be fully automated. In this paper, we overcome the problem by describing a syntactic transformation on array-based systems, which can be seen as an instance of the well-known operation of relativization of quantifiers in first-order logic. Interestingly, when specifying and verifying distributed systems, the proposed syntactic transformation can be interpreted as the adoption of the crash-failure model, which is well-known in the literature of fault-t...
The number of available online services, their effectiveness and usage level and their level of interaction are important indicators of the "smartness" level of e-government. Increasing these indicators has positive effects not only in terms of time and effort spent by citizens and enterprises to access and use the services provided by the administration but also by triggering the optimization process of the back offices of the administration. The Municipality of Trento is launching an innovation project aimed at increasing the number, usage and interaction level of online services with the objective of moving all relevant services and processes managed by the Trento administration online. This approach is based on the innovative concept of a "one-stop shop" for interactive online services, which the Municipality wants to define and implement with the help of the Trento innovation ecosystem; going beyond the classical concept of a unique access point, Trento wants to deliver a single access point to online services that is simple, trusted, complete, connected and open to better serve the innovation needs of this core enabler of the smart city.
Electronic Notes in Theoretical Computer Science, 2003
Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capable of automatically discharging the resulting proof obligations. Building such a tool is a difficult, long, and error-prone activity. In this paper, we describe techniques to build provers which are highly automatic and flexible by combining state-of-the-art superposition theorem provers and BDDs. We report experimental results on formulae extracted from the debugging of C functions manipulating pointers showing that an implementation of our techniques can discharge proof obligations which cannot be handled by Simplify (the theorem prover used in the ESC/Java tool) and performs much better on others.
International Journal on Software Tools for Technology Transfer, 2009
Declarative techniques for software verification require the availability of scalable, predictable, and flexible satisfiability solvers. We describe our approach to build such solvers by combining equational theorem proving, Boolean solving, arithmetic reasoning, and some transformations of the proof obligations. The proposed techniques have been implemented in a system called haRVey and the viability of the approach is shown on proof obligations generated in the certification of aerospace code.
Most computer programs store elements of a given nature into container-based data structures such as lists, arrays, sets, and multisets. To verify the correctness of these programs, one needs to combine a theory S modeling the data structure with a theory T modeling the elements. This combination can be achieved using the classic Nelson-Oppen method only if both S and T are stably infinite. The goal of this paper is to relax the stable infiniteness requirement. To achieve this goal, we introduce the notion of polite theories, and we show that natural examples of polite theories include those modeling data structures such as lists, arrays, sets, and multisets. Furthermore, we provide a method that is able to combine a polite theory S with any theory T of the elements, regardless of whether T is stably infinite or not. The results of this paper generalize to many-sorted logic those recently obtained by Tinelli and Zarba concerning the combination of shiny theories with non-stably infinite theories in one-sorted logic.
In the context of combinations of theories with disjoint signatures, we classify the component theories according to the decidability of constraint satisfiability problems in finite and infinite models, respectively. We exhibit a theory T1 such that satisfiability is decidable, but satisfiability in infinite models is undecidable. It follows that satisfiability in T1 ∪ T2 is undecidable whenever T2 has only infinite models, even if the signatures are disjoint and satisfiability in T2 is decidable.
Journal of Symbolic Computation, 2003
The effective integration of decision procedures in formula simplification is a fundamental problem in mechanical verification. The main source of difficulty occurs when the decision procedure is asked to solve goals containing symbols which are interpreted for the prover but uninterpreted for the decision procedure. To cope with the problem, Boyer & Moore proposed a technique, called augmentation, which extends the information available to the decision procedure with suitably selected facts. Constraint Contextual Rewriting (CCR, for short) is an extended form of contextual rewriting which generalizes the Boyer & Moore integration schema. In this paper we give a detailed account of the control issues related to the termination of CCR. These are particularly subtle and complicated since augmentation and rewriting are mutually dependent, and augmentation must be prevented from indefinitely extending the set of facts available to the decision procedure. A proof of termination of CCR is given.
Information and Computation / Information and Control, 2003
We show how a well-known superposition-based inference system for first-order equational logic can be used almost directly for deciding satisfiability in various theories including lists, encryption, extensional arrays, extensional finite sets, and combinations of them. We also give a superposition-based decision procedure for homomorphism.