Zvonimir Rakamaric - Profile on Academia.edu (original) (raw)
Papers by Zvonimir Rakamaric
Abstract Heap-manipulating programs (HMPs), which manipulate unbounded linked data structures via... more Abstract Heap-manipulating programs (HMPs), which manipulate unbounded linked data structures via pointers, are a major frontier for formal verification of software. Formal verification is the process of proving (or disproving) the correctness of a system with respect to some kind of formal specification or property. The primary contributions of this thesis are the definition of a simple transitive closure logic tailored for formal verification of HMPs, and an efficient decision procedure for this logic.
Given a white-box component with specified unsafe states, we address the problem of automatically... more Given a white-box component with specified unsafe states, we address the problem of automatically generating an interface that captures safe orderings of invocations of's public methods. Method calls in the generated interface are guarded by constraints on their parameters. Unlike previous work, these constraints are generated automatically through an iterative refinement process.
Abstract Concurrency is inherent in today's software. Unexpected interactions between concurrentl... more Abstract Concurrency is inherent in today's software. Unexpected interactions between concurrently executing threads often cause subtle bugs in concurrent programs. Such bugs are hard to discover using traditional testing techniques since they require executing a program on a particular unit test (ie input) through a particular thread interleaving.
Abstract Many approaches to software verification are currently semi-automatic: a human must prov... more Abstract Many approaches to software verification are currently semi-automatic: a human must provide key logical insights-eg, loop invariants, class invariants, and frame axioms that limit the scope of changes that must be analyzed. This paper describes a technique for automatically inferring frame axioms of procedures and loops using static analysis. The technique builds on a pointer analysis that generates limited information about all data structures in the heap.
Abstract We introduce an automata-based formal model suitable for specifying, modeling, analyzing... more Abstract We introduce an automata-based formal model suitable for specifying, modeling, analyzing, and verifying asynchronous taskbased and message-passing programs. Our model consists of visibly pushdown automata communicating over unbounded reliable point-to-point first-in-first-out queues. Such a combination unifies two branches of research, one focused on task-based models, and the other on models of message-passing programs.
Abstract Software is large, complex, and error-prone. According to the US National Institute of S... more Abstract Software is large, complex, and error-prone. According to the US National Institute of Standards and Technology, software bugs cost the US economy an estimated $60 billion each year. The trend in hardware design of switching to multi-core architectures makes software development even more complex. Cutting software development costs and ensuring higher reliability of software is of global interest and a grand challenge.
Abstract We describe a simple and efficient algorithm for proving the termination of a class of l... more Abstract We describe a simple and efficient algorithm for proving the termination of a class of loops with nonlinear assignments to variables. The method is based on divergence testing for each variable in the cone-of-influence of the loop's condition. The analysis allows us to automatically prove the termination of loops that cannot be handled using previous techniques. We also describe a method for integrating our nonlinear termination proving technique into a larger termination proving framework that depends on linear reasoning.
International Journal on …, Jan 1, 2009
Reasoning about program heap, especially if it involves handling unbounded, dynamically heap-allo... more Reasoning about program heap, especially if it involves handling unbounded, dynamically heap-allocated data structures such as linked lists and arrays, is challenging. Furthermore, sound analysis that precisely models heap becomes significantly more challenging in the presence of low-level pointer manipulation that is prevalent in systems software. The reachability predicate has already proved to be useful for reasoning about the heap in type-safe languages where memory is manipulated by dereferencing object fields. In this paper, we present a memory model suitable for reasoning about low-level pointer operations that is accompanied by a formalization of the reachability predicate in the presence of internal pointers and pointer arithmetic. We have designed an annotation language for C programs that makes use of the new predicate. This language enables us to specify properties of many interesting data structures present in the Windows kernel. We present our experience with a prototype verifier on a set of illustrative C benchmarks.
ACM SIGPLAN Notices, Jan 1, 2011
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedule... more We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their next-scheduled task. In limiting the delays an otherwise-deterministic scheduler is allowed, we discover concurrency bugs efficiently-by exploring few schedules-and robustly-i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic task-creation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis.
Model Checking Software, Jan 1, 2010
Context-Bounded Analysis has emerged as a practical and successful automatic formal analysis tech... more Context-Bounded Analysis has emerged as a practical and successful automatic formal analysis technique for fine-grained, shared-memory concurrent software. Two recent papers (in CAV 2008 and) have proposed ingenious translation approaches that promise much better scalability, backed by compelling, but differing, theoretical and conceptual advantages. Empirical evidence comparing the different translations, however, has been lacking. Furthermore, these papers focused exclusively on Boolean model checking, ignoring the also widely used paradigm of verification-condition checking. In this paper, we undertake a methodical, empirical evaluation of the three main source-to-source translations for context-bounded analysis of concurrent software, in a verificationcondition-checking paradigm. We evaluate their scalability under a wide range of experimental conditions. Our results show: (1) The newest, CAV 2009 translation is the clear loser, with the CAV 2008 translation the best in most instances, but the oldest, brute-force translation doing surprisingly well. Clearly, previous results for Boolean model checking do not apply to verification-condition checking.
Software Engineering and …, Jan 1, 2007
We describe a simple and efficient algorithm for proving the termination of a class of loops with... more We describe a simple and efficient algorithm for proving the termination of a class of loops with nonlinear assignments to variables. The method is based on divergence testing for each variable in the cone-of-influence of the loop's termination condition. The analysis allows us to automatically prove the termination of loops that cannot be handled using previous techniques. The paper closes with experimental results using short examples drawn from industrial code.
Verification, Model Checking, and Abstract …, Jan 1, 2009
centers on state-of-the-art research relevant to analysis of programs and systems and drawn from ... more centers on state-of-the-art research relevant to analysis of programs and systems and drawn from three research communities: verification, model checking, and abstract interpretation. A goal is to facilitate interaction, crossfertilization, and the advance of hybrid methods that combine two or all three areas. Topics covered by VMCAI include program verification, program certification, model checking, debugging techniques, abstract interpretation, abstract domains, static analysis, type systems, deductive methods, and optimization.
Verification, Model Checking, and …, Jan 1, 2007
This volume contains the papers presented at VMCAI 2007: Verification, Model Checking and Abstrac... more This volume contains the papers presented at VMCAI 2007: Verification, Model Checking and Abstract Interpretation held January 14-16, 2007 in Nice. VMCAI provides a forum for researchers from the communities of verification, model checking, and abstract interpretation, facilitating interaction, cross-fertilization, and advancement of hybrid methods that combine the three areas. This years VMCAI was held in conjunction with POPL, allowing further cross-fertilization between programming language research and the areas covered by VMCAI.
Computer Aided Verification, Jan 1, 2009
Context-bounded analysis is an attractive approach to verification of concurrent programs. Boundi... more Context-bounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14] provided a method for reducing the context-bounded verification of a concurrent boolean program to the verification of a sequential boolean program, thereby allowing sequential reasoning to be employed for verifying concurrent programs. In this work, we adapt the encoding to work for systems programs written in C with the heap and accompanying low-level operations such as pointer arithmetic and casts. Our approach is completely automatic: we use a verification condition generator and SMT solvers, instead of a boolean model checker, in order to avoid manual extraction of boolean programs and false alarms introduced by the abstraction. We demonstrate the use of field slicing for improving the scalability and (in some cases) coverage of our checking. We evaluate our tool STORM on a set of real-world Windows device drivers, and has discovered a bug that could not be detected by extensive application of previous tools.
Verification, Model Checking, and Abstract …, Jan 1, 2006
Tools and Algorithms for …, Jan 1, 2007
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedule... more We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their next-scheduled task. In limiting the delays an otherwise-deterministic scheduler is allowed, we discover concurrency bugs efficiently-by exploring few schedules-and robustly-i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic task-creation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis.
Abstract Heap-manipulating programs (HMPs), which manipulate unbounded linked data structures via... more Abstract Heap-manipulating programs (HMPs), which manipulate unbounded linked data structures via pointers, are a major frontier for formal verification of software. Formal verification is the process of proving (or disproving) the correctness of a system with respect to some kind of formal specification or property. The primary contributions of this thesis are the definition of a simple transitive closure logic tailored for formal verification of HMPs, and an efficient decision procedure for this logic.
Given a white-box component with specified unsafe states, we address the problem of automatically... more Given a white-box component with specified unsafe states, we address the problem of automatically generating an interface that captures safe orderings of invocations of's public methods. Method calls in the generated interface are guarded by constraints on their parameters. Unlike previous work, these constraints are generated automatically through an iterative refinement process.
Abstract Concurrency is inherent in today's software. Unexpected interactions between concurrentl... more Abstract Concurrency is inherent in today's software. Unexpected interactions between concurrently executing threads often cause subtle bugs in concurrent programs. Such bugs are hard to discover using traditional testing techniques since they require executing a program on a particular unit test (ie input) through a particular thread interleaving.
Abstract Many approaches to software verification are currently semi-automatic: a human must prov... more Abstract Many approaches to software verification are currently semi-automatic: a human must provide key logical insights-eg, loop invariants, class invariants, and frame axioms that limit the scope of changes that must be analyzed. This paper describes a technique for automatically inferring frame axioms of procedures and loops using static analysis. The technique builds on a pointer analysis that generates limited information about all data structures in the heap.
Abstract We introduce an automata-based formal model suitable for specifying, modeling, analyzing... more Abstract We introduce an automata-based formal model suitable for specifying, modeling, analyzing, and verifying asynchronous taskbased and message-passing programs. Our model consists of visibly pushdown automata communicating over unbounded reliable point-to-point first-in-first-out queues. Such a combination unifies two branches of research, one focused on task-based models, and the other on models of message-passing programs.
Abstract Software is large, complex, and error-prone. According to the US National Institute of S... more Abstract Software is large, complex, and error-prone. According to the US National Institute of Standards and Technology, software bugs cost the US economy an estimated $60 billion each year. The trend in hardware design of switching to multi-core architectures makes software development even more complex. Cutting software development costs and ensuring higher reliability of software is of global interest and a grand challenge.
Abstract We describe a simple and efficient algorithm for proving the termination of a class of l... more Abstract We describe a simple and efficient algorithm for proving the termination of a class of loops with nonlinear assignments to variables. The method is based on divergence testing for each variable in the cone-of-influence of the loop's condition. The analysis allows us to automatically prove the termination of loops that cannot be handled using previous techniques. We also describe a method for integrating our nonlinear termination proving technique into a larger termination proving framework that depends on linear reasoning.
International Journal on …, Jan 1, 2009
Reasoning about program heap, especially if it involves handling unbounded, dynamically heap-allo... more Reasoning about program heap, especially if it involves handling unbounded, dynamically heap-allocated data structures such as linked lists and arrays, is challenging. Furthermore, sound analysis that precisely models heap becomes significantly more challenging in the presence of low-level pointer manipulation that is prevalent in systems software. The reachability predicate has already proved to be useful for reasoning about the heap in type-safe languages where memory is manipulated by dereferencing object fields. In this paper, we present a memory model suitable for reasoning about low-level pointer operations that is accompanied by a formalization of the reachability predicate in the presence of internal pointers and pointer arithmetic. We have designed an annotation language for C programs that makes use of the new predicate. This language enables us to specify properties of many interesting data structures present in the Windows kernel. We present our experience with a prototype verifier on a set of illustrative C benchmarks.
ACM SIGPLAN Notices, Jan 1, 2011
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedule... more We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their next-scheduled task. In limiting the delays an otherwise-deterministic scheduler is allowed, we discover concurrency bugs efficiently-by exploring few schedules-and robustly-i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic task-creation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis.
Model Checking Software, Jan 1, 2010
Context-Bounded Analysis has emerged as a practical and successful automatic formal analysis tech... more Context-Bounded Analysis has emerged as a practical and successful automatic formal analysis technique for fine-grained, shared-memory concurrent software. Two recent papers (in CAV 2008 and) have proposed ingenious translation approaches that promise much better scalability, backed by compelling, but differing, theoretical and conceptual advantages. Empirical evidence comparing the different translations, however, has been lacking. Furthermore, these papers focused exclusively on Boolean model checking, ignoring the also widely used paradigm of verification-condition checking. In this paper, we undertake a methodical, empirical evaluation of the three main source-to-source translations for context-bounded analysis of concurrent software, in a verificationcondition-checking paradigm. We evaluate their scalability under a wide range of experimental conditions. Our results show: (1) The newest, CAV 2009 translation is the clear loser, with the CAV 2008 translation the best in most instances, but the oldest, brute-force translation doing surprisingly well. Clearly, previous results for Boolean model checking do not apply to verification-condition checking.
Software Engineering and …, Jan 1, 2007
We describe a simple and efficient algorithm for proving the termination of a class of loops with... more We describe a simple and efficient algorithm for proving the termination of a class of loops with nonlinear assignments to variables. The method is based on divergence testing for each variable in the cone-of-influence of the loop's termination condition. The analysis allows us to automatically prove the termination of loops that cannot be handled using previous techniques. The paper closes with experimental results using short examples drawn from industrial code.
Verification, Model Checking, and Abstract …, Jan 1, 2009
centers on state-of-the-art research relevant to analysis of programs and systems and drawn from ... more centers on state-of-the-art research relevant to analysis of programs and systems and drawn from three research communities: verification, model checking, and abstract interpretation. A goal is to facilitate interaction, crossfertilization, and the advance of hybrid methods that combine two or all three areas. Topics covered by VMCAI include program verification, program certification, model checking, debugging techniques, abstract interpretation, abstract domains, static analysis, type systems, deductive methods, and optimization.
Verification, Model Checking, and …, Jan 1, 2007
This volume contains the papers presented at VMCAI 2007: Verification, Model Checking and Abstrac... more This volume contains the papers presented at VMCAI 2007: Verification, Model Checking and Abstract Interpretation held January 14-16, 2007 in Nice. VMCAI provides a forum for researchers from the communities of verification, model checking, and abstract interpretation, facilitating interaction, cross-fertilization, and advancement of hybrid methods that combine the three areas. This years VMCAI was held in conjunction with POPL, allowing further cross-fertilization between programming language research and the areas covered by VMCAI.
Computer Aided Verification, Jan 1, 2009
Context-bounded analysis is an attractive approach to verification of concurrent programs. Boundi... more Context-bounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14] provided a method for reducing the context-bounded verification of a concurrent boolean program to the verification of a sequential boolean program, thereby allowing sequential reasoning to be employed for verifying concurrent programs. In this work, we adapt the encoding to work for systems programs written in C with the heap and accompanying low-level operations such as pointer arithmetic and casts. Our approach is completely automatic: we use a verification condition generator and SMT solvers, instead of a boolean model checker, in order to avoid manual extraction of boolean programs and false alarms introduced by the abstraction. We demonstrate the use of field slicing for improving the scalability and (in some cases) coverage of our checking. We evaluate our tool STORM on a set of real-world Windows device drivers, and has discovered a bug that could not be detected by extensive application of previous tools.
Verification, Model Checking, and Abstract …, Jan 1, 2006
Tools and Algorithms for …, Jan 1, 2007
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedule... more We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their next-scheduled task. In limiting the delays an otherwise-deterministic scheduler is allowed, we discover concurrency bugs efficiently-by exploring few schedules-and robustly-i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic task-creation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis.