Ranking function synthesis for bit-vector relations

Abstract

Ranking function synthesis is a key component of modern termination provers for imperative programs. While it is well known how to generate linear ranking functions for relations over (mathematical) integers or rationals, efficient synthesis of ranking functions for machine-level integers (bit-vectors) is an open problem. This is particularly relevant for the verification of low-level code. We propose several novel algorithms to generate ranking functions for relations over machine integers: a complete method based on a reduction to Presburger arithmetic, and a template-matching approach for predefined classes of ranking functions based on reduction to SAT- and QBF-solving. The utility of our algorithms is demonstrated on examples drawn from Windows device drivers.


Notes

  1. Alternatively, pairs \(( \mathit {state} _{i}, \mathit {state} '_{i})\) of variables with width \(\alpha ( \mathit {state} _{i})= \alpha ( \mathit {state} '_{i})=1\) can be used.

  2. This deviates from the terminology in [29], where integrality is attributed to polyhedra, and not to systems of inequalities. We choose to speak of integral systems of inequalities for sake of brevity.

  3. http://www.philipp.ruemmer.org/seneschal.shtml.

  4. In [11], it was incorrectly stated that the constant term in (17) is “1” instead of “2”.

  5. Version 6, now superseded by the Windows Driver Kit; see http://msdn.microsoft.com/en-us/windows/hardware/gg581061.

  6. http://www.cprover.org/goto-cc/.

  7. Following the hypothesis that loop termination seldom depends on complex variables that are possibly calculated by other loops, our slicing algorithm replaces all assignments that depend on five or more variables with non-deterministic values, and all loops other than the analysed one with program fragments that havoc the program state (non-deterministic assignments to all variables that might change during the execution of the loop).

  8. http://www.philipp.ruemmer.org/seneschal.shtml.

  9. http://www7.in.tum.de/~rybal/rankfinder/.

References

  1. Alglave J, Kroening D, Nimal V, Tautschnig M (2013) Software verification for weak memory via program transformation. In: European symposium on programming (ESOP). Lecture notes in computer science, vol 7792. Springer, Berlin, pp 512–532

  2. Babic D, Hu AJ, Rakamaric Z, Cook B (2007) Proving termination by divergence. In: SEFM. IEEE Press, New York, pp 93–102

  3. Ball T, Kupferman O, Sagiv M (2007) Leaping loops in the presence of abstraction. In: CAV. Lecture notes in computer science, vol 4590. Springer, Berlin, pp 491–503

  4. Benedetti M (2005) sKizzo: a suite to evaluate and certify QBFs. In: CADE. Lecture notes in computer science, vol 3632. Springer, Berlin, pp 369–376

  5. Biere A (2005) Resolve and expand. In: SAT. Lecture notes in computer science, vol 3542. Springer, Berlin, pp 59–70

  6. Biere A, Artho C, Schuppan V (2002) Liveness checking as safety checking. In: FMICS. Electronic notes in theoretical computer science, vol 66. Elsevier, Amsterdam, pp 160–177

  7. Bradley AR, Manna Z, Sipma HB (2005) Termination analysis of integer linear loops. In: CONCUR. Lecture notes in computer science, vol 3653. Springer, Berlin, pp 488–502

  8. Brinkmann R, Drechsler R (2002) RTL-datapath verification using integer linear programming. In: Proc of VLSI design. IEEE Press, New York, pp 741–746

  9. Clarke EM, Kroening D, Sharygina N, Yorav K (2004) Predicate abstraction of ANSI-C programs using SAT. Form Methods Syst Des 25(2–3):105–127

  10. Colón M, Sipma H (2001) Synthesis of linear ranking functions. In: TACAS. Lecture notes in computer science, vol 2031. Springer, Berlin, pp 67–81

  11. Cook B, Kroening D, Rümmer P, Wintersteiger CM (2010) Ranking function synthesis for bit-vector relations. In: TACAS. Lecture notes in computer science, vol 6015. Springer, Berlin, pp 236–250

  12. Cook B, Podelski A, Rybalchenko A (2005) Abstraction refinement for termination. In: SAS. Lecture notes in computer science, vol 3672. Springer, Berlin, pp 87–101

  13. Cook B, Podelski A, Rybalchenko A (2006) Termination proofs for systems code. In: PLDI. ACM, New York, pp 415–426

  14. Dams D, Gerth R, Grumberg O (2000) A heuristic for the automatic generation of ranking functions. In: Workshop on advances in verification, pp 1–8

  15. Encrenaz E, Finkel A (2009) Automatic verification of counter systems with ranking functions. In: INFINITY. Electronic notes in theoretical computer science, vol 239. Elsevier, Amsterdam, pp 85–103

  16. Falke S, Kapur D, Sinz C (2012) Termination analysis of imperative programs using bitvector arithmetic. In: VSTTE. Lecture notes in computer science, vol 7152. Springer, Berlin, pp 261–277

  17. Giunchiglia E, Narizzano M, Tacchella A (2004) QuBE++: an efficient QBF solver. In: FMCAD. Lecture notes in computer science, vol 3312. Springer, Berlin, pp 201–213

  18. Griggio A (2011) Effective word-level interpolation for software verification. In: Formal methods in computer-aided design (FMCAD). IEEE Press, New York, pp 28–36

  19. Horwitz S, Reps TW, Binkley D (1988) Interprocedural slicing using dependence graphs. In: PLDI. ACM, New York, pp 35–46

  20. Jussila T, Biere A (2007) Compressing BMC encodings with QBF. In: Workshop on bounded model checking (BMC’06). Electronic notes in theoretical computer science, vol 174. Elsevier, Amsterdam, pp 45–56

  21. Jussila T, Biere A, Sinz C, Kroening D, Wintersteiger CM (2007) A first step towards a unified proof checker for QBF. In: SAT. Lecture notes in computer science, vol 4501. Springer, Berlin, pp 201–214

  22. Kovásznai G, Fröhlich A, Biere A (2012) On the complexity of fixed-size bit-vector logics with binary encoded bit-width. In: SMT workshop at IJCAR

  23. Parthasarathy G, Iyer MK, Cheng KT, Wang LC (2004) An efficient finite-domain constraint solver for circuits. In: Design automation conference (DAC). ACM, New York, pp 212–217

  24. Podelski A, Rybalchenko A (2004) A complete method for the synthesis of linear ranking functions. In: VMCAI. Lecture notes in computer science, vol 2937. Springer, Berlin, pp 239–251

  25. Podelski A, Rybalchenko A (2004) Transition invariants. In: LICS. IEEE Press, New York, pp 32–41

  26. Podelski A, Rybalchenko A (2007) ARMC: the logical choice for software model checking with abstraction refinement. In: PADL. Lecture notes in computer science, vol 4354. Springer, Berlin, pp 245–259

  27. Presburger M (1930) Über die Vollständigkeit eines gewissen Systems der Arithmetik ganzer Zahlen, in welchem die Addition als einzige Operation hervortritt. In: Sprawozdanie z I kongresu matematyków słowiańskich, Warsaw, 1929, pp 92–101

  28. Rümmer P (2008) A constraint sequent calculus for first-order logic with linear integer arithmetic. In: LPAR. Lecture notes in computer science, vol 5330. Springer, Berlin, pp 274–289

  29. Schrijver A (1986) Theory of linear and integer programming. Wiley, New York

  30. Stockmeyer LJ, Meyer AR (1973) Word problems requiring exponential time (preliminary report). In: STOC. ACM, New York, pp 1–9

  31. Wegner P (1960) A technique for counting ones in a binary computer. Commun ACM 3(5):322

  32. Wintersteiger CM, Hamadi Y, de Moura L (2013) Efficiently solving quantified bit-vector formulas. Form Methods Syst Des 42:3–23

  33. Yang H, Lee O, Berdine J, Calcagno C, Cook B, Distefano D, O’Hearn PW (2008) Scalable shape analysis for systems code. In: CAV. Lecture notes in computer science, vol 5123. Springer, Berlin, pp 385–398

Acknowledgements

We would like to thank M. Narizzano for providing us with an experimental version of the QuBE QBF-Solver that outputs an assignment for the top-level existentials and H. Samulowitz for discussions about QBF encodings of the termination problem and for evaluating several QBF solvers. Furthermore, we are grateful for useful comments from Vijay D’Silva and Georg Weissenbacher, as well as the anonymous referees who identified important technical and presentational issues in previous revisions of this article.


Corresponding author

Correspondence to Christoph M. Wintersteiger.

Additional information

This is an extended version of our TACAS 2010 paper [11]. Supported by the Swiss National Science Foundation grant no. 200021-111687, by the Engineering and Physical Sciences Research Council (EPSRC) under grant no. EP/G026254/1, the EU FP7 STREP MOGENTES, the ARTEMIS CESAR project, and ERC project 280053.


Cite this article

Cook, B., Kroening, D., Rümmer, P. et al. Ranking function synthesis for bit-vector relations. Form Methods Syst Des 43, 93–120 (2013). https://doi.org/10.1007/s10703-013-0186-4


Keywords

  • Software verification
  • Ranking functions
  • Termination
  • Bit-vectors