Texte intégral
An SMT-based verification framework for
software systems handling arrays
Doctoral Dissertation submitted to the
Faculty of Informatics of the Universit`a della Svizzera Italiana
in partial fulfillment of the requirements for the degree of
Doctor of Philosophy
presented by
Francesco Alberti
under the supervision of
Natasha Sharygina
April 2015
Dissertation Committee
Nikolaj Bjørner Microsoft Research, Redmond, WA, USA
Rolf Krause Universit`a della Svizzera Italiana, Lugano, Switzerland
Viktor Kuncak ´
Ecole Polytechnique F´ed´erale de Lausanne, Lausanne, Switzerland
Nate Nystrom Universit`a della Svizzera Italiana, Lugano, Switzerland
Dissertation accepted on 15 April 2015
Research Advisor PhD Program Directors
Natasha Sharygina Igor Pivkin Stefan Wolf
i
I certify that except where due acknowledgement has been given, the work
presented in this thesis is that of the author alone; the work has not been sub-
mitted previously, in whole or in part, to qualify for any other academic award;
and the content of the thesis is the result of work which has been carried out
since the official commencement date of the approved research program.
Francesco Alberti
Lugano, 15 April 2015
ii
Abstract
Recent advances in the areas of automated reasoning and first-order theorem
proving paved the way to the developing of effective tools for the rigorous formal
analysis of computer systems. Nowadays many formal verification frameworks
are built over highly engineered tools (SMT-solvers) implementing decision
procedures for quantifier-free fragments of theories of interest for (dis)proving
properties of software or hardware products.
The goal of this thesis is to go beyond the quantifier-free case and enable
sound and effective solutions for the analysis of software systems requiring the
usage of quantifiers. This is the case, for example, of software systems handling
array variables, since meaningful properties about arrays (e.g., “the array is
sorted”) can be expressed only by exploiting quantification.
The first contribution of this thesis is the definition of a new Lazy Ab-
straction with Interpolants framework in which arrays can be handled in a
natural manner. We identify a fragment of the theory of arrays admitting
quantifier-free interpolation and provide an effective quantifier-free interpola-
tion algorithm. The combination of this result with an important preprocessing
technique allows the generation of the required quantified formulæ.
Second, we prove that accelerations, i.e., transitive closures, of an inter-
esting class of relations over arrays are definable in the theory of arrays via
∃∗∀∗-first order formulæ. We further show that the theoretical importance of
this result has a practical relevance: Once the (problematic) nested quantifiers
are suitably handled, acceleration offers a precise (not over-approximated) al-
ternative to abstraction solutions.
Third, we present new decision procedures for quantified fragments of the
theories of arrays. Our decision procedures are fully declarative, parametric
in the theories describing the structure of the indexes and the elements of the
arrays and orthogonal with respect to known results.
Fourth, by leveraging our new results on acceleration and decision proce-
dures, we show that the problem of checking the safety of an important class
of programs with arrays is fully decidable.
iii
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
1
/
202
100%
