Loop Summarization with Rational Vector Addition Systems Jake - - PowerPoint PPT Presentation

Loop Summarization with Rational Vector Addition Systems

Jake Silverman

Zachary Kincaid

Princeton University

Invariant generation techniques are effective but can be unpredictable

2

The Why

Invariant generation techniques are effective but can be unpredictable

2

i = 0 while(i < 5) do i++ assert(i == 5)

Polyhedron domain with widening / narrowing verifies assertion

The Why

*D. Monniaux and J. Le Guen. Stratified Static Analysis Based on Variable

• Dependencies. in Proc: International Workshop on Numerical and Symbolic Abstract

Domains (NSAD ’11)

Invariant generation techniques are effective but can be unpredictable

2

i = 1 j = 0 while(i < 5) do j = j + i i++ assert(i == 5)

Polyhedron domain with widening / narrowing fails to verify assertion Not monotone: more information led to worse analysis

The Why

*D. Monniaux and J. Le Guen. Stratified Static Analysis Based on Variable

• Dependencies. in Proc: International Workshop on Numerical and Symbolic Abstract

Domains (NSAD ’11)

Invariant generation techniques are effective but can be unpredictable

2

i = 1 j = 0 while(i < 5) do j = j + i i++ assert(i == 5)

Polyhedron domain with widening / narrowing fails to verify assertion

i = 0 j = 0 while(i < 1000) do i = i + step j = j + step assert(i == j)

Ultimate Automizer verifies assertion Not monotone: more information led to worse analysis

The Why

*D. Monniaux and J. Le Guen. Stratified Static Analysis Based on Variable

• Dependencies. in Proc: International Workshop on Numerical and Symbolic Abstract

Domains (NSAD ’11)

Invariant generation techniques are effective but can be unpredictable

2

i = 1 j = 0 while(i < 5) do j = j + i i++ assert(i == 5)

Polyhedron domain with widening / narrowing fails to verify assertion

assume(step < 2) i = 0 j = 0 while(i < 1000) do i = i + step j = j + step assert(i == j)

Ultimate Automizer fails to verify assertion within 1 hour Not monotone: more information led to worse analysis

The Why

*D. Monniaux and J. Le Guen. Stratified Static Analysis Based on Variable

• Dependencies. in Proc: International Workshop on Numerical and Symbolic Abstract

Domains (NSAD ’11)

Want: invariant generation technique that is predictable - can make theoretical guarantees about invariant quality (in particular, monotonicity) precise - assertion verification capability comparable with state-of-the-art software model checkers

The What

3

Exploit compositionality to compute transition formula that

• ver-approximates reachability relation of input

The How

4

• TR[

[if b then S1 else S2] ] ≜ b ∧ TR[ [S1] ] ∨ ¬b ∧ TR[ [S2] ]

TR[

[S1; S2] ] ≜ ∃ ⃗ x′′. TR[ [S1] ][ ⃗ x′′/ ⃗ x′] ∧ TR[ [S2] ][ ⃗ x′′/ ⃗ x ]

TR[

[while b do S] ] ≜ (b ∧ TR[ [S] ])* ∧ ¬b[ ⃗ x′/ ⃗ x ]

TR[ [x := a] ] ≜ x′ = a ∧ ⋀

y≠x

y′ = y

Exploit compositionality to compute transition formula that

• ver-approximates reachability relation of input

The How

4

if(*) then x = x + 1 else x = x + 2

x′ = x + 1 ∨ x′ = x + 2

• TR[

[if b then S1 else S2] ] ≜ b ∧ TR[ [S1] ] ∨ ¬b ∧ TR[ [S2] ]

TR[

[S1; S2] ] ≜ ∃ ⃗ x′′. TR[ [S1] ][ ⃗ x′′/ ⃗ x′] ∧ TR[ [S2] ][ ⃗ x′′/ ⃗ x ]

TR[

[while b do S] ] ≜ (b ∧ TR[ [S] ])* ∧ ¬b[ ⃗ x′/ ⃗ x ]

TR[ [x := a] ] ≜ x′ = a ∧ ⋀

y≠x

y′ = y

Can encode loop-free segments without loss of information

Exploit compositionality to compute transition formula that

• ver-approximates reachability relation of input

The How

Reachability relation of loops needs to be over-approximated

4

if(*) then x = x + 1 else x = x + 2

x′ = x + 1 ∨ x′ = x + 2

• TR[

[if b then S1 else S2] ] ≜ b ∧ TR[ [S1] ] ∨ ¬b ∧ TR[ [S2] ]

TR[

[S1; S2] ] ≜ ∃ ⃗ x′′. TR[ [S1] ][ ⃗ x′′/ ⃗ x′] ∧ TR[ [S2] ][ ⃗ x′′/ ⃗ x ]

TR[

[while b do S] ] ≜ (b ∧ TR[ [S] ])* ∧ ¬b[ ⃗ x′/ ⃗ x ]

TR[ [x := a] ] ≜ x′ = a ∧ ⋀

y≠x

y′ = y

Can encode loop-free segments without loss of information

Exploit compositionality to compute transition formula that

• ver-approximates reachability relation of input

The How

Reachability relation of loops needs to be over-approximated

4

if(*) then x = x + 1 else x = x + 2

x′ = x + 1 ∨ x′ = x + 2

• TR[

[if b then S1 else S2] ] ≜ b ∧ TR[ [S1] ] ∨ ¬b ∧ TR[ [S2] ]

TR[

[S1; S2] ] ≜ ∃ ⃗ x′′. TR[ [S1] ][ ⃗ x′′/ ⃗ x′] ∧ TR[ [S2] ][ ⃗ x′′/ ⃗ x ]

TR[

[while b do S] ] ≜ (b ∧ TR[ [S] ])* ∧ ¬b[ ⃗ x′/ ⃗ x ]

TR[ [x := a] ] ≜ x′ = a ∧ ⋀

y≠x

y′ = y

Can encode loop-free segments without loss of information If star operator is monotone, entire analysis in monotone

This talk

1) Predictable loop summarization using rational vector addition system with resets (ℚ-VASR) 2) Precision improvement via capturing control flow using ℚ-VASR with states (ℚ-VASRS)

5

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

6

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

• [

x y]

T1

→ [ y] + [ 1 −1],

T2

[ x y] → [ x y] + [ 10 −1]

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

6

Finite set of transformers. Describes reset/inc to each dimension

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

• [

x y]

T1

→ [ y] + [ 1 −1],

T2

[ x y] → [ x y] + [ 10 −1]

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

T1 (x′ = 1 ∧ y′ = y − 1) ∨ T2 (x′ = x + 10 ∧ y′ = y − 1)

6

Corresponds to transition formula of form ⋁

i∈T ⋀ j∈vars

x′

j = rij ⏟

⋅ xj + aij

⏟

{0,1} ℚ Finite set of transformers. Describes reset/inc to each dimension

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

• [

x y]

T1

→ [ y] + [ 1 −1],

T2

[ x y] → [ x y] + [ 10 −1]

5, 0.5

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

T1 (x′ = 1 ∧ y′ = y − 1) ∨ T2 (x′ = x + 10 ∧ y′ = y − 1)

6

Corresponds to transition formula of form ⋁

i∈T ⋀ j∈vars

x′

j = rij ⏟

⋅ xj + aij

⏟

{0,1} ℚ Finite set of transformers. Describes reset/inc to each dimension

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

• [

x y]

T1

→ [ y] + [ 1 −1],

T2

[ x y] → [ x y] + [ 10 −1]

5, 0.5 1,

• 0.5

15,

• 0.5

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

T1 (x′ = 1 ∧ y′ = y − 1) ∨ T2 (x′ = x + 10 ∧ y′ = y − 1)

6

Corresponds to transition formula of form ⋁

i∈T ⋀ j∈vars

x′

j = rij ⏟

⋅ xj + aij

⏟

{0,1} ℚ Finite set of transformers. Describes reset/inc to each dimension

ℚ-VASR

Key property: Reachability relation is LIRA-definable and computable in polytime

• [

x y]

T1

→ [ y] + [ 1 −1],

T2

[ x y] → [ x y] + [ 10 −1]

5, 0.5 1,

• 0.5

15,

• 0.5

1,

• 1.5

11,

• 1.5

25,

• 1.5

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

T1 (x′ = 1 ∧ y′ = y − 1) ∨ T2 (x′ = x + 10 ∧ y′ = y − 1)

6

Corresponds to transition formula of form ⋁

i∈T ⋀ j∈vars

x′

j = rij ⏟

⋅ xj + aij

⏟

{0,1} ℚ Finite set of transformers. Describes reset/inc to each dimension

Functional Queue

7

Proof Goal: Amortized constant time operations Achieved by representing queue as two lists (front and back)

Functional Queue

7

enqueue( )

Back Back hd hd

Proof Goal: Amortized constant time operations Achieved by representing queue as two lists (front and back)

Functional Queue

7

enqueue( )

Back Back hd

dequeue()

If Front is not empty

1

hd Front hd

Proof Goal: Amortized constant time operations Achieved by representing queue as two lists (front and back)

Front hd result

Functional Queue

7

enqueue( )

Back Back hd

dequeue()

If Front is not empty

Back Front hd Back Front

1

hd hd Front hd Front hd result

Proof Goal: Amortized constant time operations Achieved by representing queue as two lists (front and back)

If Front is empty

2

Front hd result

Functional Queue

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then //Reverse back, append to front while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3 front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

8

Numeric abstraction reasoning about:

• length of back list
• length of front list
• total list size
• number of memory operations

Functional Queue

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then //Reverse back, append to front while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3 front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

procedure harness(): nb_ops := 0 while nondet() do nb_ops := nb_ops + 1 if (size > 0 && nondet()) enqueue() else dequeue()

8

Most general harness

Functional Queue

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then //Reverse back, append to front while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3 front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

procedure harness(): nb_ops := 0 while nondet() do nb_ops := nb_ops + 1 if (size > 0 && nondet()) enqueue() else dequeue()

8

Most general harness

Functional Queue Inner-Loop

while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3

back_len ≠ 0 ∧ front_len' = front_len + 1 ∧ back_len' = back_len − 1 ∧ mem_ops' = mem_ops + 3 ∧ size' = size

9

Transition formula for single iteration

Functional Queue Inner-Loop

while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3

back_len ≠ 0 ∧ front_len' = front_len + 1 ∧ back_len' = back_len − 1 ∧ mem_ops' = mem_ops + 3 ∧ size' = size

Vdeq = front_len back_len mem_ops size → front_len back_len mem_ops size + 1 −1 3

ℚ-VASR Abstraction

9

Transition formula for single iteration

Functional Queue Inner-Loop

while (back_len != 0) do front_len := front_len + 1 back_len := back_len - 1 mem_ops = mem_ops + 3

back_len ≠ 0 ∧ front_len' = front_len + 1 ∧ back_len' = back_len − 1 ∧ mem_ops' = mem_ops + 3 ∧ size' = size

Vdeq = front_len back_len mem_ops size → front_len back_len mem_ops size + 1 −1 3

ℚ-VASR Abstraction

9

∃k ∈ ℕ . front_len′ = front_len + k ∧ back_len′ = back_len − k ∧ mem_ops′ = mem_ops + 3k ∧ size′ = size

Reachability Relation Transition formula for single iteration

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

back_len′ = 0 ∧ ∃k ∈ ℕ . front_len′ = front_len + k ∧ back_len′ = back_len − k ∧ mem_ops′ = mem_ops + 3k ∧ size′ = size

Functional Queue

procedure harness(): nb_ops := 0 while nondet() do nb_ops := nb_ops + 1 if (size > 0 && nondet()) enqueue() else dequeue()

10

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

back_len′ = 0 ∧ ∃k ∈ ℕ . front_len′ = front_len + k ∧ back_len′ = back_len − k ∧ mem_ops′ = mem_ops + 3k ∧ size′ = size

Functional Queue

procedure harness(): nb_ops := 0 while nondet() do nb_ops := nb_ops + 1 if (size > 0 && nondet()) enqueue() else dequeue()

10

procedure enqueue(elt): back_len := back_len + 1 size := size + 1 mem_ops := mem_ops + 1 procedure dequeue(): if (front_len == 0) then front_len := front_len - 1 size = size - 1 mem_ops = mem_ops + 2

back_len′ = 0 ∧ ∃k ∈ ℕ . front_len′ = front_len + k ∧ back_len′ = back_len − k ∧ mem_ops′ = mem_ops + 3k ∧ size′ = size

Functional Queue

procedure harness(): nb_ops := 0 while nondet() do nb_ops := nb_ops + 1 if (size > 0 && nondet()) enqueue() else dequeue()

• can increase by arbitrary

value

• is always

incremented or decremented by 1 enqueue: dequeue:

front_len back_len + front_len (back_len + front_len) + + (back_len + front_len) − −

10

• grows

at most 4 times as quickly as

mem_ops nb_ops

Vhar = size back_len mem_ops + 3 * back_len back_len + front_len nb_ops → size back_len mem_ops + 3 * back_len back_len + front_len nb_ops + 1 1 4 1 1 enqueue , size back_len mem_ops + 3 * back_len back_len + front_len nb_ops → size back_len mem_ops + 3 * back_len back_len + front_len nb_ops + −1 2 −1 1 dequeue fast (conditional passed) , size back_len mem_ops + 3 * back_len back_len + front_len nb_ops → size mem_ops + 3 * back_len back_len + front_len nb_ops + −1 2 −1 1 dequeue slow (conditional taken)

11

State Space Transformation

i = 0 while(*) do x = x + i + 2 y = y + i i = i + 1

12

State Space Transformation

i = 0 while(*) do x = x + i + 2 y = y + i i = i + 1

• x′ = x + i + 2

y′ = y + i i′ = i + 1

12

Transition formula for single iteration of loop

Not representable as ℚ-VASR

State Space Transformation

i = 0 while(*) do x = x + i + 2 y = y + i i = i + 1

• x′ = x + i + 2

y′ = y + i i′ = i + 1

Can always over-approximate transition formula as ℚ-VASR by applying a lin. transformation

12

Transition formula for single iteration of loop

Not representable as ℚ-VASR

State Space Transformation

i = 0 while(*) do x = x + i + 2 y = y + i i = i + 1

• x′ = x + i + 2

y′ = y + i i′ = i + 1

Can always over-approximate transition formula as ℚ-VASR by applying a lin. transformation

12

{[ x − y i ] → [ x − y i ] + [ 2 1]}

[ 1 −1 1]

Dim 1 Dim 2 x y i

Transition formula for single iteration of loop

Not representable as ℚ-VASR

Key Result: For any LRA transition formula , we can compute a best ℚ-VASR abstraction of

F F

Predictable Analysis using ℚ-VASR Abstractions

13

Key Result: For any LRA transition formula , we can compute a best ℚ-VASR abstraction of

F F

VAS1

Predictable Analysis using ℚ-VASR Abstractions

VAS2

F

Lin Transformation

13

L i n T r a n s f

• r

m a t i

• n

Key Result: For any LRA transition formula , we can compute a best ℚ-VASR abstraction of

F F

VAS1

Predictable Analysis using ℚ-VASR Abstractions

VAS2

F

Lin Transformation Lin Transformation

13

Best VAS

L i n T r a n s f

• r

m a t i

• n

Lin Transformation L i n T r a n s f

• r

m a t i

• n

Computing Best ℚ-VASR Abstractions

Convert transition formula to DNF

1

14

DNF(F) = C1 ∨ C2 ∨ . . . Cn

Computing Best ℚ-VASR Abstractions

Convert transition formula to DNF

1 2

14

Compute best ℚ-VASR for each LRA cube

DNF(F) = C1 ∨ C2 ∨ . . . Cn

VAS_ABS(C1) VAS_ABS(C2) VAS_ABS(Cn)

Key contribution

Computing Best ℚ-VASR Abstractions

Convert transition formula to DNF

1 2

Compute best common abstraction of all ℚ-VASR abstractions

3

14

Compute best ℚ-VASR for each LRA cube

DNF(F) = C1 ∨ C2 ∨ . . . Cn

VAS_ABS(C1) VAS_ABS(C2) VAS_ABS(Cn)

⊔ ⊔

VAS_ABS(F)

Key contribution Key contribution

Computing Best ℚ-VASR Abstractions

Convert transition formula to DNF

1 2

Compute best common abstraction of all ℚ-VASR abstractions

3

Step 2 can only compute best ℚ-VASR for LRA cube

14

Compute best ℚ-VASR for each LRA cube

DNF(F) = C1 ∨ C2 ∨ . . . Cn

VAS_ABS(C1) VAS_ABS(C2) VAS_ABS(Cn)

⊔ ⊔

VAS_ABS(F)

Can use SMT solver to enumerate DNF lazily

1 2

Key contribution Key contribution

This talk

1) Predictable loop summarization using rational vector addition system with resets (ℚ-VASR) 2) Precision improvement via capturing control flow using ℚ-VASR with states (ℚ-VASRS)

15

ℚ-VASRS Abstractions Example

int x = 0, i = 0 while(*) do if(i%2 == 0) i = i + 1 else x = x + 1 i = i + 1

16

ℚ-VASRS Abstractions Example

int x = 0, i = 0 while(*) do if(i%2 == 0) i = i + 1 else x = x + 1 i = i + 1

{[i x] → [ i + 1 x ], [i x] → [ i + 1 x + 1]}

A Best ℚ-VASR Abstraction Cannot show 2x ≤ i

16

ℚ-VASRS Abstractions Example

int x = 0, i = 0 while(*) do if(i%2 == 0) i = i + 1 else x = x + 1 i = i + 1

i%2 == 0 i%2 == 1

[i x] → [ i + 1 x ] [i x] → [ i + 1 x + 1]

{[i x] → [ i + 1 x ], [i x] → [ i + 1 x + 1]}

ℚ-VASRS Abstraction A Best ℚ-VASR Abstraction Cannot show 2x ≤ i

ℚ-VASRS Abstraction can prove that loop maintains invariant 2x ≤ i

16

ℚ-VASRS

State 1 State 2 State 3

Transformer 1 Transformer 2 Transformer 3 Transformer 4 Transformer 5

Transition formula representing reachability relation computable in polytime*

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

Reachability relation defined by sequences of transformers that form paths through graph.

17

ℚ-VASRS

State 1 State 2 State 3

Transformer 1 Transformer 2 Transformer 3 Transformer 4 Transformer 5

Transition formula representing reachability relation computable in polytime* Predicate Q-VASRS: Control States are predicates over program variables. Predicates must partition state space.

i > 0 i = 0 i < 0

*C. Haase and S. Halfon. Integer vector addition systems with states. in Proc: International Workshop on Reachability Problems (RP ‘14)

Reachability relation defined by sequences of transformers that form paths through graph.

17

Key Result: Can compute best ℚ-VASRS abstraction of input LRA formula with a fixed set of predicates

F

Best ℚ-VASRS Abstractions

18

Key Result: Can compute best ℚ-VASRS abstraction of input LRA formula with a fixed set of predicates

F

Best ℚ-VASRS Abstractions

a b c

VAS abstraction (a ∧ F ∧ b[

⃗ x′

• /

⃗ x ])

V A S a b s t r a c t i

• n
• (c ∧ F ∧ b[

⃗ x′/ ⃗ x ])

… V A S a b s t r a c t i

• n
• (

a ∧ F ∧ a [ ⃗ x ′

• /

⃗ x ] )

… … … … …

18

Predictable ℚ-VASRS Abstractions

19

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Solution Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Use connected components of topological closure of as predicates

∃x′. F

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Solution Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Use connected components of topological closure of as predicates

∃x′. F

F G F ⊧ G Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Solution Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Use connected components of topological closure of as predicates

∃x′. F

F G F ⊧ G

View formula as finite union of convex polyhedra

1

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Solution Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Use connected components of topological closure of as predicates

∃x′. F

F G F ⊧ G

View formula as finite union of convex polyhedra

1

Convert strict inequalities to non-strict

2

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Predictable ℚ-VASRS Abstractions

Solution Need monotonicity

19

That if , then is at least as fine as

F ⊧ G Predicates(F) Predicates(G)

Use connected components of topological closure of as predicates

∃x′. F

F G F ⊧ G

View formula as finite union of convex polyhedra

1

Convert strict inequalities to non-strict

2

Compute largest connect components

3

Finer set of predicates => potentially more precise abstraction No best set of predicates, must settle for a good one

Results newer than paper version: ℚ-VASR and ℚ-VASRS faster after optimization ℚ-VASR passes two more cases after bug fix

Evaluation

% Correct 0.25 0.5 0.75 1 C4B (35) HOLA (46) SVCOMP-19 (84)

ℚ-VASR ℚ-VASRS CRA SeaHorn UltAuto

31/35 40/46 78/84

20

Accuracy Runtime

ℚ-VASR ℚ-VASRS CRA

C4B (35) HOLA (46) SVCOMP-19 (84)

SeaHorn UltAuto 29 S 50 S 73 S 33 S 65 S 107 S 30 S 56 S 87 S 2431 S 2112 S 3038 S 3974 S 3003 S 6933 S

Timeout: 300 Seconds per case SVCOMP-19 restricted to safe integer benchmarks from loops category Most accurate tool in any given suite does not subsume all others

Summary

• Developed predictable and compositional program

analysis with ℚ-VASR

• Extended analysis with ℚ-VASR with states to capture

control flow information

• Shown improvements in both accuracy and speed over

state-of-art-tools while providing guarantees about invariant quality

21