No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Borealis Bounded Model Checker: The Coming of Age Story
Abstract
Our research group has been developing a bounded model checker called Borealis for almost 4 years now, and it has been mostly a research prototype with all that it entails. A lot of different ideas have been tested in Borealis, and this chapter draws a bottom line for most of them. We believe this chapter would be of interest to other researchers as a brief introduction to the topic of bounded model checking, and to us as a cornerstone on which to build our future work on making Borealis into a tool.
... Analysis Module starts the analysis using the built main application KFG and instrumented library KFG. It converts the program into Predicate State representation [4] and uses z3 SMT-solver for defect detection. Instrumentation Module and Analysis Module were developed as KEX extensions. ...
... We created a specification for okHttp 4 and evaluated SPIDER on it. The results of the evaluation are shown below. ...
Modern software design practice implies widespread use in the development of ready-made components, usually designed as external libraries. The undoubted advantages of reusing third-party code can be offset by integration errors that appear in the developed software. The reason for the appearance of such errors is mainly due to misunderstanding or incomplete understanding by the programmer of the details of external libraries such as an internal structure and the subtleties of functioning. The documentation provided with the libraries is often very sparse and describes only the main intended scenarios for the interaction of the program and the library. In this paper, we propose the approach based on the use of formal library specifications, which allows detecting integration errors using static analysis methods. To do this, the external library is described using the LibSL specification language, the resulting description is translated into the internal data structures of the KEX analyzer. The execution of the incorrect scenarios of library usage, such as the incorrect sequence of method calls or the violation of the API function contract, is marked in the program model with special built-in functions of the KEX analyzer. Later, when analyzing the program, KEX becomes able to detect integration errors, since incorrect library usage scenarios are diagnosed as calling marked functions. The proposed approach is implemented as SPIDER (SPecification-based Integration Defect Revealer), which is an extension of the Kex analyzer and has proven its efficiency by detecting integration errors of different classes on several special-made projects, as well as on several projects taken from open repositories.
Bounded model checking (BMC) is one of the most interesting and practical methods of software quality assurance; it converts the program to a logical formula, which is checked for correctness using SAT or SMT solvers. An inherent problem of BMC is how one does interprocedural analysis, which is usually performed using function inlining. However, inlining greatly increases the size and complexity of the resulting formula, making analysis close to impossible to perform in a reasonable time. In this work we propose a method of interprocedural BMC based on ideas from the related area of program static analysis; it works by creating context-sensitive versions of formulae for interesting safety properties, which are considerably smaller than formulae with full inlining. We have implemented a prototype based on our approach in a BMC tool called Borealis, evaluated it on a number of real-world programs and shown our approach to greatly improve analysis performance and precision.
The article presents a comprehensive approach to solving a number of problems that arise during the design, development, debugging and maintenance of multicomponent applications. The approach is based on a created formalism that allows specifying the structure and visible behavior of the component external to the application. At the same time, the mathematical approach used in the formalism is based on the system of extended finite state machine, which allows analyzing specifications in an acceptable time. For a programmer to set formal descriptions of the components, the LibSL specification language is developed. It allows the programmer to describe the specification of a component or a library in the form that is understandable to the programmer, without going into the mathematical basics of formalism. In this case, the interface of the library and its behavior, which is visible from the outside, are set. The implementation details are not included in the specification.
The rise of the software engineering industry sparkled the research on static analyzers in both academia and industry. Academic tools historically have an exhaustive feature set but don’t easily apply to industrial applications, and industrial verifiers are still very limited. The Equid project, which loosely stands for “Engine for performing queries on unified intermediate representations of program and domain models” is an attempt to fill the gap between theory and practice by building a language-agnostic analyzer in close contact with development and security community. In this introductory paper we set project goals, reveal motivation and describe code processing stages, such as preprocessing, translation to project’s own intermediate codes, virtual machine execution, constraint solving, all done to make static and interactive contract violation checks easier, more precisive yet informative. The project is compared to other analyzers. We believe that such a framework can draw attention to industrial uses clearly missed by verification communities and help shape a vision of universal static analyzer architectures.
Software analysis is becoming increasingly important as a way of software quality assurance. Most works in this area focus their attention on a single machine scenario, when the analysis is run and implemented on a single processing node, as it seems to be a good fit for the current software development methodologies. We argue that in some cases it is reasonable to employ high performance computing (HPC) to do software analysis, if the performance impact is worth the increase in computational requirements. In this paper we present our experience with the implementation of a HPC version of the bounded model checker Borealis, major problems we encountered together with their solutions, and the evaluation results on a number of different real-world projects.
The problem of improving precision of static analysis and verification techniques for C is hard due to simplification assumptions these techniques make about the code model. We present a novel approach to improving precision by executing the code model in a controlled environment that captures program errors and contract violations in a memory and time efficient way. We implemented this approach as an executor module Tassadar as a part of bounded model checker Borealis. We tested Tassadar on two test sets, showing that its impact on performance of Borealis is minimal.The article is published in the authors’ wording.
During model checking of software against various specifications, it is often the case that the same parts of the program have to be modeled/verified multiple times. To reduce the overall verification effort, this paper proposes a new technique that extracts function summaries after the initial successful verification run, and then uses them for more efficient subsequent analysis of the other specifications. Function summaries are computed as over-approximations using Craig interpolation, a mechanism which is well-known to preserve the most relevant information, and thus tend to be a good substitute for the functions that were examined in the previous verification runs. In our summarization-based verification approach, the spurious behaviors introduced as a side effect of the over-approximation, are ruled out automatically by means of the counter-example guided refinement of the function summaries. We implemented interpolation-based summarization in our FunFrog tool, and compared it with several state-of-the-art software model checking tools. Our experiments demonstrate the feasibility of the new technique and confirm its advantages on the large programs.
We present a novel approach for predicate abstraction of programs running on relaxed memory models. Our approach consists of two steps.
First, we reduce the problem of verifying a program P running on a memory model M to the problem of verifying a program P
M
that captures an abstraction of M as part of the program.
Second, we present a new technique for discovering predicates that enable verification of P
M
. The core idea is to extrapolate from the predicates used to verify P under sequential consistency. A key new concept is that of cube extrapolation: it successfully avoids exponential state explosion when abstracting P
M
.
We implemented our approach for the x86 TSO and PSO memory models and showed that predicates discovered via extrapolation are powerful enough to verify several challenging concurrent programs. This is the first time some of these programs have been verified for a model as relaxed as PSO.
This paper will present a design for loop op-timizations using high-level loop transforma-tions. We will describe a loop optimization in-frastructure based on improved induction vari-able, scalar evolution, and data dependence analysis. We also will describe loop trans-formation opportunities that utilize the infor-mation discovered. These transformations in-crease data locality and eliminate data depen-dencies that prevent optimization. The trans-formations also can be used to enable auto-matic vectorization and automatic paralleliza-tion functionality. The Tree-SSA infrastructure in GCC provides an opportunity for high level loop transforms to be implemented. Prior to the Loop Nest Op-timization effort described in this paper, GCC has performed no cache reuse, data locality, parallelization, or loop vectorization optimiza-tions. It also had no infrastructure to perform data dependence analysis for array accesses that are necessary to apply these transforma-tions safely. We have implemented data depen-dence analysis and linear loop transforms on top of Tree-SSA which provides the following features: 1. A data dependence framework for deter-mining whether two data references have a dependence. The core of the dependence analysis is a new, low-complexity algo-rithm for the recognition of scalar evolu-tions that tracks induction variables across a def-use graph. It is used to determine the legality of various transformations, in-cluding the vectorization transforms being implemented, and the matrix based trans-formations. 2. A matrix-based transformation method for rearranging loop nests to optimize lo-cality, cache reuse, and remove inner loop dependencies (to help vectorization and parallelization). This method can per-form any legal combination of loop inter-change, scaling, skewing, and reversal to a loop nest, and provides a simple interface to doing it.
C bounded model checking (cbmc) has proved to be a successful approach to automatic software analysis. The key idea is to (i) build a propositional formula
whose models correspond to program traces (of bounded length) that violate some given property and (ii) use state-of-the-art
SAT solvers to check the resulting formulae for satisfiability. In this paper, we propose a generalisation of the cbmc approach on the basis of an encoding into richer (but still decidable) theories than propositional logic. We show that our
approach may lead to considerably more compact formulae than those obtained with cbmc. We have built a prototype implementation of our technique that uses a satisfiability modulo theories (SMT) solver to solve
the resulting formulae. Computer experiments indicate that our approach compares favourably with—and on some significant problems
outperforms—cbmc.
We present MathSAT4, a state-of-the-art SMT solver. MathSAT4 handles several useful theories: (combinations of) equality and uninterpreted functions, difference logic, linear arithmetic,
and the theory of bit-vectors. It was explicitly designed for being used in formal verification, and thus provides functionalities
which extend the applicability of SMT in this setting. In particular: model generation (for counterexample reconstruction),
model enumeration (for predicate abstraction), an incremental interface (for BMC), and computation of unsatisfiable cores
and Craig interpolants (for abstraction refinement).
Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays,
and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in
various software verification and analysis applications.
Motivated by applications to program verification, we study a decision procedure for satisfiability in an expressive fragment of a theory of arrays, which is parameterized by the theories of the array elements. The decision procedure reduces satisfiability of a formula of the fragment to satisfiability of an equisatisfiable quantifier-free formula in the combined theory of equality with uninterpreted functions (EUF), Presburger arithmetic, and the element theories. This fragment allows a constrained use of universal quantification, so that one quantifier alternation is allowed, with some syntactic restrictions. It allows expressing, for example, that an assertion holds for all elements in a given index range, that two arrays are equal in a given range, or that an array is sorted. We demonstrate its expressiveness through applications to verification of sorting algorithms and parameterized systems. We also prove that satisfiability is undecidable for several natural extensions to the fragment. Finally, we describe our implementation in the π
VC verifying compiler.
Software verification is an important and difficult problem. Many static checking techniques for software require annotations from the programmer in the form of method specifications and loop invariants. This annotation overhead, particularly of loop invariants, is a significant hurdle in the acceptance of static checking. We reduce the annotation burden by inferring loop invariants automatically.Our method is based on predicate abstraction, an abstract interpretation technique in which the abstract domain is constructed from a given set of predicates over program variables. A novel feature of our approach is that it infers universally-quantified loop invariants, which are crucial for verifying programs that manipulate unbounded data such as arrays. We present heuristics for generating appropriate predicates for each loop automatically; the programmer can specify additional predicates as well. We also present an efficient algorithm for computing the abstraction of a set of states in terms of a collection of predicates.Experiments on a 44KLOC program show that our approach can automatically infer the necessary predicates and invariants for all but 31 of the 396 routines that contain loops.
Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding word-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we investigate the application of different SMT solvers to the verification of embedded software written in ANSI-C. We have extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for variables of finite bit width, bit-vector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded software applications from telecommunications, control systems, and medical devices. The experiments show that our approach can analyze larger problems and substantially reduce the verification time.
The state explosion problem remains a major hurdle in applying symbolic model checking to large hardware designs. State space abstraction, having been essential for verifying designs of industrial complexity, is typically a manual process, requiring considerable creativity and insight.In this article, we present an automatic iterative abstraction-refinement methodology that extends symbolic model checking. In our method, the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques that analyze such counterexamples and refine the abstract model correspondingly. We describe aSMV, a prototype implementation of our methodology in NuSMV. Practical experiments including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code confirm the effectiveness of our approach.
Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding word-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we investigate the application of different SMT solvers to the verification of embedded software written in ANSI-C. We have extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for finite variables, bit-vector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded applications from telecommunications, control systems and medical devices. The experiments show that our approach can analyze larger problems and substantially reduce the verification time. Comment: 12 pages
Static analysis examines code in the absence of input data and without running the code. It can detect potential security violations (SQL injection), runtime errors (dereferencing a null pointer) and logical inconsistencies (a conditional test that can't possibly be true). Although a rich body of literature exists on algorithms and analytical frameworks used by such tools, reports describing experiences in industry are much harder to come by. The authors describe FindBugs, an open source static-analysis tool for Java, and experiences using it in production settings. FindBugs evaluates what kinds of defects can be effectively detected with relatively simple techniques and helps developers understand how to incorporate such tools into software development.
This paper presents a novel method for loop optimization that exploits symbolic evaluation of chains of recurrences (CRs). The method generalizes loop induction expression recognition, loop parallelization by induction variable substitution, loop strength reduction, and loop invariant expression elimination (code motion). Symbolic differencing of loops has been extensively studied by Haghighat for these type of transformations. The differencing method detects generalized loop induction variables and approximates the corresponding closed-form functions by polynomials bounded to a predetermined maximum order. We will show that compared to differencing methods, symbolic evaluation with CRs is safe, more powerful, and simpler to implement. We prove that CRs are unique normal forms, which is crucial for the use of CRs as intermediate program representations of recurrences. Based on the algorithms developed by Bachmann, Zima, and Wang, we develop a CR-based algorithm for loop anal...
. Symbolic Model Checking [3, 14] has proven to be a powerful technique for the verification of reactive systems. BDDs [2] have traditionally been used as a symbolic representation of the system. In this paper we show how boolean decision procedures, like Stalmarck's Method [16] or the Davis & Putnam Procedure [7], can replace BDDs. This new technique avoids the space blow up of BDDs, generates counterexamples much faster, and sometimes speeds up the verification. In addition, it produces counterexamples of minimal length. We introduce a bounded model checking procedure for LTL which reduces model checking to propositional satisfiability. We show that bounded LTL model checking can be done without a tableau construction. We have implemented a model checker BMC, based on bounded model checking, and preliminary results are presented. 1 Introduction Model checking [4] is a powerful technique for verifying reactive systems. Able to find subtle errors in real commercial designs...
Chains of Recurrences (CR's) are introduced as an effective method to evaluate functions at regular intervals. Algebraic properties of CR's are examined and an algorithm that constructs a CR for a given function is explained. Finally, an implementation of the method in MAXIMA/Common Lisp is discussed. 1 Introduction Given a closed-form function G(x), a common computational task is to evaluate the function at a number of points in an interval. More precisely, given a starting point x0 and an increment h, the task is to compute G(x0 + ih) for i = 0; 1; : : : ; n Gamma 1. Such computations occur frequently in practice: plotting curves of functions, computing finite sums and products, calculating integrals, and solving differential equations. Straightforward evaluations of G at all n points can be very inefficient and may sometimes even become the bottleneck of a given system. The SIG [5] graphing system is such an example. One way to speed up this type of evaluation is to compute the ...
Propositional bounded model checking has been applied successfully to verify embedded software but remains limited by increasing propositional formula sizes and the loss of high-level information during the translation preventing potential optimizations to reduce the state space to be explored. These limitations can be overcome by encoding high-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we propose the application of different background theories and SMT solvers to the verification of embedded software written in ANSI-C in order to improve scalability and precision in a completely automatic way. We have modified and extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for variables of finite bit width, bit-vector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded software applications from telecommunications, control systems, and medical devices. The experiments show that our ESBMC model checker can analyze larger problems than existing tools and substantially reduce the verification time.
For organisations like Facebook, high quality software is important. However, the pace of change and increasing complexity of modern code makes it difficult to produce error-free software. Available tools are often lacking in helping programmers develop more reliable and secure applications.
Formal verification is a technique able to detect software errors statically, before a product is actually shipped. Although this aspect makes this technology very appealing in principle, in practice there have been many difficulties that have hindered the application of software verification in industrial environments. In particular, in an organisation like Facebook where the release cycle is fast compared to more traditional industries, the deployment of formal techniques is highly challenging.
This paper describes our experience in integrating a verification tool based on static analysis into the software development cycle at Facebook.
When performing program analysis, loops are one of the most important aspects that needs to be taken into account. In the past, many approaches have been proposed to analyze loops to perform different tasks, ranging from compiler optimizations to Worst-Case Execution Time (WCET) analysis. While these approaches are powerful, they focus on tackling very specific categories of loops and known loop patterns, such as the ones for which the number of iterations can be statically determined. In this work, we developed a static analysis framework to characterize and analyze generic loops, without relying on techniques based on pattern matching. For this work, we focus on the Android platform, and we implemented a prototype, called CLAPP, that we used to perform the first large-scale empirical study of the usage of loops in Android applications. In particular, we used our tool to analyze a total of 4,110,510 loops found in 11,823 Android applications. As part of our evaluation, we provide the detailed results of our empirical study, we show how our analysis was able to determine that the execution of 63.28% of the loops is bounded, and we discuss several interesting insights related to the performance issues and security aspects associated with loops.
One of the most serious problems when doing program analyses is dealing with function calls. While function inlining is the traditional approach to this problem, it nonetheless suffers from the increase in analysis complexity due to the state space explosion. Craig interpolation has been successfully used in recent years in the context of bounded model checking to do function summarization which allows one to replace the complete function body with its succinct summary and, therefore, reduce the complexity, but unfortunately this technique can be applied only to a pair of unsatisfiable formulae. In this work-in-progress paper we present an approach to function summarization based on Craig interpolation that overcomes its limitation by using random model sampling. It captures interesting input/output relations, strengthening satisfiable formulae into unsatisfiable ones and thus allowing the use of Craig interpolation. Evaluation results show the applicability of this approach; in our future work we plan to do a more extensive evaluation on real-world examples.
Automated test generation has received a lot of attention in recent decades, because it is one possible solution to the problems inherent to software testing: the need to write tests in the first place and providing test coverage for the human factor. De facto the most promising technique to automatically generate a test is dynamic symbolic execution assisted by an automated constraint solver, e.g., an SMT solver. This process is very similar to bounded model checking, which also deals with generating models from source code, asserting logic properties in it, and processing the returned model. This paper describes a prototype unit test generator for C based on a working bounded model checker called Borealis and shows that these two techniques are very similar and can be easily implemented using the same basic components. The prototype test generator has been evaluated on a number of examples and has shown good results in terms of test coverage and test excessiveness.
We present a tool for the formal verification of ANSI-C programs using Bounded Model Checking (BMC). The emphasis is on usability: the tool supports almost all ANSI-C language features, including pointer constructs, dynamic memory allocation, recursion, and the float and double data types. From the perspective of the user, the verification is highly automated: the only input required is the BMC bound. The tool is integrated into a graphical user interface. This is essential for presenting long counterexample traces: the tool allows stepping through the trace in the same way a debugger allows stepping through a program.
In recent years, the study of a software quality assurance technique called bounded model checking (BMC) has been increasingly intensified, because it makes it possible to successfully detect both functional and nonfunctional defects in real software. In this paper, we propose an original approach to the implementation of BMC based on combining the results of several recent studies in this field, namely, the use of the LLVM compiler infrastructure for parsing and transformation of the source code, the use of SMT-solver Z3 for the verification of the correctness of the properties, and the improvement of the analysis efficiency using the approximation of functions. The experimental results show that the approach can be applied to real projects.
This report describes the 3rd International Competition on Software Verification (SV-COMP 2014), which is the third edition of a thorough comparative evaluation of fully automatic software verifiers. The reported results represent the state of the art in automatic software verification, in terms of effectiveness and efficiency. The verification tasks of the competition consist of nine categories containing a total of 2868 C programs, covering bit-vector operations, concurrent execution, control-flow and integer data-flow, device-drivers, heap data structures, memory manipulation via pointers, recursive functions, and sequentialized concurrency. The specifications include reachability of program labels and memory safety. The competition is organized as a satellite event at TACAS 2014 in Grenoble, France.
System programming languages such as C grant compiler writers freedom to generate efficient code for a specific instruction set by defining certain language constructs as undefined behavior. Unfortunately, the rules for what is undefined behavior are subtle and programmers make mistakes that sometimes lead to security vulnerabilities. This position paper argues that the research community should help address the problems that arise from undefined behavior, and not dismiss them as esoteric C implementation issues. We show that these errors do happen in real-world systems, that the issues are tricky, and that current practices to address the issues are insufficient.
A Craig interpolant for a mutually inconsistent pair of formulas (A,B) is a formula that is (1) implied by A, (2) inconsistent with B, and (3) expressed over the common variables of A and B. An interpolant can be efficiently derived from a refutation of A ∧ B, for certain theories and proof systems. We will discuss a number of applications of this concept in finite- and infinite-state model checking.KeywordsModel CheckTransition RelationProof SystemState FormulaTransition FormulaThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Bounded model checking (BMC) of C and C++ programs is challenging due to the complex and intricate syntax and semantics of these programming languages. The BMC tool LLBMC presented in this paper thus uses the LLVM compiler framework in order to translate C and C++ programs into LLVM's intermediate representation. The resulting code is then converted into a logical representation and simplified using rewrite rules. The simplified formula is finally passed to an SMT solver. In contrast to many other tools, LLBMC uses a flat, bit-precise memory model. It can thus precisely model, e.g., memory-based re-interpret casts as used in C and static/dynamic casts as used in C++. An empirical evaluation shows that LLBMC compares favorable to the related BMC tools CBMC and ESBMC.
Empirical studies of retrieval performance have shown a tendency for Precision to decline as Recall increases. This article examines the nature of the relationship between Precision and Recall. The relationships between Recall and the number of documents retrieved, between Precision and the number of documents retrieved, and between Precision and Recall are described in the context of different assumptions about retrieval performance. It is demonstrated that a tradeoff between Recall and Precision is unavoidable whenever retrieval performance is consistently better than retrieval at random. More generally, for the Precision–Recall trade-off to be avoided as the total number of documents retrieved increases, retrieval performance must be equal to or better than overall retrieval performance up to that point. Examination of the mathematical relationship between Precision and Recall shows that a quadratic Recall curve can resemble empirical Recall–Precision behavior if transformed into a tangent parabola. With very large databases and/or systems with limited retrieval capabilities there can be advantages to retrieval in two stages: Initial retrieval emphasizing high Recall, followed by more detailed searching of the initially retrieved set, can be used to improve both Recall and Precision simultaneously. Even so, a tradeoff between Precision and Recall remains. © 1994 John Wiley & Sons, Inc.
This well-accepted introduction to computational geometry is a textbook for high-level undergraduate and low-level graduate courses. The focus is on algorithms and hence the book is well suited for students in computer science and engineering. Motivation is provided from the application areas: all solutions and techniques from computational geometry are related to particular applications in robotics, graphics, CAD/CAM, and geographic information systems. For students this motivation will be especially welcome. Modern insights in computational geometry are used to provide solutions that are both efficient and easy to understand and implement. All the basic techniques and topics from computational geometry, as well as several more advanced topics, are covered. The book is largely self-contained and can be used for self-study by anyone with a basic background in algorithms. In this third edition, besides revisions to the second edition, new sections discussing Voronoi diagrams of line segments, farthest-point Voronoi diagrams, and realistic input models have been added.
One task of metamathematics is to relate suggestive but nonelementary modeltheoretic concepts to more elementary proof-theoretic concepts, thereby opening up modeltheoretic problems to proof-theoretic methods of attack. Herbrand's Theorem (see [8] or also [9], vol. 2) or Gentzen's Extended Hauptsatz (see [5] or also [10]) was first used along these lines by Beth [1]. Using a modified version he showed that for all first-order systems a certain modeltheoretic notion of definability coincides with a certain proof theoretic notion. In the present paper the Herbrand-Gentzen Theorem will be applied to generalize Beth's results from primitive predicate symbols to arbitrary formulas and terms.
This may be interpreted as showing that (apart from some relatively minor exceptions which will be made apparent below) the expressive power of each first-order system is rounded out, or the system is functionally complete , in the following sense: Any functional relationship which obtains between concepts that are expressible in the system is itself expressible and provable in the system.
A second application is concerned with the hierarchy of second-order formulas. A certain relationship is shown to hold between first-order formulas and those second-order formulas which are of the form (∃T 1 )…(∃T k )A or (T 1 )…(T k )A with A being a first-order formula. Modeltheoretically this can be regarded as a relationship between the class AC and the class PC ⊿ of sets of models, investigated by Tarski in [12] and [13].
Improving static analysis by loop unrolling on an arbitrary iteration
- M Akhin
- M Belyaev
- V Itsykson
- M. Akhin
A guide to undefined behavior in C and C++
- J Regehr
Enabling polyhedral optimizations in LLVM
- T C Grosser
Status report on software verification
- D Beyer
Moving fast with software verification
- C Calcagno
- D Distefano
- J Dubreil
- Cristiano Calcagno