TY - GEN
T1 - How to avoid proving the absence of integer overflows
AU - Clochard, Martin
AU - Filliȃtre, Jean Christophe
AU - Paskevich, Andrei
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016/1/1
Y1 - 2016/1/1
N2 - When proving safety of programs, we must show, in particular, the absence of integer overflows. Unfortunately, there are lots of situations where performing such a proof is extremely difficult, because the appropriate restrictions on function arguments are invasive and may be hard to infer. Yet, in certain cases, we can relax the desired property and only require the absence of overflow during the first n steps of execution, n being large enough for all practical purposes. It turns out that this relaxed property can be easily ensured for large classes of algorithms, so that only a minimal amount of proof is needed, if at all. The idea is to restrict the set of allowed arithmetic operations on the integer values in question, imposing a “speed limit” on their growth. For example, if we repeatedly increment a 64-bit integer, starting from zero, then we will need at least 264 steps to reach an overflow; on current hardware, this takes several hundred years. When we do not expect any single execution of our program to run that long, we have effectively proved its safety against overflows of all variables with controlled growth speed. In this paper, we give a formal explanation of this approach, prove its soundness, and show how it is implemented in the context of deductive verification.
AB - When proving safety of programs, we must show, in particular, the absence of integer overflows. Unfortunately, there are lots of situations where performing such a proof is extremely difficult, because the appropriate restrictions on function arguments are invasive and may be hard to infer. Yet, in certain cases, we can relax the desired property and only require the absence of overflow during the first n steps of execution, n being large enough for all practical purposes. It turns out that this relaxed property can be easily ensured for large classes of algorithms, so that only a minimal amount of proof is needed, if at all. The idea is to restrict the set of allowed arithmetic operations on the integer values in question, imposing a “speed limit” on their growth. For example, if we repeatedly increment a 64-bit integer, starting from zero, then we will need at least 264 steps to reach an overflow; on current hardware, this takes several hundred years. When we do not expect any single execution of our program to run that long, we have effectively proved its safety against overflows of all variables with controlled growth speed. In this paper, we give a formal explanation of this approach, prove its soundness, and show how it is implemented in the context of deductive verification.
U2 - 10.1007/978-3-319-29613-5_6
DO - 10.1007/978-3-319-29613-5_6
M3 - Conference contribution
AN - SCOPUS:84958979373
SN - 9783319296128
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 94
EP - 109
BT - Verified Software
A2 - Seshia, Sanjit A.
A2 - Gurfinkel, Arie
PB - Springer Verlag
T2 - 7th International Conference on Verified Software: Theories, Tools, and Experiments, VSTTE 2015
Y2 - 18 July 2015 through 19 July 2015
ER -