Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Finding $\forall\exists$ Hyperbugs using Symbolic Execution

Arthur Correnson, Tobias Niessen, Bernd Finkbeiner, Georg Weissenbacher

TL;DR

This work tackles the challenge of verifying forall-exists hyperproperties, which require, for every execution, the existence (and non-existence) of related traces. It introduces a fully automated approach that extends symbolic execution with trace quantification in the fragment $ extrm{OHyperLTL}_ ext{safe}$, using a bounded semantics to manage terminating and non-terminating behaviors. A lazy, scalable algorithm—supported by an asynchronous product construction—computes symbolic encodings of bounded hyperproperties and can generate concrete counterexamples without user guidance. Empirical evaluation on public and new benchmarks shows the method effectively identifies hyperproperty violations across infinite-state reactive programs, often faster than existing tools, and without requiring loop invariants. This advances automated hyperbug detection and provides a practical pathway toward scalable analysis of complex relational properties.

Abstract

Many important hyperproperties, such as refinement and generalized non-interference, fall into the class of $\forall\exists$ hyperproperties and require, for each execution trace of a system, the existence of another trace relating to the first one in a certain way. The alternation of quantifiers renders $\forall\exists$ hyperproperties extremely difficult to verify, or even just to test. Indeed, contrary to trace properties, where it suffices to find a single counterexample trace, refuting a $\forall\exists$ hyperproperty requires not only to find a trace, but also a proof that no second trace satisfies the specified relation with the first trace. As a consequence, automated testing of $\forall\exists$ hyperproperties falls out of the scope of existing automated testing tools. In this paper, we present a fully automated approach to detect violations of $\forall\exists$ hyperproperties in software systems. Our approach extends bug-finding techniques based on symbolic execution with support for trace quantification. We provide a prototype implementation of our approach, and demonstrate its effectiveness on a set of challenging examples.

Finding $\forall\exists$ Hyperbugs using Symbolic Execution

TL;DR

This work tackles the challenge of verifying forall-exists hyperproperties, which require, for every execution, the existence (and non-existence) of related traces. It introduces a fully automated approach that extends symbolic execution with trace quantification in the fragment , using a bounded semantics to manage terminating and non-terminating behaviors. A lazy, scalable algorithm—supported by an asynchronous product construction—computes symbolic encodings of bounded hyperproperties and can generate concrete counterexamples without user guidance. Empirical evaluation on public and new benchmarks shows the method effectively identifies hyperproperty violations across infinite-state reactive programs, often faster than existing tools, and without requiring loop invariants. This advances automated hyperbug detection and provides a practical pathway toward scalable analysis of complex relational properties.

Abstract

Many important hyperproperties, such as refinement and generalized non-interference, fall into the class of hyperproperties and require, for each execution trace of a system, the existence of another trace relating to the first one in a certain way. The alternation of quantifiers renders hyperproperties extremely difficult to verify, or even just to test. Indeed, contrary to trace properties, where it suffices to find a single counterexample trace, refuting a hyperproperty requires not only to find a trace, but also a proof that no second trace satisfies the specified relation with the first trace. As a consequence, automated testing of hyperproperties falls out of the scope of existing automated testing tools. In this paper, we present a fully automated approach to detect violations of hyperproperties in software systems. Our approach extends bug-finding techniques based on symbolic execution with support for trace quantification. We provide a prototype implementation of our approach, and demonstrate its effectiveness on a set of challenging examples.
Paper Structure (29 sections, 16 theorems, 11 equations, 6 figures, 3 tables, 3 algorithms)

This paper contains 29 sections, 16 theorems, 11 equations, 6 figures, 3 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Challenges.
  3. Contributions.
  4. Note.
  5. Preliminaries
  6. First-order logic and theories barwise_introduction_1977.
  7. Program Graphs.
  8. Specifying Hyperproperties of Programs in $\textrm{OHyperLTL}_\mathit{safe}$
  9. Syntax
  10. Semantics
  11. Bounded Semantics
  12. Finding Hyperbugs by Symbolic Execution
  13. Symbolic Encoding of the Bounded Semantics
  14. Computing Symbolic Encodings
  15. Automated Bug-Finding Algorithms
  16. ...and 14 more sections

Key Result

theorem 1

Let $\psi$ be an infinitely observable specification and $k \in \mathbb{N}$. Then $\models^\omega \psi \implies \models^k \psi$.

Figures (6)

  • Figure 1: Two versions of a simple voting protocol with a bug underlined
  • Figure 2: A simple program and a possible translation as a program graph
  • Figure 3: A simple program, and a specification of GNI in OHyperLTL
  • Figure 4: Two programs, and a specification of refinement in OHyperLTL
  • Figure 5: Median runtimes of our approach, HyperQB groote_bounded_2021, and HyHorn verification_as_chc on instances of escalating. Missing data points indicate timeouts after 30 minutes. The vertical axis is logarithmic.
  • ...and 1 more figures

Theorems & Definitions (33)

  • definition 1: Program graph
  • definition 2: Semantics of instructions
  • definition 3: Transition semantics
  • definition 4: Trace semantics
  • definition 5: Syntax of $\textrm{OHyperLTL}_\mathit{safe}$
  • definition 6: Observational trace semantics
  • definition 7: Infinite-trace semantics of $\textrm{HyperLTL}_\mathit{safe}$
  • definition 8: Bounded semantics of $\textrm{OHyperLTL}_\mathit{safe}$
  • definition 9: Infinitely observable programs
  • definition 10: Infinitely observable specifications
  • ...and 23 more