Abstract
The success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In current schemes, the cause of a false alarm is identified as an infeasible error path, and the abstraction is refined in order to remove that path. By contrast, we view the cause of a false alarm -the spurious counterexample- as a full-fledged program, namely, a fragment of the original program whose control-flow graph may contain loops and represent unbounded computations. There are two advantages to using such path programs as counterexamples for abstraction refinement. First, we can bring the whole machinery of program analysis to bear on path programs, which are typically small compared to the original program. Specifically, we use constraint-based invariant generation to automatically infer invariants of path programs-so-called path invariants. Second, we use path invariants for abstraction refinement in order to remove not one infeasibility at a time, but at once all (possibly infinitely many) infeasible error computations that are represented by a path program. Unlike previous predicate discovery schemes, our method handles loops without unrolling them; it infers abstractions that involve universal quantification and naturally incorporates disjunctive reasoning.
- T. Ball, A. Podelski, and S. K. Rajamani. Relative completeness of abstraction refinement for software model checking. In Proc. TACAS, LNCS 2280, pp. 158--172. Springer, 2002. Google ScholarDigital Library
- T. Ball and S. K. Rajamani. The sc Slam project: Debugging system software via static analysis. In Proc. POPL, pp. 1--3. ACM, 2002. Google ScholarDigital Library
- D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko. Invariant synthesis for combined theories. In Proc. VMCAI, LNCS 4349, pp. 378--394. Springer, 2007. Google ScholarDigital Library
- B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. A static analyzer for large safety-critical software. In Proc. PLDI, pp. 196--207. ACM, 2003. Google ScholarDigital Library
- A. R. Bradley, Z. Manna, and H. B. Sipma. Linear ranking with reachability. In Proc. CAV, LNCS 3576, pp. 491--504. Springer, 2005. Google ScholarDigital Library
- A. R. Bradley, Z. Manna, and H. B. Sipma. What's decidable about arrays? In Proc. VMCAI, LNCS 3855, pp. 427--442. Springer, 2006. Google ScholarDigital Library
- S. Chaki, E. M. Clarke, A. Groce, S. Jha, and H. Veith. Modular verification of software components in C. IEEE Trans. Software Eng., 30:388--402, 2004. Google ScholarDigital Library
- E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In Proc. CAV, LNCS 1855, pp. 154--169. Springer, 2000. Google ScholarDigital Library
- M. Colóp;n, S. Sankaranarayanan, and H. B. Sipma. Linear invariant generation using non-linear constraint solving. In Proc. CAV, LNCS 2725, pp. 420--432. Springer, 2003.Google Scholar
- P. Cousot. Partial completeness of abstract fixpoint checking. In Proc. SARA, LNCS 1864, pp. 1--15. Springer, 2000. Google ScholarDigital Library
- P. Cousot. Verification by abstract interpretation. In Verification: Theory and Practice, LNCS 2772, pp. 243--268. Springer, 2003.Google Scholar
- P. Cousot. Proving program invariance and termination by parametric abstraction, Lagrangian relaxation and semidefinite programming. In Proc. VMCAI, LNCS 3385, pp. 1--24. Springer, 2005. Google ScholarDigital Library
- P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In Proc. POPL, pp. 238--252. ACM, 1977. Google ScholarDigital Library
- P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. In Proc. PLILP, LNCS 631, pp. 269--295. Springer, 1992. Google ScholarDigital Library
- P. Cousot and N.l Halbwachs. Automatic discovery of linear restraints among variables of a program. In Proc. POPL, pp. 84--96, 1978. Google ScholarDigital Library
- S. Das, D. L. Dill, and S. Park. Experience with predicate abstraction. In Proc. CAV, LNCS 1633, pp. 160--171. Springer, 1999. Google ScholarDigital Library
- J. Esparza, S. Kiefer, and S. Schwoon. Abstraction refinement with Craig interpolation and symbolic pushdown systems. In Proc. TACAS, LNCS 3920, pp. 489--503. Springer, 2006. Google ScholarDigital Library
- C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata. Extended static checking for Java. In Proc. PLDI, pp. 234--245. ACM, 2002. Google ScholarDigital Library
- C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In Proc. POPL, pp. 191--202. ACM, 2002. Google ScholarDigital Library
- R. W. Floyd. Assigning meanings to programs. In Mathematical Aspects of Computer Science, pp. 19--32. AMS, 1967.Google Scholar
- D. Gopan, T. W. Reps, and M. Sagiv. A framework for numeric analysis of array operations. In Proc. POPL, pp. 338--350. ACM, 2005. Google ScholarDigital Library
- S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In Proc. CAV, LNCS 1254, pp. 72--83. Springer, 1997. Google ScholarDigital Library
- S. Gulwani and N. Jojic. Program verification as probabilistic inference. In Proc. POPL, pp. 277--289. ACM, 2007. Google ScholarDigital Library
- S.Gulwani and A.Tiwari. Combining abstract interpreters. In Proc. PLDI, pp. 376--386. ACM, 2006. Google ScholarDigital Library
- T. A. Henzinger, R. Jhala, R. Majumdar, and K. L. McMillan. Abstractions from proofs. In Proc. POPL, pp. 232--244. ACM, 2004. Google ScholarDigital Library
- T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In Proc. POPL, pp. 58--70. ACM, 2002. Google ScholarDigital Library
- C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12:576--580, 1969. Google ScholarDigital Library
- F. Ivancic, Z. Yang, M. K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar. sc F-Soft: Software verification platform. In Proc. CAV, LNCS 3576, pp. 301--306. Springer, 2005. Google ScholarDigital Library
- R. Jhala and K. L. McMillan. A practical and complete approach to predicate refinement. In Proc. TACAS, LNCS 3920, pp. 459--473. Springer, 2006. Google ScholarDigital Library
- D. Kapur. Automatically generating loop invariants using quantifier elimination. Technical Report 05431 (it Deduction and Applications), IBFI Schloss Dagstuhl, 2006.Google Scholar
- D. Kapur and C. Zarba. A reduction approach to decision procedures. Technical Report TR-CS-2005-44, University of New Mexico, 2005.Google Scholar
- M. Karr. Affine relationships among variables of a program. Acta Inf., 6:133--151, 1976.Google ScholarDigital Library
- J. C. King. Symbolic execution and program testing. Commun. ACM, 19:385--394, 1976. Google ScholarDigital Library
- S. K. Lahiri and R. E. Bryant. Indexed predicate discovery for unbounded system verification. In Proc. CAV, LNCS 3114, pp. 135--147. Springer, 2004.Google Scholar
- Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer, 1995. Google ScholarDigital Library
- LMauborgne and X. Rival. Trace partitioning in abstract interpretation based static analyzers. In Proc. ESOP, LNCS 3444, pp. 5--20. Springer, 2005. Google ScholarDigital Library
- K. L. McMillan. Lazy abstraction with interpolants. In Proc. CAV, LNCS 4144, pp. 123--136. Springer, 2006. Google ScholarDigital Library
- AMiné. The octagon abstract domain. Higher-Order and Symbolic Comp., 19:31--100, 2006. Google ScholarDigital Library
- M. Sagiv, T. W. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst., 24:217--298, 2002. Google ScholarDigital Library
- S. Sankaranarayanan, F. Ivancic, I. Shlyakhter, and A. Gupta. Static analysis in disjunctive numerical domains. In Proc. SAS, LNCS 4134, pp. 3--17. Springer, 2006. Google ScholarDigital Library
- S. Sankaranarayanan, H. B. Sipma, and Z. Manna. Constraint-based linear-relations analysis. In Proc. SAS, LNCS 3148, pp. 53--68. Springer, 2004.Google Scholar
- S. Sankaranarayanan, H. B. Sipma, and Z. Manna. Non-linear loop invariant generation using Gröbner bases. In Proc. POPL, pp. 318--329. ACM, 2004. Google ScholarDigital Library
- S. Sankaranarayanan, H. B. Sipma, and Z. Manna. Scalable analysis of linear systems using mathematical programming. In Proc. VMCAI, LNCS 3385, pp. 25--41. Springer, 2005. Google ScholarDigital Library
- V. Sofronie-Stokkermans. Hierarchic reasoning in local theory extensions. In Proc. CADE, LNCS 3632, pp. 219--234. Springer, 2005. Google ScholarDigital Library
Index Terms
- Path invariants
Recommendations
Path invariants
PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and ImplementationThe success of software verification depends on the ability to find a suitable abstraction of a program automatically. We propose a method for automated abstraction refinement which overcomes some limitations of current predicate discovery schemes. In ...
Efficient Verification of Sequential and Concurrent C Programs
There has been considerable progress in the domain of software verification over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques such as predicate abstraction. ...
Predicate abstraction with indexed predicates
Predicate abstraction provides a powerful tool for verifying properties of infinite-state systems using a combination of a decision procedure for a subset of first-order logic and symbolic methods originally developed for finite-state model checking. We ...
Comments