
Scalable and scope-bounded software verification in Varvel

Automated Software Engineering

Abstract

Software model checking and static analysis have matured over the last decade, enabling their use in automated software verification. However, lack of scalability makes these tools hard to apply in industry practice. Furthermore, approximations in the models of program and environment lead to a profusion of false alarms. This paper proposes DC2, a verification framework using scope-bounding to address the issue of scalability, while retaining enough precision to avoid false alarms in practice. DC2 splits the analysis problem into manageable parts, relying on a combination of three automated techniques: (a) techniques to infer useful specifications for functions in the form of pre- and post-conditions; (b) stub inference techniques that infer abstractions to replace function calls beyond the verification scope; and (c) automatic refinement of pre- and post-conditions using counterexamples that are deemed to be false alarms by a user. The techniques enable DC2 to perform iterative reasoning over the calling environment of functions, to find non-trivial bugs and fewer false alarms. Based on the DC2 framework, we have developed a software model checking tool for C/C++ programs called Varvel, which has been in industrial use at NEC for a number of years. In addition to DC2, we describe other scalability and usability improvements in Varvel that have enabled its successful application on numerous large software projects. These include model simplifications, support for witness understanding to improve debugging assistance, and handling of C++ programs. We present experimental evaluations that demonstrate the effectiveness of DC2 and report on the usage of Varvel in NEC.


Notes

  1. Note that this reasoning is only valid as long as there is no integer overflow of the loop counter. We thus perform this type of optimization only after we have computed sound ranges of the loop counter involved, as discussed earlier in this section.

  2. Before applying bounded model checking, VeriSol (Ganai et al. 2005) spends about 10 % of its allocated analysis time to find short and local backwards proofs around properties of interest. These checks often catch simple proof patterns that would require disjunctive reasoning in the abstract domains to discover that a property cannot be violated.

  3. Other CFG nodes may have been removed and merged into this initial CFG node.

  4. Program slicing concerns the impact a statement may have on some other statement along any program path between the two. Data path slicing, on the other hand, considers a single program path only (Jhala and Majumdar 2005). Thus, while a statement may not be sliced away by standard program slicing because it affects program behavior on a different program path, the same statement may be irrelevant for the generated counterexample of interest.

References

  • Alur, R., Černý, P., Madhusudan, P., Nam, W.: Synthesis of interface specifications for Java classes. In: POPL, ACM Press, pp. 98–109 (2005)

  • Ammons, G., Bodík, R., Larus, J.R.: Mining specifications. In: POPL, ACM Press, pp. 4–16 (2002)

  • Babić, D., Hu, A.J.: Structural abstraction of software verification conditions. In: CAV, Springer, LNCS (2007)

  • Ball, T., Rajamani, S.K.: The SLAM project: Debugging system software via static analysis. In: POPL, ACM, pp. 1–3 (2002)

  • Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic predicate abstraction of C programs. In: PLDI, ACM Press, pp. 203–213 (2001)

  • Ball, T., Bounimova, E., Kumar, R., Levin, V.: Slam2: Static driver verification with under 4 % false alarms. In: FMCAD, IEEE, pp. 35–42 (2010)

  • Barnett, M., Fähndrich, M., Leino, K.R.M., Müller, P., Schulte, W., Venter, H.: Specification and verification: the spec# experience. Commun. ACM 54(6), 81–91 (2011)

  • Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software model checking via large-block encoding. In: FMCAD, IEEE, pp. 25–32 (2009)

  • Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic model checking without BDDs. In: TACAS, Springer, LNCS, pp. 193–207 (1999)

  • Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: PLDI, ACM, vol 548030, pp. 196–207 (2003)

  • Clarisó, R., Cortadella, J.: The octahedron abstract domain. In: Static Analysis Symposium, Springer, LNCS, vol 3148, pp. 312–327 (2004)

  • Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: CAV, Springer, LNCS, pp. 154–169 (2000)

  • Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: TACAS (2004)

  • Clarke Jr, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)

  • Cohen, E., Dahlweid, M., Hillebrand, M.A., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A practical system for verifying concurrent C. In: TPHOLs, Springer (2009)

  • Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: Proceedings of the Second International Symposium on Programming, Dunod, France, pp. 106–130 (1976)

  • Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In: POPL (1977a)

  • Cousot, P., Cousot, R.: Abstract Interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977b)

  • Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among the variables of a program. In: POPL (1978)

  • Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The ASTRÉE analyzer. In: ESOP, Springer, LNCS, pp. 21–30 (2005)

  • Cousot, P., Cousot, R., Logozzo, F.: Precondition inference from intermittent assertions and application to contracts on collections. In: VMCAI, Springer (2011)

  • Cousot, P., Cousot, R., Logozzo, F., Barnett, M.: An abstract interpretation framework for refactoring with application to extract methods with contracts. In: OOPSLA, ACM, pp. 213–232 (2012)

  • Cousot, P., Cousot, R., Fähndrich, M., Logozzo, F.: Automatic inference of necessary preconditions. In: VMCAI, Springer, LNCS, pp. 128–148 (2013)

  • Coverity: Coverity Inc. program verifier. www.coverity.com (2013)

  • Dor, N., Rodeh, M., Sagiv, M.: CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In: Proceedings of the PLDI, ACM Press (2003)

  • Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: PLDI, ACM, pp. 234–245 (2002)

  • Ganai, M., Gupta, A., Ashar, P.: DiVer: SAT-based model checking platform for verifying large scale systems. In: TACAS, Springer, LNCS, vol 3340 (2005)

  • Ganai, M.K., Li, W.: Bang for the Buck: Improvising and scheduling verification engines for effective resource utilization. In: MEMOCODE, IEEE Computer Society, pp. 8–17 (2009)

  • Goubault, E., Putot, S.: Static analysis of numerical algorithms. In: SAS, Springer, LNCS, vol 4134, pp. 18–34 (2006)

  • Hackett, B., Das, M., Wang, D., Yang, Z.: Modular checking for buffer overflows in the large. In: ICSE, ACM (2006)

  • Havelund, K., Pressburger, T.: Model checking java programs using java pathfinder. STTT 2(4), 366–381 (2000)

  • Hovemeyer, D., Pugh, W.: Finding more null pointer bugs, but not too many. In: PASTE, pp. 9–14 (2007)

  • Ivančić, F., Shlyakhter, I., Gupta, A., Ganai, M., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: ICCD, IEEE (2005a)

  • Ivančić, F., Shlyakhter, I., Gupta, A., Ganai, M., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: IEEE International Conference on Computer Design, pp. 297–308 (2005b)

  • Ivančić, F., Yang, Z., Ganai, M.K., Gupta, A., Ashar, P.: Efficient SAT-based bounded model checking for software verification. Theor. Comput. Sci. 404(3), 256–274 (2008)

  • Ivančić, F., Balakrishnan, G., Gupta, A., Sankaranarayanan, S., Maeda, N., Tokuoka, H., Imoto, T., Miyazaki, Y.: DC2: A framework for scalable, scope-bounded software verification. In: ASE, IEEE, pp. 133–142 (2011)

  • Jain, H., Ivančić, F., Gupta, A., Shlyakhter, I., Wang, C.: Using statically computed invariants inside the predicate abstraction and refinement loop. In: Ball, T., Jones, R. (eds) 18th International Conference on Computer Aided Verification (CAV), Springer, LNCS, vol 4144, pp. 137–151 (2006)

  • Jhala, R., Majumdar, R.: Path slicing. In: PLDI ’05, ACM, pp. 38–47 (2005)

  • Jhala, R., Majumdar, R.: Software model checking. ACM Comput. Surv. 41(4), 21:1–21:54 (2009)

  • Joshi, S., Lahiri, S.K., Lal, A.: Underspecified harnesses and interleaved bugs. In: POPL, ACM, pp. 19–30 (2012)

  • Jung, Y., Kim, J., Shin, J., Yi, K.: Taming false alarms from a domain-unaware C analyzer by a bayesian statistical post analysis. In: Hankin, C., Siveroni, I. (eds) SAS, Springer, LNCS, vol 3672, pp. 203–217 (2005)

  • Karr, M.: Affine relationships among variables of a program. Acta Inf. 6, 133–151 (1976)

  • Kremenek, T., Engler, D.: Z-Ranking: Using statistical analysis to counter the impact of static analysis approximations. In: Cousot, R. (ed) SAS, Springer, LNCS, vol 2694, pp. 295–315 (2003)

  • Kurshan, R.: Computer-aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton University Press, Princeton (1994)

  • Lal, A., Qadeer, S., Lahiri, S.K.: A solver for reachability modulo theories. In: CAV, Springer, LNCS, pp. 427–443 (2012)

  • Lee, W., Lee, W., Yi, K.: Sound non-statistical clustering of static analysis alarms. In: VMCAI, Springer, LNCS, vol 7148, pp. 299–314 (2012)

  • Loginov, A., Yahav, E., Chandra, S., Fink, S., Rinetzky, N., Nanda, M.G.: Verifying dereference safety via expanding-scope analysis. In: ISSTA, ACM (2008)

  • Logozzo, F., Lahiri, S.K., Fähndrich, M., Blackshear, S.: Verification modulo versions: towards usable verification. In: PLDI, ACM (2014)

  • MathWorks: PolySpace program analysis tool. www.polyspace.com (2013)

  • Miné, A.: A new numerical abstract domain based on difference-bound matrices. In: PADO II, Springer, LNCS, vol 2053, pp. 155–172 (2001)

  • Miné, A.: The octagon abstract domain. In: WCRE (2001)

  • Moy, Y., Marché, C.: Modular inference of subprogram contracts for safety checking. J. Symb. Comput. 45(11), 1184–1211 (2010)

  • NEC: NEC globally provides cloud software development environment. http://www.nec.com/en/press/201209/global_20120927_02.html (2012)

  • NEC: NEC internal data center. http://www.nec.com/en/case/idc/pdf/catalogue (2013)

  • Prabhu, P., Maeda, N., Balakrishnan, G., Ivančić, F., Gupta, A.: Interprocedural exception analysis for C++. In: ECOOP, Springer, LNCS, vol 6813 (2011)

  • Rossie Jr, J.G., Friedman, D.P.: An algebraic semantics of subobjects. In: OOPSLA, ACM, New York, NY, USA, pp. 187–199 (1995)

  • Sankaranarayanan, S., Colón, M., Sipma, H., Manna, Z.: Efficient strongly relational polyhedral analysis. In: VMCAI, Springer, LNCS, pp. 111–125 (2006a)

  • Sankaranarayanan, S., Ivančić, F., Shlyakhter, I., Gupta, A.: Static analysis in disjunctive numerical domains. In: Yi, K. (ed) SAS, Springer, LNCS, vol 4134 (2006b)

  • Sankaranarayanan, S., Ivančić, F., Gupta, A.: Program analysis using symbolic ranges. In: SAS, Springer, LNCS, vol 4634, pp. 366–383 (2007)

  • Shao, D., Khurshid, S., Perry, D.E.: An incremental approach to scope-bounded checking using a lightweight formal method. In: FM (2009)

  • Stroustrup, B.: Multiple inheritance for C++. Comput. Syst. 2(4), 367–395 (1989)

  • Taghdiri, M., Jackson, D.: Inferring specifications to detect errors in code. ASE 14(1), 87–121 (2007)

  • Tip, F.: A survey of program slicing techniques. J. Programm. Lang. 3, 121–189 (1995)

  • Tkachuk, O., Dwyer, M.B., Pasareanu, C.: Automated environment generation for software model checking. In: Automated Software Engineering, IEEE Computer Society, pp. 116–129 (2003)

  • Venet, A., Brat, G.P.: Precise and efficient static array bound checking for large embedded C programs. In: PLDI, ACM Press, pp. 231–242 (2004)

  • Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proceedings of the Network and Distributed Systems Security Conference, ACM Press, pp. 3–17 (2000)

  • Xie, Y., Aiken, A.: Saturn: A scalable framework for error detection using boolean satisfiability. Trans. Programm. Lang. Syst. 29(3), 16 (2007)

  • Yang, J., Balakrishnan, G., Maeda, N., Ivančić, F., Gupta, A., Sinha, N., Sankaranarayanan, S., Sharma, N.: Object model construction for inheritance in C++ and its applications to program analysis. In: CC, Springer, LNCS, vol 7210 (2012)

  • Zitser, M., Lippmann, R., Leek, T.: Testing static analysis tools using exploitable buffer overflows from open source code. In: SIGSoft/FSE, ACM (2004)

Acknowledgments

We would like to acknowledge the assistance and support of many people who helped in the development and application of Varvel in NEC—Yuusuke Hashimoto, Shinichi Iwasaki, Nik Kishinoue, Fusako Mitsuhashi, Yoshiaki Miyazaki, Shigeo Mori, Mitsuyuki Ohashi, and Hiroki Tokuoka from NEC Corporation; Aviral Bhatnagar, Deepak Chhetri, Srishti Gupta, Jaspreet Kaur, Ravi Kumar, Ujjwal Kumar, Rohit Pathak, Naveen Sharma, and Himanshu Shivnani from NEC Technologies India, and Shin Nakajima from the Japanese National Institute of Informatics (NII). We are very grateful for their support and dedicated efforts.

Corresponding author

Correspondence to Franjo Ivančić.

Cite this article

Ivančić, F., Balakrishnan, G., Gupta, A. et al.: Scalable and scope-bounded software verification in Varvel. Autom. Softw. Eng. 22, 517–559 (2015). https://doi.org/10.1007/s10515-014-0164-0
