Formal Aspects of Computing

, Volume 19, Issue 3, pp 375–399 | Cite as

Program verification with interacting analysis plugins

  • Nathaniel Charlton
Original Article


In this paper we propose and argue for a modular framework for interprocedural program analysis, where multiple program analysis tools are combined in order to exploit the particular advantages of each. This allows for “plugging together” such tools as required by each verification task and makes it easy to integrate new analyses. Our framework automates the sharing of information between plugins using a first order logic with transitive closure, in a way inspired by the open product of Cortesi et al.

We describe a prototype implementation of our framework, which performs static assertion checking on a simple language for heap-manipulating programs. This implementation includes plugins for three existing approaches—predicate abstraction, 3-valued shape analysis and a decidable pointer analysis—and for a simple type system. We demonstrate through a detailed example the increase in precision that our approach can provide. Finally we discuss the design decisions we have taken, in particular the tradeoffs involved in the choice of language by which the plugins communicate, and identify some future directions for our work.


Abstraction Software verification Plugins Open product 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. BCM+92.
    Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1992) Symbolic model checking: 1020 states and beyond. Inform Comput 98:142–170Google Scholar
  2. BCO04.
    Berdine J, Calcagno C, O’Hearn PW (2004) A decidable fragment of separation logic. In: Kamal L, Meena M (eds) FSTTCS 2004: foundations of software technology and theoretical computer science, 24th International Conference, Chennai, India, December 16–18, 2004, Proceedings, Vol 3328 of LNCS, pp 97–109, Springer, HeidelbergGoogle Scholar
  3. BG03.
    Bustan D, Grumberg O (2003) Simulation-based minimization. ACM Trans Comput Logic 4(2):181–206Google Scholar
  4. BR00.
    Ball T, Rajamani SK (2000) Bebop: a symbolic model checker for boolean programs. In: Proceedings of SPIN 2000, Vol 1885 of LNCS, pp 113–130, Springer, HeidelbergGoogle Scholar
  5. BR01.
    Ball T, Rajamani SK (2001) Automatically validating temporal safety properties of interfaces. In: SPIN ’01: proceedings of the 8th international SPIN workshop on Model checking of software, Vol 2057 of LNCS, pp 103–122, Springer, HeidelbergGoogle Scholar
  6. BR02.
    Ball T, Rajamani SK (2002) Generating abstract explanations of spurious counterexamples in C programs. Technical report, Microsoft. MSR-TR-2002-09Google Scholar
  7. CC79.
    Cousot P, Cousot R (1979) Systematic design of program analysis frameworks. In: POPL, pp 269–282Google Scholar
  8. CC92.
    Cousot P, Cousot R (1992) Abstract interpretation and application to logic programs. J Logic Program 13(2–3):103–179zbMATHCrossRefGoogle Scholar
  9. CC04.
    Clarisó R, Cortadella J (2004) The octahedron abstract domain. In: SAS, pp 312–327Google Scholar
  10. CCH00.
    Cortesi A, Charlier BL, Van Hentenryck P (2000) Combinations of abstract domains for logic programming: open product and generic pattern construction. Sci Comput Program 38(1–3):27–71zbMATHCrossRefGoogle Scholar
  11. Cha06a.
    Charlton N (2006) Program verification with interacting analysis plugins. Technical Report 2006/11, Department of Computing, Imperial College London, ISSN 1469-4174Google Scholar
  12. Cha06b.
    Charlton N (2006) Verification of Java programs with interacting analysis plugins. Electronic Notes in Theoretical Computer Science. 145, In: Proceedings of the 5th international workshop on automated verification of critical systems (AVoCS 2005):131–150Google Scholar
  13. CL05.
    Evan Chang B-Y, Leino KRM (2005) Abstract interpretation with alien expressions and heap structures. In: VMCAI’05, Vol 3385 of LNCS, pp 147–163, Springer, HeidelbergGoogle Scholar
  14. CMB+95.
    Codish M, Mulkers A, Bruynooghe M, Garcia de la Banda M, Hermenegildo M (1995) Improving abstract interpretations by combining domains. ACM Trans Program Lang Syst 17(1):28–44CrossRefGoogle Scholar
  15. CPR05.
    Cook B, Podelski A, Rybalchenko A (2005) Abstraction-refinement for termination. In: Hankin C, Siveroni I (eds) Static analysis: 12th international symposium, SAS 2005, Vol 3672 of LNCS, p 15, Springer, LondonGoogle Scholar
  16. DDP99.
    Das S, Dill DL, Park S (1999) Experience with predicate abstraction. In: Computer Aided Verification. Vol 1633 of LNCS, pp 160–171Google Scholar
  17. DM05.
    Dietl W, Müller P (2005) Universes: lightweight ownership for JML. J Obj Technol (JOT) 4(8):5–32Google Scholar
  18. DNS05.
    Detlefs D, Nelson G, Saxe JB (2005) Simplify: a theorem prover for program checking. J ACM 52(3):365–473CrossRefGoogle Scholar
  19. HJMS02.
    Henzinger TA, Jhala R, Majumdar R, Sutre G (2002) Lazy abstraction. In: Proceedings of the 29th annual symposium on principles of programming languages, pp 58–70. ACM, New YorkGoogle Scholar
  20. HS96.
    Havelund K, Shankar N (1996) Experiments in theorem proving and model checking for protocol verification. In: Gaudel M-C, Woodcock J (eds). FME’96: industrial benefit and advances in formal methods. Vol 1051 of LNCS. Springer, Heidelberg, pp 662–681Google Scholar
  21. Hub03.
    Hubbers E (2003) Integrating tools for automatic program verification. In: Ershov memorial conference, pp 214–221Google Scholar
  22. Imm87.
    Immerman N (1987) Languages that capture complexity classes. SIAM J Comput 16(4):760–778zbMATHCrossRefGoogle Scholar
  23. Imm99.
    Immerman N (1999) Descriptive complexity. Springer, New YorkzbMATHGoogle Scholar
  24. IRR+04.
    Immerman N, Rabinovich AM, Reps TW, Sagiv S, Yorsh G (2004) The boundary between decidability and undecidability for transitive-closure logics. In: CSL’04. Vol 3210 of LNCS, pp 160–174. Springer, HeidelbergGoogle Scholar
  25. JMG+02.
    Jim T, Morrisett G, Grossman D, Hicks M, Cheney J, Wang Y (2002) Cyclone: a safe dialect of C. In: Proceedings of the USENIX Annual Technical Conference. USENIXGoogle Scholar
  26. KLZR05.
    Kuncak V, Lam P, Zee K, Rinard M (2005) Implications of a data structure consistency checking system. In: International conference on verifed software: tools, techniques, experimentsGoogle Scholar
  27. KM01.
    Klarlund N, Møller A (2001) MONA Version 1.4 user manual. BRICS Notes Series NS-01-1, Department of Computer Science, University of AarhusGoogle Scholar
  28. KNR05.
    Kuncak V, Nguyen HH, Rinard MC (2005) An algorithm for deciding BAPA: Boolean algebra with presburger arithmetic. In: CADE, pp 260–277Google Scholar
  29. LAIR+05.
    Lev-Ami T, Immerman N, Reps T, Sagiv M, Srivastava S, Yorsh G (2005) Simulating reachability using first-order logic with applications to verification of linked data structures. In: CADE 2005, Vol 3632 of lecture notes in artificial intelligence. Springer, HeidelbergGoogle Scholar
  30. LAMS04.
    Lev-Ami T, Manevich R, Sagiv S (2004) TVLA: a system for generating abstract interpreters. In: IFIP Congress Topical Sessions, pp 367–376Google Scholar
  31. Mic04.
    Static driver verifier (2004) Finding bugs in device drivers at compile-time. Technical report, MicrosoftGoogle Scholar
  32. MN05.
    McPeak S, Necula GC (2005) Data structure specifications via local equality axioms. In: CAV 2005, Vol 3576 of LNCS. Springer, HeidelbergGoogle Scholar
  33. MS01.
    Moller A, Schwartzbach MI (2001) The pointer assertion logic engine. In: PLDI ’01: proceedings of the ACM SIGPLAN 2001 conference on programming language design and implementation. pp 221–231. ACM, New YorkGoogle Scholar
  34. NEFE03.
    Nentwich C, Emmerich W, Finkelstein A, Ellmer E (2003) Flexible consistency checking. ACM Trans Softw Eng Methodol 12(1):28–63CrossRefGoogle Scholar
  35. Nel83.
    Nelson G (1983) Verifying reachability invariants of linked structures. In: POPL ’83: proceedings of the 10th ACM SIGACT-SIGPLAN symposium on principles of programming languages, pp 38–47. ACM, New YorkGoogle Scholar
  36. NNH99.
    Nielson F, Nielson HR, Hankin C (1999) Principles of program analysis. Springer, New York, Secaucus, NJGoogle Scholar
  37. NR03.
    Nour K, Raffalli C (2003) Simple proof of the completeness theorem for second-order classical and intuitionistic logic by reduction to first-order mono-sorted logic. Theoret Comput Sci 308(1–3):227–237zbMATHCrossRefGoogle Scholar
  38. SRW02.
    Sagiv M, Reps T, Wilhelm R (2002) Parametric shape analysis via 3-valued logic. ACM Trans Program Lang Syst 24(3):217–298CrossRefGoogle Scholar
  39. Wre03.
    Wren A (2003) Inferring ownership. Master’s thesis, Imperial College, London, MEng4 ThesisGoogle Scholar
  40. Yor03.
    Yorsh G (2003) Logical characterizations of heap abstractions. Master’s thesis, Tel Aviv UniversityGoogle Scholar
  41. YRS+06.
    Yorsh G, Rabinovich A, Sagiv M, Meyer A, Bouajjani A (2006) A logic of reachable patterns in linked data-structures. In: Proceedigns of foundations of software science and computation structures (FOSSACS 2006) (to appear)Google Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  1. 1.Department of Computing, South Kensington campusImperial College LondonLondonUK

Personalised recommendations