Combining predicate and numeric abstraction for software model checking

VSTTE 2008

Abstract

Predicate (PA) and numeric (NA) abstractions are the two principal techniques for software analysis. In this paper, we develop an approach to couple the two techniques tightly into a unified framework via a single abstract domain called NumPredDom. In particular, we develop and evaluate four data structures that implement NumPredDom but differ in their expressivity, internal representation and algorithms. All our data structures combine BDDs (for efficient propositional reasoning) with data structures for representing numerical constraints. Our technique is distinguished by its support for complex transfer functions that allow two-way interaction between predicate and numeric information during state transformation. We have implemented a general framework for reachability analysis of C programs on top of our four data structures. Our experiments on non-trivial examples show that our proposed combination of PA and NA is more powerful and more efficient than either technique alone.

Keywords

Model checking, Abstract interpretation, Program analysis, Abstract domain, Predicate abstraction, Decision diagrams

Copyright information

© Carnegie Mellon University 2010

Authors and Affiliations

Software Engineering Institute, Carnegie Mellon University, Pittsburgh, USA