Zap: Automated Theorem Proving for Software Analysis

  • Thomas Ball
  • Shuvendu K. Lahiri
  • Madanlal Musuvathi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3835)

Abstract

Automated theorem provers (ATPs) are a key component that many software verification and program analysis tools rely on. However, the basic interface provided by ATPs (validity/satisfiability checking of formulas) has changed little over the years. We believe that program analysis clients would benefit greatly if ATPs were to provide a richer set of operations. We describe our desiderata for such an interface to an ATP, the logics (theories) that an ATP for program analysis should support, and present how we have incorporated many of these ideas in Zap, an ATP built at Microsoft Research.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [ABC+02]
    Audemard, G., Bertoli, P., Cimatti, A., Korniłowicz, A., Sebastiani, R.: A SAT-based approach for solving formulas over Boolean and linear mathematical propositions. In: Voronkov, A. (ed.) CADE 2002. LNCS (LNAI), vol. 2392, pp. 195–210. Springer, Heidelberg (2002)Google Scholar
  2. [AQRX04]
    Andrews, T., Qadeer, S., Rajamani, S.K., Xie, Y.: Zing: Exploiting program structure for model checking concurrent software. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 1–15. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. [BCM+92]
    Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: 1020 states and beyond. Information and Computation 98(2), 142–170 (1992)MATHCrossRefMathSciNetGoogle Scholar
  4. [BDS02]
    Barrett, C.W., Dill, D.L., Stump, A.: Checking satisfiability of first-order formulas by incremental translation to SAT. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 236–249. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. [BLS02]
    Bryant, R.E., Lahiri, S.K., Seshia, S.A.: Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 78–92. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. [BLS05]
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. [BMMR01]
    Ball, T., Majumdar, R., Millstein, T., Rajamani, S.K.: Automatic predicate abstraction of C programs. In: PLDI 2001: Programming Language Design and Implementation, pp. 203–213. ACM, New York (2001)CrossRefGoogle Scholar
  8. [BR01]
    Ball, T., Rajamani, S.K.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) SPIN 2001. LNCS, vol. 2057, pp. 103–122. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. [Bry86]
    Bryant, R.E.: Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers C-35(8), 677–691 (1986)CrossRefGoogle Scholar
  10. [BTV03]
    Bachmair, L., Tiwari, A., Vigneron, L.: Abstract congruence closure. J. Autom. Reasoning 31(2), 129–168 (2003)MATHCrossRefMathSciNetGoogle Scholar
  11. [CC77]
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In: POPL 1977: Principles of Programming Languages, pp. 238–252. ACM, New York (1977)Google Scholar
  12. [CG96]
    Cherkassky, B.V., Goldberg, A.V.: Negative-cycle detection algorithms. In: European Symposium on Algorithms, pp. 349–363 (1996)Google Scholar
  13. [CGJ+00]
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  14. [CH78]
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: POPL 1978: Principles of Programming Languages, pp. 84–96. ACM, New York (1978)Google Scholar
  15. [CL05]
    Chang, B.-Y.E., Leino, K.R.M.: Abstract interpretation with alien expressions and heap structures. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 147–163. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. [Cla76]
    Clarke, L.A.: A system to generate test data and symbolically execute programs. IEEE Transactions on Software Engineering 2(3), 215–222 (1976)CrossRefGoogle Scholar
  17. [DNS03]
    Detlefs, D.L., Nelson, G., Saxe, J.B.: Simplify: A theorem prover for program checking. Technical report, HPL-2003-148 (2003)Google Scholar
  18. [FJOS03]
    Flanagan, C., Joshi, R., Ou, X., Saxe, J.: Theorem proving using lazy proof explication. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 355–367. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. [FLL+02]
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: PLDI 2002: Programming Language Design and Implementation, pp. 234–245. ACM, New York (2002)CrossRefGoogle Scholar
  20. [GHN+04]
    Ganzinger, H., Hagen, G., Nieuwenhuis, R., Oliveras, A., Tinelli, C.: DPLL(T): Fast decision procedures. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 175–188. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. [GM93]
    Gordon, M.J.C., Melham, T.F.: Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic. Cambridge University Press, Cambridge (1993)MATHGoogle Scholar
  22. [GS97]
    Graf, S., Saidi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)Google Scholar
  23. [GTN04]
    Gulwani, S., Tiwari, A., Necula, G.C.: Join algorithms for the theory of uninterpreted functions. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 311–323. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. [HJMM04]
    Henzinger, T.A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In: POPL 2004: Principles of Programming Languages, pp. 232–244. ACM, New York (2004)Google Scholar
  25. [IRR+04]
    Immerman, N., Rabinovich, A., Reps, T., Sagiv, S., Yorsh, G.: The boundary between decidability and undecidability for transitive-closure logics. In: Marcinkowski, J., Tarlecki, A. (eds.) CSL 2004. LNCS, vol. 3210, pp. 160–174. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  26. [JMSY94]
    Jaffar, J., Maher, M.J., Stuckey, P.J., Yap, H.C.: Beyond finite domains. In: Borning, A. (ed.) PPCP 1994. LNCS, vol. 874, pp. 86–94. Springer, Heidelberg (1994)Google Scholar
  27. [Kur94]
    Kurshan, R.P.: Computer-aided Verification of Coordinating Processes. Princeton University Press, Princeton (1994)Google Scholar
  28. [Lag85]
    Lagarias, J.C.: The computational complexity of simultaneous diophantine approximation problems. SIAM Journal of Computing 14(1), 196–209 (1985)MATHCrossRefMathSciNetGoogle Scholar
  29. [LBC03]
    Lahiri, S.K., Bryant, R.E., Cook, B.: A symbolic approach to predicate abstraction. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 141–153. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  30. [LBC05]
    Lahiri, S.K., Ball, T., Cook, B.: Predicate abstraction via symbolic decision procedures. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 24–38. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  31. [LM05a]
    Lahiri, S.K., Musuvathi, M.: An efficient decision procedure for UTVPI constraints. In: Gramlich, B. (ed.) FroCos 2005. LNCS (LNAI), vol. 3717, pp. 168–183. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  32. [LM05b]
    Lahiri, S.K., Musuvathi, M.: An efficient Nelson-Oppen decision procedure for difference constraints over rationals. Technical Report MSR-TR-2005-61, Microsoft Research (2005)Google Scholar
  33. [LMO05]
    Leino, K.R.M., Musuvathi, M., Ou, X.: A two-tier technique for supporting quantifiers in a lazily proof-explicating theorem prover. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 334–348. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  34. [LS04]
    Lahiri, S.K., Seshia, S.A.: The UCLID decision procedure. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 475–478. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  35. [Mar99]
    Marquis, P.: Consequence-finding algorithms. In: Handbook of Defeasible Reasoning and Uncertainty Management Systems: Algorithms for Defeasible and Uncertain Reasoning, vol. 5, pp. 41–145. Kluwer Academic Publishers, Dordrecht (1999)Google Scholar
  36. [McM03]
    McMillan, K.L.: Interpolation and SAT-based model checking. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  37. [McM04]
    McMillan, K.L.: An interpolating theorem prover. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 16–30. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  38. [MMZ+01]
    Moskewicz, M., Madigan, C., Zhao, Y., Zhang, L., Malik, S.: Chaff: Engineering an efficient SAT solver. In: DAC 2001: Design Automation Conference, pp. 530–535. ACM Press, New York (2001)CrossRefGoogle Scholar
  39. [MS01]
    Møller, A., Schwartzbach, M.I.: The pointer assertion logic engine. In: PLDI 2001: Programming Language Design and Implementation, pp. 221–231. ACM Press, New York (2001)CrossRefGoogle Scholar
  40. [Nec97]
    Necula, G.C.: Proof carrying code. In: POPL 1997: Principles of Programming Languages, pp. 106–119. ACM, New York (1997)Google Scholar
  41. [NO79a]
    Nelson, G., Oppen, D.C.: Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems (TOPLAS) 2(1), 245–257 (1979)CrossRefGoogle Scholar
  42. [NO79b]
    Nelson, G., Oppen, D.C.: Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems 1(2), 245–257 (1979)MATHCrossRefGoogle Scholar
  43. [NO80]
    Nelson, G., Oppen, D.C.: Fast decision procedures based on the congruence closure. Journal of the ACM 27(2), 356–364 (1980)MATHCrossRefMathSciNetGoogle Scholar
  44. [Opp80]
    Oppen, D.C.: Complexity, convexity and combinations of theories. Theoretical Computer Science 12, 291–302 (1980)MATHCrossRefMathSciNetGoogle Scholar
  45. [ORS92]
    Owre, S., Rushby, J.M., Shankar, N.: PVS: A prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992)Google Scholar
  46. [Pra77]
    Pratt, V.: Two easy theories whose combination is hard. Technical report, Massachusetts Institute of Technology, Cambridge, Mass (September 1977)Google Scholar
  47. [RA01]
    Riazanov, A., Voronkov, A.: Vampire 1.1 (system description). In: Goré, R.P., Leitsch, A., Nipkow, T. (eds.) IJCAR 2001. LNCS (LNAI), vol. 2083, pp. 376–380. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  48. [SB04]
    Seshia, S.A., Bryant, R.E.: Deciding quantifier-free Presburger formulas using parameterized solution bounds. In: LICS 2004: Logic in Computer Science, July 2004, pp. 100–109. IEEE Computer Society Press, Los Alamitos (2004)Google Scholar
  49. [SG04]
    Shoham, S., Grumberg, O.: Monotonic abstraction-refinement for CTL. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 546–560. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  50. [SRW99]
    Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. In: POPL 1999: Principles of Programming Languages, pp. 105–118. ACM, New York (1999)Google Scholar
  51. [TH96]
    Tinelli, C., Harandi, M.T.: A new correctness proof of the Nelson–Oppen combination procedure. In: FroCos 1996: Frontiers of Combining Systems. Applied Logic, pp. 103–120. Kluwer Academic Publishers, Dordrecht (1996)Google Scholar
  52. [TS05]
    Tillmann, N., Schulte, W.: Parameterized unit tests. In: FSE 2005: Foundations of Software Engineering, pp. 253–262. ACM Press, New York (2005)Google Scholar
  53. [YM05]
    Yorsh, G., Musuvathi, M.: A combination method for generating interpolants. In: Nieuwenhuis, R. (ed.) CADE 2005. LNCS (LNAI), vol. 3632, pp. 353–368. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  54. [YRS04]
    Yorsh, G., Reps, T., Sagiv, M.: Symbolically computing most-precise abstract operations for shape analysis. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 530–545. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  55. [ZZ96]
    Zhang, H., Zhang, J.: Generating models by SEM. In: McRobbie, M.A., Slaney, J.K. (eds.) CADE 1996. LNCS, vol. 1104, pp. 308–312. Springer, Heidelberg (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Thomas Ball
    • 1
  • Shuvendu K. Lahiri
    • 1
  • Madanlal Musuvathi
    • 1
  1. 1.Microsoft Research 

Personalised recommendations