Shape Analysis through Predicate Abstraction and Model Checking

  • Dennis Dams
  • Kedar S. Namjoshi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2575)


We propose a new framework, based on predicate abstraction and model checking, for shape analysis of programs. Shape analysis is used to statically collect information—such as possible reachability and sharing—about program stores. Rather than use a specialized abstract interpretation based on shape graphs, we instantiate a generic and automated abstraction procedure with shape predicates from a correctness property. This results in a predicate-discovery procedure that identifies predicates relevant for correctness, using an analysis based on weakest preconditions, and creates a finite state abstract program. The correctness property is then checked on the abstraction with a model checking tool. To enable this process, we calculate weakest preconditions for common shape properties, and present heuristics for accelerating convergence. Exploring abstract state spaces with model checkers enables one to tap into a wealth of techniques and highly optimized implementations for state space exploration, and to analyze properties that go beyond invariances. We illustrate this simple and flexible framework with the analysis of some “classical” list manipulation programs, using our implementation of the abstraction algorithm, and the SPIN and COSPAN model checkers for state space exploration.


Model Check Shape Analysis Abstract Interpretation Correctness Property Linear Temporal Logic Formula 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    T. Ball, R. Majumdar, T.D. Millstein, and S.K. Rajamani. Automatic predicate abstraction of C programs. In PLDI, 2001.Google Scholar
  2. 2.
    T. Ball, A. Podelski, and S. Rajamani. Relative completeness of abstraction refinement for software model checking. In TACAS, volume 2280 of LNCS, 2002.Google Scholar
  3. 3.
    T. Ball and S. Rajamani. The SLAM toolkit. In CAV, volume 2102 of LNCS, 2001.Google Scholar
  4. 4.
    M. Benedikt, T. Reps, and M. Sagiv. A decidable logic for describing linked data structures. In ESOP, volume 1576 of LNCS, pages 2–19, 1999.Google Scholar
  5. 5.
    R. Bornat. Proving pointer programs in Hoare logic. In Mathematics of Program Construction, volume 1837 of LNCS, pages 102–126, 2000.CrossRefGoogle Scholar
  6. 6.
    E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In CAV, volume 1855 of LNCS, 2000.Google Scholar
  7. 7.
    P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, pages 238–252, 1977.Google Scholar
  8. 8.
    Patrick Cousot and Radhia Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. In M. Bruynooghe and M. Wirsing, editors, Programming Language Implementation and Logic Programming, volume 631 of LNCS, pages 269–295, 1992.CrossRefGoogle Scholar
  9. 9.
    S. Das and D. Dill. Successive approximation of abstract transition relations. In LICS, 2001.Google Scholar
  10. 10.
    S. Das, D. Dill, and S. Park. Experience with predicate abstraction. In CAV, volume 1633 of LNCS, 1999.Google Scholar
  11. 11.
    M. Davis and H. Putnam. A computing procedure for quantification theory. J. Assoc. Computing Machinery, 7:201–215, 1960.zbMATHMathSciNetGoogle Scholar
  12. 12.
    E.W. Dijkstra. Guarded commands, nondeterminacy, and formal derivation of programs. C.ACM, 18, 1975.Google Scholar
  13. 13.
    C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In POPL, 2002.Google Scholar
  14. 14.
    S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In CAV, volume 1254 of LNCS, 1997.Google Scholar
  15. 15.
    D. Gries. The Science Of Programming. Springer-Verlag, 1981.Google Scholar
  16. 16.
    R.H. Hardin, Z. Har’el, and R.P. Kurshan. COSPAN. In CAV, volume 1102 of LNCS, 1996.Google Scholar
  17. 17.
    T.A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In POPL, 2002.Google Scholar
  18. 18.
    G. Holzmann. The SPIN model checker. IEEE Transactions on Software Engineering, 23(5), May 1997.Google Scholar
  19. 19.
    J.L. Jensen, M.E. Jorgensen, N. Klarlund, and M.I. Schwartzbach. Automatic verification of pointer programs using monadic second-order logic. In SIGPLAN Conference on Programming Language Design and Implementation, pages 226–236, 1997.Google Scholar
  20. 20.
    M. Kaufmann, P. Manolios, and J.S. Moore. Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, 2000.Google Scholar
  21. 21.
    N. Klarlund and M.I. Schwartzbach. Graphs and decidable transductions based on edge constraints (extended abstract). In Colloquium on Trees in Algebra and Programming, pages 187–201, 1994.Google Scholar
  22. 22.
    Y. Lakhnech, S. Bensalem, S. Berezin, and S. Owre. Incremental verification by abstraction. In TACAS, volume 2031 of LNCS, 2001.Google Scholar
  23. 23.
    D. Lesens, N. Halbwachs, and P. Raymond. Automatic verification of parameterized networks of processes. Theoretical Computer Science, 256:113–144, 2001.zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    T. Lev-Ami and M. Sagiv. TVLA: A system for implementing static analyses. In SAS, volume 1824 of LNCS, 2000.Google Scholar
  25. 25.
    J. Morris. (1) A general axiom of assignment (2) Assignment and linked data structures. In M. Broy and G. Schmidt, editors, Theoretical Foundations of Programming Methodology, 1981.Google Scholar
  26. 26.
    K.S. Namjoshi and R.P. Kurshan. Syntactic program transformations for automatic abstraction. In CAV, volume 1855 of LNCS, 2000.Google Scholar
  27. 27.
    G. Nelson. Verifying reachability invariants of linked structures. In POPL, 1983.Google Scholar
  28. 28.
    N. Rinetzky and S. Sagiv. Interprocedural shape analysis for recursive programs. In Computational Complexity, pages 133–149, 2001.Google Scholar
  29. 29.
    M. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. TOPLAS, 24(3):217–298, 2002.CrossRefGoogle Scholar
  30. 30.
    D.A. Schmidt and B. Steffen. Program analysis as model checking of abstract interpretations. In SAS, volume 1503 of LNCS, 1998.Google Scholar
  31. 31.
    A. Stump, C.W. Barrett, D.L. Dill, and J.R. Levitt. A decision procedure for an extensional theory of arrays. In LICS, pages 29–37, 2001.Google Scholar
  32. 32.
  33. 33.
    E. Yahav. Verifying safety properties of concurrent Java programs using 3-valued logic. In POPL, pages 27–40, 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Dennis Dams
    • 1
  • Kedar S. Namjoshi
    • 1
  1. 1.Bell Labs, Lucent TechnologiesNJ

Personalised recommendations