Advertisement

The Map Equality Domain

  • Daniel Dietsch
  • Matthias Heizmann
  • Jochen Hoenicke
  • Alexander NutzEmail author
  • Andreas Podelski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11294)

Abstract

We present a method that allows us to infer expressive invariants for programs that manipulate arrays and, more generally, data that are modeled using maps (including the program memory which is modeled as a map over integer locations). The invariants can express, for example, that memory cells have changed their contents only at locations that have not been previously allocated by another procedure. The motivation for the new method stems from the fact that, although state-of-the-art SMT solvers are starting to be able to check the validity of more and more complex invariants, there is not much work yet on their automatic inference. We present our method as a static analysis over an abstract domain that we introduce, the map equality domain. The main challenge in the design of the method lies in scalability; given the expressiveness of the invariants, it is a priori not clear that a corresponding static analysis can be made scalable. Preliminary experiments with a prototypical implementation of the method allow us to cautiously conclude that may indeed be the case.

References

  1. 1.
    Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22110-1_14CrossRefGoogle Scholar
  2. 2.
    Beyer, D.: Software verification with validation of results. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10206, pp. 331–349. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54580-5_20CrossRefGoogle Scholar
  3. 3.
    Brillout, A., Kroening, D., Rümmer, P., Wahl, T.: Program verification via Craig interpolation for presburger arithmetic with arrays. In: VERIFY@IJCAR of EPiC Series in Computing, vol. 3, pp. 31–46. EasyChair (2010)Google Scholar
  4. 4.
    Chang, B.-Y.E., Leino, K.R.M.: Abstract interpretation with alien expressions and heap structures. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 147–163. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30579-8_11CrossRefGoogle Scholar
  5. 5.
    Christ, J., Hoenicke, J.: Weakly equivalent arrays. In: Lutz, C., Ranise, S. (eds.) FroCoS 2015. LNCS (LNAI), vol. 9322, pp. 119–134. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-24246-0_8CrossRefGoogle Scholar
  6. 6.
    Christ, J., Hoenicke, J., Nutz, A.: SMTInterpol: an interpolating SMT solver. In: Donaldson, A., Parker, D. (eds.) SPIN 2012. LNCS, vol. 7385, pp. 248–254. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-31759-0_19CrossRefGoogle Scholar
  7. 7.
    Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36742-7_7CrossRefzbMATHGoogle Scholar
  8. 8.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)Google Scholar
  9. 9.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks, pp. 269–282, ACM Press, New York (1979)Google Scholar
  10. 10.
    Cousot, P., Cousot, R., Logozzo, F.: A parametric segmentation functor for fully automatic and scalable array content analysis. In: POPL, pp. 105–118. ACM (2011)Google Scholar
  11. 11.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78800-3_24CrossRefGoogle Scholar
  12. 12.
    Downey, P.J., Sethi, R., Tarjan, R.E.: Variations on the common subexpression problem. J. ACM 27(4), 758–771 (1980)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Dutertre, B.: Yices 2.2. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 737–744. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08867-9_49CrossRefGoogle Scholar
  14. 14.
    Gange, G., Navas, J.A., Schachte, P., Søndergaard, H., Stuckey, P.J.: An abstract domain of uninterpreted functions. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 85–103. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49122-5_4CrossRefzbMATHGoogle Scholar
  15. 15.
    Greitschus, M., Dietsch, D., Podelski, A.: Loop invariants from counterexamples. In: Ranzato, F. (ed.) SAS 2017. LNCS, vol. 10422, pp. 128–147. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66706-5_7CrossRefGoogle Scholar
  16. 16.
    Gulwani, S., Tiwari, A.: An abstract domain for analyzing heap-manipulating low-level software. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 379–392. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-73368-3_42CrossRefGoogle Scholar
  17. 17.
    Gulwani, S., Tiwari, A., Necula, G.C.: Join algorithms for the theory of uninterpreted functions. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 311–323. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30538-5_26CrossRefzbMATHGoogle Scholar
  18. 18.
    Hoenicke, J., Schindler, T.: Efficient interpolation in the theory of arrays. In: SMT Workshop (2017). http://smt-workshop.cs.uiowa.edu/2017/papers/SMT2017_paper_4.pdf
  19. 19.
    Leino, R.: This is Boogie 2. Microsoft Research, June 2008Google Scholar
  20. 20.
    McCarthy, J.: Towards a mathematical science of computation. In: IFIP Congress, pp. 21–28 (1962)Google Scholar
  21. 21.
    Stump, A., Barrett, C.W., Dill, D.L., Levitt. J.R.: A decision procedure for an extensional theory of arrays. In: LICS, pp. 29–37. IEEE Computer Society (2001)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Daniel Dietsch
    • 1
  • Matthias Heizmann
    • 1
  • Jochen Hoenicke
    • 1
  • Alexander Nutz
    • 1
    Email author
  • Andreas Podelski
    • 1
  1. 1.University of FreiburgFreiburg im BreisgauGermany

Personalised recommendations