A Theory for Control-Flow Graph Exploration

  • Stephan Arlt
  • Philipp Rümmer
  • Martin Schäf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8172)


Detection of infeasible code has recently been identified as a scalable and automated technique to locate likely defects in software programs. Given the (acyclic) control-flow graph of a procedure, infeasible code detection depends on an exhaustive search for feasible paths through the graph. A number of encodings of control-flow graphs into logic (understood by theorem provers) have been proposed in the past for this application. In this paper, we compare the performance of these different encodings in terms of runtime and the number of queries processed by the prover. We present a theory of acyclic control-flow as an alternative method of handling control-flow graphs. Such a theory can be built into theorem provers by means of theory plug-ins. Our experiments show that such native handling of control-flow can lead to significant performance gains, compared to previous encodings.





Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Stephan Arlt (1)
  • Philipp Rümmer (2)
  • Martin Schäf (1)

  1. IIST, United Nations University, Macau S.A.R., China
  2. Uppsala University, Sweden
