Conflict-Directed Graph Coverage

  • Daniel Schwartz-Narbonne
  • Martin SchäfEmail author
  • Dejan Jovanović
  • Philipp Rümmer
  • Thomas Wies
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9058)


Many formal method tools for increasing software reliability apply Satisfiability Modulo Theories (SMT) solvers to enumerate feasible paths in a program subject to certain coverage criteria. Examples include inconsistent code detection tools and concolic test case generators. These tools have in common that they typically treat the SMT solver as a black box, relying on its ability to efficiently search through large search spaces. However, in practice the performance of SMT solvers often degrades significantly if the search involves reasoning about complex control-flow. In this paper, we open the black box and devise a new algorithm for this problem domain that we call conflict-directed graph coverage. Our algorithm relies on two core components of an SMT solver, namely conflict-directed learning and deduction by propagation, and applies domain-specific modifications for reasoning about control-flow graphs. We implemented conflict-directed coverage and used it for detecting code inconsistencies in several large Java open-source projects with over one million lines of code in total. The new algorithm yields significant performance gains on average compared to previous algorithms and reduces the running times on hard search instances from hours to seconds.


Feasible Path Graph Coverage Complete Path Benchmark Program Full Path 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The legion of the bouncy castle.
  2. 2.
    Arlt, S., Rubio-González, C., Rümmer, P., Schäf, M., Shankar, N.: The gradual verifier. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2014. LNCS, vol. 8430, pp. 313–327. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  3. 3.
    Arlt, S., Rümmer, P., Schäf, M.: A theory for control-flow graph exploration. In: Van Hung, D., Ogawa, M. (eds.) ATVA 2013. LNCS, vol. 8172, pp. 506–515. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  4. 4.
    Arlt, S., Schäf, M.: Joogie: infeasible code detection for java. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 767–773. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  5. 5.
    Ball, T., Naik, M., Rajamani, S.K.: From symptom to cause: localizing errors in counterexample traces. SIGPLAN Not., 97–105 (2003)Google Scholar
  6. 6.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. SIGSOFT Softw. Eng. Notes, 82–87 (2005)Google Scholar
  7. 7.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. ACM SIGSOFT Software Engineering Notes 31, 82–87 (2005)Google Scholar
  8. 8.
    Beer, I., Ben-David, S., Eisner, C., Rodeh, Y.: Efficient detection of vacuity in ACTL formulas. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 279–290. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  9. 9.
    Bertolini, C., Schäf, M., Schweitzer, P.: Infeasible code detection. In: Joshi, R., Müller, P., Podelski, A. (eds.) VSTTE 2012. LNCS, vol. 7152, pp. 310–325. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Bjørner, N., Dutertre, B., de Moura, L.: Accelerating lemma learning using joins-DPLL (join). In: Int. Conf. Logic for Programming, Artif. Intell. and Reasoning, LPAR (2008)Google Scholar
  11. 11.
    Chockler, H., Kupferman, O., Vardi, M.Y.: Coverage metrics for temporal logic model checking. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 528–542. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  12. 12.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. TOPLAS, 451–490 (1991)Google Scholar
  13. 13.
    de Moura, L., Bjørner, N.: Relevancy propagation. Technical Report MSR-TR-2007-140, Microsoft Research (2007)Google Scholar
  14. 14.
    de Moura, L., Bjørner, N.S.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  15. 15.
    Dillig, I., Dillig, T., Aiken, A.: Static error detection using semantic inconsistency inference. In: PLDI (2007)Google Scholar
  16. 16.
    Engler, D., Chen, D.Y., Hallem, S., Chou, A., Chelf, B.: Bugs as deviant behavior: A general approach to inferring errors in systems code. In: Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, SOSP 2001, pp. 57–72. ACM, New York (2001)Google Scholar
  17. 17.
    Gheorghiu, M., Gurfinkel, A.: Vaquot: A tool for vacuity detection. Technical report. In: Proceedings of Tool Track, FM 2006 (2005)Google Scholar
  18. 18.
    Hoenicke, J., Leino, K.R., Podelski, A., Schäf, M., Wies, T.: Doomed program points. Formal Methods in System Design (2010)Google Scholar
  19. 19.
    Hovemeyer, D., Pugh, W.: Finding bugs is easy. ACM Sigplan Notices 39(12), 92–106 (2004)CrossRefGoogle Scholar
  20. 20.
    Janota, M., Grigore, R., Moskal, M.: Reachability analysis for annotated code. In: SAVCBS (2007)Google Scholar
  21. 21.
    Karp, R.M.: Reducibility among combinatorial problems. In: Symposium on the Complexity of Computer Computations, The IBM Research Symposia Series, pp. 85–103. Plenum Press, New York (1972)Google Scholar
  22. 22.
    Leino, K.R.M., Millstein, T.D., Saxe, J.B.: Generating error traces from verification-condition counterexamples. Sci. Comput. Program. 55(1–3), 209–226 (2005)CrossRefzbMATHMathSciNetGoogle Scholar
  23. 23.
    Leino, K.R.M., Rümmer, P.: A Polymorphic intermediate verification language: design and logical encoding. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 312–327. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  24. 24.
    Rümmer, P.: A constraint sequent calculus for first-order logic with linear integer arithmetic. In: Cervesato, I., Veith, H., Voronkov, A. (eds.) LPAR 2008. LNCS, vol. 5330, pp. 274–289. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  25. 25.
    Schäf, M.: Bixie: Find contradictions in java code (2014).
  26. 26.
    Schäf, M.: Gravy website (2014).
  27. 27.
    Silva, J.P.M., Lynce, I., Malik, S.: Conflict-driven clause learning SAT solvers. In: Handbook of Satisfiability. Frontiers in Artificial Intelligence and Applications, vol. 185, pp. 131–153. IOS Press (2009)Google Scholar
  28. 28.
    Tomb, A., Flanagan, C.: Detecting inconsistencies via universal reachability analysis. In: ISSTA, pp. 287–297 (2012)Google Scholar
  29. 29.
    Wang, X., Zeldovich, N., Kaashoek, M.F., Solar-Lezama, A.: Towards optimization-safe systems: analyzing the impact of undefined behavior. In: SOSP, pp. 260–275. ACM (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Daniel Schwartz-Narbonne
    • 1
  • Martin Schäf
    • 2
    Email author
  • Dejan Jovanović
    • 2
  • Philipp Rümmer
    • 3
  • Thomas Wies
    • 1
  1. 1.New York UniversityNew YorkUSA
  2. 2.SRI InternationalMenlo ParkUSA
  3. 3.Uppsala UniversityUppsalaSweden

Personalised recommendations