Danger Invariants

  • Cristina David
  • Pascal Kesseli
  • Daniel Kroening
  • Matt Lewis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9995)


Static analysers search for overapproximating proofs of safety commonly known as safety invariants. Conversely, static bug finders (e.g. Bounded Model Checking) give evidence for the failure of an assertion in the form of a counterexample trace. As opposed to safety invariants, the size of a counterexample is dependent on the depth of the bug, i.e., the length of the execution trace prior to the error state, which also determines the computational effort required to find them. We propose a way of expressing danger proofs that is independent of the depth of bugs. Essentially, such danger proofs constitute a compact representation of a counterexample trace, which we call a danger invariant. Danger invariants summarise sets of traces that are guaranteed to be able to reach an error state. Our conjecture is that such danger proofs will enable the design of bug finding analyses for which the computational effort is independent of the depth of bugs, and thus find deep bugs more efficiently. As an exemplar of an analysis that uses danger invariants, we design a bug finding technique based on a synthesis engine. We implemented this technique and compute danger invariants for intricate programs taken from SV-COMP 2016.


  1. 1.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)Google Scholar
  2. 2.
    Clarke, E.M., Biere, A., Raimi, R., Zhu, Y.: Bounded model checking using satisfiability solving. Formal Methods Syst. Des. 19(1), 7–34 (2001)CrossRefzbMATHGoogle Scholar
  3. 3.
    Clarke, E.M., Grumberg, O., Long, D.E.: Model checking and abstraction. ACM Trans. Program. Lang. Syst. 16, 1512–1542 (1994)CrossRefGoogle Scholar
  4. 4.
    McMillan, K.L.: Lazy abstraction with interpolants. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 123–136. Springer, Heidelberg (2006). doi: 10.1007/11817963_14 CrossRefGoogle Scholar
  5. 5.
  6. 6.
    Haran, A., Carter, M., Emmi, M., Lal, A., Qadeer, S., Rakamarić, Z.: SMACK+Corral: a modular verifier. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 451–454. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46681-0_42 Google Scholar
  7. 7.
    Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24730-2_15 CrossRefGoogle Scholar
  8. 8.
    Gurfinkel, A., Kahsai, T., Navas, J.A.: SeaHorn: a framework for verifying C programs (competition contribution). In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 447–450. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46681-0_41 Google Scholar
  9. 9.
    Beyer, D., Keremoglu, M.E.: CPAchecker: a tool for configurable software verification. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 184–190. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22110-1_16 CrossRefGoogle Scholar
  10. 10.
    David, C., Kesseli, P., Kroening, D., Lewis, M.: Danger invariants (extended version).
  11. 11.
    Gulwani, S., Srivastava, S., Venkatesan, R.: Program analysis as constraint solving. In: Proceedings of Programming Language Design and Implementation (PLDI), pp. 281–292 (2008)Google Scholar
  12. 12.
    David, C., Kroening, D., Lewis, M.: Using program synthesis for program analysis. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) LPAR 2015. LNCS, vol. 9450, pp. 483–498. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48899-7_34 CrossRefGoogle Scholar
  13. 13.
    Ball, T., Bounimova, E., Levin, V., Kumar, R., Lichtenberg, J.: The static driver verifier research platform. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 119–122. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14295-6_11 CrossRefGoogle Scholar
  14. 14.
    Nori, A.V., Rajamani, S.K.: An empirical study of optimizations in Yogi. In: International Conference on Software Engineering (ICSE). Association for Computing Machinery Inc., May 2010Google Scholar
  15. 15.
    Dullien, T.: Exploitation and state machines. In: Proceedings of Infiltrate (2011)Google Scholar
  16. 16.
    Godefroid, P., Nori, A.V., Rajamani, S.K., Tetali, S.: Compositional may-must program analysis: unleashing the power of alternation. In: Proceedings of Principles of Programming Languages, POPL, pp. 43–56 (2010)Google Scholar
  17. 17.
    Ball, T., Kupferman, O., Yorsh, G.: Abstraction for falsification. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 67–81. Springer, Heidelberg (2005). doi: 10.1007/11513988_8 CrossRefGoogle Scholar
  18. 18.
    Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings of Programming Language Design and Implementation, PLDI, pp. 213–223 (2005)Google Scholar
  19. 19.
    Beyene, T.A., Popeea, C., Rybalchenko, A.: Solving existentially quantified Horn clauses. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 869–882. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-39799-8_61 CrossRefGoogle Scholar
  20. 20.
    Beyene, T.A., Brockschmidt, M., Rybalchenko, A.: CTL+FO verification as constraint solving. In: Proceedings of 2014 International Symposium on Model Checking of Software, SPIN 2014, San Jose, CA, USA, 21–23 July 2014, pp. 101–104 (2014)Google Scholar
  21. 21.
    Kroening, D., Lewis, M., Weissenbacher, G.: Under-approximating loops in C programs for fast counterexample detection. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 381–396. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-39799-8_26 CrossRefGoogle Scholar
  22. 22.
    Kroening, D., Lewis, M., Weissenbacher, G.: Proving safety with trace automata and bounded model checking. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 325–341. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-19249-9_21 CrossRefGoogle Scholar
  23. 23.
    Colón, M.A., Sankaranarayanan, S., Sipma, H.B.: Linear invariant generation using non-linear constraint solving. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 420–432. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45069-6_39 CrossRefGoogle Scholar
  24. 24.
    Sharma, R., Aiken, A.: From invariant checking to invariant inference using randomized search. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 88–105. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-08867-9_6 Google Scholar
  25. 25.
    Hoenicke, J., Leino, K.R.M., Podelski, A., Schäf, M., Wies, T.: It’s doomed; we can prove it. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 338–353. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-05089-3_22 CrossRefGoogle Scholar
  26. 26.
    Ermis, E., Schäf, M., Wies, T.: Error invariants. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 187–201. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32759-9_17 CrossRefGoogle Scholar
  27. 27.
    Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Alur, R., Bodík, R., Juniwal, G., Martin, M.M.K., Raghothaman, M., Seshia, S.A., Singh, R., Solar-Lezama, A., Torlak, E., Udupa, A.: Syntax-guided synthesis. In: Formal Methods in Computer-Aided Design, FMCAD 2013, Portland 20–23 October 2013, pp. 1–8 (2013).

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Cristina David
    • 1
  • Pascal Kesseli
    • 1
  • Daniel Kroening
    • 1
  • Matt Lewis
    • 1
    • 2
  1. 1.University of OxfordOxfordUK
  2. 2.ImprobableLondonUK

Personalised recommendations