Configurable Software Verification: Concretizing the Convergence of Model Checking and Program Analysis

  • Dirk Beyer
  • Thomas A. Henzinger
  • Grégory Théoduloz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4590)


In automatic software verification, we have observed a theoretical convergence of model checking and program analysis. In practice, however, model checkers are still mostly concerned with precision, e.g., the removal of spurious counterexamples; for this purpose they build and refine reachability trees. Lattice-based program analyzers, on the other hand, are primarily concerned with efficiency. We designed an algorithm and built a tool that can be configured to perform not only a purely tree-based or a purely lattice-based analysis, but offers many intermediate settings that have not been evaluated before. The algorithm and tool take one or more abstract interpreters, such as a predicate abstraction and a shape analysis, and configure their execution and interaction using several parameters. Our experiments show that such customization may lead to dramatic improvements in the precision-efficiency spectrum.


Model Check Abstract State Program Counter Concrete State Abstract Domain 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ball, T., Podelski, A., Rajamani, S.K.: Boolean and cartesian abstractions for model checking C programs. In: Margaria, T., Yi, W. (eds.) ETAPS 2001 and TACAS 2001. LNCS, vol. 2031, pp. 268–283. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Lazy shape analysis. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 532–546. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 85–108. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Codish, M., Mulkers, A., Bruynooghe, M., de la Banda, M., Hermenegildo, M.: Improving abstract interpretations by combining domains. In: Proc. PEPM, pp. 194–205. ACM Press, New York (1993)Google Scholar
  5. 5.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In: Proc. POPL, pp. 238–252. ACM Press, New York (1977)Google Scholar
  6. 6.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proc. POPL, pp. 269–282. ACM Press, New York (1979)Google Scholar
  7. 7.
    Cousot, P., Cousot, R.: Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game-theoretic form. In: Wolper, P. (ed.) CAV 1995. LNCS, vol. 939, pp. 293–308. Springer, Heidelberg (1995)Google Scholar
  8. 8.
    Dwyer, M.B., Clarke, L.A.: A flexible architecture for building data-flow analyzers. In: Proc. ICSE, pp. 554–564. IEEE Computer Society Press, Los Alamitos (1996)Google Scholar
  9. 9.
    Fischer, J., Jhala, R., Majumdar, R.: Joining data flow with predicates. In: Proc. ESEC/FSE, pp. 227–236. ACM Press, New York (2005)CrossRefGoogle Scholar
  10. 10.
    Gulwani, S., Tiwari, A.: Combining abstract interpreters. In: Proc. PLDI, pp. 376–386. ACM Press, New York (2006)Google Scholar
  11. 11.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Proc. POPL, pp. 58–70. ACM Press, New York (2002)Google Scholar
  12. 12.
    Lerner, S., Grove, D., Chambers, C.: Composing data-flow analyses and transformations. In: Proc. POPL, pp. 270–282. ACM Press, New York (2002)Google Scholar
  13. 13.
    Lev-Ami, T., Sagiv, M.: TVLA: A system for implementing static analyses. In: Palsberg, J. (ed.) SAS 2000. LNCS, vol. 1824, pp. 280–301. Springer, Heidelberg (2000)Google Scholar
  14. 14.
    Martin, F.: PAG: An efficient program analyzer generator. STTT 2, 46–67 (1998)zbMATHGoogle Scholar
  15. 15.
    Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 5–20. Springer, Heidelberg (2005)Google Scholar
  16. 16.
    Necula, G., McPeak, S., Rahul, S., Weimer, W.: CIL: Intermediate language and tools for analysis and transformation of C programs. In: Horspool, R.N. (ed.) CC 2002 and ETAPS 2002. LNCS, vol. 2304, pp. 213–228. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Sagiv, M., Reps, T.W., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM TOPLAS 24, 217–298 (2002)CrossRefGoogle Scholar
  18. 18.
    Schmidt, D.A.: Data-flow analysis is model checking of abstract interpretations. In: Proc. POPL, pp. 38–48. ACM Press, New York (1998)Google Scholar
  19. 19.
    Steffen, B.: Data-flow analysis as model checking. In: Ito, T., Meyer, A.R. (eds.) TACS 1991. LNCS, vol. 526, pp. 346–365. Springer, Heidelberg (1991)Google Scholar
  20. 20.
    Tjiangan, S.W.K., Hennessy, J.: SHARLIT: A tool for building optimizers. In: Proc. PLDI, pp. 82–93. ACM Press, New York (1992)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Dirk Beyer
    • 1
  • Thomas A. Henzinger
    • 2
  • Grégory Théoduloz
    • 2
  1. 1.Simon Fraser University, B.C.Canada
  2. 2.EPFLSwitzerland

Personalised recommendations