It’s Doomed; We Can Prove It

  • Jochen Hoenicke
  • K. Rustan M. Leino
  • Andreas Podelski
  • Martin Schäf
  • Thomas Wies
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5850)


Programming errors found early are the cheapest. Tools applying to the early stage of code development exist but either they suffer from false positives (“noise”) or they require strong user interaction. We propose to avoid this deficiency by defining a new class of errors. A program fragment is doomed if its execution will inevitably fail, in whatever state it is started. We use a formal verification method to identify such errors fully automatically and, most significantly, without producing noise. We report on preliminary experiments with a prototype tool.


Theorem Prover Null Pointer Program Point Loop Body Back Edge 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ayewah, N., Pugh, W., David Morgenthaler, J., Penix, J., Zhou, Y.: Evaluating static analysis defect warnings on production software. In: Workshop on Program Analysis for Software Tools and Engineering, PASTE, pp. 1–8. ACM, New York (2007)CrossRefGoogle Scholar
  2. 2.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. In: Workshop on Program Analysis for Software Tools and Engineering, PASTE, pp. 82–87. ACM, New York (2005)CrossRefGoogle Scholar
  4. 4.
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)Google Scholar
  5. 5.
    Chatterjee, S., Lahiri, S., Qadeer, S., Rakamaric, Z.: A reachability predicate for analyzing low-level software. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 19–33. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A practical verification methodology for concurrent programs. Technical Report MSR-TR-2009-15, Microsoft Research (February 2009)Google Scholar
  7. 7.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Kenneth Zadeck, F.: Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, TOPLAS 13(4), 451–490 (1991)CrossRefGoogle Scholar
  8. 8.
    Dijkstra, E.W.: A Discipline of Programming. Prentice Hall, Englewood Cliffs (1976)zbMATHGoogle Scholar
  9. 9.
    Evans, D., Larochelle, D.: Improving security using extensible lightweight static analysis. IEEE Software 19(1), 42–51 (2002)CrossRefGoogle Scholar
  10. 10.
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: ACM Conference on Programming Language Design and Implementation, PLDI, pp. 234–245. ACM, New York (2002)Google Scholar
  11. 11.
    Flanagan, C., Saxe, J.B.: Avoiding exponential explosion: generating compact verification conditions. In: Annual ACM Symposium on the Principles of Programming Languages, POPL, pp. 193–205. ACM, New York (2001)Google Scholar
  12. 12.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Software verification with BLAST. In: Ball, T., Rajamani, S.K. (eds.) SPIN 2003. LNCS, vol. 2648, pp. 235–239. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Hovemeyer, D., Pugh, W.: Finding more null pointer bugs, but not too many. In: Workshop on Program Analysis for Software Tools and Engineering, PASTE, pp. 9–14. ACM, New York (2007)CrossRefGoogle Scholar
  14. 14.
    Hovemeyer, D., Spacco, J., Pugh, W.: Evaluating and tuning a static analysis to find null pointer bugs. ACM SIGSOFT Software Engineering Notes 31(1), 13–19 (2006)CrossRefGoogle Scholar
  15. 15.
    Janssen, J., Corporaal, H.: Making graphs reducible with controlled node splitting. ACM Transactions on Programming Languages and Systems, TOPLAS 19(6), 1031–1052 (1997)CrossRefGoogle Scholar
  16. 16.
    Kuncak, V.: Modular Data Structure Verification. PhD thesis, EECS Department, Massachusetts Institute of Technology (February 2007)Google Scholar
  17. 17.
    Rustan, K., Leino, M.: Efficient weakest preconditions. Information Processing Letters, IPL 93(6), 281–288 (2005)zbMATHGoogle Scholar
  18. 18.
    Rustan, K., Leino, M.: This is Boogie 2. Manuscript KRML 178 (June 2008),
  19. 19.
    Luckham, D.C., Suzuki, N.: Verification of array, record, and pointer operations in Pascal. ACM Transactions on Programming Languages and Systems, TOPLAS 1(2), 226–244 (1979)zbMATHCrossRefGoogle Scholar
  20. 20.
    Nelson, G.: A generalization of Dijkstra’s calculus. ACM Transactions on Programming Languages and Systems, TOPLAS 11(4), 517–561 (1989)CrossRefGoogle Scholar
  21. 21.
    Rümmer, P., Shah, M.A.: Proving programs incorrect using a sequent calculus for Java Dynamic Logic. In: Gurevich, Y., Meyer, B. (eds.) TAP 2007. LNCS, vol. 4454, pp. 41–60. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jochen Hoenicke
    • 1
  • K. Rustan M. Leino
    • 2
  • Andreas Podelski
    • 1
  • Martin Schäf
    • 1
  • Thomas Wies
    • 1
    • 3
  1. 1.University of Freiburg 
  2. 2.Microsoft ResearchRedmond
  3. 3.EPFLSwitzerland

Personalised recommendations