International Conference on Verification, Model Checking, and Abstract Interpretation

Verification, Model Checking, and Abstract Interpretation pp 127-146 | Cite as

Program Analysis with Local Policy Iteration

  • Egor George Karpenkov
  • David Monniaux
  • Philipp Wendler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9583)


We present local policy iteration (LPI), a new algorithm for deriving numerical invariants that combines the precision of max-policy iteration with the flexibility and scalability of conventional Kleene iterations. It is defined in the Configurable Program Analysis (CPA) framework, thus allowing inter-analysis communication.

LPI uses adjustable-block encoding in order to traverse loop-free program sections, possibly containing branching, without introducing extra abstraction. Our technique operates over any template linear constraint domain, including the interval and octagon domains; templates can also be derived from the program source.

The implementation is evaluated on a set of benchmarks from the International Competition on Software Verification (SV-COMP). It competes favorably with state-of-the-art analyzers.



The authors wish to thank Tim King for proof-reading and extremely valuable feedback, Nikolaj Bjørner for improving \(\nu Z\) performance on our difficult cases, and the anonymous reviewers for their helpful suggestions.


  1. 1.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Graham, R.M., Harrison, M.A., Sethi, R. (eds.) POPL 1977, pp. 238–252. ACM, New York (1977)Google Scholar
  2. 2.
    Miné, A.: The octagon abstract domain. High. Ord. Symbolic Comput. 19(1), 31–100 (2006)MATHCrossRefGoogle Scholar
  3. 3.
    Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 25–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Gawlitza, T., Seidl, H.: Precise relational invariants through strategy iteration. In: Duparc, J., Henzinger, T.A. (eds.) CSL 2007. LNCS, vol. 4646, pp. 23–40. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Gawlitza, T.M., Monniaux, D.: Invariant generation through strategy iteration in succinctly represented control flow graphs. Logical Meth. Comput. Sci. vol. 8(3:29) (2012)Google Scholar
  6. 6.
    Shamir, A.: A linear time algorithm for finding minimum cutsets in reducible graphs. SIAM J. Comput. 8(4), 645–655 (1979)MATHMathSciNetCrossRefGoogle Scholar
  7. 7.
    Beyer, D., Keremoglu, M.E.: CPAchecker: a tool for configurable software verification. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 184–190. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Bjørner, N., Phan, A.-D., Fleckenstein, L.: \(\nu \) Z - an optimizing SMT solver. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 194–199. Springer, Heidelberg (2015)Google Scholar
  9. 9.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Configurable software verification: concretizing the convergence of model checking and program analysis. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 504–518. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    Beyer, D., Keremoglu, M.E., Wendler, P.: Predicate abstraction with adjustable-block encoding. In: Bloem, R., Sharygina, N. (eds.) FMCAD 2010, pp. 189–197. IEEE (2010)Google Scholar
  11. 11.
    Roux, P., Garoche, P.-L.: Integrating policy iterations in abstract interpreters. In: Van Hung, D., Ogawa, M. (eds.) ATVA 2013. LNCS, vol. 8172, pp. 240–254. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  12. 12.
    Monniaux, D., Schrammel, P.: Speeding up logico-numerical strategy iteration. In: Müller-Olm, M., Seidl, H. (eds.) Static Analysis. LNCS, vol. 8723, pp. 253–267. Springer, Heidelberg (2014)Google Scholar
  13. 13.
    Gaubert, S., Goubault, É., Taly, A., Zennou, S.: Static analysis by policy iteration on relational domains. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 237–252. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Colón, M.A., Sankaranarayanan, S., Sipma, H.B.: Linear invariant generation using non-linear constraint solving. In: Hunt Jr, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 420–432. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Monniaux, D.: Automatic modular abstractions for template numerical constraints. Logical Meth. Comput. Sci. 6(3:4), June 2010Google Scholar
  16. 16.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Aho, A.V., Zilles, S.N., Szymanski, T.G. (eds.) POPL 1978, pp. 84–96. ACM, New York (1978)Google Scholar
  17. 17.
    Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software model checking via large-block encoding. In: FMCAD 2009, pp. 25–32. IEEE (2009)Google Scholar
  18. 18.
    Monniaux, D., Gonnord, L.: Using bounded model checking to focus fixpoint iterations. In: Yahav, E. (ed.) Static Analysis. LNCS, vol. 6887, pp. 369–385. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. 19.
    Gawlitza, T., Seidl, H.: Precise fixpoint computation through strategy iteration. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 300–315. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Bourdoncle, F.: Efficient chaotic iteration strategies with widenings. In: Broy, M., Pottosin, I.V., Bjørner, D. (eds.) Formal Methods in Programming and Their Applications. LNCS, vol. 735, pp. 128–141. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  21. 21.
    Beyer, D.: Software verification and verifiable witnesses. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 401–416. Springer, Heidelberg (2015)Google Scholar
  22. 22.
    Shved, P., Mandrykin, M., Mutilin, V.: Predicate analysis with BLAST 2.7. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 525–527. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Henry, J., Monniaux, D., Moy, M.: PAGAI: a path sensitive static analyser. Electr. Notes Theor. Comput. Sci. 289, 15–25 (2012)CrossRefGoogle Scholar
  24. 24.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, EAllen, Sistla, Aravinda Prasad (eds.) CAV 2000. LNCS, vol. 1855. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Egor George Karpenkov
    • 1
    • 2
  • David Monniaux
    • 1
    • 2
  • Philipp Wendler
    • 3
  1. 1.University Grenoble Alpes, VERIMAGGrenobleFrance
  2. 2.CNRSVERIMAGGrenobleFrance
  3. 3.University of PassauPassauGermany

Personalised recommendations