Lazy Shape Analysis

  • Dirk Beyer
  • Thomas A. Henzinger
  • Grégory Théoduloz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4144)


Many software model checkers are based on predicate abstraction. If the verification goal depends on pointer structures, the approach does not work well, because it is difficult to find adequate predicate abstractions for the heap. In contrast, shape analysis, which uses graph-based heap abstractions, can provide a compact representation of recursive data structures. We integrate shape analysis into the software model checker Blast. Because shape analysis is expensive, we do not apply it globally. Instead, we ensure that, like predicates, shape graphs are computed and stored locally, only where necessary for proving the verification goal. To achieve this, we extend lazy abstraction refinement, which so far has been used only for predicate abstractions, to three-valued logical structures. This approach does not only increase the precision of model checking, but it also increases the efficiency of shape analysis. We implemented the technique by extending Blast with calls to Tvla.


Model Checker Program Location Unary Predicate Predicate Abstraction Shape Class 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balaban, I., Pnueli, A., Zuck, L.D.: Shape analysis by predicate abstraction. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 164–180. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Ball, T., Rajamani, S.K.: The Slam project: Debugging system software via static analysis. In: Proc. POPL, pp. 1–3. ACM Press, New York (2002)Google Scholar
  3. 3.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Lazy shape analysis. Technical Report MTC-REPORT-2005-006, EPFL (2005)Google Scholar
  4. 4.
    Chaki, S., Clarke, E.M., Groce, A., Jha, S., Veith, H.: Modular verification of software components in C. IEEE Trans. Software Eng. 30(6), 388–402 (2004)CrossRefGoogle Scholar
  5. 5.
    Chase, D.R., Wegman, M.N., Zadeck, F.K.: Analysis of pointers and structures. In: Proc. PLDI, pp. 296–310. ACM, New York (1990)Google Scholar
  6. 6.
    Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Dams, D., Namjoshi, K.S.: Shape analysis through predicate abstraction and model checking. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 310–324. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Fischer, J., Jhala, R., Majumdar, R.: Joining data flow with predicates. In: Proc. FSE, pp. 227–236. ACM, New York (2005)Google Scholar
  9. 9.
    Gopan, D., Reps, T.W., Sagiv, M.: A framework for numeric analysis of array operations. In: Proc. POPL, pp. 338–350. ACM, New York (2005)Google Scholar
  10. 10.
    Gulavani, B.S., Rajamani, S.K.: Counterexample-driven refinement for abstract interpretation. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006 and ETAPS 2006. LNCS, vol. 3920, pp. 474–488. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Henzinger, T.A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In: Proc. POPL, pp. 232–244. ACM Press, New York (2004)Google Scholar
  12. 12.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Proc. POPL, pp. 58–70. ACM Press, New York (2002)Google Scholar
  13. 13.
    Jones, N.D., Muchnick, S.S.: A flexible approach to interprocedural data-flow analysis and programs with recursive data structures. In: Proc. POPL, pp. 66–74. ACM Press, New York (1982)Google Scholar
  14. 14.
    Kurshan, R.P.: Computer-Aided Verification of Coordinating Processes. Princeton University Press, Princeton (1994)Google Scholar
  15. 15.
    Lev-Ami, T., Reps, T.W., Sagiv, M., Wilhelm, R.: Putting static analysis to work for verification: A case study. In: Proc. ISSTA, pp. 26–38. ACM Press, New York (2000)CrossRefGoogle Scholar
  16. 16.
    Lev-Ami, T., Sagiv, M.: Tvla: A system for implementing static analyses. In: Palsberg, J. (ed.) SAS 2000. LNCS, vol. 1824, pp. 280–301. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. 17.
    Loginov, A., Reps, T.W., Sagiv, M.: Abstraction refinement via inductive learning. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 519–533. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    McMillan, K.L.: Interpolation and SAT-based model checking. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Sagiv, M., Reps, T.W., Wilhelm, R.: Parametric shape analysis via three-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)CrossRefGoogle Scholar
  20. 20.
    Yorsh, G., Reps, T.W., Sagiv, M., Wilhelm, R.: Logical characterizations of heap abstractions. ACM Trans. Comput. Log. (to appear)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Dirk Beyer
    • 1
  • Thomas A. Henzinger
    • 1
  • Grégory Théoduloz
    • 1
  1. 1.EPFLSwitzerland

Personalised recommendations