Structural Invariants

  • Ranjit Jhala
  • Rupak Majumdar
  • Ru-Gang Xu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4134)


We present structural invariants (SI), a new technique for incrementally overapproximating the verification condition of a program in static single assignment form by making a linear pass over the dominator tree of the program. The 1-level SI at a program location is the conjunction of all dominating program statements viewed as constraints. For any k, we define a k-level SI by recursively strengthening the dominating join points of the 1-level SI with the (k – 1)-level SI of the predecessors of the join point, thereby providing a tunable selector to add path-sensitivity incrementally. By ignoring program paths, the size of the SI and correspondingly the time to discharge the validity query remains small, allowing the technique to scale to large programs. We show experimentally that even with k ≤ 2, for a set of open-source programs totaling 570K lines and properties for which specialized analyses have been previously devised, our method provides an automatic and scalable algorithm with a low false positive rate.
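The 1-level SI defined in the abstract, worked on a diamond-shaped control-flow graph; this is an added example, not code from the paper or its authors. The CFG, block names and constraint strings are constructed, and two choices are assumptions of this example: a location's own block counts as dominating it, and φ-statements and the k-level strengthening are not modelled.

```python
# Added illustration of the 1-level SI from the abstract. The CFG, block names
# and constraints are constructed sample input, not taken from the paper.

def dominators(cfg, entry):
    """dom(n) = {n} | intersection of dom(p) over predecessors p of n.
    Assumes every node is reachable from entry."""
    nodes = set(cfg)
    preds = {n: [p for p in cfg if n in cfg[p]] for n in nodes}
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in sorted(nodes - {entry}):
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def one_level_si(cfg, stmts, entry, loc):
    """Conjunction (as a list of conjuncts) of the statements of every block
    that dominates loc, ordered from the entry down the dominator tree.
    Assumption: loc's own block is included."""
    dom = dominators(cfg, entry)
    # Dominators of loc form a chain; an ancestor has fewer dominators itself.
    chain = sorted(dom[loc], key=lambda d: len(dom[d]))
    return [c for block in chain for c in stmts[block]]

# Constructed SSA program: if (c0 > 0) y1 = x0 + 1 else y2 = x0 - 1
CFG = {"entry": ["then", "else"], "then": ["join"], "else": ["join"], "join": []}
STMTS = {
    "entry": ["x0 == 0"],
    "then": ["c0 > 0", "y1 == x0 + 1"],    # branch condition as a constraint
    "else": ["c0 <= 0", "y2 == x0 - 1"],
    "join": [],                             # phi-statement left out (assumption)
}

if __name__ == "__main__":
    for loc in ("then", "join"):
        print(loc, "->", " && ".join(one_level_si(CFG, STMTS, "entry", loc)))
```

At `then` the SI keeps the branch condition, while at `join` neither branch dominates, so only the `entry` constraint survives; that loss is the path-insensitivity the k-level SI is described as recovering.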


Keywords: Dominator Tree; Structural Invariant; Bound Model Check; Exit Node; Entry Node
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ranjit Jhala (1)
  • Rupak Majumdar (2)
  • Ru-Gang Xu (2)
  1. UC San Diego
  2. UC Los Angeles
