From Tests to Proofs

We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a classical means of program verification, in practice existing tools do not scale even to moderately sized programs. This is because the constraints that need to be solved even for small programs are already too difficult for the underlying (non-linear) constraint solving engines. To overcome this obstacle, we propose to strengthen static constraint generation with information obtained from static abstract interpretation and dynamic execution of the program. The strengthening comes in the form of additional linear constraints that trigger a series of simplifications in the solver, and make solving more scalable. We demonstrate the practical applicability of the approach by an experimental evaluation on a collection of challenging benchmark programs and comparisons with related tools based on abstract interpretation and software model checking.
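The following is an added illustration of the idea in the abstract, not code from the paper or from its tool. It models one loop (a constructed example: `x = 0; y = 0; while (x <= 9) { x += 1; y += 2; }`) and a linear template invariant `c_x*x + c_y*y + c0 >= 0`. The template coefficients are fixed from a small integer grid instead of being found by a non-linear solver, and the inductiveness (consecution) check uses Farkas' lemma with a small grid of non-negative multipliers, a sound but incomplete stand-in for the solver. The point it demonstrates is the strengthening step: each state observed during dynamic execution yields a linear constraint on the coefficients that discards most candidates before the expensive consecution check runs.

```python
"""Constraint-based linear invariant generation, strengthened by test runs (added example)."""
from fractions import Fraction
from itertools import product

# --- Program under analysis (constructed example), state is (x, y) ---
INIT = (0, 0)                     # x = 0; y = 0
GUARD = (-1, 0, 9)                # loop guard as linear form: -1*x + 0*y + 9 >= 0, i.e. x <= 9
UPDATE = ((1, 0, 1), (0, 1, 2))   # x' = 1*x + 0*y + 1 ; y' = 0*x + 1*y + 2   (rows: a_x, a_y, const)

# Multiplier grid for the Farkas check (assumption: small rationals are enough for this loop).
MULTIPLIERS = [Fraction(0), Fraction(1, 2), Fraction(1), Fraction(2)]


def evaluate(form, state):
    """Value of the linear form (c_x, c_y, c0) at the state (x, y)."""
    cx, cy, c0 = form
    x, y = state
    return cx * x + cy * y + c0


def run_tests(init, guard, update, max_steps=100):
    """Dynamic execution: collect the concrete states reached at the loop head."""
    states = [init]
    s = init
    for _ in range(max_steps):
        if evaluate(guard, s) < 0:      # guard false: loop exits
            break
        s = tuple(row[0] * s[0] + row[1] * s[1] + row[2] for row in update)
        states.append(s)
    return states


def substitute_update(form, update):
    """Express I(x', y') as a linear form in (x, y), given the affine update."""
    cx, cy, c0 = form
    (ax, ay, ac), (bx, by, bc) = update
    return (cx * ax + cy * bx, cx * ay + cy * by, cx * ac + cy * bc + c0)


def consecution_farkas(form, guard, update):
    """Sufficient inductiveness check (Farkas' lemma over a multiplier grid).

    Look for lam0, lam1 >= 0 such that, identically in (x, y),
        I(x', y') - lam0 * I(x, y) - lam1 * guard(x, y) == const   with const >= 0.
    Then I >= 0 and guard >= 0 imply I(x', y') >= 0. Returns the multipliers or None.
    """
    post = substitute_update(form, update)
    for lam0, lam1 in product(MULTIPLIERS, repeat=2):
        residual = tuple(p - lam0 * i - lam1 * g for p, i, g in zip(post, form, guard))
        if residual[0] == 0 and residual[1] == 0 and residual[2] >= 0:
            return (lam0, lam1)
    return None


def generate_invariants(init, guard, update,
                        coeff_range=range(-2, 3), const_range=range(-10, 11)):
    """Enumerate template coefficients, prune with test states, then verify inductiveness."""
    candidates = [(cx, cy, c0) for cx in coeff_range for cy in coeff_range for c0 in const_range]
    states = run_tests(init, guard, update)
    # Strengthening: every observed state s gives the linear constraint I(s) >= 0 on the
    # coefficients. Anything violating it cannot be an invariant, so it never reaches Farkas.
    survivors = [c for c in candidates if all(evaluate(c, s) >= 0 for s in states)]
    inductive = [c for c in survivors
                 if evaluate(c, init) >= 0                      # initiation
                 and consecution_farkas(c, guard, update) is not None]  # consecution
    return {"candidates": len(candidates), "after_tests": len(survivors),
            "states": states, "inductive": inductive}


if __name__ == "__main__":
    result = generate_invariants(INIT, GUARD, UPDATE)
    print(f"{result['candidates']} candidate templates, "
          f"{result['after_tests']} survive the {len(result['states'])} test states, "
          f"{len(result['inductive'])} are inductive")
    for form in ((-2, 1, 0), (2, -1, 0), (-1, 0, 10)):
        print(form, "inductive" if form in result["inductive"] else "rejected")
```

With this loop the test states are (k, 2k) for k = 0..10, so the state constraints alone cut the 525 candidates down to 156, and only two of those still need to be rejected by the consecution check; among the survivors are both halves of `y == 2x` and the bound `x <= 10`. The multiplier grid is the weak point of this toy: a candidate whose Farkas certificate needs a multiplier outside the grid is wrongly rejected, which is exactly the kind of incompleteness a real non-linear solver avoids.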
