Program analysis via satisfiability modulo path programs

Path-sensitivity is often a crucial requirement for verifying safety properties of programs. As it is infeasible to enumerate and analyze each path individually, analyses compromise by soundly merging information about executions along multiple paths. However, this frequently results in a loss of precision. We present a program analysis technique that we call Satisfiability Modulo Path Programs (SMPP), based on a path-based decomposition of a program. It is inspired by insights that have driven the development of modern SMT (Satisfiability Modulo Theories) solvers. SMPP symbolically enumerates path programs using a SAT formula over the control edges of the program. Each enumerated path program is verified using an oracle, such as abstract interpretation or symbolic execution, to either find a proof of correctness or report a potential violation. If a proof is found, SMPP extracts a sufficient set of control edges and corresponding interference edges, as a form of proof-based learning. Blocking clauses derived from these edges are added back to the SAT formula to avoid enumerating other path programs that are guaranteed to be correct, thereby improving performance and scalability. We have applied SMPP in the F-Soft program verification framework to verify properties of real-world C programs that require path-sensitive reasoning. Our results indicate that the precision gained from analyzing individual path programs, combined with their efficient enumeration by SMPP, can prove properties as well as indicate potential violations in the large.
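The loop described in the abstract (enumerate a path program, hand it to an oracle, learn a sufficient set of edges from the proof, block every path program that set covers) is illustrated below on a constructed four-path program. This is an added example, not the SMPP or F-Soft implementation. It makes several simplifying assumptions: the SAT solver over edge variables is replaced by a depth-first enumerator that prunes any partial path already covered by a learned blocking clause; the oracle is an interval-domain abstract interpreter run along a single path (no joins); proof-based learning is approximated by greedily dropping edges, with dropped edges replaced by havoc, for as long as the proof survives; and the CFG is acyclic, so no interference edges or loop handling are needed. The names `smpp`, `oracle`, `sufficient_edges`, `path_insensitive` and the edge labels `e0`..`e4` are all hypothetical.

```python
"""Toy SMPP loop: enumerate path programs of an acyclic CFG, verify each with an
interval-domain oracle, learn a sufficient edge set, block the paths it covers."""
from collections import namedtuple

INF = float("inf")
TOP, BOTTOM = {}, None            # TOP: every variable unconstrained; BOTTOM: unreachable
NEG = {">": "<=", "<=": ">", ">=": "<", "<": ">="}

# guard = (var, op, const) or None; assign = (var, expr) or None, where expr is
# ('const', c), ('range', lo, hi) (nondeterministic input) or ('var', v).
Edge = namedtuple("Edge", "name src dst guard assign")
get = lambda state, v: state.get(v, (-INF, INF))

def refine(state, guard):
    """Intersect an abstract state with an integer guard; BOTTOM if empty."""
    if state is BOTTOM or guard is None:
        return state
    v, op, c = guard
    lo, hi = get(state, v)
    if op in (">", ">="):
        lo = max(lo, c + (op == ">"))
    else:
        hi = min(hi, c - (op == "<"))
    return BOTTOM if lo > hi else {**state, v: (lo, hi)}

def evaluate(state, expr):
    return get(state, expr[1]) if expr[0] == "var" else (expr[1], expr[-1])

def step(state, edge, core):
    """Abstract transformer of one edge. Edges outside `core` become havoc (TOP), so a
    proof that survives with `core` alone covers every path program containing `core`
    (sound here only because the CFG is acyclic and the edge order is therefore fixed)."""
    if state is BOTTOM:
        return BOTTOM
    if core is not None and edge.name not in core:
        return TOP
    state = refine(state, edge.guard)
    if state is BOTTOM or edge.assign is None:
        return state
    return {**state, edge.assign[0]: evaluate(state, edge.assign[1])}

def holds(state, prop):
    """prop = (var, op, const) holds if its negation is infeasible; BOTTOM is vacuously safe."""
    return state is BOTTOM or refine(state, (prop[0], NEG[prop[1]], prop[2])) is BOTTOM

def oracle(path, prop, core=None):
    state = TOP
    for e in path:
        state = step(state, e, core)
    return holds(state, prop)

def sufficient_edges(path, prop):
    """Greedy stand-in for proof-based learning: drop edges while the proof survives."""
    core = {e.name for e in path}
    for e in path:
        if oracle(path, prop, core - {e.name}):
            core = core - {e.name}
    return frozenset(core)

def smpp(edges, entry, exit_, prop):
    """Returns (analyzed path programs, violating paths, learned blocking clauses)."""
    out = {}
    for e in edges:
        out.setdefault(e.src, []).append(e)
    blocked, analyzed, violations = [], [], []   # clause {e1,e3} means (not e1 or not e3)

    def dfs(node, path):
        names = {e.name for e in path}
        if any(clause <= names for clause in blocked):
            return                    # a SAT solver would no longer return this model
        if node != exit_:
            for e in out.get(node, []):
                dfs(e.dst, path + [e])
            return
        analyzed.append(path)
        if oracle(path, prop):
            blocked.append(sufficient_edges(path, prop))
        else:
            violations.append([e.name for e in path])
    dfs(entry, [])
    return analyzed, violations, blocked

def join(s, t):
    if s is BOTTOM or t is BOTTOM:
        return t if s is BOTTOM else s
    return {v: (min(get(s, v)[0], get(t, v)[0]), max(get(s, v)[1], get(t, v)[1]))
            for v in set(s) | set(t)}

def path_insensitive(edges, entry, exit_, prop):
    """Merge-at-join interval analysis for contrast (nodes are numbered topologically)."""
    states = {entry: TOP}
    for e in sorted(edges, key=lambda e: e.src):
        states[e.dst] = join(states.get(e.dst, BOTTOM), step(states.get(e.src, BOTTOM), e, None))
    return holds(states[exit_], prop)

# Constructed example program; the two branches are correlated through `a`.
PROGRAM = [
    Edge("e0", 0, 1, None, ("a", ("range", -10, 10))),        # a = input();
    Edge("e1", 1, 2, ("a", ">", 0), ("x", ("const", 1))),     # if (a > 0) x = 1;
    Edge("e2", 1, 2, ("a", "<=", 0), ("x", ("const", -1))),   # else       x = -1;
    Edge("e3", 2, 3, ("a", ">", 0), ("y", ("var", "x"))),     # if (a > 0) y = x;
    Edge("e4", 2, 3, ("a", "<=", 0), ("y", ("const", 1))),    # else       y = 1;
]
PROP = ("y", ">", 0)                                          # assert(y > 0);
```

On this program the merging analysis loses the correlation between the two branches (at the join, x is [-1, 1], so y is [-1, 1]) and cannot prove the assertion, while `smpp(PROGRAM, 0, 3, PROP)` proves it after analyzing three of the four syntactic paths: two are infeasible (their guards contradict), and the blocking clause learned from the second path program, {e4}, already covers the fourth. Replacing the last assignment by `y = x` makes the path e0, e2, e4 a genuine violation, which the oracle reports instead of proving.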