Configurable Software Verification: Concretizing the Convergence of Model Checking and Program Analysis

In automatic software verification, we have observed a theoretical convergence of model checking and program analysis. In practice, however, model checkers are still mostly concerned with precision, e.g., the removal of spurious counterexamples; for this purpose they build and refine reachability trees. Lattice-based program analyzers, on the other hand, are primarily concerned with efficiency. We designed an algorithm and built a tool that can be configured to perform not only a purely tree-based or a purely lattice-based analysis, but offers many intermediate settings that have not been evaluated before. The algorithm and tool take one or more abstract interpreters, such as a predicate abstraction and a shape analysis, and configure their execution and interaction using several parameters. Our experiments show that such customization may lead to dramatic improvements in the precision-efficiency spectrum.

[1]  David A. Schmidt Data flow analysis is model checking of abstract interpretations , 1998, POPL '98.

[2]  Patrick Cousot,et al.  Compositional and Inductive Semantic Definitions in Fixpoint, Equational, Constraint, Closure-condition, Rule-based and Game-Theoretic Form , 1995, CAV.

[3]  Sumit Gulwani,et al.  Combining abstract interpreters , 2006, PLDI '06.

[4]  Sorin Lerner,et al.  Composing dataflow analyses and transformations , 2002, POPL '02.

[5]  David A. Schmidt,et al.  The Essence of Computation , 2002 .

[6]  Florian Martin,et al.  PAG – an efficient program analyzer generator , 1998, International Journal on Software Tools for Technology Transfer.

[7]  Shmuel Sagiv,et al.  TVLA: A System for Implementing Static Analyses , 2000, SAS.

[8]  Steven W. K. Tjiang,et al.  Sharlit—a tool for building optimizers , 1992, PLDI '92.

[9]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[10]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[11]  Patrick Cousot,et al.  Design and Implementation of a Special-Purpose Static Program Analyzer for Safety-Critical Real-Time Embedded Software, invited chapter , 2002 .

[12]  Thomas A. Henzinger,et al.  Lazy Shape Analysis , 2006, CAV.

[13]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[14]  Benjamin C. Pierce,et al.  Theoretical Aspects of Computer Software , 2001, Lecture Notes in Computer Science.

[15]  Bernhard Steffen,et al.  Data Flow Analysis as Model Checking , 1990, TACS.

[16]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[17]  Lori A. Clarke,et al.  A flexible architecture for building data flow analyzers , 1995, Proceedings of IEEE 18th International Conference on Software Engineering.

[18]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[19]  Andreas Podelski,et al.  Boolean and Cartesian abstraction for model checking C programs , 2001, International Journal on Software Tools for Technology Transfer.

[20]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[21]  Rupak Majumdar,et al.  Joining dataflow with predicates , 2005, ESEC/FSE-13.

[22]  Xavier Rival,et al.  Trace Partitioning in Abstract Interpretation Based Static Analyzers , 2005, ESOP.

[23]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.