Structural Invariants

We present structural invariants (SI), a new technique for incrementally overapproximating the verification condition of a program in static single assignment form by making a linear pass over the dominator tree of the program. The 1-level SI at a program location is the conjunction of all dominating program statements viewed as constraints. For any k, we define a k-level SI by recursively strengthening the dominating join points of the 1-level SI with the (k - 1)-level SI of the predecessors of the join point, thereby providing a tunable selector to add path-sensitivity incrementally. By ignoring program paths, the size of the SI and correspondingly the time to discharge the validity query remains small, allowing the technique to scale to large programs. We show experimentally that even with k ≤ 2, for a set of open-source programs totaling 570K lines and properties for which specialized analyses have been previously devised, our method provides an automatic and scalable algorithm with a low false positive rate.
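
As an added example (not code from the paper), the following Python sketch builds the 1-level and k-level SI on a constructed four-block SSA program by walking the dominator tree, and brute-forces the validity query over a small finite domain in place of a theorem prover. The encoding of a phi node per incoming edge at a join point is this example's own assumption; it shows that `x4 > 0` at the join is not provable at k = 1 but becomes provable at k = 2.

```python
import itertools
# Constructed toy SSA program (an assumption of this example, not from the paper):
#   b0: x1 = 0; branch   b1: x2 = x1 + 1   b2: x3 = x1 + 2   b3: x4 = phi(b1: x2, b2: x3)
# Per block: statements read as constraints, phis keyed by predecessor, preds, idom.
PROGRAM = {
    "b0": dict(stmts=["x1 == 0"], phis={}, preds=[], idom=None),
    "b1": dict(stmts=["x2 == x1 + 1"], phis={}, preds=["b0"], idom="b0"),
    "b2": dict(stmts=["x3 == x1 + 2"], phis={}, preds=["b0"], idom="b0"),
    "b3": dict(stmts=[], phis={"x4": {"b1": "x2", "b2": "x3"}},
               preds=["b1", "b2"], idom="b0"),
}
VARS = ["x1", "x2", "x3", "x4"]

def dominators(block):
    """Blocks on the dominator-tree path from the entry down to `block`."""
    path = []
    while block is not None:
        path.append(block)
        block = PROGRAM[block]["idom"]
    return path[::-1]

def si(block, k):
    """k-level SI at the exit of `block`: ('and', [...]), ('or', [...]) or an atom string."""
    conj = []
    for b in dominators(block):  # one linear walk down the dominator tree
        conj += PROGRAM[b]["stmts"]
        for v, arms in PROGRAM[b]["phis"].items():  # 1-level view of a phi: any arm
            conj.append(("or", [f"{v} == {e}" for e in arms.values()]))
        preds = PROGRAM[b]["preds"]
        if k > 1 and len(preds) > 1:  # join point: strengthen with (k-1)-level SI of preds
            conj.append(("or", [("and", [si(p, k - 1)] +
                [f"{v} == {a[p]}" for v, a in PROGRAM[b]["phis"].items()]) for p in preds]))
    return ("and", conj)

def holds(f, env):  # evaluate a formula tree under one concrete assignment
    if isinstance(f, str):
        return bool(eval(f, {}, env))
    op, parts = f
    return (all if op == "and" else any)(holds(p, env) for p in parts)

def proves(prop, block, k, domain=range(-2, 4)):
    """SI_k(block) => prop, brute-forced over a finite domain (stands in for the prover)."""
    inv = si(block, k)
    for vals in itertools.product(domain, repeat=len(VARS)):
        env = dict(zip(VARS, vals))
        if holds(inv, env) and not holds(prop, env):
            return False  # counterexample: the SI is too weak at this k
    return True
```

Raising k only adds disjunctions at the join points on the dominator path, so the invariant stays small relative to enumerating paths; a real implementation would hand `si(...)` to an SMT solver rather than enumerate assignments.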