## Automatic predicate abstraction of C programs (2001)

Venue: In Proc. ACM PLDI

Citations: 425 (27 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ball01automaticpredicate,
  author    = {Thomas Ball and Rupak Majumdar and Todd Millstein and Sriram K. Rajamani},
  title     = {Automatic predicate abstraction of C programs},
  booktitle = {In Proc. ACM PLDI},
  year      = {2001},
  pages     = {203--213},
  publisher = {ACM Press}
}
```

### Abstract

Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, state-space explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For infinite-state systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction of programs written in an industrial programming language such as C, and its implementation in a tool, C2bp. The C2bp tool is part of the SLAM toolkit, which uses a combination of predicate abstraction, model checking, symbolic reasoning, and iterative refinement to statically check temporal safety properties of programs. Predicate abstraction of software has many applications, including detecting program errors, synthesizing program invariants, and improving the precision of program analyses through predicate sensitivity. We discuss our experience applying the C2bp predicate abstraction tool to a variety of problems, ranging from checking that list-manipulating code preserves heap invariants to finding errors in Windows NT device drivers.

### Citations

3153 | Graph-based algorithms for Boolean function manipulation - Bryant - 1986
Citation context: ...ys. First, it computes over sets of bit vectors at each statement rather than single bit vectors. This is necessary to capture correlations between variables. Second, it uses binary decision diagrams [9] (BDDs) to implicitly represent the set of reachable states of a program, as well as the transfer functions for each statement in a boolean program. However, Bebop uses an explicit control-flow graph r...

2004 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints - Cousot, Cousot - 1977

1535 | A Discipline of Programming - Dijkstra - 1976
Citation context: ...n expression (for example, "z=x+f(y);" is replaced by "t=f(y); z=x+t;"). 4.1 Weakest Preconditions and Cubes. For a statement s and a predicate φ, let WP(s, φ) denote the weakest liberal precondition [16, 20] of φ with respect to statement s. WP(s, φ) is defined as the weakest predicate whose truth before s entails the truth of φ after s terminates (if it terminates). Let "x = e" be an assignment, where x ...

1165 | Proof-carrying code - Necula - 1997
Citation context: ...oteworthy because our predicate language is a quantifier-free logic, rather than the more powerful logic of [30]. We have applied C2bp and Bebop to examples from Necula's work on proof-carrying code [26] to automatically identify loop invariants in these examples that the PCC compiler was required to generate. We have used C2bp in the SLAM toolkit to check temporal safety properties of Windows NT d...

648 | Construction of abstract state graphs with PVS - Graf, Saïdi - 1997
Citation context: ...el check software must first construct an abstract model of the software. A promising approach to construct abstractions automatically, called predicate abstraction, was first proposed by Graf and Saïdi [19]. With predicate abstraction, the concrete states of a system are mapped to abstract states according to their evaluation under a finite set of predicates. Automatic predicate abstraction algorithms hav...

606 | Bandera: Extracting finite-state models from Java source code - Corbett, Dwyer, et al. - 2000

579 | Parametric shape analysis via 3-valued logic - Sagiv, Reps, et al. - 1999
Citation context: ...n than is possible with a flow-sensitive alias analysis. In another example, we show that list-manipulating code preserves various structural properties of the heap, as has been done with shape analysis [30]. This is noteworthy because our predicate language is a quantifier-free logic, rather than the more powerful logic of [30]. We have applied C2bp and Bebop to examples from Necula's work on proof-car...

498 | The Science of Programming - Gries - 1981
Citation context: ...n expression (for example, "z=x+f(y);" is replaced by "t=f(y); z=x+t;"). 4.1 Weakest Preconditions and Cubes. For a statement s and a predicate φ, let WP(s, φ) denote the weakest liberal precondition [16, 20] of φ with respect to statement s. WP(s, φ) is defined as the weakest predicate whose truth before s entails the truth of φ after s terminates (if it terminates). Let "x = e" be an assignment, where x ...

408 | Automatically validating temporal safety properties of interfaces - Ball, Rajamani
Citation context: ...rivers from the Windows 2000 Driver Development Kit (footnote 5), as well as an internally developed floppy device driver, to check for proper usage of locks and proper handling of interrupt request packets (see [6] for the details of the properties checked). The device drivers in the DDK are supposed to be exemplars for others to base their device drivers on. For the two properties we checked, the SLAM toolkit ...

385 | Interprocedural dataflow analysis via graph reachability - Reps, Sagiv, et al. - 1994

374 | Enforcing high-level protocols in low-level software - DeLine, Fähndrich - 2001
Citation context: ...oning of a variable's possible values and additionally allows relationships between variables to be defined. Another approach is to use richer type systems to model finite-state abstractions of programs [14]. Shape analysis [30] also uses a form of predicate abstraction, where the predicate language is a first-order logic augmented with transitive closure. In contrast, our predicates are quantifier-free. Sh...

331 | Proving the correctness of multiprocess programs - Lamport - 1977
Citation context: ...nterfaces it uses. Safety properties are the class of properties that state that "something bad does not happen". An example is requiring that a lock is never released without first being acquired (see [23] for a formal definition). Given a program and a safety property, we wish to either validate that the code respects the property, or find an execution path that shows how the code violates the property. ...

235 | Bebop: A symbolic model checker for Boolean programs - Ball, Rajamani - 2000
Citation context: ...cts the corresponding boolean transfer functions that conservatively represent the effect of s on the predicates in E. The resulting boolean program can be analyzed precisely using a tool called Bebop [5] that performs interprocedural dataflow analysis [31, 28] using binary decision diagrams. We present the details of the C2bp algorithm, as well as results from applying C2bp to a variety of problems an...

207 | Unification-based Pointer Analysis with Directional Assignments - Das - 2000
Citation context: ... true or false. The C2bp tool determines that the other two predicates are unaffected by the assignment "prev=NULL;", so they need not be updated. The C2bp tool uses a flow-insensitive points-to analysis [12] to resolve aliases between pointers. In this program, since none of the pointer variables in the set { curr, prev, next, newl } has its address taken, none of these variables can be aliased by any ot...

176 | Boolean and cartesian abstractions for model checking C programs - Ball, Podelski, et al.
Citation context: ...ey contain loops). For a detailed proof of soundness of the abstraction algorithm presented in this paper, the interested reader is referred to our technical report [3]. In work with Andreas Podelski [4] we have used the framework of abstract interpretation to formalize the precision of the C2bp algorithm for single-procedure programs with no pointers. Section 4.6 reviews the soundness theorem for...

165 | BI as an assertion language for mutable data structures - 2001
Citation context: ...to use linear types to encode that there are no external pointers to the list other than p. It would also be interesting to investigate the use of predicates expressible in some recent pointer logics [29, 22]. We have focused on predicate abstraction of single-threaded programs, and it would be interesting to extend C2bp to work for multi-threaded code. Several issues need to be resolved here. First, one n...

163 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints - Cousot, Cousot - 1977
Citation context: ...s well. Since a boolean program that allows all paths to be feasible is sound as well, we also need to state the sense in which B is precise. We do that via the terminology of abstract interpretation [11]. Soundness. For any path p feasible in P, it is guaranteed that p is feasible in BP(P, E) as well. Further, if σ is the state of the C program P after executing path p, then there exists an execution o...

138 | Experience with Predicate Abstraction - Das, Dill, et al. - 1999
Citation context: ...->next = hnext holds. 7 Related Work. Our work is inspired by the predicate abstraction work of Graf and Saïdi [19]. Predicate abstraction has been used in the verification of cache coherence protocols [13]. However, these efforts work at the specification level, on a language with guarded commands. Doing predicate abstraction on a general-purpose programming language is the novel aspect of our work. A me...

117 | Set-based analysis of ML programs - Heintze
Citation context: ...A cartesian abstraction maps a set of boolean vectors to a three-valued vector obtained by ignoring dependencies between the components of the vectors (see, for example, the work on set-based analysis [21]). For example, the set of boolean ... [footnote 4] For simplicity, we assume that each formal still refers to the same value as its corresponding actual at the end of the call. This can be checked using a standard ...

113 | Techniques for program verification - Nelson - 1981

107 | Intuitionistic reasoning about shared mutable data structure - Reynolds - 2000
Citation context: ...to use linear types to encode that there are no external pointers to the list other than p. It would also be interesting to investigate the use of predicates expressible in some recent pointer logics [29, 22]. We have focused on predicate abstraction of single-threaded programs, and it would be interesting to extend C2bp to work for multi-threaded code. Several issues need to be resolved here. First, one n...

85 | Improving data-flow analysis with path profiles - Ammons, Larus - 1998

70 | Implementation of an Array Bound Checker - Suzuki, Ishihata - 1977
Citation context: ...dataflow analyses in Bebop could be used to achieve similar results. Prior work for generating loop invariants has used symbolic execution on the concrete semantics, augmented with widening heuristics [32, 33]. The Houdini tool guesses a candidate set of annotations (invariants) and uses the ESC/Java checker to refute inconsistent annotations until convergence [18]. In contrast, the tools C2bp and Bebop use...

69 | Tool-supported program abstraction for finite-state verification - Dwyer, Hatcliff, et al. - 2001

55 | Safety checking of machine code - Xu, Miller, et al. - 2000
Citation context: ...dataflow analyses in Bebop could be used to achieve similar results. Prior work for generating loop invariants has used symbolic execution on the concrete semantics, augmented with widening heuristics [32, 33]. The Houdini tool guesses a candidate set of annotations (invariants) and uses the ESC/Java checker to refute inconsistent annotations until convergence [18]. In contrast, the tools C2bp and Bebop use...

33 | Bandera: extracting models from Java source code - Corbett, Dwyer, et al. - 2000
Citation context: ... (p = q). That is, (p ≠ q) ⇒ (p ≠ q). mutually recursive procedures with no additional mechanism. This differs from most other approaches to software model checking, which inline procedure calls [10]. In the following section, we describe a modular abstraction process for procedures: each procedure can be abstracted given only the signatures of the abstractions of its callees, and such signatures...

27 | Parameterized verification of multithreaded software libraries - Ball, Chaki, et al. - 2001

27 | Path-sensitive value-flow analysis - Bodik, Anik - 1998

26 | Polymorphic predicate abstraction - Ball, Millstein, et al. - 2000
Citation context: ...rs we have analyzed (even though they contain loops). For a detailed proof of soundness of the abstraction algorithm presented in this paper, the interested reader is referred to our technical report [3]. In work with Andreas Podelski [4] we have used the framework of abstract interpretation to formalize the precision of the C2bp algorithm for single-procedure programs with no pointers. Section 4....

25 | Interprocedural side effect analysis with pointer aliasing - Landi, Ryder, et al. - 1993

24 | A general axiom of assignment - Morris - 1982
Citation context: ... true after the assignment to x. A similar problem occurs when a pointer dereference is on the left-hand side of the assignment. To handle these problems, we adapt Morris' general axiom of assignment [25]. A location is either a variable, a ... [figure residue omitted: example procedures bar and foo shown alongside their predicate sets]

17 | Precise interprocedural dataflow analysis via graph reachability - Reps, Horwitz, et al. - 1995
Citation context: ...at conservatively represent the effect of s on the predicates in E. The resulting boolean program can be analyzed precisely using a tool called Bebop [5] that performs interprocedural dataflow analysis [31, 28] using binary decision diagrams. We present the details of the C2bp algorithm, as well as results from applying C2bp to a variety of problems and programs: We have applied C2bp and Bebop to pointer-m...

14 | Techniques for program verification - Nelson - 1981
Citation context: ... involves a call to a theorem prover implementing the required decision procedures. Our implementation of C2bp uses two theorem provers: Simplify [15] and Vampyre [7], both Nelson-Oppen style provers [27]. A naive computation of F_V() and G_V() requires exponentially many calls to the theorem prover in the worst case. Section 5 describes several optimizations that make the F_V and G_V computations...

13 | Two approaches to interprocedural dataflow analysis - Sharir, Pnueli - 1981
Citation context: ...at conservatively represent the effect of s on the predicates in E. The resulting boolean program can be analyzed precisely using a tool called Bebop [5] that performs interprocedural dataflow analysis [31, 28] using binary decision diagrams. We present the details of the C2bp algorithm, as well as results from applying C2bp to a variety of problems and programs: We have applied C2bp and Bebop to pointer-m...

12 | Simplify theorem prover. http://research.compaq.com/SRC/esc/Simplify.html - Detlefs, Nelson, et al.
Citation context: ... is implied by φ. For each cube, the implication check involves a call to a theorem prover implementing the required decision procedures. Our implementation of C2bp uses two theorem provers: Simplify [15] and Vampyre [7], both Nelson-Oppen style provers [27]. A naive computation of F_V() and G_V() requires exponentially many calls to the theorem prover in the worst case. Section 5 describes severa...

10 | Two approaches to interprocedural dataflow analysis - Sharir, Pnueli - 1981

8 | Vampyre: A proof generating theorem prover. http://www.eecs.berkeley.edu/~rupak/vampyre - Blei
Citation context: ... For each cube, the implication check involves a call to a theorem prover implementing the required decision procedures. Our implementation of C2bp uses two theorem provers: Simplify [15] and Vampyre [7], both Nelson-Oppen style provers [27]. A naive computation of F_V() and G_V() requires exponentially many calls to the theorem prover in the worst case. Section 5 describes several optimizations ...

7 | Annotation inference for modular checkers. Information Processing Letters (to appear) - Flanagan, Joshi, et al. - 2001
Citation context: ...s, augmented with widening heuristics [32, 33]. The Houdini tool guesses a candidate set of annotations (invariants) and uses the ESC/Java checker to refute inconsistent annotations until convergence [18]. In contrast, the tools C2bp and Bebop use a combination of abstraction (from C program to boolean program) and iterative analysis of the abstracted C program to find loop invariants expressible as bool...

7 | Parameterized verification of multithreaded software libraries - Ball, Chaki, et al. - 2001
Citation context: ... the number of threads in advance. If we were to first abstract boolean programs to finite-state machines, then it is possible to use parameterized model checking to handle an arbitrary number of threads [2]. It is not clear if these abstractions can be performed automatically. We have chosen C as our source language for predicate abstraction. However, our fundamental contribution is a set of techniques ...

6 | Improving Data-flow Analysis with Path Profiles - Ammons, Larus - 1998
Citation context: ...que that can be used to add predicate (read "path") sensitivity to program analyses. Ammons and Larus use code duplication followed by a traditional dataflow analysis to achieve path-sensitive results [1]. Bodik and Anik use symbolic back-substitution (i.e., weakest preconditions) followed by value numbering to improve the results of a subsequent three-valued dataflow analysis [8]. The combination of p...

6 | Tool-supported program abstraction for finite-state verification - Dwyer, Hatcliff, et al. - 2001
Citation context: ...predicate abstraction on a general-purpose programming language is the novel aspect of our work. A method for constructing abstract models from Java programs has been developed in the Bandera project [17]. Their tool requires the user to provide finite-domain abstractions of data types. Predicate abstraction as implemented in C2bp is more general, as it allows the finite partitioning of a variable's possib...

5 | A schema for interprocedural side effect analysis with pointer aliasing - Ryder, Landi, et al. - 1998
Citation context: ...an [footnote 4] For simplicity, we assume that each formal still refers to the same value as its corresponding actual at the end of the call. This can be checked using a standard modification side-effect analysis [24]. If a formal cannot be proven to refer to the same value as its corresponding actual at the end of the call, then any predicates that mention the formal must be removed from E_r in the signature of R...

1 | Path-sensitive value-flow analysis - Bodik, Anik - 1998
Citation context: ...ath-sensitive results [1]. Bodik and Anik use symbolic back-substitution (i.e., weakest preconditions) followed by value numbering to improve the results of a subsequent three-valued dataflow analysis [8]. The combination of predicate abstraction by C2bp and path-sensitive dataflow analyses in Bebop could be used to achieve similar results. Prior work for generating loop invariants has used symbolic ex...