Abstract

We consider the problem of automatically inferring likely program invariants from execution traces. In this paper, we focus on inference of invariants that hold over data structures in the program. Properties of data structures can be specified by means of local axioms asserted over a bounded fragment of a data structure around a memory cell. These include predicates over scalar fields, pointer equalities, and pointer disequalities. It has been shown that such local invariants are both natural and sufficient for describing a large class of data structures. This paper explores a novel technique, called KRYSTAL, to infer likely local data structure invariants using a variant of symbolic execution, called universal symbolic execution. Universal symbolic execution is like traditional symbolic execution except the fact that we create a fresh symbolic variable for every read of a lvalue that has no mapping in the symbolic state rather than creating a symbolic variable only for inputs. This helps universal symbolic execution to symbolically track data flow for all memory locations along an execution even if input values do not flow directly into those memory locations. We have implemented our algorithm and applied it to several data structure implementations in Java. Our experimental results show that we can infer many interesting local invariants for these data structures.

Citations