## Program analysis via satisfiability modulo path programs (2010)

Venue: POPL

Citations: 8 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Harris10programanalysis,
  author    = {William R. Harris and Sriram Sankaranarayanan and Franjo Ivančić and Aarti Gupta},
  title     = {Program analysis via satisfiability modulo path programs},
  booktitle = {POPL},
  year      = {2010},
  pages     = {71--82}
}
```

### Abstract

Path-sensitivity is often a crucial requirement for verifying safety properties of programs. As it is infeasible to enumerate and analyze each path individually, analyses compromise by soundly merging information about executions along multiple paths. However, this frequently results in a loss of precision. We present a program analysis technique that we call Satisfiability Modulo Path Programs (SMPP), based on a path-based decomposition of a program. It is inspired by insights that have driven the development of modern SMT (Satisfiability Modulo Theory) solvers. SMPP symbolically enumerates path programs using a SAT formula over control edges in the program. Each enumerated path program is verified using an oracle, such as abstract interpretation or symbolic execution, to either find a proof of correctness or report a potential violation. If a proof is found, then SMPP extracts a sufficient set of control edges and corresponding interference edges, as a form of proof-based learning. Blocking clauses derived from these edges are added back to the SAT formula to avoid enumeration of other path programs guaranteed to be correct, thereby improving performance and scalability. We have applied SMPP in the F-Soft program verification framework, to verify properties of real-world C programs that require path-sensitive reasoning. Our results indicate that the precision from analyzing individual path programs, combined with their efficient enumeration by SMPP, can prove properties as well as indicate potential violations in the large.

### Citations

**Introduction to Algorithms.** Cormen, Leiserson, et al., 2001. (8984 citations)
Citation context: …w Graph (CFG) is associated with a simple path in the MSCC (Maximal Strongly Connected Component) decomposition of the CFG, obtained by compacting loops and recurrences in the program into components [9]. Whereas the number of control paths in the original CFG may be infinite (due to loops and recurrences), the MSCC decomposition is acyclic with finitely many control paths. Nevertheless, this number c…

**Chaff: Engineering an Efficient SAT Solver.** Moskewicz, Madigan, et al., 2001. (1192 citations)
Citation context: …o support these operations for formulas with hundreds of thousands of variables and clauses. In this respect, our encoding is empirically shown to be quite amenable to existing solvers such as ZChaff [28], even for large programs. 2. PRELIMINARIES We first present our approach on single-procedure programs without function calls. We assume that all variables are of type integer. The handling of functio…

**Symbolic model checking without BDDs.** Biere, Cimatti, et al., 1999. (760 citations)
Citation context: …ram can be analyzed using “proof techniques” such as abstract interpretation [12, 11], or “falsification techniques” such as bounded model-checking that search for concrete error traces of violations [5]. We assume (w.l.o.g.) that a verification oracle presents Floyd-Hoare style proofs in the form of inductive invariants, or concrete witnesses upon violation. We present a proof-based learning techniq…

**Construction of abstract state graphs with PVS.** Graf, Saidi, 1997. (642 citations)
Citation context: …ein the property to be proved is independent of the loops. It is possible to use other known techniques as oracles, such as lazy abstraction with interpolants [26] or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines usin…

**Automatic discovery of linear restraints among variables of a program.** Cousot, Halbwachs. (598 citations)
Citation context: …ses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic intervals [30] and polyhedra [13]. We evaluated our implementation by using it to verify array overflow and string library usage properties for C programs. We used publicly available benchmarks: smaller programs in Zitser et al. [34…

**Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints.** Patrick Cousot and Radhia Cousot, 1977. (379 citations)
Citation context: …location, we enumerate a control path and use an oracle to verify the corresponding path program. Each enumerated path program can be analyzed using “proof techniques” such as abstract interpretation [12, 11], or “falsification techniques” such as bounded model-checking that search for concrete error traces of violations [5]. We assume (w.l.o.g.) that a verification oracle presents Floyd-Hoare style proof…

**ESP: path-sensitive program verification in polynomial time.** Das, Lerner, et al., 2002. (255 citations)
Citation context: …la, which is much smaller than a typical BMC formula that encodes unwindings of a program. Abstract interpretation and path-sensitive analysis. Other approaches to path-sensitive analysis include ESP [14], trace partitioning [25], elaborations [31], amongst many others. These techniques employ heuristics to control the trade-off between performing a join operation or a logical disjunction at the merge…

**Cloning-based context-sensitive pointer alias analysis using binary decision diagrams.** Whaley, Lam, 2004. (250 citations)
Citation context: …nt calling contexts. This is achieved by first performing a context numbering of the function calls in the CFG. The context numbering scheme described by Whaley and Lam can be used for such a purpose [32]. Each CFG edge e then yields multiple propositions p(e, c) based on the different calling contexts c that the edge may be visited in. The rest of the encoding remains unchanged with… void allocM (int …

**Static determination of dynamic properties of programs.** Cousot, Cousot. (175 citations)
Citation context: …t program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic intervals [30] and polyhedra [13]. We evaluated our implementation by using it to verify array overflow and string library usage properties for C programs. We used publicly a…

**Comparing the Galois connection and widening/narrowing approaches to abstract interpretation.** Cousot, Cousot, 1992. (170 citations)
Citation context: …location, we enumerate a control path and use an oracle to verify the corresponding path program. Each enumerated path program can be analyzed using “proof techniques” such as abstract interpretation [12, 11], or “falsification techniques” such as bounded model-checking that search for concrete error traces of violations [5]. We assume (w.l.o.g.) that a verification oracle presents Floyd-Hoare style proof…

**Solving SAT and SAT Modulo Theories: from an Abstract Davis-Putnam-Logemann-Loveland Procedure to DPLL(T).** Nieuwenhuis, Oliveras, et al. (156 citations)
Citation context: …dual path programs with a SAT solver, which is used to enumerate over a Boolean abstraction of the control-flow of the program. This is similar in spirit to Satisfiability Modulo Theory (SMT) solvers [29, 16, 15]. To check the satisfiability of a given formula, an SMT solver integrates theory solvers (that check the satisfiability of conjunctive formulas over a theory) with a SAT solver that enumerates over a…

**The SLAM toolkit.** Ball, Rajamani, 2001. (155 citations)
Citation context: …ein the property to be proved is independent of the loops. It is possible to use other known techniques as oracles, such as lazy abstraction with interpolants [26] or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines usin…

**Lazy abstraction with interpolants.** McMillan, 2006. (79 citations)
Citation context: …over path programs without loops or wherein the property to be proved is independent of the loops. It is possible to use other known techniques as oracles, such as lazy abstraction with interpolants [26] or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices…

**Testing Static Analysis Tools Using Exploitable Buffer Overflows from Open Source Code.** Zitser, Lippmann, et al. (71 citations)
Citation context: …13]. We evaluated our implementation by using it to verify array overflow and string library usage properties for C programs. We used publicly available benchmarks: smaller programs in Zitser et al. [34], and larger open source programs such as openssh, thttpd and xvidcore. Our evaluation shows that SMPP can derive proofs of properties that are beyond the reach of path-insensitive static analysis (alr…

**Trace partitioning in abstract interpretation based static analyzers.** Mauborgne, Rival, 2005. (64 citations)
Citation context: …than a typical BMC formula that encodes unwindings of a program. Abstract interpretation and path-sensitive analysis. Other approaches to path-sensitive analysis include ESP [14], trace partitioning [25], elaborations [31], amongst many others. These techniques employ heuristics to control the trade-off between performing a join operation or a logical disjunction at the merge points in the CFG. Howev…

**A new numerical abstract domain based on difference-bound matrices.** Miné. (64 citations)
Citation context: …ication framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic intervals [30] and polyhedra [13]. We evaluated our implementation by using it to verify array overflow and string library usage properties for C programs. We used publicly available benchm…

**Counterexample-guided abstraction refinement.** Clarke, Grumberg, Jha, Lu, and Veith, 2000. (54 citations)
Citation context: …with data predicates, e.g. Boolean programs [2, 3]. Such abstractions are more expensive to compute than our abstractions. (b) Rather than a refinement loop over false error traces (counterexamples) [8, 2], our refinement loop operates over path programs associated with the enumerated control paths. (c) Our approach avoids divergences on loops in the program. This is because we enumerate over an acycli…

**Saturn: A scalable framework for error detection using boolean satisfiability.** Xie, Aiken, 2007. (33 citations)
Citation context: …g of programs. Efficient SAT-based techniques have been used for bounded model checking (BMC) [5] of programs in tools such as CBMC [7], F-Soft [21], and for scalable summary-based analysis in Saturn [33]. These techniques automatically utilize SAT-based conflict analysis and learning for pruning the search space. However, they suffer in the presence of loops, which require deep unwindings that result…

**Static analysis in disjunctive numerical domains.** Sankaranarayanan, Ivančić, et al., 2006. (30 citations)
Citation context: …ons suffice, in general, to prove any given property. Proofs involving disjunctions of conjunctions can be transformed into purely conjunctive proofs on a suitable elaboration of the original program [31]. Let η be a fixed-point map that establishes a property 〈nf, ϕ〉, i.e., η(nf) |= ϕ. Since η is a fixed-point, for every edge e : n1 → n2 ∈ Eπ, the following consecution condition holds: η(n1) ∧ ρe(V, …

**Using statically computed invariants inside the predicate abstraction and refinement loop.** Jain, Ivančić, et al., 2006. (24 citations)
Citation context: …f the Boolean formula abstraction. Another approach is to use abstract interpretation to derive useful program invariants as a pre-processing step, to avoid expensive refinement iterations over loops [23]. Bounded model checking of programs. Efficient SAT-based techniques have been used for bounded model checking (BMC) [5] of programs in tools such as CBMC [7], F-Soft [21], and for scalable summary-ba…

**A tool for checking ANSI-C programs.** Clarke, Kroening, and Lerda, 2004. (23 citations)
Citation context: …pensive refinement iterations over loops [23]. Bounded model checking of programs. Efficient SAT-based techniques have been used for bounded model checking (BMC) [5] of programs in tools such as CBMC [7], F-Soft [21], and for scalable summary-based analysis in Saturn [33]. These techniques automatically utilize SAT-based conflict analysis and learning for pruning the search space. However, they suffe…

**Invariant synthesis for combined theories.** Beyer, Henzinger, Majumdar, and Rybalchenko, 2007. (18 citations)
Citation context: …iability Modulo Path Programs (SMPP) approach to program analysis for property verification. Our approach decomposes the verification of a given program to verification of its component path programs [4]. A path program represents a set of program executions, all of which traverse the same set of edges in a control flow graph, but may vary in the number of iterations of loops/recurrences encountered.…

**The software model checker BLAST.** Beyer, Henzinger, Jhala, and Majumdar. (17 citations)
Citation context: …ein the property to be proved is independent of the loops. It is possible to use other known techniques as oracles, such as lazy abstraction with interpolants [26] or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines usin…

**InvGen: An Efficient Invariant Generator.** Gupta, Rybalchenko, 2009. (15 citations)
Citation context: …underlined above) suffices. The remaining invariants are extraneous. In principle, we can use other techniques that (attempt to) generate minimal sets of invariants required to prove a given property [6, 18, 19]. These techniques can generate strong invariants for small but complex loops. However, they are currently unsuitable for generating simple global invariants for large path programs. We provide a gene…

**Z3: An efficient SMT solver.** de Moura, Bjørner, 2008. (14 citations)
Citation context: …dual path programs with a SAT solver, which is used to enumerate over a Boolean abstraction of the control-flow of the program. This is similar in spirit to Satisfiability Modulo Theory (SMT) solvers [29, 16, 15]. To check the satisfiability of a given formula, an SMT solver integrates theory solvers (that check the satisfiability of conjunctive formulas over a theory) with a SAT solver that enumerates over a…

**A fast linear-arithmetic solver for DPLL(T).** Dutertre, de Moura, 2006. (14 citations)
Citation context: …or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic intervals [30] and polyhedra [13]. We evaluated our implementation by using it t…

**Program Analysis Using Symbolic Ranges.** Sankaranarayanan, Ivančić, et al., 2007. (14 citations)
Citation context: …he implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic intervals [30] and polyhedra [13]. We evaluated our implementation by using it to verify array overflow and string library usage properties for C programs. We used publicly available benchmarks: smaller programs i…

**Program analysis as constraint solving.** Gulwani, Srivastava, and Venkatesan, 2008. (13 citations)
Citation context: …underlined above) suffices. The remaining invariants are extraneous. In principle, we can use other techniques that (attempt to) generate minimal sets of invariants required to prove a given property [6, 18, 19]. These techniques can generate strong invariants for small but complex loops. However, they are currently unsuitable for generating simple global invariants for large path programs. We provide a gene…

**SLR: Path-Sensitive Analysis through Infeasible-Path Detection and Syntactic Language Refinement.** Balakrishnan, Sankaranarayanan, et al., 2008. (10 citations)
Citation context: …ve analyses such as constant folding, interval analysis, and various numerical domain analyses. F-Soft implements many abstract domains in a partially path-sensitive abstract interpretation framework [30, 1]. The analysis uses these domains in combination or in succession to attempt to prove a property, each run of the analysis reusing the invariants obtained by the previous runs. F-Soft re-slices the pr…

**Property-directed incremental invariant generation.** Bradley, Manna, 2008. (10 citations)
Citation context: …underlined above) suffices. The remaining invariants are extraneous. In principle, we can use other techniques that (attempt to) generate minimal sets of invariants required to prove a given property [6, 18, 19]. These techniques can generate strong invariants for small but complex loops. However, they are currently unsuitable for generating simple global invariants for large path programs. We provide a gene…

**Refinement of trace abstraction.** Heizmann, Hoenicke, et al., 2009. (7 citations)
Citation context: …and abstract interpretation to handle path programs with loops. Other oracles, such as predicate abstraction refinement, can also be used. Our work is closely related to recent work by Heizmann et al. [20]. They propose an abstraction refinement scheme for trace abstractions. An over-approximation of the set of possible traces is successively refined by means of an interpolant automaton that recognize…

**F-Soft: Software verification platform.** Ivančić, Yang, et al., with Aarti Gupta, Ilya Shlyakhter, and Pranav Ashar, 2005. (1 citation)
Citation context: …n techniques as oracles, such as lazy abstraction with interpolants [26] or predicate abstraction refinement [17, 2, 3]. We implemented the SMPP technique in the F-Soft program verification framework [21]. The implementation uses a symbolic execution engine based on Yices [16], and abstract interpretation engines using a succession of numerical domains: intervals [10], octagons [27], symbolic interva…

**Buffer overflow analysis using environment refinement.** Ivančić, Sriram Sankaranarayanan, Ilya Shlyakhter, and Aarti Gupta. Draft (2009), available upon request. (1 citation)
Citation context: …such that the paths in this graph are related to fragments in the original CFG. 4. IMPLEMENTATION We have implemented our approach as a part of the F-Soft program verification platform for C programs [21, 22]. F-Soft checks C programs for buffer overflows, string API usage, NULL pointer dereferences, user-defined type-state properties, memory leaks and so on. For a detailed description of our modeling of…