Abstract
A new technique is presented to statically check a given procedure against a user-provided property. The method requires no annotations; it automatically infers a context-dependent specification for each procedure call, so that only as much information about a procedure is used as is needed to analyze its caller. Specifications are inferred iteratively. Empty specifications are initially used to over-approximate the effects of all procedure calls; these are later refined in response to spurious counterexamples. When the analysis terminates, any remaining counterexample is guaranteed to be valid. However, since the heap is finitized, the absence of a counterexample does not guarantee the validity of the given property in general.
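As an added illustration (not code from the paper), the following Python sketch mimics the loop the abstract describes on a toy caller: the call to `abs_` is first abstracted by an empty specification that allows any result, each spurious counterexample admits one more lemma about the callee, and a counterexample that survives concrete replay is reported as real. The procedures, the property, the candidate lemmas and the small integer domain standing in for the finitized heap are all constructed assumptions.

```python
from itertools import product
ARG_DOMAIN = range(-2, 3)   # caller inputs a, b (assumption: small ints stand in for the bounded heap)
VAL_DOMAIN = range(-4, 5)   # callee argument and result

def abs_(x):                # callee; its spec is inferred only as far as the caller needs
    return x if x >= 0 else -x

def dist(a, b, callee):     # correct caller; 'callee' stands for the call to abs_
    return callee(a - b)

def dist_bad(a, b, callee): # buggy caller (constructed): off by one, so a real counterexample exists
    return callee(a - b) - 1

def prop(a, b, result):     # user-provided property: non-negative and zero iff a == b
    return result >= 0 and (result == 0) == (a == b)

# Candidate lemmas about the callee (hypothetical). A lemma joins the spec only when it is
# true of abs_ over VAL_DOMAIN and rules out the spurious counterexample at hand.
CANDIDATES = {
    "ret <= x": lambda x, ret: ret <= x,                 # false for abs_: never admitted
    "ret >= 0": lambda x, ret: ret >= 0,
    "ret == 0 iff x == 0": lambda x, ret: (ret == 0) == (x == 0),
    "ret >= x": lambda x, ret: ret >= x,                 # true, but the caller never needs it
}

def find_counterexample(caller, spec):
    """Over-approximate the call by any result the spec allows; search for a violation."""
    for a, b in product(ARG_DOMAIN, ARG_DOMAIN):
        for ret in VAL_DOMAIN:
            seen = []                                     # records the argument passed to the call
            result = caller(a, b, lambda x: (seen.append(x), ret)[1])
            if all(lemma(seen[0], ret) for lemma in spec) and not prop(a, b, result):
                return a, b, seen[0], ret
    return None

def check(caller):
    """Empty spec first; refine on each spurious counterexample; stop on a real one."""
    spec, admitted = [], []
    while True:                                           # each round admits a new lemma or returns
        cex = find_counterexample(caller, spec)
        if cex is None:
            return "no counterexample", None, admitted   # only within the finitized domain
        a, b, x, ret = cex
        if abs_(x) == ret:                                # replay the call concretely: real bug
            return "valid counterexample", (a, b), admitted
        for name, lemma in CANDIDATES.items():            # spurious: admit one refining lemma
            if name not in admitted and not lemma(x, ret) and all(lemma(v, abs_(v)) for v in VAL_DOMAIN):
                spec.append(lemma); admitted.append(name); break
        else:
            return "refinement exhausted", (a, b), admitted
```

`check(dist)` needs only two of the four lemmas before the search space is exhausted, while `check(dist_bad)` stops after one lemma with a counterexample that the concrete callee confirms.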
Notes
Special cases, e.g. updating arrays which are passed as parameters, can be easily added to this algorithm.
Acknowledgments
We are grateful to Mandana Vaziri for helping us to use her algorithm, and for her advice and useful discussions, and to Sharad Malik and Zhaohui Fu for their help in using ZChaff. We would also like to thank the anonymous referees for comments that helped us significantly improve our paper. This work is supported by the National Science Foundation under Grant No. 0086154 and Grant No. 0325283.
Cite this article
Taghdiri, M., Jackson, D. Inferring specifications to detect errors in code. Autom Softw Eng 14, 87–121 (2007). https://doi.org/10.1007/s10515-006-0005-x