Tool-supported Program Abstraction for Finite-state Verification Matthew B. Dwyer, John Hatcliff, Robby Joehanes, Shawn Laubach, Corina S. P ˘ as˘ areanu, Robby, Hongjun Zheng Kansas State University Department of Computing and Information Sciences Manhattan, KS 66506, USA dwyer,hatcliff,robbyjo,laubach,pcorina,robby,zheng @cis.ksu.edu Willem Visser RIACS/NASA Ames Research Center Moffet Field, CA 94035, USA wvisser@ptolemy.arc.nasa.gov ABSTRACT Numerous researchers have reported success in reasoning about properties of small programs using finite-state verifi- cation techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realis- tic programs, aggressive abstraction of program data will be necessary. Furthermore, we believe that to make abstraction- based verification usable by non-experts significant tool sup- port will be required. In this paper, we describe how several different program analysis and transformation techniques are integrated into the Bandera toolset to provide facilities for abstracting Java programs to produce compact, finite-state models that are amenable to verification, for example via model checking. We illustrate the application of Bandera’s abstraction facili- ties to analyze a realistic multi-threaded Java program. Keywords program analysis, model checking, abstract interpretation 1 INTRODUCTION Finite-state verification techniques, such as model checking, are rekindling interest in program verification. Such tech- niques exhaustively check a finite-state model of a system for violations of a system requirement formally specified as an assertion or in a temporal logic (e.g., LTL [13]). This approach allows for a very high-level of confidence in sys- tem correctness to be achieved essentially automatically— once the model and property specification are constructed, the verification is fully automatic, albeit potentially time- consuming. There are several obstacles to applying existing model checking [11, 14] directly to the reason about programs; for example, how to efficiently express modern object-oriented language features in the somewhat restrictive verifier input languages. Perhaps the greatest obstacle to scaling finite- state verification technology to reason about realistic pro- grams, however, is the exponential increase in the size of a finite-state model as the number of program components grows. A variety of methods exist for curbing this state ex- plosion when analyzing certain types of systems, and these methods have proven sufficient to make analysis of many hardware designs tractable. Unfortunately, software systems tend to have much more state than hardware components and thus must be more aggressively abstracted to produce tractable models. In this paper, we describe an approach to user-guided ab- straction of programs written in Java; this approach is imple- mented as part of the Bandera toolset [4]. Our goal is to en- able non-experts in program verification to generate abstract program models that are compact enough for tractable ver- ification. While fully-automatic verification is conceptually attractive, we believe that minimal input from users at key points in the abstraction process will provide significantly more flexibility in producing compact program models. Our approach has been influenced by a large body of work on abstraction in program analysis and computer-aided ver- ification. Specifically, we adopt the framework of abstract interpretation [5], in which an abstraction maps the values of a program data type to a set of abstract values and the op- erations on that data type to a function over abstract values; abstraction of program control is handled in Bandera using program slicing and partial evaluation techniques. While there has been much foundational work on defining sound abstractions in transition system models, there has been very little work on developing tool support for effec- tively applying abstract interpretations for model-reduction to large code bases written in modern programming lan- guages like Java. We believe that there are four central is- sues that need to be addressed in this setting: (i) providing facilities for easily defining new abstractions, (ii) providing tool support and methodologies for selecting appropriate ab- stractions, (iii) generating abstract programs from concrete ones, and (iv) interpreting the results of model-checking ab- stract programs. We use a combination of predicate abstrac- tion [18] and manual techniques for creating the definitions of abstractions and we store these definitions in a library for use in subsequent program verification activities. Users are guided in selecting abstractions based on the property un-