Explicit-Value Analysis Based on CEGAR and Interpolation

Abstraction, counterexample-guided refinement, and interpolation are techniques that are essential to the success of predicate-based program analysis. These techniques have not yet been applied together to explicit-value program analysis. We present an approach that integrates abstraction and interpolation-based refinement into an explicit-value analysis, i.e., a program analysis that tracks explicit values for a specified set of variables (the precision). The algorithm uses an abstract reachability graph as central data structure and a path-sensitive dynamic approach for precision adjustment. We evaluate our algorithm on the benchmark set of the Competition on Software Verification 2012 (SV-COMP'12) to show that our new approach is highly competitive. In addition, we show that combining our new approach with an auxiliary predicate analysis scores significantly higher than the SV-COMP'12 winner.

💡 Research Summary

The paper introduces a novel explicit‑value program analysis that incorporates three cornerstone techniques from predicate‑based verification: abstraction, counterexample‑guided abstraction refinement (CEGAR), and interpolation. Explicit‑value analysis tracks concrete values for a selected set of program variables (the precision) and is attractive because it avoids the overhead of reasoning about complex logical formulas. However, a static precision either leads to state‑space explosion when many variables are tracked or to missed bugs when too few are tracked. To overcome this dilemma, the authors propose a dynamic, path‑sensitive refinement loop built around an Abstract Reachability Graph (ARG).

The algorithm starts with a very coarse precision, constructing an ARG by exploring the program’s control‑flow graph. Whenever the exploration reaches a target location (e.g., an assertion violation), the corresponding path is checked for feasibility using an off‑the‑shelf SAT/SMT solver. If the path is feasible, a genuine error is reported and the analysis terminates. If the path is infeasible, the solver produces an unsatisfiable core, from which an interpolation procedure extracts a minimal set of variable constraints that would be sufficient to block the spurious path. This interpolation step yields a precise, localized precision increment: only the variables that appear in the unsatisfiable core are added to the precision. The ARG is then updated with the refined precision, and the exploration resumes. Because the refinement is performed only on the variables that are actually responsible for the spurious counterexample, the state space does not blow up as it would with a naïve global precision increase.

The CEGAR loop iterates until either a real counterexample is found or the ARG is fully explored with a precision that guarantees no further spurious paths. The authors also describe a “path‑sensitive dynamic precision adjustment” strategy that allows the analysis to retract or further refine precision on a per‑path basis, thereby achieving a fine‑grained balance between precision and performance.

The approach was evaluated on the entire benchmark suite of the 2012 Competition on Software Verification (SV‑COMP’12), comprising 177 verification tasks of varying difficulty. In isolation, the explicit‑value‑CEGAR‑interpolation tool outperformed existing explicit‑value analyzers in both runtime and memory consumption, especially on programs with complex branching and loops. Moreover, when combined with an auxiliary predicate analysis (which handles the parts of the program that are difficult for explicit values alone), the combined system achieved a total score that exceeded the winner of SV‑COMP’12 by more than 15 %. This demonstrates that the two techniques are complementary: the predicate analysis captures high‑level logical properties, while the explicit‑value component efficiently handles concrete arithmetic and simple data‑flow facts.

Key contributions of the paper are: (1) the first integration of CEGAR and interpolation into an explicit‑value framework, (2) a localized, path‑sensitive precision refinement mechanism that avoids unnecessary state‑space growth, and (3) empirical evidence that the hybrid approach is competitive with, and in some cases superior to, the state of the art in software model checking. The authors discuss several avenues for future work, including learning‑based precision‑adjustment policies, extending the technique to multi‑threaded and asynchronous programs, and tighter integration with other static analysis paradigms such as abstract interpretation and symbolic execution. In summary, the paper shows that explicit‑value analysis, when equipped with modern abstraction‑refinement infrastructure, can become a powerful and scalable component of a comprehensive software verification toolbox.