Witness Generation for Data-flow Analysis
Date
2020
Publisher
Tartu Ülikool
Abstract
A program analyzer, which determines whether a given program satisfies or violates a
specification, may itself contain bugs and thus be untrustworthy. Hence, the analyzer
should back its claims with witnesses, which can be understood by the programmer
and automatically checked by independent tools. Interprocedural data-flow analysis is
well-suited for certain problems, but its abstractions do not directly correspond to the required
witnesses. We show that witnesses can be generated with data-flow analysis by designing
the necessary methods to handle interprocedurality and by adapting a technique from model
checking to increase the precision of the generated witnesses. The ideas are implemented
and experimentally evaluated in the data-flow analyzer Goblint. This improves the
trustworthiness and usability of data-flow analyzers and enables their comparison with
other verifiers.
Keywords
static analysis, software verification, witnesses, data-flow analysis, reachability, interprocedural analysis, Goblint