Abductive, Inductive and Deductive Reasoning about Resources

We describe a method for reasoning about programs that uses a mixture of abductive, inductive and deductive inference. It allows us to synthesize a pre/post spec for a program procedure, without requiring any information about the procedure’s calling context. The method can be used to obtain partial specifications for portions of large code bases in the millions of lines of code. The method begins by trying to deductively prove a procedure, with a precondition describing empty or no resources. If at some point we have insufficient information to perform an internal operation – perhaps a lock must be held, or a memory cell must be allocated – we perform abductive inference to infer what is missing, and hypothesize that this is part of the precondition that you need to describe the resources that the program requires. There is the possibility, though, that an unbounded number of abduced preconditions could be generated, if the procedure has a loop. To enable convergence of this process we apply an abstraction operation, which generalizes the more specific abduced facts that have been discovered. In this setup it is the job of abduction to discover descriptions of missing resource, where abstraction computes a generalization of the specific facts discovered by abduction: abstraction used in this way is a form of inductive generalization, rather than deductive reasoning about program behaviour. Thus, our automated reasoning method involves a mixture of all three of the forms of reasoning – deductive, inductive, and abductive – that Charles Peirce identified in his analysis of the scientific process [5]. This talk presents a survey and further development of recent joint work with Cristiano Calcagno, Dino Distefano and Hongseok Yang on automatic program analysis [1–3]. Among other things, the current work automates ideas about local reasoning and footprints I put forward in a talk at the 2001 CSL conference [4]. In particular, our new inference technique attempts to discover assertions describing the footprint (the resources that a program component accesses), where previously the human was left to find them.