Static Analysis - Automated Bug Hunting and Beyond

Speaker Julian Erhard, Michael Schwarz
Location TBD
Time TBD
Module IN0012, IN2106, IN4239

Together with colleagues at the University of Tartu, we develop and maintain the static analyzer Goblint, which is based on abstract interpretation. The tool is capable of analyzing real-world C programs and showing properties such as the absence of buffer overruns or data races in multi-threaded code without requiring any user interaction at all. Goblint won the Data Race Category of the Software Verification Competition in 2023.

In the course of this practical, you (in teams of 2-4) will be able to enhance Goblint with your own static analysis. Possible topics include:

a) Termination Analysis

Usually, we want to be sure that our programs terminate. Because the Halting Problem is undecidable, no procedure can decide for every program whether it terminates. However, in benign cases, one can show that all loops occurring in a program are iterated only a finite number of times. One approach is to add an additional variable that is incremented in each iteration of the loop. If the static analyzer is able to prove that the value range of this variable has an upper bound, the loop is proven to terminate. For programs that contain procedure calls, one additionally has to show that no infinite recursion is possible.

Your task will be to implement an analysis that is able to prove termination of loops, and checks the call graph for cycles. As a result, your analysis will be able to show termination for suitable programs.
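
A toy version of the two checks described above, as an added example that is not Goblint code or part of the course material: `loop_bound` tracks an interval for the loop variable separately for each counter value and returns an upper bound for the counter, and `find_call_cycle` searches the call graph for recursion. It assumes unbounded integers and loops of the form `for (i = init; i < limit; i += step)`; all function names and the sample program model are constructed for illustration.

```python
# Added example: toy termination check, not Goblint's implementation.
# Assumes unbounded integers and loops of the form
#   for (i = <value in init>; i < limit; i += step) { counter++; }

def loop_bound(init, limit, step, max_unroll=1000):
    """Upper bound for the added counter, or None if none is proven.

    The interval (lo, hi) for i is tracked separately for each counter
    value k; an empty interval at k means iteration k never starts."""
    lo, hi = init
    for k in range(max_unroll + 1):
        hi = min(hi, limit - 1)          # apply the loop guard i < limit
        if lo > hi:
            return k
        lo, hi = lo + step, hi + step    # abstract effect of the loop body
    return None

def find_call_cycle(calls):
    """Return one cycle in the call graph as a list of names, or None."""
    done, on_path = set(), []
    def visit(f):
        if f in on_path:                 # back edge: f calls itself transitively
            return on_path[on_path.index(f):] + [f]
        if f in done:
            return None
        on_path.append(f)
        for g in calls.get(f, ()):
            cycle = visit(g)
            if cycle:
                return cycle
        on_path.pop()
        done.add(f)
        return None
    for f in calls:
        cycle = visit(f)
        if cycle:
            return cycle
    return None

def check_termination(calls, loops):
    """Return (True, bounds) if every loop is bounded and no recursion exists."""
    cycle = find_call_cycle(calls)
    if cycle:
        return False, "possible recursion: " + " -> ".join(cycle)
    bounds = {name: loop_bound(*spec) for name, spec in loops.items()}
    unproven = sorted(n for n, b in bounds.items() if b is None)
    if unproven:
        return False, "no bound proven for: " + ", ".join(unproven)
    return True, bounds

# Constructed sample program model (hypothetical names).
CALLS = {"main": ["parse", "work"], "parse": [], "work": ["log"]}
LOOPS = {"parse.loop": ((0, 0), 10, 1), "work.loop": ((0, 5), 10, 2)}
```

A result of `None` from `loop_bound` (for example with `step` 0) means only that no bound was proven within `max_unroll`, not that the loop diverges.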

b) Analyzing state-of-the-art C Code

While the C language community is slow to adopt new standards, usage of features introduced in C11 is on the rise. Goblint has full support for C99 features, but its support for analyzing programs written in C11 is incomplete. In particular, C11 introduced features for multithreading, including standard functions for thread creation and joining, as well as thread-local variables. These features are of particular interest to us, as one of the core strengths of Goblint that sets us apart from many competitors in the same field is the analysis of multithreaded (pthread) programs.

Your task will be to implement support for the analysis of code that uses C11 features, in particular related to the C11 multithreading library.

This will:

  • Deepen your understanding of the semantics of C and typical programming errors
  • Deepen your understanding of static analysis by Abstract Interpretation
  • Level up your functional programming skills
  • Connect you to the research we do day-to-day


Prerequisites:

  • Program Optimization (IN2053) (or a similar course at another university)
  • Knowledge of a functional programming language (we use OCaml, but the basics are not so different from other functional programming languages)
  • Be in your Master's (Advanced Bachelor's students welcome)


This course will stretch over most of the lecture time. On top of working in your team, you will have weekly to biweekly meetings with us. At the end of the practical, all teams will present their results. We expect you to attend and participate in the Q&A.

There will be a pre-meeting on Feb 07, 1pm at:

Slides from Pre-Meeting