Symbolic execution with abstraction

被引：38

作者：

Anand S. ^{[1
]}

Pǎsǎreanu C.S. ^{[2
]}

Visser W. ^{[3
]}

机构：

[1] College of Computing, Georgia Institute of Technology, Atlanta, GA

[2] NASA Ames Research Center, Mountain View, CA 94035, Moffett Field

[3] SEVEN Networks, Redwood City, CA

来源：

International Journal on Software Tools for Technology Transfer | 2009年 / 11卷 / 01期

关键词：

Model Check; Array Element; Path Condition; Symbolic Execution; Symbolic State;

D O I：

10.1007/s10009-008-0090-1

中图分类号：

学科分类号：

摘要：

We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks - this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of Anand et al. (Proceedings of SPIN, pp. 163-181, 2006). © Springer-Verlag 2008.

引用

页码：53 / 67

页数：14

共 31 条

[1]

Anand S., Orso A., Harrold M.J., Type-dependence analysis and program transformation for symbolic execution, Proceedings of TACAS, pp. 117-133, (2007)

[2]

Anand S., Pasareanu C.S., Visser W., Symbolic execution with abstract subsumption checking, Proceedings of SPIN, pp. 163-181, (2006)

[3]

Anand S., Pasareanu C.S., Visser W., JPF-SE: A symbolic execution extension to Java Pathfinder, Proceedings of TACAS, pp. 134-138, (2007)

[4]

Ball T., A theory of predicate-complete test coverage and generation, (2004)

[5]

Ball T., Kupferman O., Yorsh G., Abstraction for falsification, Proceedings of CAV, pp. 67-81, (2005)

[6]

Ball T., Rajamani S.K., The SLAM toolkit, Proceedings of CAV, (2001)

[7]

Chaki S., Clarke E., Groce A., Jha S., Veith H., Modular verification of software components in C, ACM Trans. Comput. Syst., 30, 6, pp. 388-402, (2004)

[8]

Dams D., Namjoshi K.S., Shape analysis through predicate abstraction and model checking, Proceedings of VMCAI, pp. 310-324, (2003)

[9]

Flanagan C., Qadeer S., Predicate abstraction for software verification, Proceedings of POPL, pp. 191-202, (2002)

[10]

Flyod R.W., Assigning meanings to programs, Proceedings of Symposia in Applied Mathematics, 19, pp. 19-32, (1967)

← 1 2 3 4 →