
Efficient and formal generalized symbolic execution

Published in: Automated Software Engineering

Abstract

Programs that manipulate dynamic heap objects are difficult to analyze because of issues such as aliasing. The lazy initialization algorithm enables classical symbolic execution to handle such programs. Despite its successes, two issues remain unresolved: (1) inefficiency and (2) the lack of a formal study. For the inefficiency issue, we have proposed two improved algorithms that give a significant reduction in analysis time over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all three algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct an extensive set of experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms.
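As an added illustration, not code from the paper or its authors, the Python sketch below enacts the case split that the original lazy initialization algorithm performs the first time a symbolic reference field is read: the field is null, aliases an object already materialized on the heap, or points to a fresh object (capped by a bound so exploration stays finite). It drives that split with a traversal of an unknown singly linked list; the class names, the `bound` parameter and the readable path-condition strings are this example's own choices, and the paper's improved algorithms are not modeled.

```python
import copy

UNINIT = "uninit"   # marker: symbolic reference field not yet touched by the analysis

class Node:
    def __init__(self, nid):
        self.nid, self.next = nid, UNINIT

class State:
    def __init__(self, heap, path):
        self.heap = heap   # materialized nodes keyed by nid (all of one type here)
        self.path = path   # path condition as readable constraints (a solver would get formulas)

def lazy_init(state, node, bound):
    """Successor states for the first read of node.next: null, an alias to any
    object already materialized, or a fresh object (only while under `bound`)."""
    if node.next != UNINIT:                # already initialized: deterministic read
        return [state]
    succs = []
    s = copy.deepcopy(state)               # case 1: the field is null
    s.heap[node.nid].next = None
    s.path.append(f"n{node.nid}.next == null"); succs.append(s)
    for other in state.heap.values():      # case 2: aliases an existing object
        s = copy.deepcopy(state)
        s.heap[node.nid].next = s.heap[other.nid]
        s.path.append(f"n{node.nid}.next == n{other.nid}"); succs.append(s)
    if len(state.heap) < bound:            # case 3: a previously unseen object
        s = copy.deepcopy(state)
        fresh = Node(len(s.heap)); s.heap[fresh.nid] = fresh
        s.heap[node.nid].next = fresh
        s.path.append(f"n{node.nid}.next == fresh n{fresh.nid}"); succs.append(s)
    return succs

def explore_traversal(bound):
    """Symbolically run `p = this; while (p != null) p = p.next;` on an unknown
    list. Returns one path condition per explored path; paths whose heap shape
    makes the loop non-terminating end with a 'cycle' constraint."""
    init = State({0: Node(0)}, ["this == n0"])
    results, work = [], [(init, 0, frozenset())]   # (state, nid of p, nids visited)
    while work:
        st, p, seen = work.pop()
        if p in seen:                      # revisiting a node: the traversal would loop
            results.append(st.path + [f"cycle through n{p}"]); continue
        for s in lazy_init(st, st.heap[p], bound):
            nxt = s.heap[p].next
            if nxt is None:
                results.append(s.path)     # p became null: loop exits
            else:
                work.append((s, nxt.nid, seen | {p}))
    return results

if __name__ == "__main__":
    for pc in explore_traversal(2):
        print(" && ".join(pc))
```

With `bound=2` the traversal yields five paths: two acyclic lists (length one and two) and three heap shapes in which `next` aliases an earlier node, which is exactly the aliasing case that makes heap programs hard for plain symbolic execution.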



Corresponding author

Correspondence to Xianghua Deng.


Cite this article

Deng, X., Lee, J. & Robby: Efficient and formal generalized symbolic execution. Autom. Softw. Eng. 19, 233–301 (2012). https://doi.org/10.1007/s10515-011-0089-9
