Abstract
We introduce a novel technique for checking properties described by finite state machines. The technique is based on a synergy of three well-known methods: instrumentation, program slicing, and symbolic execution. More precisely, we instrument a given program with code that tracks runs of the state machines representing the properties of interest. Next, we slice the program to reduce its size without affecting the runs of the state machines. Finally, we symbolically execute the sliced program to find real violations of the checked properties, i.e. real bugs. Depending on the kind of symbolic execution used, the technique can be applied as a stand-alone bug-finding technique, or to weed out false positives from the output of another bug-finding tool. We provide several examples demonstrating the practical applicability of our technique.
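To make the three-step pipeline concrete, the following is an added toy implementation in Python; it is not the authors' tool and does not reproduce their instrumentation, slicer, or symbolic executor. The miniature IR, the lock/unlock automaton (double lock, unlock without lock, and returning while locked are violations), the sample program, and the bounded enumeration of inputs that stands in for a constraint solver are all assumptions of this example. Each call or function exit is instrumented as a transition of the automaton state `st` followed by a check, the instrumented program is backward-sliced with respect to those checks (data and control dependences, loop-free code only), and the slice is then explored path by path; a report is only emitted when the path condition has a concrete witness, which is what makes the violation "real".

```python
"""Instrument, slice, then symbolically execute a toy program to check a
property given as a finite state machine.  Added illustration: the IR, the
automaton, the sample program and the bounded "solver" are constructed here."""
import itertools

V = lambda name: ("var", name)        # expression AST helpers
K = lambda value: ("const", value)

# Property automaton; any missing (state, event) pair leads to ERR.
FSM = {("U", "lock"): "L", ("L", "unlock"): "U", ("U", "return"): "U"}
step = lambda state, event: FSM.get((state, event), "ERR")

# IR: ("assign", var, expr) | ("call", event) | ("if", cond, then, else)
# Expressions: ("var", n) | ("const", v) | ("not", e) | (op, l, r), op in OPS

def track(event):
    """Instrumentation for one event: advance `st`, then check it is not ERR."""
    return [("assign", "st", ("step", event, V("st"))),
            ("check", ("eq", V("st"), K("ERR")), event)]

def instrument(block, top=True):
    out = []
    for s in block:
        if s[0] == "call":
            out += track(s[1])
        elif s[0] == "if":
            out.append(("if", s[1], instrument(s[2], False), instrument(s[3], False)))
        else:
            out.append(s)
    return out + (track("return") if top else [])   # function exit is an event

def free_vars(e):
    if e[0] == "var":
        return {e[1]}
    return set().union(*(free_vars(x) for x in e[1:] if isinstance(x, tuple)))

def slice_block(block, needed):
    """Backward slice: keep checks, assignments they depend on, and ifs that
    guard kept statements.  Returns (slice, variables needed before block)."""
    kept = []
    for s in reversed(block):
        if s[0] == "check":
            kept.append(s)
            needed = needed | free_vars(s[1])
        elif s[0] == "assign" and s[1] in needed:
            kept.append(s)
            needed = (needed - {s[1]}) | free_vars(s[2])
        elif s[0] == "if":
            then_b, need_t = slice_block(s[2], needed)
            else_b, need_e = slice_block(s[3], needed)
            if then_b or else_b:
                kept.append(("if", s[1], then_b, else_b))
                needed = need_t | need_e | free_vars(s[1])
    return kept[::-1], needed

OPS = {"add": lambda a, b: a + b, "mul": lambda a, b: a * b,
       "gt": lambda a, b: a > b, "eq": lambda a, b: a == b}

def subst(e, env):
    """Rewrite `e` over the symbolic environment; automaton steps fold to constants
    because the state never depends on program data."""
    if e[0] == "var":
        return env.get(e[1], e)            # unknown names are symbolic inputs
    if e[0] == "const":
        return e
    if e[0] == "step":
        return K(step(subst(e[2], env)[1], e[1]))
    return (e[0],) + tuple(subst(x, env) for x in e[1:])

def evaluate(e, model):
    if e[0] == "var":
        return model[e[1]]
    if e[0] == "const":
        return e[1]
    if e[0] == "not":
        return not evaluate(e[1], model)
    return OPS[e[0]](evaluate(e[1], model), evaluate(e[2], model))

def witness(path_cond, inputs, domain):
    """Stand-in for an SMT solver: bounded enumeration of the inputs over `domain`."""
    for vals in itertools.product(domain, repeat=len(inputs)):
        model = dict(zip(inputs, vals))
        if all(evaluate(c, model) for c in path_cond):
            return model
    return None

def run(block, env, pc, inputs, domain, bugs):
    """Symbolic execution; forks at each `if` whose branch condition is feasible."""
    for i, s in enumerate(block):
        if s[0] == "assign":
            env = {**env, s[1]: subst(s[2], env)}
        elif s[0] == "check" and evaluate(subst(s[1], env), {}):
            bugs.append((s[2], witness(pc, inputs, domain)))   # event + concrete inputs
            return                                             # ERR is absorbing
        elif s[0] == "if":
            cond = subst(s[1], env)
            for c, branch in ((cond, s[2]), (("not", cond), s[3])):
                if witness(pc + [c], inputs, domain) is not None:
                    run(branch + block[i + 1:], env, pc + [c], inputs, domain, bugs)
            return

def check(program, inputs, domain=range(-3, 4)):
    """Instrument, slice, execute.  Returns (sliced program, list of violations)."""
    sliced, _ = slice_block(instrument(program), set())
    bugs = []
    run(sliced, {"st": K("U")}, [], inputs, domain, bugs)
    return sliced, bugs

# Constructed sample with symbolic inputs a, b: c, d, e never influence the
# lock discipline and are sliced away; the two ifs on a and n survive.
PROGRAM = [
    ("assign", "c", ("mul", V("a"), V("b"))),
    ("assign", "d", ("add", V("c"), K(7))),
    ("if", ("gt", V("d"), K(100)), [("assign", "e", K(1))], [("assign", "e", K(2))]),
    ("if", ("gt", V("a"), K(0)), [("call", "lock")], []),
    ("assign", "n", ("add", V("a"), V("b"))),
    ("if", ("gt", V("n"), K(0)), [("call", "unlock")], []),
]
```

`check(PROGRAM, ["a", "b"])` leaves five statements of the original eight and reports two violations with witnesses: returning while still locked (a > 0, a + b <= 0) and unlocking without a prior lock (a <= 0, a + b > 0). The slicer is exact here only because the IR has no loops; with loops a fixpoint iteration over the needed-variable set is required, and a real tool replaces `witness` with an SMT query rather than enumeration.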
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Slabý, J., Strejček, J., Trtík, M. (2012). Checking Properties Described by State Machines: On Synergy of Instrumentation, Slicing, and Symbolic Execution. In: Stoelinga, M., Pinger, R. (eds) Formal Methods for Industrial Critical Systems. FMICS 2012. Lecture Notes in Computer Science, vol 7437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32469-7_14
DOI: https://doi.org/10.1007/978-3-642-32469-7_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32468-0
Online ISBN: 978-3-642-32469-7