
Checking Properties Described by State Machines: On Synergy of Instrumentation, Slicing, and Symbolic Execution

  • Conference paper
Formal Methods for Industrial Critical Systems (FMICS 2012)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7437)

Abstract

We introduce a novel technique for checking properties described by finite state machines. The technique is based on a synergy of three well-known methods: instrumentation, program slicing, and symbolic execution. More precisely, we instrument a given program with code that tracks the runs of state machines representing the properties of interest. Next we slice the program to reduce its size without affecting the runs of those state machines. Then we symbolically execute the sliced program to find real violations of the checked properties, i.e. real bugs. Depending on the kind of symbolic execution used, the technique can be applied either as a stand-alone bug-finding technique or to weed out false positives from the output of another bug-finding tool. We provide several examples demonstrating the practical applicability of our technique.
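The following Python sketch is an added illustration of the three-step pipeline the abstract describes; it is not code from the paper or its authors. It assumes a constructed toy program IR, a constructed lock/unlock property expressed as a finite state machine, and exhaustive enumeration of boolean program inputs as a stand-in for symbolic execution (a real engine would solve path conditions instead). Instrumentation appends a monitor statement after every call that is a state-machine event, slicing keeps only the monitor statements and the branches that lead to them, and the final step reports the inputs under which the machine ends in a non-accepting state.

```python
from itertools import product

# Property to check, as a finite state machine over program events
# (constructed example): a lock may not be acquired twice or released
# while free, and must be free again when the program ends.
LOCK_FSM = {
    "start": "unlocked",
    "transitions": {
        ("unlocked", "lock"): "locked",
        ("locked", "unlock"): "unlocked",
    },
    "accepting": {"unlocked"},  # states that are fine at program exit
}


def step(fsm, state, event):
    """Advance the machine; a (state, event) pair without a transition is a violation."""
    if state == "error":
        return "error"
    return fsm["transitions"].get((state, event), "error")


# Toy program IR (constructed for this example). A statement is one of
#   ("call", name)                  an API call; relevant iff name is an FSM event
#   ("assign", var, expr)           unrelated computation, never affects the FSM
#   ("if", input_var, then, else)   branch on a boolean program input
#   ("monitor", event)              inserted by instrumentation: advance the FSM
PROGRAM = [
    ("assign", "n", "read()"),
    ("call", "lock"),
    ("assign", "n", "n + 1"),
    ("if", "early_exit", [("call", "log")], [("call", "unlock")]),  # early exit keeps the lock
    ("if", "retry", [("call", "lock"), ("call", "unlock")], []),
]


def instrument(stmts, events):
    """Step 1: follow every call that is an FSM event with a monitor statement."""
    out = []
    for s in stmts:
        if s[0] == "call":
            out.append(s)
            if s[1] in events:
                out.append(("monitor", s[1]))
        elif s[0] == "if":
            out.append(("if", s[1], instrument(s[2], events), instrument(s[3], events)))
        else:
            out.append(s)
    return out


def slice_program(stmts):
    """Step 2: keep only what can influence the monitor's run: monitor
    statements and the branches on whose arms such statements occur."""
    out = []
    for s in stmts:
        if s[0] == "monitor":
            out.append(s)
        elif s[0] == "if":
            then_, else_ = slice_program(s[2]), slice_program(s[3])
            if then_ or else_:
                out.append(("if", s[1], then_, else_))
    return out


def inputs_of(stmts):
    """Collect the boolean input variables the (sliced) program branches on."""
    names = set()
    for s in stmts:
        if s[0] == "if":
            names.add(s[1])
            names |= inputs_of(s[2]) | inputs_of(s[3])
    return names


def run(stmts, inputs, fsm, state):
    """Execute the sliced program under one input assignment, tracking the FSM state."""
    for s in stmts:
        if s[0] == "monitor":
            state = step(fsm, state, s[1])
        elif s[0] == "if":
            state = run(s[2] if inputs[s[1]] else s[3], inputs, fsm, state)
        if state == "error":
            break
    return state


def find_violations(program, fsm):
    """Step 3: enumerate every input assignment of the sliced program (a stand-in
    for symbolic execution) and return (inputs, final state) for each bad run."""
    events = {event for (_, event) in fsm["transitions"]}
    sliced = slice_program(instrument(program, events))
    names = sorted(inputs_of(sliced))
    violations = []
    for values in product([False, True], repeat=len(names)):
        inputs = dict(zip(names, values))
        final = run(sliced, inputs, fsm, fsm["start"])
        if final not in fsm["accepting"]:
            violations.append((inputs, final))
    return violations


if __name__ == "__main__":
    for inputs, final in find_violations(PROGRAM, LOCK_FSM):
        print(f"violation: inputs={inputs} final state={final}")
```

On the constructed program, slicing drops both assignments and the irrelevant `log` call, leaving three statements, and the enumeration reports exactly the two runs with `early_exit` set: one that ends still holding the lock and one that reaches the error state by locking twice. Because the slice removes only statements that cannot influence the monitor, the two runs found on the sliced program correspond to real violations in the original one.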




© 2012 Springer-Verlag Berlin Heidelberg


Cite this paper

Slabý, J., Strejček, J., Trtík, M. (2012). Checking Properties Described by State Machines: On Synergy of Instrumentation, Slicing, and Symbolic Execution. In: Stoelinga, M., Pinger, R. (eds) Formal Methods for Industrial Critical Systems. FMICS 2012. Lecture Notes in Computer Science, vol 7437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32469-7_14


  • DOI: https://doi.org/10.1007/978-3-642-32469-7_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32468-0

  • Online ISBN: 978-3-642-32469-7
