Skip to main content
SpringerLink
Log in

Handling Heap Data Structures in Backward Symbolic Execution

  • Conference paper
  • First Online:
Formal Methods. FM 2019 International Workshops (FM 2019)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 12233))

Included in the following conference series:

Abstract

Backward symbolic execution (BSE), also known as weakest precondition computation, is a useful technique to determine validity of assertions in program code by transforming its semantics into boolean conditions for an SMT solver. Regrettably, the literature does not cover various challenges which arise during its implementation, especially when we want to reason about heap objects using the theory of arrays and to use the SMT solver efficiently. In this paper, we present our achievements in this area. Our contribution is threefold. First, we summarize the two most popular state-of-the-art approaches used for BSE, denoting them as disjunct propagation and conjunct combination. Second, we present a novel method for modelling heap operations in BSE using the theory of arrays, optimized for incremental checking during the analysis and handling the input heap. Third, we compare both approaches with our heap handling implementation on a set of program examples, presenting their strengths and weaknesses. The evaluation shows that conjunct combination is the most efficient variant, exceeding the straightforward implementation of disjunct propagation in an order of magnitude.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We did not put reference comparison directly in the edge conditions so that we can describe its processing later in the unified manner with the other heap operations, see Sect. 4.

  2. 2.

    We expect that null cannot be on the left side of the assignment.

  3. 3.

    We conducted the experiments on a desktop with an Intel Core i7 CPU and 6 GB RAM.

References

  1. Albarghouthi, A., Gurfinkel, A., Chechik, M.: From under-approximations to over-approximations and back. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 157–172. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5_12

    Chapter  MATH  Google Scholar 

  2. Baldoni, R., Coppa, E., D’elia, D.C., Demetrescu, C., Finocchi, I.: A survey of symbolic execution techniques. ACM Comput. Surv. (CSUR) 51(3), 50 (2018)

    Article  Google Scholar 

  3. Bjørner, N.: Engineering theories with Z3. In: Yang, H. (ed.) APLAS 2011. LNCS, vol. 7078, pp. 4–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25318-8_3

    Chapter  Google Scholar 

  4. Bradley, A.R., Manna, Z.: The Calculus of Computation: Decision Procedures with Applications to Verification. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74113-8

    Book  MATH  Google Scholar 

  5. Braione, P., Denaro, G., Pezzè, M.: JBSE: a symbolic executor for java programs with complex heap inputs. In: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 1018–1022. ACM (2016)

    Google Scholar 

  6. Cadar, C., Dunbar, D., Engler, D.: Klee: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, OSDI 2008, pp. 209–224. USENIX Association, Berkeley (2008). http://dl.acm.org/citation.cfm?id=1855741.1855756

  7. Chandra, S., Fink, S.J., Sridharan, M.: Snugglebug: a powerful approach to weakest preconditions. SIGPLAN Not. 44(6), 363–374 (2009). http://doi.acm.org/10.1145/1543135.1542517

  8. De Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008/ETAPS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24. http://dl.acm.org/citation.cfm?id=1792734.1792766

  9. Dinges, P., Agha, G.: Targeted test input generation using symbolic-concrete backward execution. In: 29th IEEE/ACM International Conference on Automated Software Engineering (ASE), Västerås, Sweden. ACM, 15–19 September 2014

    Google Scholar 

  10. Goel, A., Krstić, S., Fuchs, A.: Deciding array formulas with frugal axiom instantiation. In: Proceedings of the Joint Workshops of the 6th International Workshop on Satisfiability Modulo Theories and 1st International Workshop on Bit-Precise Reasoning, SMT 2008/BPR 2008, pp. 12–17. ACM, New York (2008). http://doi.acm.org/10.1145/1512464.1512468

  11. Hovemeyer, D., Pugh, W.: Finding bugs is easy. SIGPLAN Not. 39, 92–106 (2004). https://doi.org/10.1145/1028664.1028717

    Article  Google Scholar 

  12. Husák, R., Kofroň, J., Zavoral, F.: AskTheCode: interactive call graph exploration for error fixing and prevention. Electron. Commun. EASST 77 (2019). https://doi.org/10.14279/tuj.eceasst.77.1109. InterAVT 2019

  13. Lattner, C., Adve, V.: LLVM: a compilation framework for lifelong program analysis & transformation. In: Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization, CGO 2004, pp. 75–86. IEEE Computer Society, Washington, DC (2004). http://dl.acm.org/citation.cfm?id=977395.977673

  14. Pham, L.H., Le, Q.L., Phan, Q.S., Sun, J., Qin, S.: Testing heap-based programs with java starfinder. In: Proceedings of the 40th International Conference on Software Engineering: Companion Proceedings, pp. 268–269. ACM (2018)

    Google Scholar 

  15. Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002). https://doi.org/10.1145/514188.514190. http://doi.acm.org/10.1145/514188.514190

  16. Sinha, N., Singhania, N., Chandra, S., Sridharan, M.: Alternate and learn: finding witnesses without looking all over. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 599–615. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31424-7_42

    Chapter  Google Scholar 

  17. Sridharan, M., Chandra, S., Dolby, J., Fink, S.J., Yahav, E.: Alias analysis for object-oriented programs. In: Clarke, D., Noble, J., Wrigstad, T. (eds.) Aliasing in Object-Oriented Programming. Types, Analysis and Verification. LNCS, vol. 7850, pp. 196–232. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36946-9_8

    Chapter  Google Scholar 

  18. Tillmann, N., De Halleux, J.: Pex–white box test generation for.NET. In: Beckert, B., Hähnle, R. (eds.) TAP 2008. LNCS, vol. 4966, pp. 134–153. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79124-9_10

    Chapter  Google Scholar 

Download references

Acknowledgements

This work was supported by the project PROGRESS Q48, the Czech Science Foundation project 17-12465S and the grant SVV-2017-260451.

Author information

Authors and Affiliations

  1. Faculty of Mathematics and Physics, Charles University, Prague, Czech Republic

    Robert Husák, Jan Kofroň & Filip Zavoral

Authors
  1. Robert Husák
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jan Kofroň
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Filip Zavoral
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Robert Husák .

Editor information

Editors and Affiliations

  1. McMaster University, Hamilton, ON, Canada

    Emil Sekerinski

  2. University of Porto, Porto, Portugal

    Nelma Moreira

  3. University of Minho, Braga, Portugal

    José N. Oliveira

  4. Argo Ai, Munich, Germany

    Daniel Ratiu

  5. University of Pisa, Pisa, Italy

    Riccardo Guidotti

  6. University of Liverpool, Liverpool, UK

    Marie Farrell

  7. University of Liverpool, Liverpool, UK

    Matt Luckcuck

  8. University of Exeter, Exeter, UK

    Diego Marmsoler

  9. University of Minho, Braga, Portugal

    José Campos

  10. University of Newcastle, Newcastle upon Tyne, UK

    Troy Astarte

  11. Claude Bernard University, Lyon, France

    Laure Gonnord

  12. Nazarbayev University, Nur-Sultan, Kazakhstan

    Antonio Cerone

  13. University of Surrey, Guildford, UK

    Luis Couto

  14. University of Surrey, Guildford, UK

    Brijesh Dongol

  15. University of Giessen, Giessen, Germany

    Martin Kutrib

  16. University of Lisbon, Lisbon, Portugal

    Pedro Monteiro

  17. Airbus Operations S.A.S., Toulouse, France

    David Delmas

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Husák, R., Kofroň, J., Zavoral, F. (2020). Handling Heap Data Structures in Backward Symbolic Execution. In: Sekerinski, E., et al. Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science(), vol 12233. Springer, Cham. https://doi.org/10.1007/978-3-030-54997-8_33

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-54997-8_33

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54996-1

  • Online ISBN: 978-3-030-54997-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation