Automated Software Engineering, Volume 19, Issue 3, pp. 233–301

Efficient and formal generalized symbolic execution

Article

Abstract

Programs that manipulate dynamic heap objects are difficult to analyze because of issues such as aliasing. The lazy initialization algorithm enables classical symbolic execution to handle such programs. Despite its successes, two issues remain unresolved: (1) inefficiency and (2) the lack of a formal study. For the inefficiency issue, we have proposed two improved algorithms that significantly reduce analysis time compared with the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all three algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct an extensive set of experiments that compare the three algorithms and demonstrate the efficiency of the improved ones.

Keywords

Symbolic execution, Operational semantics, JVM, Soundness, Completeness

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. Pennsylvania State University at Harrisburg, Middletown, USA
  2. Google Inc., Mountain View, USA
  3. Korea University, Seoul, Korea
  4. Kansas State University, Manhattan, USA