Checking Properties of Heap-Manipulating Procedures with a Constraint Solver
A method for finding bugs in object-oriented code is presented. It is capable of checking complex user-defined structural properties, that is, properties of the configuration of objects on the heap, and it generates counterexample traces with no false alarms. It requires no annotation beyond the specification to be checked, and is fully automatic.
The method relies on a three-step translation: from code to a formula in a first-order relational logic, then to a propositional formula, and finally to conjunctive normal form. An off-the-shelf SAT solver is then used to find a solution that constitutes a counterexample.
This underlying scheme, presented previously, does not scale readily. In this paper, we show how a suite of optimizations results in much improved scalability. The optimizations are based on a special treatment of relations that are known to be functional, and target all steps. The effect of the optimizations is demonstrated by application to the analysis of a red-black tree implementation.
Keywords: Boolean variable, conjunctive normal form, computation graph, propositional variable, Boolean formula
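The pipeline the abstract describes (code to a bounded relational formula, then to propositional clauses, then to a SAT solver whose model is a counterexample trace) can be seen end to end on a toy procedure. The following is an added example written for this page; it is not the paper's tool, nor its encoding or optimizations. It assumes a single field `next`, a scope of three objects plus null, a `swap(a, b)` procedure meant to exchange `a.next` and `b.next`, and the naive encoding of a functional relation (one Boolean per object/value pair, with pairwise at-most-one clauses). The names `CNF`, `build`, `solve`, `check_swap`, `BUGGY_SWAP` and `CORRECT_SWAP` are this example's own.

```python
"""Bounded bug-finding for a heap-manipulating procedure via SAT (constructed
illustration, not the paper's tool or encoding).  Field `next` is a total
functional relation Obj -> Obj u {null} over a fixed scope of N objects; a
straight-line procedure becomes CNF over one copy of `next` per program point,
and the negated postcondition goes to a small DPLL solver.  A model is a
counterexample trace; UNSAT means no counterexample exists within the scope."""
from itertools import combinations

N = 3                  # scope: objects 0..N-1 (an assumption of this example)
NULL = N               # one extra value index stands for null
VALUES = range(N + 1)
A, B = 0, 1            # swap's two parameters, fixed to concrete objects


class CNF:
    def __init__(self):
        self.names, self.clauses = {}, []   # key -> variable number; clause list
    def var(self, key):
        return self.names.setdefault(key, len(self.names) + 1)
    def nxt(self, state, obj, value):       # variable: in `state`, next(obj) == value
        return self.var(("next", state, obj, value))
    def add(self, *lits):
        self.clauses.append(list(lits))


def declare_function(cnf, state):
    """next_state is a total function: exactly one value per object."""
    for i in range(N):
        lits = [cnf.nxt(state, i, v) for v in VALUES]
        cnf.add(*lits)                       # at least one value
        for x, y in combinations(lits, 2):   # at most one: quadratic in |VALUES|
            cnf.add(-x, -y)


def assign(cnf, k, target, src_obj, src_state):
    """Statement k: target.next = next_{src_state}(src_obj); other objects are
    framed.  Reading an earlier state models a local that captured the value."""
    for i in range(N):
        for v in VALUES:
            new = cnf.nxt(k + 1, i, v)
            old = cnf.nxt(src_state, src_obj, v) if i == target else cnf.nxt(k, i, v)
            cnf.add(-new, old)
            cnf.add(new, -old)               # new <-> old


def not_equal(cnf, guard, s1, o1, s2, o2):
    """Under `guard`: next_s1(o1) != next_s2(o2), i.e. no value chosen by both."""
    for v in VALUES:
        cnf.add(*guard, -cnf.nxt(s1, o1, v), -cnf.nxt(s2, o2, v))


def build(program):
    """Translate `program` plus the negated swap postcondition into CNF."""
    cnf, final = CNF(), len(program)
    for k in range(final + 1):
        declare_function(cnf, k)
    for k, (target, src_obj, src_state) in enumerate(program):
        assign(cnf, k, target, src_obj, src_state)
    # Negated postcondition: one auxiliary variable picks which conjunct fails.
    sel = cnf.var("sel")
    not_equal(cnf, [-sel], final, A, 0, B)   # sel  -> next_final(A) != next_0(B)
    not_equal(cnf, [sel], final, B, 0, A)    # !sel -> next_final(B) != next_0(A)
    return cnf


def solve(clauses, model=None):
    """Minimal DPLL: unit propagation plus chronological backtracking."""
    model = dict(model or {})
    unit = True
    while unit:
        unit = None
        for clause in clauses:
            if any(model.get(abs(l)) == (l > 0) for l in clause):
                continue                     # clause already satisfied
            open_lits = [l for l in clause if abs(l) not in model]
            if not open_lits:
                return None                  # conflict: clause falsified
            if len(open_lits) == 1:
                unit = open_lits[0]
                model[abs(unit)] = unit > 0  # propagate, then rescan
                break
    free = next((abs(l) for c in clauses for l in c if abs(l) not in model), None)
    if free is None:
        return model                         # every clause satisfied
    for choice in (True, False):
        result = solve(clauses, {**model, free: choice})
        if result is not None:
            return result
    return None


def check_swap(program):
    """Return a counterexample {program point: heap}, or None if none in scope."""
    cnf = build(program)
    model = solve(cnf.clauses)
    if model is None:
        return None
    return {k: {i: (None if v == NULL else v) for i in range(N) for v in VALUES
                if model.get(cnf.nxt(k, i, v))} for k in (0, len(program))}


BUGGY_SWAP = [(A, B, 0), (B, A, 1)]    # a.next = b.next; b.next = a.next (overwritten!)
CORRECT_SWAP = [(A, B, 0), (B, A, 0)]  # t = a.next; a.next = b.next; b.next = t
```

`check_swap(BUGGY_SWAP)` returns a model decoded as a trace: a pre-state heap in which `a.next` and `b.next` differ, and a final state in which `b.next` still points at b's old target, which is exactly the bug. `check_swap(CORRECT_SWAP)` returns `None` because the clause set is unsatisfiable, so no counterexample exists within the scope. Even at this size the encoding uses 37 variables and 119 clauses, and the at-most-one clauses for each object at each program point grow quadratically with the value scope; that cost, which is paid for every functional relation at every program point, is the kind of overhead the abstract's special treatment of functional relations is aimed at.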