A Theory for Control-Flow Graph Exploration
Detection of infeasible code has recently been identified as a scalable and automated technique to locate likely defects in software programs. Given the (acyclic) control-flow graph of a procedure, infeasible code detection depends on an exhaustive search for feasible paths through the graph. A number of encodings of control-flow graphs into logic (understood by theorem provers) have been proposed in the past for this application. In this paper, we compare the performance of these different encodings in terms of runtime and the number of queries processed by the prover. We present a theory of acyclic control-flow as an alternative method of handling control-flow graphs. Such a theory can be built into theorem provers by means of theory plug-ins. Our experiments show that such native handling of control-flow can lead to significant performance gains, compared to previous encodings.
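As an added illustration (not code from the paper), the sketch below runs the exhaustive search for feasible paths described above on a constructed acyclic control-flow graph and reports the nodes that lie on no feasible entry-to-exit path. Brute-force enumeration over a tiny input domain stands in for the theorem prover; the graph, the variable `p` and all function names are assumptions.

```python
from itertools import product

# Constructed acyclic CFG for:  if (p == null) log();  p.f = 1;
# Each edge is (successor, guard); a guard models an assume-statement
# over the procedure inputs (no assignments, to keep the sketch small).
CFG = {
    "entry": [("log", lambda s: s["p"] is None),
              ("skip", lambda s: s["p"] is not None)],
    "log":   [("deref", lambda s: True)],
    "skip":  [("deref", lambda s: True)],
    # Dereferencing p only continues normally when p is non-null.
    "deref": [("exit", lambda s: s["p"] is not None)],
    "exit":  [],
}
DOMAIN = {"p": [None, 0, 1]}  # small constructed input domain

def complete_paths(cfg, node="entry", prefix=()):
    """Yield every entry-to-exit path of the acyclic graph as a list of edges."""
    if not cfg[node]:
        yield list(prefix)
        return
    for succ, guard in cfg[node]:
        yield from complete_paths(cfg, succ, prefix + ((node, succ, guard),))

def feasible(path, domain):
    """A path is feasible if some input satisfies every guard along it."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        state = dict(zip(names, values))
        if all(guard(state) for _, _, guard in path):
            return True
    return False

def infeasible_nodes(cfg, domain):
    """Return the nodes that lie on no feasible complete path."""
    covered = set()
    for path in complete_paths(cfg):
        if feasible(path, domain):
            covered.update(n for edge in path for n in edge[:2])
    return sorted(set(cfg) - covered)

if __name__ == "__main__":
    # "log" is reachable, yet every execution through it fails at the dereference.
    print(infeasible_nodes(CFG, DOMAIN))
```

Each path checked here corresponds to one feasibility query; the number of paths can grow exponentially with the number of branches, which is why the choice of encoding matters for prover runtime and query count.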