Combining Static Analysis and Test Generation for C Program Debugging

  • Omar Chebaro
  • Nikolai Kosmatov
  • Alain Giorgetti
  • Jacques Julliand
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6143)


This paper presents our ongoing work on a tool prototype called sante (Static ANalysis and TEsting), implementing a combination of static analysis and structural program testing for detection of run-time errors in C programs. First, a static analysis tool (Frama-C) is called to generate alarms when it cannot ensure the absence of run-time errors. Second, these alarms guide a structural test generation tool (PathCrawler) trying to confirm alarms by activating bugs on some test cases. Our experiments on real-life software show that this combination can outperform the use of each technique independently.


all-paths test generation static analysis run-time errors C program debugging alarm-guided test generation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Pasareanu, C., Pelanek, R., Visser, W.: Concrete model checking with abstract matching and refinement. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 52–66. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker Blast: Applications to software engineering. Int. J. Softw. Tools Technol. Transfer 9(5-6), 505–525 (2007)CrossRefGoogle Scholar
  3. 3.
    Gulavani, B.S., Henzinger, T.A., Kannan, Y., Nori, A.V., Rajamani, S.K.: SYNERGY: a new algorithm for property checking. In: FSE, pp. 117–127 (2006)Google Scholar
  4. 4.
    Ernst, M.D., Perkins, J.H., Guo, P.J., McCamant, S., Pacheco, C., Tschantz, M.S., Xiao, C.: The Daikon system for dynamic detection of likely invariants. Sci. Comput. Program 69(1-3), 35–45 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Smaragdakis, Y., Csallner, C.: Combining static and dynamic reasoning for bug detection. In: Gurevich, Y., Meyer, B. (eds.) TAP 2007. LNCS, vol. 4454, pp. 1–16. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Active property checking. In: EMSOFT, pp. 207–216 (2008)Google Scholar
  7. 7.
    Frama-C: Framework for static analysis of C programs (2007-2010),
  8. 8.
    Botella, B., Delahaye, M., Hong-Tuan-Ha, S., Kosmatov, N., Mouy, P., Roger, M., Williams, N.: Automating structural testing of C programs: Experience with PathCrawler. In: AST, pp. 70–78 (2009)Google Scholar
  9. 9.
    Ku, K., Hart, T.E., Chechik, M., Lie, D.: A buffer overflow benchmark for software model checkers. In: ASE, pp. 389–392 (2007)Google Scholar
  10. 10.
    Ball, T.: A theory of predicate-complete test coverage and generation. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2004. LNCS, vol. 3657, pp. 1–22. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. In: CCS, pp. 322–335 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Omar Chebaro
    • 1
    • 2
  • Nikolai Kosmatov
    • 1
  • Alain Giorgetti
    • 2
    • 3
  • Jacques Julliand
    • 2
  1. 1.Software Safety LaboratoryCEA, LISTGif-sur-YvetteFrance
  2. 2.LIFCUniversity of Franche-ComtéBesançon CedexFrance
  3. 3.INRIA Nancy - Grand Est, CASSIS projectVillers-lès-NancyFrance

Personalised recommendations