Advertisement

A General Lattice Model for Merging Symbolic Execution Branches

  • Dominic Scheurer
  • Reiner Hähnle
  • Richard Bubel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10009)

Abstract

Symbolic execution is a software analysis technique that has been used with success in the past years in program testing and verification. A main bottleneck of symbolic execution is the path explosion problem: the number of paths in a symbolic execution tree is exponential in the number of static branches of the executed program. Here we put forward an abstraction-based framework for state merging in symbolic execution. We show that it subsumes existing approaches and prove soundness. The method was implemented in the verification system KeY. Our empirical evaluation shows that reductions in proof size of up to 80 % are possible by state merging when applied to complex verification problems; new proofs become feasible that were out of reach so far.

Keywords

Path Condition Symbolic Execution Kripke Structure Program Counter Symbolic State 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

Acknowledgment

We would like to thank the authors of [15] for the permission to quote data from the extended journal version of their paper under preparation.

References

  1. 1.
    Ahrendt, W., et al.: The KeY platform for verification and analysis of Java programs. In: Giannakopoulou, D., Kroening, D. (eds.) VSTTE 2014. LNCS, vol. 8471, pp. 55–71. Springer, Heidelberg (2014)Google Scholar
  2. 2.
    Anand, S., Godefroid, P., Tillmann, N.: Demand-driven compositional symbolic execution. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 367–381. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Anand, S., Păsăreanu, C.S., Visser, W.: Symbolic execution with abstract subsumption checking. In: Valmari, A. (ed.) SPIN 2006. LNCS, vol. 3925, pp. 163–181. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Beckert, B., Hähnle, R.: Reasoning and verification. IEEE Intell. Syst. 29(1), 20–29 (2014)CrossRefGoogle Scholar
  5. 5.
    Beckert, B., Hähnle, R. (eds.): Verification of Object-Oriented Software: The KeY Approach. Springer, Berlin (2006)Google Scholar
  6. 6.
    Bubel, R., Hähnle, R., Weiß, B.: Abstract interpretation of symbolic execution with explicit state updates. In: Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 247–277. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Burstall, R.M.: Program proving as hand simulation with a little induction. In: Information Processing, pp. 308–312. Elsevier (1974)Google Scholar
  8. 8.
    Cadar, C., Sen, K.: Symbolic execution for software testing: three decades later. Commun. ACM 56(2), 82–90 (2013)CrossRefGoogle Scholar
  9. 9.
    Chu, D.-H., Jaffar, J., Murali, V.: Lazy symbolic execution for enhanced learning. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 323–339. Springer, Heidelberg (2014)Google Scholar
  10. 10.
    Clarke, E.M., Grumberg, O., et al.: Model Checking. The MIT Press, Cambridge (1999)zbMATHGoogle Scholar
  11. 11.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: 4th Symposium of POPL, pp. 238–252. ACM Press, January 1977Google Scholar
  12. 12.
    Fitting, M.C.: First-Order Logic and Automated Theorem Proving, 2nd edn. Springer, Berlin (1996)CrossRefzbMATHGoogle Scholar
  13. 13.
    Fitting, M.C., Mendelsohn, R.: First-Order Modal Logic. Kluwer, Dordrecht (1998)CrossRefzbMATHGoogle Scholar
  14. 14.
    Gosling, J., Joy, B., et al.: The Java (TM) Language Specification, 3rd edn. Addison-Wesley Professional, Wokingham (2005). http://psc.informatik.uni-jena.de/languages/Java/javaspec-3.pdf zbMATHGoogle Scholar
  15. 15.
    de Gouw, S., Rot, J., de Boer, F.S., Bubel, R., Hähnle, R.: OpenJDK’s Java.utils.Collection.sort() is broken: the good, the bad and the worst case. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 273–289. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  16. 16.
    Graf, S., Saidi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  17. 17.
    Hähnle, R., Wasser, N., et al.: Array abstraction with symbolic pivots. In: Ábrahám, E., Bonsangue, M., et al. (eds.) Theory and Practice of Formal Methods. LNCS, vol. 9660, pp. 104–121. Springer, Berlin (2016)CrossRefGoogle Scholar
  18. 18.
    Hansen, T., Schachte, P., Søndergaard, H.: State joining and splitting for the symbolic execution of binaries. In: Bensalem, S., Peled, D.A. (eds.) RV 2009. LNCS, vol. 5779, pp. 76–92. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Harel, D., Tiuryn, J., et al.: Dynamic Logic. MIT Press, Cambridge (2000)zbMATHGoogle Scholar
  20. 20.
    King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Kuznetsov, V., Kinder, J., et al.: Efficient state merging in symbolic execution. In: Proceedings of the 33rd Conference on PLDI, pp. 193–204. ACM (2012)Google Scholar
  22. 22.
    Scheurer, D.: From trees to DAGs: a general lattice model for symbolic execution. Master’s thesis, Technische Universität Darmstadt (2015). http://tinyurl.com/Trees2DAGs
  23. 23.
    Sen, K., Necula, G., et al.: MultiSE: multi-path symbolic execution using value summaries. In: 10th Joint Meeting on Foundations of Software Engineering, pp. 842–853. ACM (2015)Google Scholar
  24. 24.
    Shoenfield, J.R.: Mathematical Logic. Addison-Wesley, Wokingham (1967)zbMATHGoogle Scholar
  25. 25.
    Weiß, B.: Predicate abstraction in a program logic calculus. In: Leuschel, M., Wehrheim, H. (eds.) IFM 2009. LNCS, vol. 5423, pp. 136–150. Springer, Heidelberg (2009)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Dominic Scheurer
    • 1
  • Reiner Hähnle
    • 1
  • Richard Bubel
    • 1
  1. 1.Department of Computer ScienceTU DarmstadtDarmstadtGermany

Personalised recommendations