
Testing Static Analyzers with Randomly Generated Programs

  • Pascal Cuoq
  • Benjamin Monate
  • Anne Pacalet
  • Virgile Prevosto
  • John Regehr
  • Boris Yakobowski
  • Xuejun Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7226)

Abstract

Static analyzers should be correct. We used the random C-program generator Csmith, initially intended to test C compilers, to test parts of the Frama-C static analysis platform. Although Frama-C was already relatively mature at that point, fifty bugs were found and fixed during the process, in the front-end (AST elaboration and type-checking) and in the value analysis, constant propagation and slicing plug-ins. Several bugs were also found in Csmith, even though it had been extensively tested and had been used to find numerous bugs in compilers.

Keywords

Formal Method; Interpreter Mode; Manual Reduction; Singleton State; Abstract Interpreter
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Pascal Cuoq (1)
  • Benjamin Monate (1)
  • Anne Pacalet (2)
  • Virgile Prevosto (1)
  • John Regehr (3)
  • Boris Yakobowski (1)
  • Xuejun Yang (3)
  1. CEA, LIST, France
  2. INRIA Sophia-Antipolis, France
  3. University of Utah, United States
