Efficient and formal generalized symbolic execution

Published: 01 September 2012

Abstract

    Programs that manipulate dynamic heap objects are difficult to analyze because of issues such as aliasing. The lazy initialization algorithm enables classical symbolic execution to handle such programs. Despite its successes, two issues remain unresolved: (1) inefficiency and (2) the lack of a formal study. For the inefficiency issue, we have proposed two improved algorithms that give a significant reduction in analysis time over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all three algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct an extensive set of experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms.
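    To make the abstract's notion of lazy initialization concrete, the following toy symbolic executor is an added illustration for this page; it is neither the paper's JVM-level formalization nor the Kiasan or Java PathFinder implementation. It models one object type (`Node` with a single reference field `next`), leaves a symbolic reference unmaterialized until it is first read, and on that read forks the path into null, an alias of each already-materialized object, or a fresh object, with at most `k` objects materialized per path. The bound `k`, the `visited`-set cycle detection and all names are assumptions of this example, chosen so the loop `while (cur != null) cur = cur.next;` terminates on every path.

```python
"""Toy model of lazy initialization in symbolic execution over heap objects.

Added illustration; not the paper's formalization nor any tool's code.
A symbolic reference stays unmaterialized until first read; the read forks
the path into: null, an alias of each already-materialized object of the
same type, or a fresh object, with at most k objects materialized per path.
"""
from copy import deepcopy

UNINIT = object()   # sentinel: reference is symbolic and not yet materialized


class Node:
    """Heap object of the single type in this model, with one reference field."""
    def __init__(self):
        self.next = UNINIT


class State:
    """One symbolic path: the materialized heap plus the choices taken so far."""
    def __init__(self):
        self.heap = []    # Node objects; references are indices into this list
        self.path = []    # one label per lazy-initialization case split


def fork_on_read(state, k):
    """Lazy initialization of an uninitialized reference read in `state`.

    Returns a list of (successor_state, value) pairs, one per case:
    null, alias of each existing object, and (if under the bound k) a fresh
    object.  Each successor gets its own copy of the heap.
    """
    successors = []
    s = deepcopy(state)
    s.path.append("null")
    successors.append((s, None))
    for idx in range(len(state.heap)):
        s = deepcopy(state)
        s.path.append(f"alias(o{idx})")
        successors.append((s, idx))
    if len(state.heap) < k:
        fresh = len(state.heap)
        s = deepcopy(state)
        s.heap.append(Node())
        s.path.append(f"fresh(o{fresh})")
        successors.append((s, fresh))
    return successors


def explore_traversal(k):
    """Symbolically execute `while (cur != null) cur = cur.next;` on a
    symbolic `cur` (the list head), materializing at most k nodes per path.

    Returns a list of (outcome, heap_size, path) where outcome is
    "terminates" (null reached) or "cycle" (an alias led back to a node
    already visited, i.e. the loop would not terminate on that heap shape).
    """
    results = []
    work = [(State(), UNINIT, ())]          # (state, cur, visited node indices)
    while work:
        st, cur, visited = work.pop()
        if cur is UNINIT:                   # the head itself is symbolic
            work.extend((ns, val, visited) for ns, val in fork_on_read(st, k))
        elif cur is None:
            results.append(("terminates", len(st.heap), st.path))
        elif cur in visited:
            results.append(("cycle", len(st.heap), st.path))
        elif st.heap[cur].next is UNINIT:   # first read of cur.next: fork
            for ns, val in fork_on_read(st, k):
                ns.heap[cur].next = val     # field becomes concrete on this path
                work.append((ns, val, visited + (cur,)))
        else:                               # field materialized earlier
            work.append((st, st.heap[cur].next, visited + (cur,)))
    return results


def summarize(results):
    """Count paths by outcome; returns {"terminates": n, "cycle": m}."""
    counts = {"terminates": 0, "cycle": 0}
    for outcome, _, _ in results:
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    for k in range(4):
        res = explore_traversal(k)
        print(f"k={k}: {len(res)} paths, {summarize(res)}")
        for outcome, size, path in res:
            print("   ", outcome, size, " -> ".join(path))
```

    Running it shows the case explosion the paper's efficiency concern is about: with bound `k` the traversal yields `k+1` terminating paths (lists of length 0 to `k`) plus `k(k+1)/2` cyclic ones, i.e. `(k+1)(k+2)/2` paths in total, and every alias choice is a separate path that a solver-backed executor must explore and discharge.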




    Published In

    Automated Software Engineering, Volume 19, Issue 3, September 2012, 146 pages

    Publisher

    Kluwer Academic Publishers, United States

    Author Tags

    1. Completeness
    2. JVM
    3. Operational semantics
    4. Soundness
    5. Symbolic execution

    Qualifiers

    • Article


    Cited By

    • (2019) JaVerT 2.0: compositional symbolic execution for JavaScript. Proceedings of the ACM on Programming Languages 3(POPL), 1-31. DOI 10.1145/3290379. Online publication date: 2-Jan-2019
    • (2019) Zero-overhead path prediction with progressive symbolic execution. Proceedings of the 41st International Conference on Software Engineering, pp. 234-245. DOI 10.1109/ICSE.2019.00039. Online publication date: 25-May-2019
    • (2018) Survey of Scientific Programming Techniques for the Management of Data-Intensive Engineering Environments. Scientific Programming 2018. DOI 10.1155/2018/8467413. Online publication date: 30-Oct-2018
    • (2018) A Survey of Symbolic Execution Techniques. ACM Computing Surveys 51(3), 1-39. DOI 10.1145/3182657. Online publication date: 23-May-2018
    • (2017) Dynamic symbolic execution for polymorphism. Proceedings of the 26th International Conference on Compiler Construction, pp. 120-130. DOI 10.1145/3033019.3033029. Online publication date: 5-Feb-2017
    • (2016) Proceedings of the 2016 ACM SIGPLAN International Conference on Software Language Engineering. Online publication date: 20-Oct-2016
    • (2014) symMMU. Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, pp. 247-258. DOI 10.1145/2642937.2642974. Online publication date: 15-Sep-2014
    • (2014) Towards a lazier symbolic pathfinder. ACM SIGSOFT Software Engineering Notes 39(1), 1-5. DOI 10.1145/2557833.2560579. Online publication date: 11-Feb-2014
