DOI: 10.1145/3611643.3616268
research-article
Open access

Statistical Reachability Analysis

Published: 30 November 2023

Abstract

Given a target program state (or statement) s, what is the probability that an input reaches s? This is the quantitative reachability analysis problem. For instance, quantitative reachability analysis can be used to approximate the reliability of a program (where s is a bad state). Traditionally, quantitative reachability analysis is solved as a model counting problem for a formal constraint that represents the (approximate) reachability of s along paths in the program, i.e., probabilistic reachability analysis. However, in preliminary experiments, we failed to run state-of-the-art probabilistic reachability analysis on reasonably large programs.
In this paper, we explore statistical methods to estimate reachability probability. An advantage of statistical reasoning is that the size and composition of the program do not matter as long as the program can be executed. We are particularly interested in the error compared to the state-of-the-art probabilistic reachability analysis. We realize that existing estimators do not exploit the inherent structure of the program and develop structure-aware estimators to further reduce the estimation error given the same number of samples. Our empirical evaluation on previous and new benchmark programs shows that (i) our statistical reachability analysis outperforms state-of-the-art probabilistic reachability analysis tools in terms of accuracy, efficiency, and scalability, and (ii) our structure-aware estimators further outperform (blackbox) estimators that do not exploit the inherent program structure. We also identify multiple program properties that limit the applicability of the existing probabilistic analysis techniques.
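A worked illustration of the problem the abstract defines, added here and not part of the paper or its artifact: a constructed toy program whose target statement s is reached by exactly 1 in 4096 of its 16-bit inputs, the exact reaching probability obtained by enumeration, a blackbox Monte Carlo estimator over random executions, and a Wilson score interval (a standard binomial interval assumed here, not the paper's estimator) that quantifies the estimation error. The paper's structure-aware estimators are not reproduced.

```python
import math
import random

DOMAIN = 1 << 16  # the toy program takes a 16-bit unsigned input

def program(x: int) -> bool:
    """Constructed toy program under analysis. Returns True when the
    target statement s is reached for input x, False otherwise."""
    hi, lo = x >> 8, x & 0xFF
    if hi % 16 == 3:              # first guard: 1 in 16 inputs pass
        if lo == hi ^ 0x5A:       # second guard: 1 in 256 of those pass
            return True           # target statement s
    return False

def exact_reach_probability() -> float:
    """Ground truth by exhaustive enumeration. Feasible only because the
    input domain is tiny; for real programs this is what must be estimated."""
    return sum(program(x) for x in range(DOMAIN)) / DOMAIN

def blackbox_estimate(n: int, seed: int = 1) -> tuple[int, float]:
    """Blackbox Monte Carlo estimator: execute n uniformly random inputs
    and return (hit count, fraction of runs that reached s)."""
    rng = random.Random(seed)
    hits = sum(program(rng.randrange(DOMAIN)) for _ in range(n))
    return hits, hits / n

def wilson_interval(hits: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for the reaching probability. Unlike the
    naive p +/- z*sqrt(p(1-p)/n), its upper bound stays above zero when no
    sampled input reached s, so 'zero hits' is never read as 'unreachable'."""
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

if __name__ == "__main__":
    truth = exact_reach_probability()
    for n in (1_000, 100_000):
        hits, est = blackbox_estimate(n)
        lo, hi = wilson_interval(hits, n)
        print(f"n={n:>7} hits={hits:>3} estimate={est:.6f} "
              f"95% CI=[{lo:.6f}, {hi:.6f}] exact={truth:.6f} "
              f"abs.error={abs(est - truth):.6f}")
```

With n=1000 the expected hit count is below one, so the point estimate is often exactly 0 while the interval's upper bound is still about 0.0038; this is the rare-event regime in which the number of samples, not the program's size, decides the error.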

Supplementary Material

Video (fse23main-p209-p-video.mp4)
"Static analyzers use rule checkers to verify the reliability, performance, and readability of programs. One of the key limitations of static analyzers is the failure to produce accurate analysis results (i.e., they generate too many spurious warnings or miss significant defects). To ensure the reliability of a static analyzer, developers usually manually write tests involving input programs and the corresponding expected analysis results. Meanwhile, a rule checker may include example programs in its documentation to help users understand each rule. Our key insight is that we can reuse programs extracted either from the official test suite or documentation and apply semantic-preserving transformations to them to generate variants. We studied the quality of input programs from these two sources and found that most rules in static analyzers are covered by at least one input program, implying the potential of using these programs as the basis for test generation. We present Statfier, a heuristic-based automated testing approach for static analyzers that generates program variants via semantic-preserving transformations and detects inconsistencies between the original program and variants (indicate inaccurate analysis results in the static analyzer). To select variants that are more likely to lead to new bugs, Statfier leverages two key heuristics: (1) analysis report guided location selection that uses program locations in the reports produced by static analyzers to perform transformations and (2) structure diversity driven variant selection that chooses variants with different program contexts and diverse types of transformations. Our experiments with five popular static analyzers show that Statfier can find 79 bugs in these analyzers, of which 46 have been confirmed."

Published In

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2023
2215 pages
ISBN:9798400703270
DOI:10.1145/3611643
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Markov chain
  2. Quantitative reachability analysis
  3. Reaching probability
  4. Statistical reachability analysis

Qualifiers

  • Research-article

Funding Sources

  • German Research Foundation

Conference

ESEC/FSE '23

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 442
  • Downloads (last 6 weeks): 76
Reflects downloads up to 11 Feb 2025