
Checking properties of heap-manipulating procedures with a constraint solver

Published: 07 April 2003

Abstract

A method for finding bugs in object-oriented code is presented. It is capable of checking complex user-defined structural properties, that is, properties of the configuration of objects on the heap, and generates counterexample traces with no false alarms. It requires no annotation beyond the specification to be checked, and is fully automatic.
The method relies on a three-step translation: from code to a formula in a first-order relational logic, then to a propositional formula, and finally to conjunctive normal form. An off-the-shelf SAT solver is then used to find a solution that constitutes a counterexample.
This underlying scheme, presented previously, does not scale readily. In this paper, we show how a suite of optimizations results in much improved scalability. The optimizations are based on a special treatment of relations that are known to be functional, and target all three steps of the translation. The effect of the optimizations is demonstrated by application to the analysis of a red-black tree implementation.



Published In

TACAS'03: Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems
April 2003, 603 pages
ISBN: 3540008985
Editors: Hubert Garavel, John Hatcliff

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

  • (2015) BLISS: Improved Symbolic Execution by Bounded Lazy Initialization with SAT Support. IEEE Transactions on Software Engineering 41(7):639-660, doi:10.1109/TSE.2015.2389225. Online publication date: 1-Jul-2015.
  • (2013) Parallel bounded analysis in code with rich invariants by refinement of field bounds. Proceedings of the 2013 International Symposium on Software Testing and Analysis, pp. 23-33, doi:10.1145/2483760.2483770. Online publication date: 15-Jul-2013.
  • (2010) Falling back on executable specifications. Proceedings of the 24th European Conference on Object-Oriented Programming, pp. 552-576, doi:10.5555/1883978.1884015. Online publication date: 21-Jun-2010.
  • (2010) Efficient modular glass box software model checking. ACM SIGPLAN Notices 45(10):4-21, doi:10.1145/1932682.1869461. Online publication date: 17-Oct-2010.
  • (2010) Efficient modular glass box software model checking. Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications, pp. 4-21, doi:10.1145/1869459.1869461. Online publication date: 17-Oct-2010.
  • (2010) Analysis of invariants for efficient bounded verification. Proceedings of the 19th International Symposium on Software Testing and Analysis, pp. 25-36, doi:10.1145/1831708.1831712. Online publication date: 12-Jul-2010.
  • (2008) Efficient software model checking of soundness of type systems. ACM SIGPLAN Notices 43(10):493-504, doi:10.1145/1449955.1449803. Online publication date: 19-Oct-2008.
  • (2008) Efficient software model checking of soundness of type systems. Proceedings of the 23rd ACM SIGPLAN Conference on Object-Oriented Programming Systems Languages and Applications, pp. 493-504, doi:10.1145/1449764.1449803. Online publication date: 19-Oct-2008.
  • (2008) DSD-Crasher. ACM Transactions on Software Engineering and Methodology 17(2):1-37, doi:10.1145/1348250.1348254. Online publication date: 5-May-2008.
  • (2007) Kodkod. Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 632-647, doi:10.5555/1763507.1763571. Online publication date: 24-Mar-2007.
