DOI: 10.5555/1765871.1765924 (conference article, Guide Proceedings)

Generalized symbolic execution for model checking and testing

Published: 07 April 2003

Abstract

Modern software systems, which are often concurrent and manipulate complex data structures, must be extremely reliable. We present a novel framework based on symbolic execution for automated checking of such systems. We provide a two-fold generalization of traditional symbolic-execution-based approaches. First, we define a source-to-source translation to instrument a program, which enables standard model checkers to perform symbolic execution of the program. Second, we give a novel symbolic execution algorithm that handles dynamically allocated structures (e.g., lists and trees), method preconditions (e.g., acyclicity), data (e.g., integers and strings) and concurrency. The program instrumentation enables a model checker to automatically explore different program heap configurations and manipulate logical formulae on program data (using a decision procedure). We illustrate two applications of our framework: checking correctness of multi-threaded programs that take inputs from unbounded domains with complex structure, and generation of non-isomorphic test inputs that satisfy a testing criterion. Our implementation for Java uses the Java PathFinder model checker.
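To make the heap-exploration part of the abstract concrete, here is an added example (a toy reconstruction in Python, not the paper's algorithm or its Java PathFinder implementation) of the idea the paper calls lazy initialization: the first read of an uninitialized reference field becomes a nondeterministic choice that a model checker explores, and a precondition such as acyclicity prunes branches. The program under test (a plain list traversal), the bound on allocated nodes and the shape encoding are assumptions made for this illustration; symbolic data and the decision procedure are left out.

```python
# Added illustration (not the paper's code or the JPF implementation): a toy
# symbolic executor for the program `while cur is not None: cur = cur.next`
# over a singly linked list. A heap shape is a list `nexts` where nexts[i] is
# node i's next field: UNINIT (never read), None (null) or another node index.
UNINIT = "?"

def lazy_init_shapes(max_nodes, require_acyclic):
    """Return every heap shape reached by the traversal, one per symbolic path.

    On the first read of an uninitialized `next` field the executor branches,
    as the instrumented program would present the choice to a model checker:
    null, a fresh node, or an alias to an already-allocated node. The
    acyclicity precondition removes the aliasing branch, since every allocated
    node is already on the traversal path and aliasing it closes a cycle.
    Nodes are numbered in allocation order, so no two results are isomorphic.
    """
    shapes = []
    def explore(nexts, cur, visited):
        if cur is None or cur in visited:
            # Reached null, or revisited a node (a cycle): a model checker
            # would match this state and stop, so the path is complete.
            shapes.append(nexts)
            return
        choices = [None]                               # next == null
        if len(nexts) < max_nodes:
            choices.append(len(nexts))                 # fresh node (bounded)
        if not require_acyclic:
            choices.extend(range(len(nexts)))          # alias: builds a cycle
        for choice in choices:
            branch = list(nexts)
            if choice == len(nexts):
                branch.append(UNINIT)                  # allocate the fresh node
            branch[cur] = choice                       # field is now concrete
            explore(branch, choice, visited | {cur})

    # The head reference is itself lazily initialized: null or node 0.
    explore([], None, frozenset())
    explore([UNINIT], 0, frozenset())
    return shapes

def has_cycle(shape):
    """Walk a finished shape from node 0 and report whether a node repeats."""
    seen, cur = set(), (0 if shape else None)
    while cur is not None:
        if cur in seen:
            return True
        seen.add(cur)
        cur = shape[cur]
    return False
```

With a bound of two nodes the acyclic run yields three inputs (empty, one node, two nodes), while dropping the precondition adds the three cyclic shapes `[0]`, `[1, 0]` and `[1, 1]`.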



Published In

TACAS'03: Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, April 2003, 603 pages, ISBN 3540008985
Editors: Hubert Garavel, John Hatcliff
Publisher: Springer-Verlag, Berlin, Heidelberg

Cited By

• (2022) LISSA: Lazy Initialization with Specialized Solver Aid. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1-12. doi:10.1145/3551349.3556965. Online publication date: 10-Oct-2022.
• (2022) Finding real bugs in big programs with incorrectness logic. Proceedings of the ACM on Programming Languages 6(OOPSLA1), pp. 1-27. doi:10.1145/3527325. Online publication date: 29-Apr-2022.
• (2022) Striking a balance. Proceedings of the 44th International Conference on Software Engineering, pp. 2043-2055. doi:10.1145/3510003.3510166. Online publication date: 21-May-2022.
• (2022) Verification of Programs Sensitive to Heap Layout. ACM Transactions on Software Engineering and Methodology 31(4), pp. 1-27. doi:10.1145/3508363. Online publication date: 8-Sep-2022.
• (2022) Constraint-logic object-oriented programming for test case generation. Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, pp. 1499-1508. doi:10.1145/3477314.3507015. Online publication date: 25-Apr-2022.
• (2022) Testing Vehicle-Mounted Systems: A Stepwise Symbolic Execution Approach for OSEK/VDX Programs. Theoretical Aspects of Software Engineering, pp. 205-219. doi:10.1007/978-3-031-10363-6_15. Online publication date: 8-Jul-2022.
• (2021) Free Objects in Constraint-logic Object-oriented Programming. Proceedings of the 23rd International Symposium on Principles and Practice of Declarative Programming, pp. 1-13. doi:10.1145/3479394.3479409. Online publication date: 6-Sep-2021.
• (2021) Symbolic execution of NoSQL applications using versioned schemas. Proceedings of the 36th Annual ACM Symposium on Applied Computing, pp. 1778-1787. doi:10.1145/3412841.3442050. Online publication date: 22-Mar-2021.
• (2019) Synthesizing replacement classes. Proceedings of the ACM on Programming Languages 4(POPL), pp. 1-33. doi:10.1145/3371120. Online publication date: 20-Dec-2019.
• (2019) Automatic and scalable detection of logical errors in functional programming assignments. Proceedings of the ACM on Programming Languages 3(OOPSLA), pp. 1-30. doi:10.1145/3360614. Online publication date: 10-Oct-2019.
