Hengbiao Yu
Zhendong Su
ABSTRACT
Verifying the regular properties of programs has been a significant challenge. This paper tackles this challenge by presenting symbolic regular verification (SRV) that offers significant speedups over the state-of-the-art. SRV is based on dynamic symbolic execution (DSE) and enabled by novel techniques for mitigating path explosion: (1) a regular property-oriented path slicing algorithm, and (2) a synergistic combination of property-oriented path slicing and guiding. Slicing prunes redundant paths, while guiding boosts the search for counterexamples. We have implemented SRV for Java and evaluated it on 15 real-world open-source Java programs (totaling 259K lines of code). Our evaluation results demonstrate the effectiveness and efficiency of SRV. Compared with the state-of-the-art --- pure DSE, pure guiding, and pure path slicing --- SRV achieves average speedups of more than 8.4X, 8.6X, and 7X, respectively, making symbolic regular property verification significantly more practical.
- A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools Addison-Wesley, 1986. Google Scholar
Digital Library
- C. Allan, P. Avgustinov, A. S. Christensen, L. J. Hendren, S. Kuzins, O. Lhoták, O. de Moor, D. Sereni, G. Sittampalam, and J. Tibble. Adding trace matching with free variables to AspectJ. In OOPSLA, pages 345--364, 2005. Google ScholarDigital Library
- D. Babić, L. Martignoni, S. McCamant, and D. Song. Statically-directed dynamic automated test generation. In ISSTA, pages 12--22. ACM, 2011. Google ScholarDigital Library
- T. Ball and S. K. Rajamani. The SLAM project: debugging system software via static analysis. In POPL, pages 1--3, 2002. Google ScholarDigital Library
- T. Ball, R. Majumdar, T. Millstein, and S. K. Rajamani. Automatic predicate abstraction of C programs. In PLDI, pages 203--213, 2001. Google ScholarDigital Library
- S. M. Blackburn, R. Garner, C. Hoffmann, A. M. Khang, K. S. McKinley, R. Bentzur, A. Diwan, D. Feinberg, D. Frampton, S. Z. Guyer, et al. The DaCapo benchmarks: Java benchmarking development and analysis. In OOPSLA, pages 169--190, 2006. Google ScholarDigital Library
- E. Bodden. Efficient hybrid typestate analysis by determining continuation-equivalent states. In ICSE, pages 5--14, 2010. Google ScholarDigital Library
- P. Boonstoppel, C. Cadar, and D. Engler. RWset: Attacking path explosion in constraint-based test generation. In TACAS, pages 351--366, 2008. Google ScholarDigital Library
- J. Burnim and K. Sen. Heuristics for scalable dynamic test generation. In AŞE pages 443--446, 2008. Google ScholarDigital Library
- C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, pages 209--224, 2008. Google ScholarDigital Library
- S. Chandra, S. J. Fink, and M. Sridharan. Snugglebug: a powerful approach to weakest preconditions. In PLDI, pages 363--374, 2009. Google ScholarDigital Library
- F. Chen and G. Rosu. MOP: an efficient and generic runtime verification framework. In OOPSLA, pages 569--588, 2007. Google ScholarDigital Library
- M. Christakis, P. Müller, and V. Wüstholz. Guiding dynamic symbolic execution toward unverified program executions. In ICSE, pages 144--155, 2016. Google ScholarDigital Library
- E. M. Clarke, O. Grumberg, and D. Peled. Model checking. MIT press, 1999. Google ScholarDigital Library
- Clemens Hammacher, Martin Burger, and Valentin Dallmeier. JavaSlicer. https://www.st.cs.uni-saarland.de/javaslicer/, 2008.Google Scholar
- H. Cui, G. Hu, J. Wu, and J. Yang. Verifying systems rules using rule-directed symbolic execution. In ASPLOS, pages 329--342, 2013. Google ScholarDigital Library
- M. Das, S. Lerner, and M. Seigle. ESP: path-sensitive program verification in polynomial time. In PLDI, pages 57--68, 2002. Google ScholarDigital Library
- M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in property specifications for finite-state verification. In ICSE, pages 411--420, 1999. Google ScholarDigital Library
- D. Engler, D. Y. Chen, S. Hallem, A. Chou, and B. Chelf. Bugs as deviant behavior: A general approach to inferring errors in systems code. In SOSP, pages 57--72, 2001. Google ScholarDigital Library
- D. R. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In OSDI, pages 1--16, 2000. Google ScholarDigital Library
- S. J. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective typestate verification in the presence of aliasing. In ISSTA, pages 133--144, 2006. Google ScholarDigital Library
- A. Gill et al. Introduction to the theory of finite-state machines. 1962.Google Scholar
- P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In PLDI, pages 213--223, 2005. Google ScholarDigital Library
- IBM. T.J. Watson Libraries for Analysis (WALA). http://wala.sf.net/.Google Scholar
- J. Jaffar, V. Murali, and J. A. Navas. Boosting concolic testing via interpolation. In FSE, pages 48--58, 2013. Google ScholarDigital Library
- K. Jayaraman, D. Harvison, V. Ganesh, and A. Kiezun. jFuzz: A concolic whitebox fuzzer for Java. In NASA Formal Methods, pages 121--125, 2009.Google Scholar
- R. Jhala and R. Majumdar. Path slicing. In PLDI, pages 38--47, 2005. Google ScholarDigital Library
- R. Just, D. Jalali, L. Inozemtseva, M. D. Ernst, R. Holmes, and G. Fraser. Are mutants a valid substitute for real faults in software testing? In FSE, pages 654--665, 2014. Google ScholarDigital Library
- U. P. Khedker, A. Sanyal, and B. Sathe. Data Flow Analysis - Theory and Practice. CRC Press, 2009. Google ScholarDigital Library
- J. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385--394, 1976. Google ScholarDigital Library
- M. Leucker and C. Schallhart. A brief account of runtime verification. J. Log. Algebr. Program., 78(5):293--303, 2009.Google ScholarCross Ref
- Y. Li, Z. Su, L. Wang, and X. Li. Steering symbolic execution to less traveled paths. In OOPSLA, pages 19--32, 2013. Google ScholarDigital Library
- Y. Liu, C. Xu, and S.-C. Cheung. Characterizing and detecting performance bugs for smartphone applications. In ICSE, pages 1013--1024, 2014. Google ScholarDigital Library
- K.-K. Ma, K. Y. Phang, J. S. Foster, and M. Hicks. Directed symbolic execution. In SAS, pages 95--111, 2011. Google ScholarDigital Library
- P. D. Marinescu and C. Cadar. make test-zesti: A symbolic execution solution for improving regression testing. In ICSE, pages 716--726, 2012. Google ScholarDigital Library
- G. J. Myers, C. Sandler, and T. Badgett. The art of software testing. John Wiley & Sons, 2011. Google ScholarDigital Library
- F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer, 2015. Google ScholarDigital Library
- A. V. Nori, S. K. Rajamani, S. Tetali, and A. V. Thakur. The YOGI project: Software property checking via static analysis and testing. In TACAS, pages 178--181, 2009. Google ScholarDigital Library
- S. Person, G. Yang, N. Rungta, and S. Khurshid. Directed incremental symbolic execution. In PLDI, pages 504--515, 2011. Google ScholarDigital Library
- T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL, pages 49--61, 1995. Google ScholarDigital Library
- K. Sen, D. Marinov, and G. Agha. CUTE: a concolic unit testing engine for C. In FSE, pages 263--272, 2005. Google ScholarDigital Library
- H. Seo and S. Kim. How we get there: a context-guided search strategy in concolic testing. In FSE, pages 413--424, 2014. Google ScholarDigital Library
- R. E. Strom and S. Yemini. Typestate: A programming language concept for enhancing software reliability. IEEE TSE, (1):157--171, 1986. Google ScholarDigital Library
- N. Tillmann and J. De Halleux. Pex - white box test generation for .NET. In TAP, pages 134--153, 2008. Google ScholarDigital Library
- F. Tip. A survey of program slicing techniques. Journal of Programming Languages, 1995.Google Scholar
- T. Xie, N. Tillmann, J. de Halleux, and W. Schulte. Fitness-guided path exploration in dynamic symbolic execution. In DSN, pages 359--368, 2009.Google ScholarCross Ref
- H. Yu, Z. Chen, Y. Zhang, J. Wang, and W. Dong. RGSE: a regular property guided symbolic executor for java. In FSE, pages 954--958, 2017. Google ScholarDigital Library
- C. Zamfir and G. Candea. Execution synthesis: a technique for automated software debugging. In EuroSys, pages 321--334, 2010. Google ScholarDigital Library
- Y. Zhang, Z. Chen, J. Wang, W. Dong, and Z. Liu. Regular property guided dynamic symbolic execution. In ICSE, pages 643--653, 2015. Google ScholarDigital Library
Index Terms
- Symbolic verification of regular properties
Recommendations
Practical symbolic verification of regular properties
ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software EngineeringIt is challenging to verify regular properties of programs. This paper presents symbolic regular verification (SRV), a dynamic symbolic execution based technique for verifying regular properties. The key technique of SRV is a novel synergistic ...
RGSE: a regular property guided symbolic executor for Java
ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software EngineeringIt is challenging to effectively check a regular property of a program. This paper presents RGSE, a regular property guided dynamic symbolic execution (DSE) engine, for finding a program path satisfying a regular property as soon as possible. The key ...
Slicing Abstractions
Fundamentals of Software Engineering 2007: Selected ContributionsAbstraction and slicing are both techniques for reducing the size of the state space to be inspected during verification. In this paper, we present a new model checking procedure for infinite-state concurrent systems that interleaves automatic ...
Comments