Formal Verification of a Flash Memory Device Driver --- An Experience Report
SPIN '08 Proceedings of the 15th international workshop on Model Checking Software
Directed incremental symbolic execution
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
Information and Software Technology
Abstract analysis of symbolic executions
CAV'10 Proceedings of the 22nd international conference on Computer Aided Verification
Symbolic execution of Reo circuits using constraint automata
Science of Computer Programming
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Symbolic execution of communicating and hierarchically composed UML-RT state machines
NFM'12 Proceedings of the 4th international conference on NASA Formal Methods
S2PF: speculative symbolic PathFinder
ACM SIGSOFT Software Engineering Notes
An orchestrated survey of methodologies for automated software test case generation
Journal of Systems and Software
Scaling symbolic execution using staged analysis
Innovations in Systems and Software Engineering
Verification of complex dynamic data tree with mu-calculus
Automated Software Engineering
Predicate abstraction in Java Pathfinder
ACM SIGSOFT Software Engineering Notes
We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks—this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of Anand et al. (Proceedings of SPIN, pp. 163–181, 2006).
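The abstract above describes two pruning mechanisms: checking whether a symbolic state is subsumed by one already stored, and abstracting states so that the set of stored states stays finite. The following Python model is an added example, not code from the paper or from Java PathFinder, and it simplifies the technique to a single constructed program (a loop that counts the nodes of a linked list whose length is symbolic). The names (`SymState`, `Interval`, `abstract`, `subsumes`, `explore`) and the abstraction scheme (traversed nodes beyond a bound `k` are folded into one summary node and the counter constraint is relaxed to an interval) are this example's own assumptions.

```python
"""Toy symbolic execution with state subsumption and a list abstraction.

Constructed program under analysis (symbolic input: a list of unknown length):
    n = 0; cur = head
    while cur != null:       # loop head; cur.next is lazily initialised
        n += 1; cur = cur.next
    assert n >= 0            # checked at exit
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interval:
    """Numeric constraint on the counter n: lo <= n <= hi (hi None = unbounded)."""
    lo: int
    hi: Optional[int]

    def contains(self, other: "Interval") -> bool:
        """True iff every value allowed by `other` is allowed by `self`."""
        if other.lo < self.lo:
            return False
        if self.hi is None:
            return True
        return other.hi is not None and other.hi <= self.hi


@dataclass(frozen=True)
class SymState:
    pc: str            # 'loop' (at the loop head) or 'exit'
    explicit: int      # list nodes materialised by lazy initialisation so far
    summarized: bool   # True once the traversed prefix is folded into a summary node
    n: Interval        # path constraint on the counter n


def abstract(state: SymState, k: Optional[int]) -> SymState:
    """Shape abstraction (assumed scheme): keep at most k explicit nodes; beyond
    that, collapse the traversed prefix into one summary node and weaken the
    exact counter value to the interval [k, +inf)."""
    if k is None or state.explicit < k:
        return state
    return SymState(state.pc, k, True, Interval(k, None))


def subsumes(stored: SymState, new: SymState) -> bool:
    """`new` is subsumed by `stored` when the heap shapes match and the numeric
    constraint of `new` implies that of `stored` (interval containment)."""
    return (stored.pc == new.pc
            and stored.explicit == new.explicit
            and stored.summarized == new.summarized
            and stored.n.contains(new.n))


def explore(k: Optional[int], max_states: int = 50) -> Tuple[bool, int, int]:
    """Depth-first symbolic execution. Returns (exhausted, states_stored, violations).
    exhausted is False when the state budget ran out before the search finished."""
    stack = [SymState("loop", 0, False, Interval(0, 0))]
    seen = []          # abstract states already visited
    violations = 0
    while stack:
        st = abstract(stack.pop(), k)
        if any(subsumes(s, st) for s in seen):
            continue   # revisited abstract state: the model checker backtracks
        if len(seen) >= max_states:
            return False, len(seen), violations
        seen.append(st)
        if st.pc == "exit":
            if st.n.lo < 0:        # assert n >= 0 may fail only if n can be negative
                violations += 1
            continue
        # Lazy initialisation of cur.next yields two successors: null (loop exits)
        # or a fresh node (one more iteration, counter incremented).
        stack.append(SymState("exit", st.explicit, st.summarized, st.n))
        hi = None if st.n.hi is None else st.n.hi + 1
        stack.append(SymState("loop", st.explicit + 1, st.summarized,
                              Interval(st.n.lo + 1, hi)))
    return True, len(seen), violations


if __name__ == "__main__":
    # Without abstraction every loop-head state is new, so subsumption alone
    # never terminates the search; with k=3 the search finishes in 8 states.
    print("no abstraction:", explore(k=None, max_states=20))   # (False, 20, 0)
    print("k=3:", explore(k=3))                                 # (True, 8, 0)
```

The point the two runs make is the one in the abstract: subsumption on its own does not bound the search, because each unrolling produces a strictly different constraint on `n`; once states are abstracted, the state reached after the fourth unrolling is subsumed by the stored summary state and the search backtracks. The price, as the abstract notes, is that what is explored is an under-approximation: behaviours distinguishable only beyond the bound `k` are not explored separately.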