Symbolic analysis shows promise as a foundation for bug-finding, specification inference, verification, and test generation. This paper addresses demand-driven symbolic analysis for object-oriented programs and frameworks. Many such codes comprise large, partial programs with highly dynamic behaviors (polymorphism, reflection, and so on), posing significant scalability challenges for any static analysis. We present an approach based on interprocedural backwards propagation of weakest preconditions. We present several novel techniques to improve the efficiency of such analysis. First, we present directed call graph construction, where call graph construction and symbolic analysis are interleaved. With this technique, call graph construction is guided by constraints discovered during symbolic analysis, obviating the need for exhaustively exploring a large, conservative call graph. Second, we describe generalization, a technique that greatly increases the reusability of procedure summaries computed during interprocedural analysis. Instead of tabulating how a procedure transforms a symbolic state in its entirety, our technique tabulates how the procedure transforms only the pertinent portion of the symbolic state. Additionally, we show how integrating an inexpensive, custom logic simplifier with weakest precondition computation dramatically improves performance. We have implemented the analysis in a tool called Snugglebug and evaluated it as a bug-report feasibility checker. Our results show that the algorithmic techniques were critical for successfully analyzing large Java applications.