Program analysis via satisfiability modulo path programs

Authors:
William R. Harris;Sriram Sankaranarayanan;Franjo Ivančić;Aarti Gupta
Affiliations:
University of Wisconsin, Madison, WI, USA;University of Colorado, Boulder, CO, USA;NEC Laboratories America, Princeton, NJ, USA;NEC Laboratories America, Princeton, NJ, USA
Venue:
Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Year:
2010

Citing 25
Cited 13

Introduction to algorithms

Introduction to algorithms
Chaff: engineering an efficient SAT solver

Proceedings of the 38th annual Design Automation Conference
ESP: path-sensitive program verification in polynomial time

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Automatic discovery of linear restraints among variables of a program

POPL '78 Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation

PLILP '92 Proceedings of the 4th International Symposium on Programming Language Implementation and Logic Programming
Construction of Abstract State Graphs with PVS

CAV '97 Proceedings of the 9th International Conference on Computer Aided Verification
Counterexample-Guided Abstraction Refinement

CAV '00 Proceedings of the 12th International Conference on Computer Aided Verification
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams

Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
Testing static analysis tools using exploitable buffer overflows from open source code

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Path slicing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Solving SAT and SAT Modulo Theories: From an abstract Davis--Putnam--Logemann--Loveland procedure to DPLL(T)

Journal of the ACM (JACM)
Saturn: A scalable framework for error detection using Boolean satisfiability

ACM Transactions on Programming Languages and Systems (TOPLAS) - Special issue on POPL 2005
Path invariants

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
The software model checker Blast: Applications to software engineering

International Journal on Software Tools for Technology Transfer (STTT)
Program analysis as constraint solving

Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Property-directed incremental invariant generation

Formal Aspects of Computing
Z3: an efficient SMT solver

TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Static analysis in disjunctive numerical domains

SAS'06 Proceedings of the 13th international conference on Static Analysis
A fast linear-arithmetic solver for DPLL(T)

CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Lazy abstraction with interpolants

CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Using statically computed invariants inside the predicate abstraction and refinement loop

CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Trace partitioning in abstract interpretation based static analyzers

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
F-SOFT: software verification platform

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Program analysis using symbolic ranges

SAS'07 Proceedings of the 14th international conference on Static Analysis

Loop refinement using octagons and satisfiability

SSV'10 Proceedings of the 5th international conference on Systems software verification
Numeric bounds analysis with conflict-driven learning

TACAS'12 Proceedings of the 18th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Unbounded symbolic execution for program verification

RV'11 Proceedings of the Second international conference on Runtime verification
Software model checking via IC3

CAV'12 Proceedings of the 24th international conference on Computer Aided Verification
Succinct representations for abstract interpretation: combined analysis algorithms and experimental evaluation

SAS'12 Proceedings of the 19th international conference on Static Analysis
SMT-based false positive elimination in static program analysis

ICFEM'12 Proceedings of the 14th international conference on Formal Engineering Methods: formal methods and software engineering
Abstract conflict driven learning

POPL '13 Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Thresher: precise refutations for heap reachability

Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Program performance spectrum

Proceedings of the 14th ACM SIGPLAN/SIGBED conference on Languages, compilers and tools for embedded systems
Feedback-directed unit test generation for C/C++ using concolic execution

Proceedings of the 2013 International Conference on Software Engineering
Fissile type analysis: modular checking of almost everywhere invariants

Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Symbolic optimization with SMT solvers

Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Abstract satisfaction

Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

Quantified Score

Hi-index	0.00

Visualization

Abstract

Path-sensitivity is often a crucial requirement for verifying safety properties of programs. As it is infeasible to enumerate and analyze each path individually, analyses compromise by soundly merging information about executions along multiple paths. However, this frequently results in a loss of precision. We present a program analysis technique that we call Satisfiability Modulo Path Programs (SMPP), based on a path-based decomposition of a program. It is inspired by insights that have driven the development of modern SMT(Satisfiability Modulo Theory) solvers. SMPP symbolically enumerates path programs using a SAT formula over control edges in the program. Each enumerated path program is verified using an oracle, such as abstract interpretation or symbolic execution, to either find a proof of correctness or report a potential violation. If a proof is found, then SMPP extracts a sufficient set of control edges and corresponding interference edges, as a form of proof-based learning. Blocking clauses derived from these edges are added back to the SAT formula to avoid enumeration of other path programs guaranteed to be correct, thereby improving performance and scalability. We have applied SMPP in the F-Soft program verification framework, to verify properties of real-world C programs that require path-sensitive reasoning. Our results indicate that the precision from analyzing individual path programs, combined with their efficient enumeration by SMPP, can prove properties as well as indicate potential violations in the large.