Static analysis designers must carefully balance precision and efficiency. In our experience, many static analysis tools are built around an elegant, core algorithm, but that algorithm is then extensively tweaked to add just enough precision for the coding idioms seen in practice, without sacrificing too much efficiency. There are several downsides to adding precision in this way: the tool's implementation becomes much more complicated; it can be hard for an end-user to interpret the tool's results; and as software systems vary tremendously in their coding styles, it may require significant algorithmic engineering to enhance a tool to perform well in a particular software domain. In this paper, we present Mix, a novel system that mixes type checking and symbolic execution. The key aspect of our approach is that these analyses are applied independently on disjoint parts of the program, in an off-the-shelf manner. At the boundaries between nested type checked and symbolically executed code regions, we use special mix rules to communicate information between the off-the-shelf systems. The resulting mixture is a provably sound analysis that is more precise than type checking alone and more efficient than exclusive symbolic execution. In addition, we also describe a prototype implementation, Mixy, for C. Mixy checks for potential null dereferences by mixing a null/non-null type qualifier inference system with a symbolic executor.