Is it a tree, a DAG, or a cyclic graph? A shape analysis for heap-directed pointers in C
POPL '96 Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Symbolic execution and program testing
Communications of the ACM
Predicate abstraction for software verification
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Parametric shape analysis via 3-valued logic
ACM Transactions on Programming Languages and Systems (TOPLAS)
Automated Software Engineering
Shape Analysis through Predicate Abstraction and Model Checking
VMCAI 2003 Proceedings of the 4th International Conference on Verification, Model Checking, and Abstract Interpretation
Automated Verification of Concurrent Linked Lists with Counters
SAS '02 Proceedings of the 9th International Symposium on Static Analysis
CAV '01 Proceedings of the 13th International Conference on Computer Aided Verification
Modular Verification of Software Components in C
IEEE Transactions on Software Engineering
A framework for numeric analysis of array operations
Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Generalizing symbolic execution to library classes
PASTE '05 Proceedings of the 6th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Existential heap abstraction entailment is undecidable
SAS'03 Proceedings of the 10th international conference on Static analysis
Generalized symbolic execution for model checking and testing
TACAS'03 Proceedings of the 9th international conference on Tools and algorithms for the construction and analysis of systems
Software verification with BLAST
SPIN'03 Proceedings of the 10th international conference on Model checking software
Predicate abstraction and canonical abstraction for singly-linked lists
VMCAI'05 Proceedings of the 6th international conference on Verification, Model Checking, and Abstract Interpretation
Symstra: a framework for generating object-oriented unit tests using symbolic execution
TACAS'05 Proceedings of the 11th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Concrete model checking with abstract matching and refinement
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Test input generation for java containers using state matching
Proceedings of the 2006 international symposium on Software testing and analysis
Automatic Inference of Frame Axioms Using Static Analysis
ASE '08 Proceedings of the 2008 23rd IEEE/ACM International Conference on Automated Software Engineering
JPF-SE: a symbolic execution extension to Java PathFinder
TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
Symbolic execution and model checking for testing
HVC'07 Proceedings of the 3rd international Haifa verification conference on Hardware and software: verification and testing
Efficient and formal generalized symbolic execution
Automated Software Engineering
Hybrid learning: interface generation through static, dynamic, and symbolic analysis
Proceedings of the 2013 International Symposium on Software Testing and Analysis
Input-covering schedules for multithreaded programs
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
| Hi-index | 0.00 |
We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since subsumption is in general not enough to ensure termination, as the number of symbolic states may be infinite, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks – this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs.