Failure-Directed Program Trimming (Extended Version)

This paper describes a new program simplification technique called program trimming that aims to improve the scalability and precision of safety checking tools. Given a program ${\mathcal P}$, program trimming generates a new program ${\mathcal P}'$ such that ${\mathcal P}$ and ${\mathcal P}'$ are equi-safe (i.e., ${\mathcal P}'$ has a bug if and only if ${\mathcal P}$ has a bug), but ${\mathcal P}'$ has fewer execution paths than ${\mathcal P}$. Since many program analyzers are sensitive to the number of execution paths, program trimming has the potential to improve the effectiveness of safety checking tools. In addition to introducing the concept of program trimming, this paper also presents a lightweight static analysis that can be used as a pre-processing step to remove program paths while retaining equi-safety. We have implemented the proposed technique in a tool called Trimmer and evaluate it in the context of two program analysis techniques, namely abstract interpretation and dynamic symbolic execution. Our experiments show that program trimming significantly improves the effectiveness of both techniques.
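As an added illustration of the equi-safety idea above (example code written for this page, not code from the paper or the Trimmer tool): a program in a tiny constructed IR is run over a small finite input domain to count its feasible execution paths and check whether any assertion fails. The trimmed program is built by computing the exact precondition of reaching a failure backwards through the program (a weakest-precondition computation) and inserting it as an `assume` at entry. That exact computation is an assumption made here to keep the example self-contained; the paper's lightweight static analysis would instead over-approximate that condition. The IR, the interpreter, the sample programs and the input range are all constructed for this example.

```python
"""Toy equi-safe trimming: P' = assume(pre_fail(P)); P has the same bugs as P
but fewer feasible paths.  Added example, not the paper's or Trimmer's code."""
from itertools import product

# Constructed IR.  fn/cond are callables over an env dict:
#   ("assign", var, fn)   ("if", cond, then_block, else_block)
#   ("assert", cond)      ("assume", cond)
class Fail(Exception):
    """An assertion was violated on this execution."""

class Blocked(Exception):
    """An assume was false: this input has no execution in the program."""

def run(block, env, trace):
    """Concretely execute `block`, recording each branch decision in `trace`."""
    for stmt in block:
        kind = stmt[0]
        if kind == "assign":
            env[stmt[1]] = stmt[2](env)
        elif kind == "if":
            taken = stmt[1](env)
            trace.append(taken)
            run(stmt[2] if taken else stmt[3], env, trace)
        elif kind == "assert":
            if not stmt[1](env):
                raise Fail()
        elif kind == "assume":
            if not stmt[1](env):
                raise Blocked()
        else:
            raise ValueError(kind)

def analyze(block, inputs, domain):
    """Exhaustively execute over the finite domain; return (feasible paths, has_bug)."""
    paths, bug = set(), False
    for values in product(domain, repeat=len(inputs)):
        trace = []
        try:
            run(block, dict(zip(inputs, values)), trace)
        except Blocked:
            continue            # pruned by an assume: not an execution of P'
        except Fail:
            bug = True
        paths.add(tuple(trace))
    return paths, bug

def fail_pre(block, post=lambda env: False):
    """Exact precondition of reaching an assertion failure in `block`
    (or of satisfying `post` after it), built backwards statement by statement."""
    pre = post
    for stmt in reversed(block):
        kind = stmt[0]
        if kind == "assign":
            var, fn, nxt = stmt[1], stmt[2], pre
            pre = lambda env, var=var, fn=fn, nxt=nxt: nxt({**env, var: fn(env)})
        elif kind == "if":
            cond = stmt[1]
            t, e = fail_pre(stmt[2], pre), fail_pre(stmt[3], pre)
            pre = lambda env, cond=cond, t=t, e=e: t(env) if cond(env) else e(env)
        elif kind == "assert":
            cond, nxt = stmt[1], pre
            pre = lambda env, cond=cond, nxt=nxt: (not cond(env)) or nxt(env)
        elif kind == "assume":
            cond, nxt = stmt[1], pre
            pre = lambda env, cond=cond, nxt=nxt: cond(env) and nxt(env)
    return pre

def trim(block):
    """Trimmed program: block an input at entry unless it can reach a failure."""
    return [("assume", fail_pre(block))] + block

# Constructed sample program over inputs x, y; only the final assertion varies.
INPUTS = ["x", "y"]
DOMAIN = range(-4, 5)

def make_program(assert_cond):
    return [
        ("if", lambda e: e["x"] > 0,
            [("assign", "y", lambda e: e["y"] + 1)],
            [("assign", "y", lambda e: e["y"] - 1)]),
        ("if", lambda e: e["y"] > 2,
            [("assert", assert_cond)],
            [("assign", "y", lambda e: 0)]),
    ]

BUGGY = make_program(lambda e: e["x"] <= 1)   # violated when x > 1 and y >= 2 on entry
SAFE = make_program(lambda e: e["x"] <= 4)    # never violated on DOMAIN

def summarize(block, inputs=INPUTS, domain=DOMAIN):
    """(number of feasible paths, whether a bug exists)."""
    paths, bug = analyze(block, inputs, domain)
    return len(paths), bug

if __name__ == "__main__":
    for name, prog in [("buggy", BUGGY), ("safe", SAFE)]:
        print(name, "original:", summarize(prog), "trimmed:", summarize(trim(prog)))
```

For the buggy program the four branch combinations are all feasible and one of them fails; after trimming only the single path that can fail survives, and the bug is still found. For the safe program trimming blocks every input, so the trimmed program has no paths at all, which is again equi-safe: no bug on either side.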
