Failure-directed program trimming

This paper describes a new program simplification technique called program trimming that aims to improve the scalability and precision of safety checking tools. Given a program P, program trimming generates a new program P' such that P and P' are equi-safe (i.e., P' has a bug if and only if P has a bug), but P' has fewer execution paths than P. Since many program analyzers are sensitive to the number of execution paths, program trimming has the potential to improve the effectiveness of safety checking tools. In addition to introducing the concept of program trimming, this paper also presents a lightweight static analysis that can be used as a pre-processing step to remove program paths while retaining equi-safety. We have implemented the proposed technique in a tool called Trimmer and evaluate it in the context of two program analysis techniques, namely abstract interpretation and dynamic symbolic execution. Our experiments show that program trimming significantly improves the effectiveness of both techniques.
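An added toy model of the idea sketched above (constructed for illustration, not the paper's Trimmer tool): the trimmed program P' is built by inserting assume(not safe) before every statement, where safe is the exact safety condition of the remaining program computed as a weakest precondition. Treating that condition as exact is an assumption made here; the paper's own pre-processing analysis is described only as lightweight. Enumerating concrete inputs then shows that P' keeps only paths that can fail and has a bug exactly when P does.

```python
from itertools import product
# Toy IR (constructed for this example, not the paper's): a block is a list of
# ("assign", v, f) | ("if", c, then, else) | ("assert", c) | ("assume", c); f, c take a dict state.
def wp(block, post):
    """Exact safety condition (weakest precondition) of an untrimmed block w.r.t. post."""
    cond = post
    for stmt in reversed(block):
        if stmt[0] == "assign":
            cond = lambda s, c=cond, v=stmt[1], f=stmt[2]: c({**s, v: f(s)})
        elif stmt[0] == "if":
            wt, we = wp(stmt[2], cond), wp(stmt[3], cond)
            cond = lambda s, c=stmt[1], wt=wt, we=we: wt(s) if c(s) else we(s)
        else:  # assert (assume only appears in trimmed blocks, which wp never sees)
            cond = lambda s, c=cond, a=stmt[1]: a(s) and c(s)
    return cond

def trim(block, post=lambda s: True):
    """Insert assume(not safe) before every statement: only possibly-failing paths survive."""
    out = []
    for i, stmt in enumerate(block):
        out.append(("assume", lambda s, safe=wp(block[i:], post): not safe(s)))
        if stmt[0] == "if":  # branch bodies are followed by block[i + 1:]
            rest = wp(block[i + 1:], post)
            stmt = ("if", stmt[1], trim(stmt[2], rest), trim(stmt[3], rest))
        out.append(stmt)
    return out

def run(block, state, trace=()):  # concrete execution -> ('ok'|'fail'|'blocked', branch trace)
    for stmt in block:
        if stmt[0] == "assign":
            state[stmt[1]] = stmt[2](state)
        elif stmt[0] == "if":
            taken = stmt[1](state)
            r, trace = run(stmt[2 if taken else 3], state, trace + (taken,))
            if r != "ok": return r, trace
        elif not stmt[1](state):  # failing assert or unsatisfied assume
            return ("fail" if stmt[0] == "assert" else "blocked"), trace
    return "ok", trace

def explore(block, domain):  # every input x, y in domain -> (surviving paths, has_bug)
    runs = [run(block, {"x": x, "y": y}) for x, y in product(domain, repeat=2)]
    paths = {trace for r, trace in runs if r != "blocked"}
    return paths, any(r == "fail" for r, _ in runs)

# Constructed program: a = |x|, b = max(y, 0), then assert a + b < 5.
PROG = [("if", lambda s: s["x"] > 0, [("assign", "a", lambda s: s["x"])],
         [("assign", "a", lambda s: -s["x"])]),
        ("if", lambda s: s["y"] > 0, [("assign", "b", lambda s: s["y"])],
         [("assign", "b", lambda s: 0)]),
        ("assert", lambda s: s["a"] + s["b"] < 5)]
```

Over inputs in -3..3, `explore(PROG, ...)` reports four paths and a bug, while `explore(trim(PROG), ...)` reports only the two paths through the `y > 0` branch, which are exactly the ones that can violate the assertion.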
