Ariadne: Hybridizing Directed Model Checking and Static Analysis

While directed model checking has proven to be a powerful tool in the fight against concurrency bugs, scalability remains a concern because of the combinatorial explosion in the size of the state space. Overcoming that explosion requires the selection and/or parameterization of (meta-)heuristics, which leaves a persistent problem: specialized knowledge of the program under consideration must be provided or computed, and this limits the practical value of the technique. To circumvent that, this paper investigates directed model checking as a platform for the synthesis of results from other analyses. We introduce an open-source tool, Ariadne, which translates a static analyzer's (Petablox) reports of suspected race conditions into instrumentation, using a source-to-source compiler (ROSE), that a model checker (Java PathFinder) can exploit to direct its search. We detail the algorithm used, present experimental results, and outline directions for future research.
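The following is an added, self-contained illustration of the idea the abstract describes, not code from Ariadne, Petablox, ROSE or Java PathFinder. It assumes a constructed two-thread toy program (a padded, non-atomic `x = x + 1` in each thread), a constructed race report in the form of `(thread, pc)` pairs, and a hypothetical distance-to-suspected-access heuristic of my own choosing; the real tool instruments Java source for JPF rather than searching a Python model. It contrasts breadth-first exploration of the interleavings with a best-first search whose priority is derived from the race report, counting how many states each expands before it reproduces the lost update and returning the schedule that reproduces it.

```python
"""Toy directed model checker: a static race report steers a best-first search
over thread interleavings, compared against plain breadth-first search.
Constructed example; not Ariadne, Petablox, ROSE or JPF code."""
import heapq
from itertools import count

# Constructed toy program. Each thread runs a list of statements; "local"
# statements touch only thread-private state and pad the state space the way
# unrelated code does in real programs. pcs 3 and 4 form a non-atomic x = x + 1.
PROGRAM = {
    "A": ["local", "local", "local", ("read", "x"), ("write", "x"), "local", "local"],
    "B": ["local", "local", "local", ("read", "x"), ("write", "x"), "local", "local"],
}
THREADS = tuple(PROGRAM)

# Constructed analogue of a static analyzer's race report: (thread, pc) pairs
# whose accesses to x are suspected to be unsynchronized.
RACE_REPORT = {("A", 3), ("A", 4), ("B", 3), ("B", 4)}

# A state is (pcs, x, regs): program counters, shared x, and each thread's
# register holding its last read value. Shared x starts at 0.
INITIAL = ((0, 0), 0, (None, None))


class LostUpdate(Exception):
    """Raised when a thread writes x based on a read that has since gone stale."""


def step(state, tid):
    """Execute one statement of thread `tid`; return the successor state, or
    None if that thread has finished. Raises LostUpdate on a manifested race."""
    pcs, x, regs = state
    pc = pcs[tid]
    stmts = PROGRAM[THREADS[tid]]
    if pc >= len(stmts):
        return None
    stmt = stmts[pc]
    regs = list(regs)
    if stmt == ("read", "x"):
        regs[tid] = x
    elif stmt == ("write", "x"):
        if x != regs[tid]:  # x changed since our read: the increment loses an update
            raise LostUpdate
        x = regs[tid] + 1
    new_pcs = list(pcs)
    new_pcs[tid] = pc + 1
    return (tuple(new_pcs), x, tuple(regs))


def distance_to_suspects(state):
    """Hypothetical heuristic derived from the race report: the summed distance
    of each thread's pc to its nearest not-yet-executed suspected access
    (0 when the thread is at or past all of them). Lower is more promising."""
    pcs = state[0]
    total = 0
    for tid, name in enumerate(THREADS):
        ahead = [pc for (t, pc) in RACE_REPORT if t == name and pc >= pcs[tid]]
        total += min(ahead) - pcs[tid] if ahead else 0
    return total


def trace(parent, state):
    """Rebuild the thread schedule that led to `state` from parent pointers."""
    sched = []
    while parent[state] is not None:
        state, tid = parent[state]
        sched.append(THREADS[tid])
    return sched[::-1]


def search(directed):
    """Explore interleavings from INITIAL. With directed=False the priority is
    constant, so the heap degenerates to FIFO order, i.e. breadth-first search.
    Returns (found, states_expanded, schedule_reproducing_the_race)."""
    seq = count()
    frontier = []
    parent = {INITIAL: None}

    def push(state):
        key = distance_to_suspects(state) if directed else 0
        heapq.heappush(frontier, (key, next(seq), state))

    push(INITIAL)
    expanded = 0
    while frontier:
        _, _, state = heapq.heappop(frontier)
        expanded += 1
        for tid in range(len(THREADS)):
            try:
                nxt = step(state, tid)
            except LostUpdate:
                return True, expanded, trace(parent, state) + [THREADS[tid]]
            if nxt is not None and nxt not in parent:
                parent[nxt] = (state, tid)
                push(nxt)
    return False, expanded, []


def replay(schedule):
    """Run a schedule deterministically; True if it triggers the lost update."""
    state = INITIAL
    try:
        for name in schedule:
            state = step(state, THREADS.index(name))
    except LostUpdate:
        return True
    return False


if __name__ == "__main__":
    for directed in (False, True):
        found, expanded, sched = search(directed)
        mode = "directed" if directed else "bfs"
        print(f"{mode:8s} found={found} expanded={expanded} schedule={''.join(sched)}")
```

Both searches are exhaustive over this finite state space, so both eventually reproduce the lost update; the point is that the report-derived priority drives the search straight into the suspected region, so it expands far fewer states before the counterexample appears, and the returned schedule replays to the violation the way a JPF trace would. Because the heuristic only reorders exploration, a wrong or incomplete static report costs search effort rather than soundness, which is what makes suspected (possibly false-positive) race reports a safe input.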
