Higher-order symbolic execution via contracts

We present a new approach to automated reasoning about higher-order programs by extending symbolic execution to use behavioral contracts as symbolic values, thus enabling symbolic approximation of higher-order behavior. Our approach is based on the idea of an abstract reduction semantics that gives an operational semantics to programs with both concrete and symbolic components. Symbolic components are approximated by their contract and our semantics gives an operational interpretation of contracts-as-values. The result is an executable semantics that soundly predicts program behavior, including contract failures, for all possible instantiations of symbolic components. We show that our approach scales to an expressive language of contracts including arbitrary programs embedded as predicates, dependent function contracts, and recursive contracts. Supporting this rich language of specifications leads to powerful symbolic reasoning using existing program constructs. We then apply our approach to produce a verifier for contract correctness of components, including a sound and computable approximation to our semantics that facilitates fully automated contract verification. Our implementation is capable of verifying contracts expressed in existing programs, and of justifying contract-elimination optimizations.

[1]  Naoki Kobayashi Types and higher-order recursion schemes for verification of higher-order programs , 2009, POPL '09.

[2]  Peter Thiemann Higher-Order Redundancy Elimination , 1994, PEPM.

[3]  David A. McAllester,et al.  Sound and complete models of contracts , 2006, Journal of Functional Programming.

[4]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[5]  Dana N. Xu Hybrid contract checking via symbolic simplification , 2012, PEPM '12.

[6]  S. Rajamani,et al.  A decade of software model checking with SLAM , 2011, Commun. ACM.

[7]  Matthias Felleisen,et al.  Modular set-based analysis from contracts , 2006, POPL '06.

[8]  Cormac Flanagan,et al.  Effective Static Debugging via Compential Set-Based Analysis , 1997 .

[9]  Anindya Banerjee A modular, polyvariant and type-based closure analysis , 1997, ICFP '97.

[10]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[11]  Matthias Felleisen,et al.  On contract satisfaction in a higher-order world , 2011, TOPL.

[12]  Matthias Felleisen,et al.  Correct blame for contracts: no more scapegoating , 2011, POPL '11.

[13]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[14]  Sam Tobin-Hochstadt,et al.  Logical types for untyped languages , 2010, ICFP '10.

[15]  Matthew Might,et al.  Abstracting abstract machines , 2010, ICFP '10.

[16]  Manuel Fähndrich,et al.  Static Contract Checking with Abstract Interpretation , 2010, FoVeOOS.

[17]  Manuel Serrano Control flow analysis: a functional languages compilation paradigm , 1995, SAC '95.

[18]  Robert Bruce Findler,et al.  A Rewriting Semantics for Type Inference , 2007, ESOP.

[19]  Naoki Kobayashi,et al.  Predicate abstraction and CEGAR for higher-order model checking , 2011, PLDI '11.

[20]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[21]  Matthias Felleisen,et al.  How to design programs: an introduction to programming and computing , 2001 .

[22]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[23]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[24]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[25]  Matthias Felleisen,et al.  Contracts for higher-order functions , 2002, ICFP '02.

[26]  Ralf Hinze,et al.  Typed Contracts for Functional Programming , 2006, FLOPS.

[27]  Matthew Might,et al.  Improving flow analyses via ΓCFA: abstract garbage collection and counting , 2006, ICFP '06.

[28]  Yunheung Paek,et al.  A proof method for the correctness of modularized 0CFA , 2002, Inf. Process. Lett..

[29]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[30]  Manuel Fähndrich,et al.  Embedded contract languages , 2010, SAC '10.

[31]  John H. Reppy Type-sensitive control-flow analysis , 2006, ML '06.

[32]  K. Rustan M. Leino,et al.  Specification and verification , 2011, Commun. ACM.

[33]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[34]  Anindya Banerjee,et al.  Modular control-flow analysis with rank 2 intersection types , 2003, Mathematical Structures in Computer Science.

[35]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[36]  G.D. Plotkin,et al.  LCF Considered as a Programming Language , 1977, Theor. Comput. Sci..

[37]  Sam Tobin-Hochstadt,et al.  Chaperones and impersonators: run-time support for reasonable interposition , 2012, OOPSLA '12.

[38]  Patrick Maxim Rondon,et al.  Liquid types , 2008, PLDI '08.

[39]  Na Xu Static contract checking for Haskell , 2009, POPL '09.

[40]  Pierre-Louis Curien,et al.  An Abstract Framework for Environment Machines , 1991, Theor. Comput. Sci..