论文信息 - Checking Properties of Heap-Manipulating Procedures with a Constraint Solver

Checking Properties of Heap-Manipulating Procedures with a Constraint Solver

A method for finding bugs in object-oriented code is presented. It is capable of checking complex user-defined structural properties - that is, of the configuration of objects on the heap - and generates counterexample traces with no false alarms. It requires no annotation beyond the specification to be checked, and is fully automatic. The method relies on a three-step translation: from code to a formula in a first-order relational logic, then to a propositional formula, and finally to conjunctive normal form. An off-the-shelf SAT solver is then used to find a solution that constitutes a counter example. This underlying scheme, presented previously, does not scale readily. In this paper, we show how a suite of optimizations results in much improved scalability. The optimizations are based on a special treatment of relations that are known to be functional, and target all steps. The effect of the optimizations is demonstrated by application to the analysis of a red-black tree implementation.

Daniel Jackson | Mandana Vaziri | M. Vaziri | D. Jackson

[1] K. Rustan M. Leino,et al. Extended static checking , 1998, PROCOMET.

[2] Manu Sridharan,et al. A micromodularity mechanism , 2001, ESEC/FSE-9.

[3] Ronald L. Rivest,et al. Introduction to Algorithms , 1990 .

[4] Roman Manevich,et al. Compactly Representing First-Order Structures for Static Analysis , 2002, SAS.

[5] David A. Plaisted,et al. A Structure-Preserving Clause Form Translation , 1986, J. Symb. Comput..

[6] James C. Corbett,et al. Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[7] Mark N. Wegman,et al. Analysis of pointers and structures , 1990, SIGP.

[8] Klaus Havelund,et al. Model Checking Programs , 2004, Automated Software Engineering.

[9] Eugene Goldberg,et al. BerkMin: A Fast and Robust Sat-Solver , 2002 .

[10] Sriram K. Rajamani,et al. The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[11] Gerard J. Holzmann,et al. Automating software feature verification , 2000, Bell Labs Technical Journal.

[12] Daniel Jackson,et al. Automating first-order relational logic , 2000, SIGSOFT '00/FSE-8.

[13] Reinhard Wilhelm,et al. Parametric shape analysis via 3-valued logic , 2002, TOPL.

[14] Gerard J. Holzmann,et al. The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[15] Daniel Jackson,et al. Finding bugs with a constraint solver , 2000, ISSTA '00.