Dual analysis for proving safety and finding bugs

Program bugs remain a major challenge for software developers, and various tools have been proposed to help localize and eliminate them. Most present-day tools are based either on over-approximating techniques, which can prove safety but may report false positives, or on under-approximating techniques, which can find real bugs but may miss others (false negatives). In this paper, we propose a dual static analysis that is based only on over-approximation. Its main novelty is to concurrently derive the conditions that lead to a success outcome and the conditions that lead to a failure outcome. Because both sets of conditions are over-approximations, an input that falls outside the failure conditions is proven safe, and an input that falls outside the success conditions cannot lead to a successful outcome and is therefore a real bug; the same analysis thus provides a comprehensive solution for both proving safety and finding real program bugs. We have proven the soundness of our approach and have implemented a prototype system that is validated by a set of experiments.
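
How two over-approximations can yield both safety proofs and definite bugs is easiest to see in a small backward analysis. The block below is an added illustration written for this page, not the paper's analysis or prototype: it uses a disjunctive interval-box domain over a toy three-statement language, and the statement forms, the `limit` cap on disjuncts, the `PROG` and `INPUTS` data, and every function name are assumptions of this sketch. It carries an OK condition and an ERR condition backwards through the program; an input outside ERR is proven safe, an input outside OK is a definite bug, and an input in both is unknown. A concrete interpreter then checks every verdict against a real run.

```python
"""Dual backward analysis over a disjunctive box domain (constructed example).
Statements: ("assign", v, k) is v := v + k; ("assert", v, lo, hi) fails unless
lo <= v <= hi; ("if", v, then, else) runs `then` when v >= 1, else `else`.
A condition is a list (disjunction) of boxes; a box maps variables to closed
intervals, unmentioned variables being unbounded. [] is false, [{}] is true."""
import math

INF = math.inf
TOP = (-INF, INF)

def meet_box(a, b):
    """Intersection of two boxes, or None when empty."""
    out = {}
    for v in set(a) | set(b):
        lo = max(a.get(v, TOP)[0], b.get(v, TOP)[0])
        hi = min(a.get(v, TOP)[1], b.get(v, TOP)[1])
        if lo > hi:
            return None
        out[v] = (lo, hi)
    return out

def hull(a, b):
    """Smallest box containing a and b: this is where precision is lost."""
    return {v: (min(a.get(v, TOP)[0], b.get(v, TOP)[0]),
                max(a.get(v, TOP)[1], b.get(v, TOP)[1])) for v in set(a) | set(b)}

def meet(cond, box):
    return [m for m in (meet_box(b, box) for b in cond) if m is not None]

def join(cond, limit):
    """Keep at most `limit` boxes by hulling the first two while over the cap
    (a crude merge, chosen so that the precision loss is easy to see)."""
    boxes = list(cond)
    while len(boxes) > limit:
        boxes = [hull(boxes[0], boxes[1])] + boxes[2:]
    return boxes

def shift(cond, v, k):
    """Backward transfer of v := v + k: post v in [lo,hi] gives pre v in [lo-k,hi-k]."""
    return [{**b, v: (b.get(v, TOP)[0] - k, b.get(v, TOP)[1] - k)} for b in cond]

def dual_pre(stmts, ok, err, limit):
    """Walk backwards keeping two over-approximations of the input space:
    ok = inputs that may pass every assert, err = inputs that may trip one."""
    for st in reversed(stmts):
        if st[0] == "assign":
            _, v, k = st
            ok, err = shift(ok, v, k), shift(err, v, k)
        elif st[0] == "assert":
            _, v, lo, hi = st
            holds, fails = {v: (lo, hi)}, [{v: (-INF, lo - 1)}, {v: (hi + 1, INF)}]
            # success: check holds and rest succeeds; failure: it fails, or holds and rest fails
            ok, err = meet(ok, holds), join(meet(err, holds) + fails, limit)
        elif st[0] == "if":
            _, v, then, els = st
            ok_t, err_t = dual_pre(then, ok, err, limit)
            ok_e, err_e = dual_pre(els, ok, err, limit)
            t, e = {v: (1, INF)}, {v: (-INF, 0)}
            ok = join(meet(ok_t, t) + meet(ok_e, e), limit)
            err = join(meet(err_t, t) + meet(err_e, e), limit)
    return ok, err

def analyze(stmts, limit=INF):
    """Preconditions of a whole program: final OK = true, final ERR = false."""
    return dual_pre(stmts, [{}], [], limit)

def contains(cond, inp):
    return any(all(b.get(v, TOP)[0] <= x <= b.get(v, TOP)[1] for v, x in inp.items())
               for b in cond)

def verdict(ok, err, inp):
    """Both sets over-approximate, so being outside either one is definite."""
    if not contains(err, inp):
        return "safe"     # no execution from this input can fail
    if not contains(ok, inp):
        return "bug"      # no execution from this input can succeed: real bug
    return "unknown"      # in both: the analysis was too coarse to decide

def run(stmts, env):
    """Concrete execution; False as soon as an assert fails."""
    for st in stmts:
        if st[0] == "assign":
            env[st[1]] += st[2]
        elif st[0] == "assert" and not st[2] <= env[st[1]] <= st[3]:
            return False
        elif st[0] == "if" and not run(st[2] if env[st[1]] >= 1 else st[3], env):
            return False
    return True

def sound(stmts, limit, inputs):
    """No 'safe' input may fail concretely and no 'bug' input may succeed."""
    ok, err = analyze(stmts, limit)
    return all(verdict(ok, err, x) != ("bug" if run(stmts, dict(x)) else "safe")
               for x in inputs)

# Constructed program: nudge index i up or down, then index an 8-element array.
PROG = [("if", "flag", [("assign", "i", 1)], [("assign", "i", -1)]),
        ("assert", "i", 0, 7)]
INPUTS = [{"flag": f, "i": i} for f in (0, 1) for i in range(-3, 12)]
```

With an unlimited number of disjuncts every input in `INPUTS` is decided as either `safe` or `bug`. With `analyze(PROG, 3)` the join at the `if` hulls two of the failure boxes into one that covers every `flag >= 1` input, so an input such as `flag=1, i=3` drops to `unknown`; what does not happen is a wrong verdict, and `sound(PROG, 3, INPUTS)` still holds. That is the property to insist on from any tool that claims to find real bugs with an over-approximating analysis: unknowns are the price of precision loss, wrong verdicts are not.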
