Symbolic Execution for Verification

In previous work, we presented a symbolic execution method which starts with a concrete model of the program but progressively abstracts away details only when these are known to be irrelevant using interpolation. In this paper, we extend the technique to handle unbounded loops. The central idea is to progressively discover the strongest invariants through a process of loop unrolling. The key feature of this technique, called the minimax algorithm, is intelligent backtracking which directs the search for the next invariant. We then present an analysis of the main differences between our symbolic execution method and mainstream techniques mainly based on abstract refinement (CEGAR). Finally, we evaluate our technique against available state-of-the-art systems.

[1]  Thomas A. Henzinger,et al.  The software model checker Blast , 2007, International Journal on Software Tools for Technology Transfer.

[2]  Thomas A. Henzinger,et al.  Path invariants , 2007, PLDI '07.

[3]  Edmund M. Clarke,et al.  Counterexample-Guided Abstraction Refinement , 2000, CAV.

[4]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[5]  Andrew E. Santosa,et al.  An Interpolation Method for CLP Traversal , 2009, CP.

[6]  Thomas A. Henzinger,et al.  SYNERGY: a new algorithm for property checking , 2006, SIGSOFT '06/FSE-14.

[7]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[8]  Hassen Saïdi,et al.  Model Checking Guided Abstraction and Analysis , 2000, SAS.

[9]  Andrew E. Santosa,et al.  Efficient Memoization for Dynamic Programming with Ad-Hoc Constraints , 2008, AAAI.

[10]  Michael J. Maher,et al.  Constraint Logic Programming: A Survey , 1994, J. Log. Program..

[11]  Kenneth L. McMillan Lazy Annotation for Program Testing and Verification , 2010, CAV.

[12]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[13]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[14]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[15]  Robert J. Simmons,et al.  Proofs from Tests , 2008, IEEE Transactions on Software Engineering.

[16]  Patrick Cousot,et al.  Fixpoint-Guided Abstraction Refinements , 2007, SAS.

[17]  Thomas A. Henzinger,et al.  Abstractions from proofs , 2004, POPL.

[18]  Sriram K. Rajamani,et al.  Compositional may-must program analysis: unleashing the power of alternation , 2010, POPL '10.