Reducing False Positives by Combining Abstract Interpretation and Bounded Model Checking

Fully automatic source code analysis tools based on abstract interpretation have become an integral part of the embedded software development process in many companies. And although these tools are of great help in identifying residual errors, they still possess a major drawback: analyzing industrial code comes at the cost of many spurious errors that must be investigated manually. The need for efficient development cycles prohibits extensive manual reviews, however. To overcome this problem, the combination of different software verification techniques has been suggested in the literature. Following this direction, we present a novel approach combining abstract interpretation and source code bounded model checking, where the model checker is used to reduce the number of false error reports. We apply our methodology to source code from the automotive industry written in C, and show that the number of spurious errors emitted by an abstract interpretation product can be reduced considerably.
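The combination the abstract describes, as an added toy illustration that is not the paper's tooling: a non-relational interval analysis with widening over-approximates a loop and raises an out-of-bounds alarm, and an exhaustive bounded exploration of the same loop (the role the paper assigns to the bounded model checker) either produces a concrete counterexample or shows the alarm is spurious. The program under analysis, `ITERATIONS`, `STEP` and `ARRAY_LEN` are constructed for this example.

```python
import math
from itertools import product

# Constructed program under analysis (not from the paper):
#   int idx = 0;
#   for (int i = 0; i < ITERATIONS; i++) { if (nondet()) idx += STEP; }
#   return a[idx];                      /* a has ARRAY_LEN elements */

def interval_analysis(step, array_len):
    """Toy interval abstract interpretation of the loop with widening.
    The domain is non-relational, so the loop counter gives no bound on idx."""
    lo, hi = 0, 0                                # idx == 0 at loop entry
    while True:
        # abstract body: join of "idx unchanged" and "idx += step"
        new_lo, new_hi = lo, max(hi, hi + step)
        if (new_lo, new_hi) == (lo, hi):
            return (lo, hi), hi >= array_len     # fixpoint; alarm if idx may reach the bound
        if new_hi > hi:
            new_hi = math.inf                    # widening: a growing bound is pushed to +inf
        lo, hi = new_lo, new_hi

def bounded_check(iterations, step, array_len):
    """Bounded exploration of every branch choice (the model checker's role).
    Returns a concrete counterexample path, or None if no path reaches the error."""
    for path in product((False, True), repeat=iterations):
        idx = sum(step for taken in path if taken)
        if idx >= array_len:
            return path                          # genuine out-of-bounds access
    return None

def triage(iterations, step, array_len):
    """Combine both: only alarms raised by the abstract analysis are re-checked."""
    _, alarm = interval_analysis(step, array_len)
    if not alarm:
        return "no alarm"
    return "spurious" if bounded_check(iterations, step, array_len) is None else "confirmed"

if __name__ == "__main__":
    print(interval_analysis(2, 16))             # ((0, inf), True): alarm raised
    print(triage(4, 2, 16))                     # spurious: four steps of 2 stay below 16
    print(triage(10, 2, 16))                    # confirmed: eight taken branches reach 16
```

The bounded check is only sound up to the loop bound it explores; the paper's point is that within that bound it discards alarms the abstract domain cannot.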
