JaVerT 2.0: compositional symbolic execution for JavaScript

We propose a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. Using this approach, we build JaVerT 2.0, a symbolic analysis tool for JavaScript that follows the language semantics without simplifications. JaVerT 2.0 supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during whole-program symbolic testing and guides the inference of missing resource during bi-abductive execution. We evaluate the performance of JaVerT 2.0 on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic testing; an improvement over the state of the art in JavaScript verification; and the feasibility of automatic compositional testing for JavaScript.
