A Theory for Control-Flow Graph Exploration

Detection of infeasible code has recently been identified as a scalable and automated technique for locating likely defects in software programs. Given the (acyclic) control-flow graph of a procedure, infeasible code detection reduces to an exhaustive search for feasible paths through the graph: a block is infeasible if no feasible path from entry to exit passes through it. A number of encodings of control-flow graphs into logic (understood by theorem provers) have been proposed in the past for this application. In this paper, we compare the performance of these encodings in terms of runtime and the number of queries processed by the prover. We present a theory of acyclic control-flow as an alternative way of handling control-flow graphs. Such a theory can be built into theorem provers by means of theory plug-ins. Our experiments show that native handling of control-flow can lead to significant performance gains compared to the previous encodings.
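The search the abstract describes, as an added example that is not code from the paper: an acyclic CFG whose edges carry guards, an exhaustive enumeration of entry-to-exit paths, and a per-node feasibility verdict. The "prover" here is a constructed brute-force check over a small integer domain (an assumption standing in for a real theorem prover), and the covering rule that skips paths whose nodes are all already known feasible is a simple illustration of why the number of prover queries can stay below the number of paths; it is not the paper's theory plug-in. The CFG, node names and guards are constructed for the example.

```python
"""Infeasible-code detection on an acyclic CFG by exhaustive path search.

Constructed example, not code from the paper: every edge carries a guard,
a predicate over the procedure's integer variables, and a node is reported
as infeasible when no entry-to-exit path through it has a satisfiable
conjunction of guards.  Satisfiability is decided by brute force over a
small finite domain, standing in for the theorem-prover query."""
from itertools import product
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Env = Dict[str, int]
Guard = Callable[[Env], bool]
CFG = Dict[str, List[Tuple[str, Guard]]]      # node -> [(successor, guard)]


def enumerate_paths(cfg: CFG, entry: str, exit_: str) -> List[Tuple[List[str], List[Guard]]]:
    """All entry-to-exit paths; the graph is acyclic, so the DFS terminates."""
    paths: List[Tuple[List[str], List[Guard]]] = []

    def walk(node: str, nodes: List[str], guards: List[Guard]) -> None:
        if node == exit_:
            paths.append((nodes, guards))
            return
        for succ, guard in cfg.get(node, []):
            walk(succ, nodes + [succ], guards + [guard])

    walk(entry, [entry], [])
    return paths


def satisfiable(guards: Sequence[Guard], variables: Sequence[str],
                domain: Sequence[int]) -> Optional[Env]:
    """Brute-force stand-in for the prover: a model of the conjunction, or None."""
    for values in product(domain, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(g(env) for g in guards):
            return env
    return None


def infeasible_nodes(cfg: CFG, entry: str, exit_: str,
                     variables: Sequence[str], domain: Sequence[int]):
    """Return (infeasible nodes, prover queries issued, paths enumerated).

    A path whose nodes are all already known feasible needs no query:
    its answer cannot change the verdict for any node.  This covering
    rule is what keeps the query count below the path count."""
    paths = enumerate_paths(cfg, entry, exit_)
    feasible: set = set()
    queries = 0
    for nodes, guards in paths:
        if set(nodes) <= feasible:
            continue
        queries += 1
        if satisfiable(guards, variables, domain) is not None:
            feasible.update(nodes)
    all_nodes = set(cfg) | {s for succs in cfg.values() for s, _ in succs}
    return sorted(all_nodes - feasible), queries, len(paths)


TRUE: Guard = lambda e: True

# Constructed CFG of a small procedure.  Node E is dead: reaching it needs
# x > 0 and y < 0 (edge M->C) together with y > x (edge C->E).
EXAMPLE_CFG: CFG = {
    "entry": [("A", lambda e: e["x"] > 0), ("B", lambda e: e["x"] <= 0)],
    "A": [("M", TRUE)],
    "B": [("M", TRUE)],
    "M": [("D", lambda e: e["y"] >= 0),
          ("C", lambda e: e["x"] > 0 and e["y"] < 0)],
    "D": [("exit", TRUE)],
    "C": [("E", lambda e: e["y"] > e["x"]), ("exit", lambda e: e["y"] <= e["x"])],
    "E": [("exit", TRUE)],
}


def run_example():
    return infeasible_nodes(EXAMPLE_CFG, "entry", "exit", ["x", "y"], range(-2, 3))


if __name__ == "__main__":
    dead, queries, n_paths = run_example()
    print(f"infeasible nodes: {dead}; {queries} prover queries for {n_paths} paths")
```

On the constructed graph the six entry-to-exit paths need only five queries, because the last path `entry, B, M, C, exit` consists entirely of nodes already proved feasible by earlier paths. A path-based encoding that issues one query per path would issue six; the comparison in the paper is about how far the different encodings, and the native control-flow theory, push that count down on real procedures.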
