Finding bugs efficiently with a SAT solver

We present an approach for checking code against rich specifications, based on existing work that consists of encoding the program in a relational logic and using a constraint solver to find specification violations. We improve the efficiency of this approach with a new encoding of the program that effectively slices it at the logical level with respect to the specification. We also present new encodings for integer values and arrays, enabling the verification of realistic fragments of code that manipulate both. Our technique can handle integers of much larger ranges than previously possible, and permits large sparse arrays to be handled efficiently. We present a soundness proof for our slicing algorithm and a general condition under which relational formulae may be sliced. We implemented our technique and evaluated it by checking data structure invariants of several classes taken from the Java Collections Framework. We also checked for violations of Java's equality contract in a variety of open-source programs, and found several bugs.
