Finding bugs in software with a constraint solver

We present a static technique for finding bugs in object-oriented procedures. It can check complex user-defined structural properties—that is, properties of the configuration of objects on the heap—it generates counterexamples, and it is fully automatic. It is based on the Alloy modelling language and analyzer. The method relies on a three-step translation: from code to a formula in Alloy, a first-order relational logic; then to a propositional formula; and finally to conjunctive normal form (CNF). An off-the-shelf SAT solver is then used to find a solution, which constitutes a counterexample. Modularity comes at the price of intermediate specifications. To minimize such annotations, the analysis includes a suite of optimizations that allow larger procedures to be checked with fewer annotations. The optimizations are based on a special treatment of relations that are known to be functional, and they target all steps of the translation to CNF. Their effect is demonstrated with a prototype tool that handles a subset of Java, by analyzing real code. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
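The pipeline the abstract describes, carried out on a deliberately tiny case, as an added example that is not part of the thesis or its prototype tool: a three-node scope, a `next` field encoded as a functional relation over boolean variables, a one-line procedure `link(x, y) { x.next = y; }` with a constructed specification (requires `x.next == null`, ensures no cycle through `x`), a structure-preserving (Tseitin-style) translation to CNF, and a minimal DPLL solver standing in for an off-the-shelf one. The scope size, node names, procedure, specification and all function names are assumptions made for this illustration; the exactly-one clauses in `functional` are simply where the functional nature of a field enters this encoding, not a reproduction of the thesis's optimizations. The model the solver returns is decoded back into a pre-state and post-state heap, which is the counterexample.

```python
# Added example (not the thesis's code): bounded SAT-based check of a tiny heap procedure.
# Pipeline: relational constraints over a small scope -> propositional formula -> CNF -> SAT.
import itertools

# Propositional formulas as tuples: ('var', name) | ('not', f) | ('and', [...]) | ('or', [...])
def var(n): return ('var', n)
def NOT(f): return ('not', f)
def AND(*fs): return ('and', list(fs))
def OR(*fs): return ('or', list(fs))
def IFF(a, b): return AND(OR(NOT(a), b), OR(a, NOT(b)))

# Constructed scope: three heap nodes plus null; a field is a relation Node -> Node + null.
NODES = ['n0', 'n1', 'n2']
TARGETS = NODES + ['null']

def field_vars(prefix):
    # One boolean per (source, target) pair: true iff source.field == target.
    return {(s, t): var(f'{prefix}_{s}_{t}') for s in NODES for t in TARGETS}

def functional(rel):
    # A field is a functional relation: each source maps to exactly one target.
    cs = []
    for s in NODES:
        cs.append(OR(*[rel[(s, t)] for t in TARGETS]))                 # at least one target
        for t1, t2 in itertools.combinations(TARGETS, 2):              # at most one target
            cs.append(OR(NOT(rel[(s, t1)]), NOT(rel[(s, t2)])))
    return AND(*cs)

def step(rel, a, b, k):
    # b is reached from a by exactly k dereferences of the field (k >= 1), unrolled in the scope.
    if k == 1: return rel[(a, b)]
    return OR(*[AND(step(rel, a, m, k - 1), rel[(m, b)]) for m in NODES])

def reaches(rel, a, b):
    # b is reachable from a in 1..len(NODES) steps, which covers every path in this scope.
    return OR(*[step(rel, a, b, k) for k in range(1, len(NODES) + 1)])

def to_cnf(f):
    # Tseitin-style structure-preserving translation: one fresh variable per compound subformula.
    clauses, ids, counter = [], {}, itertools.count(1)
    def lit(name): return ids.setdefault(name, len(ids) + 1)
    def enc(g):
        kind = g[0]
        if kind == 'var': return lit(g[1])
        if kind == 'not': return -enc(g[1])
        subs = [enc(h) for h in g[1]]
        d = lit(f'_def{next(counter)}')
        if kind == 'and':                                  # d <-> s1 & ... & sn
            clauses.extend([-d, s] for s in subs)
            clauses.append([d] + [-s for s in subs])
        else:                                              # d <-> s1 | ... | sn
            clauses.extend([-s, d] for s in subs)
            clauses.append([-d] + subs)
        return d
    clauses.append([enc(f)])
    return clauses, ids

def dpll(clauses, model):
    # Minimal DPLL (unit propagation + branching), standing in for an off-the-shelf solver.
    live = []
    for c in clauses:
        if any(model.get(abs(l)) == (l > 0) for l in c): continue   # already satisfied
        rest = [l for l in c if abs(l) not in model]
        if not rest: return None                                   # falsified: backtrack
        live.append(rest)
    if not live: return model
    units = [c[0] for c in live if len(c) == 1]
    choices = [units[0]] if units else [live[0][0], -live[0][0]]
    for l in choices:
        m = dpll(live, {**model, abs(l): l > 0})
        if m is not None: return m
    return None

def find_counterexample(x='n0', y='n1', strong_pre=False):
    # Constructed procedure link(x, y) { x.next = y; } with spec: requires x.next == null,
    # ensures no cycle through x (strong_pre also requires that y does not reach x).
    pre_f, post_f = field_vars('next'), field_vars('next_post')
    cs = [functional(pre_f), functional(post_f),
          pre_f[(x, 'null')],                     # precondition
          post_f[(x, y)]]                         # effect of x.next = y
    for s in NODES:                               # frame condition: other rows unchanged
        if s != x: cs += [IFF(pre_f[(s, t)], post_f[(s, t)]) for t in TARGETS]
    if strong_pre: cs.append(NOT(reaches(pre_f, y, x)))
    cs.append(reaches(post_f, x, x))              # negated postcondition: a cycle through x
    clauses, ids = to_cnf(AND(*cs))
    model = dpll(clauses, {})
    if model is None: return None                 # unsatisfiable: no counterexample in scope
    heap = lambda rel: {s: t for (s, t), v in rel.items() if model.get(ids[v[1]], False)}
    return {'pre': heap(pre_f), 'post': heap(post_f)}

def has_cycle(heap, x):
    # Follow the field from x; True if x is revisited within len(heap) steps.
    cur = heap.get(x)
    for _ in range(len(heap)):
        if cur == x: return True
        cur = heap.get(cur)
    return False

if __name__ == '__main__':
    print(find_counterexample(), find_counterexample(strong_pre=True))
```

Running the script prints a counterexample whose pre-state has `n0 -> null` and whose post-state has `n0 -> n1` with `n1` leading back to `n0` (either directly or via `n2`): the specification's precondition is too weak. With `strong_pre=True`, the added conjunct that `y` does not reach `x` makes the CNF unsatisfiable, so no counterexample exists within this scope; as with any bounded check, that says nothing about heaps larger than the scope.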
