Efficient Directionless Weakest Preconditions

Verification condition (VC) generation is a fundamental part of many program analyses and applications, including proving program correctness, automatic test case generation, and proof-carrying code. One might expect VC applications to use the theoretically most appealing VC generation algorithm. This is often not the case. The most theoretically appealing algorithms are based on weakest preconditions (WP) and generate VCs of size at most O(M^2) for M program statements; however, they process statements from last to first. In practice, many application domains choose forward symbolic execution (FSE), which generates predicates of size O(2^M). FSE is chosen because it builds VCs in execution order, which allows a number of pragmatic optimizations. We reconcile the differences between FSE and WP by proposing a new directionless weakest precondition that can be run in either the forward or the backward direction. Our algorithm provides the more attractive O(M^2) VC generation time and predicate size while allowing VC generation in execution order, which is what makes FSE attractive in practice. Thus our algorithm can act as a "drop-in" replacement for either algorithm. We provide proofs of correctness, size, and generation time. We also show a correspondence between FSE and WP for deterministic programs and, perhaps surprisingly, that they are not equivalent for the full class of programs in Dijkstra's guarded command language (GCL).
