Abstract
This article presents Saturn, a general framework for building precise and scalable static error detection systems. Saturn exploits recent advances in Boolean satisfiability (SAT) solvers and is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, which we achieve using two techniques. First, for each program function, several optimizations compress the size of the Boolean formulas that model the control flow and data flow and the heap locations accessed by a function. Second, summaries in the spirit of type signatures are computed for each function, allowing interprocedural analysis without a dramatic increase in the size of the Boolean constraints to be solved.
We have experimentally validated our approach by conducting two case studies involving a Linux lock checker and a memory leak checker. Results from the experiments show that our system scales well, parallelizes well, and finds more errors with fewer false positives than previous static error detection systems.
- Aho, A. V., Sethi, R., and Ullman, J. D. 1986. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading, MA. Google Scholar
Digital Library
- Aiken, A., Foster, J. S., Kodumal, J., and Terauchi, T. 2003. Checking and inferring local non-aliasing. In Proceedings of the 2003 ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM Press, New York, NY, 129--140. Google Scholar
Digital Library
- Ball, T., Cook, B., Levin, V., and Rajamani, S. 2004. SLAM and Static Driver Verifier: Technology transfer of formal methods inside Microsoft. In Proceedings of Fourth International Conference on Integrated Formal Methods. Springer, Berlin, Germany.Google Scholar
- Ball, T. and Rajamani, S. K. 2001. Automatically validating temporal safety properties of interfaces. In Proceedings of the SPIN 2001 Workshop on Model Checking of Software. Lecture Notes in Computer Science, vol. 2057. Springer, Berlin, Germany, 103--122. Google Scholar
Digital Library
- Bryant, R. E. 1986. Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput. C-35, 8 (Aug.), 677--691. Google Scholar
Digital Library
- Bush, W., Pincus, J., and Sielaff, D. 2000. A static analyzer for finding dynamic programming errors. Softw. Pract. Exper. 30, 7 (Jun.), 775--802. Google Scholar
Digital Library
- Chilimbi, T. and Hauswirth, M. 2004. Low-overhead memory leak detection using adaptive statistical profiling. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems. Google Scholar
Digital Library
- Chou, A. 2003. Static analysis for bug finding in systems software. Ph.D. dissertation. Stanford University, Stanford, CA. Google Scholar
Digital Library
- Clarke, E., Kroening, D., and Lerda, F. 2004a. A tool for checking ANSI-C programs. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), K. Jensen and A. Podelski, Eds. Lecture Notes in Computer Science, vol. 2988. Springer, Berlin, Germany, 168--176.Google Scholar
- Clarke, E., Kroening, D., Sharygina, N., and Yorav, K. 2004b. Predicate abstraction of ANSI-C programs using SAT. Form. Meth. Syst. Des. 25, 2-3 (Sept.), 105--127. Google Scholar
Digital Library
- Das, M., Lerner, S., and Seigle, M. 2002. Path-sensitive program verification in polynomial time. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (Berlin, Germany). Google Scholar
Digital Library
- Emami, M., Ghiya, R., and Hendren, L. 1994. Context-sensitive interprocedural points-to analysis in the presence of function pointers. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation. Google Scholar
Digital Library
- Engler, D., Chelf, B., Chou, A., and Hallem, S. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Conference on Operating Systems Design and Implementation (OSDI). Google Scholar
Digital Library
- Evans, D. 1996. Static detection of dynamic memory errors. In Proceedings of the ACM SIGPLAN 1996 Conference on Programming Language Design and Implementation. Google Scholar
Digital Library
- Foster, J. S., Terauchi, T., and Aiken, A. 2002. Flow-sensitive type qualifiers. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation. 1--12. Google Scholar
Digital Library
- Hackett, B. and Aiken, A. 2005. How is aliasing used in systems software? Tech. rep. Stanford University, Stanford, CA.Google Scholar
- Hackett, B. and Rugina, R. 2005. Region-based shape analysis with tracked locations. In Proceedings of the 32nd Annual Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- Hallem, S., Chelf, B., Xie, Y., and Engler, D. 2002. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (Berlin, Germany). Google Scholar
Digital Library
- Hastings, R. and Joyce, B. 1992. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference.Google Scholar
- Heine, D. L. and Lam, M. S. 2003. A practical flow-sensitive and context-sensitive C and C++ memory leak detector. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation. 168--181. Google Scholar
Digital Library
- Henzinger, T. A., Jhala, R., and Majumdar, R. 2002. Lazy abstraction. In Proceedings of the 29th Annual Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- Henzinger, T. A., Jhala, R., Majumdar, R., and Sutre, G. 2003. Software verification with Blast. In Proceedings of the SPIN 2003 Workshop on Model Checking Software. Lecture Notes in Computer Science, vol. 2648. Springer, Berlin, Germany, 235--239.Google Scholar
- Jackson, D. and Vaziri, M. 2000. Finding bugs with a constraint solver. In Proceedings of the 2000 ACM SIGSOFT International Symposium on Software Testing and Analysis. Google Scholar
Digital Library
- Khurshid, S., Pasareanu, C., and Visser, W. 2003. Generalized symbolic execution for model checking and testing. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, Berlin, Germany.Google Scholar
- Kroening, D., Clarke, E., and Yorav, K. 2003. Behavioral consistency of C and Verilog programs using bounded model checking. In Proceedings of the 40th Design Automation Conference. ACM Press, New York, NY, 368--371. Google Scholar
Digital Library
- Landi, W. and Ryder, B. 1992. A safe approximation algorithm for interprocedural pointer aliasing. In Proceedings of the ACM SIGPLAN 1992 Conference on Programming Language Design and Implementation. Google Scholar
Digital Library
- Liang, D. and Harrold, M. 2001. Efficient computation of parameterized pointer information for interprocedural analysis. In Proceedings of the 8th Static Analysis Symposium. Google Scholar
Digital Library
- Moskewicz, M., Madigan, C., Zhao, Y., Zhang, L., and Malik, S. 2001. Chaff: Engineering an efficient sat solver. In Proceedings of the 39th Conference on Design Automation Conference. Google Scholar
Digital Library
- Ruf, E. 2000. Effective synchronization removal for Java. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation. Google Scholar
Digital Library
- Whaley, J. and Rinard, M. 1999. Compositional pointer and escape analysis for Java programs. In Proceedings of the 14th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications. Google Scholar
Digital Library
- Wilson, R. and Lam, M. 1995. Efficient context-sensitive pointer analysis for C programs. In Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation. Google Scholar
Digital Library
- Xie, Y. and Chou, A. 2002. Path sensitive analysis using Boolean satisfiability. Tech. rep. Stanford University, Stanford, CA.Google Scholar
- Zhang, L., Madigan, C., Moskewicz, M., and Malik, S. 2001. Efficient conflict driven learning in a Boolean satisfiability solver. In Proceedings of the International Conference on Computer-Aided Design (San Jose, CA). Google Scholar
Digital Library
Index Terms
Saturn: A scalable framework for error detection using Boolean satisfiability
Recommendations
Scalable error detection using boolean satisfiability
POPL '05: Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languagesWe describe a software error-detection tool that exploits recent advances in boolean satisfiability (SAT) solvers. Our analysis is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, ...
An overview of the saturn project
PASTE '07: Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineeringWe present an overview of the Saturn program analysis system, including a rationale for three major design decisions: the use of function-at-a-time, or summary-based, analysis, the use of constraints, and the use of a logic programming language to ...
Scalable error detection using boolean satisfiability
Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languagesWe describe a software error-detection tool that exploits recent advances in boolean satisfiability (SAT) solvers. Our analysis is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, ...






Comments