Saturn: A scalable framework for error detection using Boolean satisfiability

Published: 1 May 2007
Abstract

This article presents Saturn, a general framework for building precise and scalable static error detection systems. Saturn exploits recent advances in Boolean satisfiability (SAT) solvers and is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, which we achieve using two techniques. First, for each program function, several optimizations compress the size of the Boolean formulas that model the control flow and data flow and the heap locations accessed by a function. Second, summaries in the spirit of type signatures are computed for each function, allowing interprocedural analysis without a dramatic increase in the size of the Boolean constraints to be solved.

We have experimentally validated our approach by conducting two case studies involving a Linux lock checker and a memory leak checker. Results from the experiments show that our system scales well, parallelizes well, and finds more errors with fewer false positives than previous static error detection systems.
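The following is an added example, not code from the Saturn paper or its implementation, that shows in miniature what the abstract describes: one function's lock operations are turned into a Boolean formula in which every `if` guard is a free Boolean variable, the lock state after each statement is a symbolic value, and each error condition (double acquire, release without hold, return with the lock held) is posed as a separate satisfiability query. Everything here is constructed for illustration: the two-statement toy programs, the guard names `flag` and `done`, the `LOCK`/`UNLOCK` statement form, and the small DPLL solver, which stands in for the production SAT solver Saturn would call. Only Boolean guards are modelled; Saturn's bit-level integer encoding, pointer and heap modelling, and function summaries are not reproduced.

```python
"""Added example (not Saturn's code): path-sensitive lock checking
for one function by encoding lock state into CNF and asking a SAT
solver whether any path reaches an error condition."""
from itertools import count


class CNF:
    """Tseitin-style CNF builder.  A literal is a nonzero int; -x is not x."""

    def __init__(self):
        self.clauses = []
        self._ids = count(1)

    def var(self):
        return next(self._ids)

    def const(self, value):
        v = self.var()                         # fresh var pinned by a unit clause
        self.clauses.append([v] if value else [-v])
        return v

    def ite(self, c, t, e):
        """Fresh r constrained so that r <-> (c ? t : e)."""
        r = self.var()
        self.clauses += [[-c, -t, r], [-c, t, -r], [c, -e, r], [c, e, -r]]
        return r

    def and_(self, a, b):
        """Fresh r constrained so that r <-> (a and b)."""
        r = self.var()
        self.clauses += [[-a, -b, r], [a, -r], [b, -r]]
        return r


def solve(clauses, assignment=None):
    """DPLL with unit propagation.  Returns a satisfying {var: bool}
    assignment, or None when the clause set is unsatisfiable."""
    assignment = dict(assignment or {})
    while True:
        unit, remaining = None, []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                       # clause already satisfied
            rest = [l for l in clause if abs(l) not in assignment]
            if not rest:
                return None                    # all literals false: conflict
            if len(rest) == 1:
                unit = rest[0]
            remaining.append(rest)
        clauses = remaining
        if not clauses:
            return assignment
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0       # unit propagation
    lit = clauses[0][0]                        # branch on some open literal
    for value in (lit > 0, lit < 0):
        model = solve(clauses, {**assignment, abs(lit): value})
        if model is not None:
            return model
    return None


LOCK, UNLOCK = "lock", "unlock"               # constructed statement forms


def check_lock_discipline(stmts):
    """stmts: list of (op, guard) where guard is a Boolean variable name or
    None for an unconditional statement.  Returns {error_kind: witness}
    for every error some path can reach; an empty dict means clean."""
    cnf, guards = CNF(), {}

    def guard(name):
        if name is None:
            return cnf.const(True)
        if name not in guards:
            guards[name] = cnf.var()           # same name -> same variable
        return guards[name]

    held = cnf.const(False)                    # lock is free on entry
    conditions = []                            # (kind, literal true iff error)
    for op, name in stmts:
        g = guard(name)
        if op == LOCK:
            conditions.append(("double acquire", cnf.and_(g, held)))
            held = cnf.ite(g, cnf.const(True), held)
        else:
            conditions.append(("release without hold", cnf.and_(g, -held)))
            held = cnf.ite(g, cnf.const(False), held)
    conditions.append(("return with lock held", held))

    found = {}
    for kind, lit in conditions:
        model = solve(cnf.clauses + [[lit]])   # program encoding AND error
        if model is not None and kind not in found:
            found[kind] = {n: model.get(v, False) for n, v in guards.items()}
    return found


if __name__ == "__main__":
    # Constructed toys: release guarded by a different condition than the
    # acquire (buggy) versus the same guard on both sides (clean).
    print("buggy", check_lock_discipline([(LOCK, "flag"), (UNLOCK, "done")]))
    print("clean", check_lock_discipline([(LOCK, "flag"), (UNLOCK, "flag")]))
```

The clean program is the point of path sensitivity: because the acquire and the release share the guard `flag`, the lock-held-at-exit formula reduces to `flag AND NOT flag` and the solver reports it unsatisfiable, whereas a path-insensitive analysis that merges the two branches of each `if` would report a leak. In the buggy program the solver returns a concrete witness (`flag` true, `done` false) for the leaking path, which is the kind of evidence a reviewer wants attached to a report.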


Published in: ACM Transactions on Programming Languages and Systems, Volume 29, Issue 3 (Special issue on POPL 2005), May 2007, 140 pages.
ISSN: 0164-0925, EISSN: 1558-4593, DOI: 10.1145/1232420

Copyright © 2007 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.
