research-article

Snugglebug: a powerful approach to weakest preconditions

Published: 15 June 2009

Abstract

Symbolic analysis shows promise as a foundation for bug-finding, specification inference, verification, and test generation. This paper addresses demand-driven symbolic analysis for object-oriented programs and frameworks. Many such code bases are large, partial programs with highly dynamic behaviors (polymorphism, reflection, and so on), which pose significant scalability challenges for any static analysis.

We present an approach based on interprocedural backwards propagation of weakest preconditions. We present several novel techniques to improve the efficiency of such analysis. First, we present directed call graph construction, where call graph construction and symbolic analysis are interleaved. With this technique, call graph construction is guided by constraints discovered during symbolic analysis, obviating the need for exhaustively exploring a large, conservative call graph. Second, we describe generalization, a technique that greatly increases the reusability of procedure summaries computed during interprocedural analysis. Instead of tabulating how a procedure transforms a symbolic state in its entirety, our technique tabulates how the procedure transforms only the pertinent portion of the symbolic state. Additionally, we show how integrating an inexpensive, custom logic simplifier with weakest precondition computation dramatically improves performance.

We have implemented the analysis in a tool called Snugglebug and evaluated it as a bug-report feasibility checker. Our results show that the algorithmic techniques were critical for successfully analyzing large Java applications.
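The following is an added illustration of the backward weakest-precondition propagation, the integrated simplifier and the feasibility check described in the abstract; it is not the paper's own implementation. It works over a constructed three-statement toy language, and the null-as-0 encoding, the two sample paths and all names are assumptions.

```python
# Expressions: int literal | variable name (str) | (op, left, right).
# Statements: ('assign', var, expr) for x := e, ('assume', cond) for a taken branch.
import operator

BINOPS = {'+': operator.add, '-': operator.sub, '==': operator.eq,
          '!=': operator.ne, '<': operator.lt, '>': operator.gt}

def subst(expr, var, val):
    """Replace every occurrence of variable `var` in `expr` by `val`."""
    if isinstance(expr, str):
        return val if expr == var else expr
    if isinstance(expr, tuple):
        return (expr[0],) + tuple(subst(a, var, val) for a in expr[1:])
    return expr  # integer literal

def simplify(expr):
    """Local rewriting only (constant folding, boolean identities): cheap enough to run after every wp step."""
    if not isinstance(expr, tuple):
        return expr
    op, args = expr[0], [simplify(a) for a in expr[1:]]
    if op in BINOPS and all(type(a) is int for a in args):
        return BINOPS[op](*args)           # fold e.g. ('!=', 0, 0) to False
    if op == 'and':
        if any(a is False for a in args):  # `is`, because 0 == False in Python
            return False
        args = [a for a in args if a is not True]
        if len(args) < 2:
            return args[0] if args else True
    return (op,) + tuple(args)

def wp(path, post):
    """Propagate `post` backwards through `path`, simplifying after each step."""
    phi = post
    for stmt in reversed(path):
        if stmt[0] == 'assign':            # wp(x := e, phi) = phi[e/x]
            phi = subst(phi, stmt[1], stmt[2])
        elif stmt[0] == 'assume':          # wp(assume c, phi) = c and phi
            phi = ('and', stmt[1], phi)
        phi = simplify(phi)
    return phi

def feasible(path, bug_condition):
    """Bug-report feasibility: False when the path provably cannot reach the bug."""
    return wp(path, bug_condition) is not False

# Constructed sample paths; null is modelled as 0 and the reported bug is a dereference of a null `obj`.
BUG = ('==', 'obj', 0)
PATH_GUARDED = [('assign', 'obj', 0), ('assume', ('!=', 'obj', 0)),
                ('assign', 'n', ('+', 'n', 1))]   # null check guards the use: infeasible
PATH_FROM_PARAM = [('assign', 'obj', 'param'), ('assume', ('>', 'n', 0))]  # feasible if param is null
```

Running `wp` on the guarded path folds the formula to `False`, so that bug report is rejected without a solver call, while the second path yields the symbolic precondition `n > 0 and param == 0`.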



Published in

ACM SIGPLAN Notices, Volume 44, Issue 6 (PLDI '09), June 2009, 478 pages. ISSN: 0362-1340, EISSN: 1558-1160. DOI: 10.1145/1543135

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2009, 492 pages. ISBN: 9781605583921. DOI: 10.1145/1542476

Copyright © 2009 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
