Proceedings Article
DOI: 10.1109/ASE.2011.6100046
DC2: A framework for scalable, scope-bounded software verification
Franjo Ivancic,Gogul Balakrishnan,Aarti Gupta,Sriram Sankaranarayanan,Naoto Maeda,Hiroki Tokuoka,Takashi Imoto,Yoshiaki Miyazaki +7 more
- 06 Nov 2011
- pp 133-142
TL;DR: DC2 is a scope-bounded verification framework that splits the analysis into manageable parts using inferred pre- and post-conditions, inferred stubs for calls outside the verification scope, and refinement of those conditions from user-identified false alarms; this enables iterative reasoning over the calling environment, and an experimental evaluation on several open-source and industrial projects demonstrates its effectiveness.
Abstract: Software model checking and static analysis have matured over the last decade, enabling their use in automated software verification. However, lack of scalability makes these tools hard to apply. Furthermore, approximations in the models of program and environment lead to a profusion of false alarms. This paper proposes DC2, a verification framework using scope-bounding to bridge these gaps. DC2 splits the analysis problem into manageable parts, relying on a combination of three automated techniques: (a) techniques to infer useful specifications for functions in the form of pre- and post-conditions; (b) stub inference techniques that infer abstractions to replace function calls beyond the verification scope; and (c) automatic refinement of pre- and post-conditions from false alarms identified by a user. DC2 enables iterative reasoning over the calling environment, to help in finding non-trivial bugs and fewer false alarms. We present an experimental evaluation that demonstrates the effectiveness of DC2 on several open-source and industrial software projects.
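The three techniques named in the abstract, shown as an added toy illustration (constructed for this page, not DC2's own code or algorithms): a function in scope, `copy_tag`, calls `read_len`, which lies outside the verification scope and is replaced by a stub whose postcondition is an integer interval of possible return values. A havoc stub produces a spurious alarm; refining the stub removes it; and precondition inference then computes what callers must guarantee. The program, the interval abstraction and the bounded exhaustive checker are all assumptions made for the demo, and stub inference here samples the callee's behaviour rather than inferring it statically as DC2 does.

```python
"""Toy scope-bounded check: stub an out-of-scope callee, refine the stub's
postcondition after a false alarm, and infer a precondition for the function
in scope. Constructed illustration, not DC2's implementation."""
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Interval:
    """Closed integer interval: the abstract value of a parameter or a stub's result."""
    lo: int
    hi: int

    def values(self):
        return range(self.lo, self.hi + 1)


@dataclass
class Spec:
    """Current environment assumption for the function in scope."""
    pre: dict    # parameter name -> Interval (precondition)
    stubs: dict  # out-of-scope callee name -> Interval of return values (postcondition)


# --- program under analysis (constructed; models C-like code in Python) ---

def read_len(hdr: int) -> int:
    """Callee outside the verification scope: a 4-bit length field, -1 on error."""
    return hdr & 0xF if hdr >= 0 else -1


def copy_tag(cap: int, n: int) -> Optional[dict]:
    """Function in scope. `n` stands for the value of read_len(), which the checker
    substitutes from the stub. Returns a counterexample dict, or None if safe."""
    if n < 0:
        return None                      # error path: nothing is written
    if not n < cap:                      # models buf[n] = 0 with buf of size cap
        return {"cap": cap, "read_len": n}
    return None


# --- checker pieces ---

def check(spec: Spec) -> Optional[dict]:
    """Bounded exhaustive check of copy_tag under `spec`; first alarm or None."""
    for cap in spec.pre["cap"].values():
        for n in spec.stubs["read_len"].values():
            cex = copy_tag(cap, n)
            if cex is not None:
                return cex
    return None


def infer_stub(callee: Callable[[int], int], arg_dom: Interval) -> Interval:
    """Stub inference by bounded sampling of the callee (a simplification of
    static inference): the interval spanned by its observed return values."""
    outs = [callee(a) for a in arg_dom.values()]
    return Interval(min(outs), max(outs))


def infer_precondition(spec: Spec, param: str) -> Optional[Interval]:
    """Raise the lower bound of `param` until check() reports no alarm; the
    surviving interval is the precondition exported to callers. None if no
    bound within the domain makes the function safe under the current stubs."""
    dom = spec.pre[param]
    for lo in dom.values():
        candidate = replace(spec, pre={**spec.pre, param: Interval(lo, dom.hi)})
        if check(candidate) is None:
            return Interval(lo, dom.hi)
    return None


def run_workflow():
    havoc = Interval(-64, 64)
    # Iteration 1: the caller promises cap >= 16; nothing is known about read_len,
    # so it is stubbed by a havoc over the bounded range.
    spec = Spec(pre={"cap": Interval(16, 64)}, stubs={"read_len": havoc})
    alarm = check(spec)            # {'cap': 16, 'read_len': 16}: spurious, read_len() <= 15
    # Iteration 2: the user flags the alarm as false; the stub is refined from the callee.
    spec.stubs["read_len"] = infer_stub(read_len, havoc)   # Interval(-1, 15)
    verified = check(spec) is None                          # True
    # Precondition inference from a wide caller assumption: what must cap satisfy?
    wide = Spec(pre={"cap": Interval(0, 64)}, stubs=dict(spec.stubs))
    pre = infer_precondition(wide, "cap")                   # Interval(16, 64)
    return alarm, spec.stubs["read_len"], verified, pre


if __name__ == "__main__":
    print(run_workflow())
```

With the havoc stub, `infer_precondition` cannot find any usable bound on `cap` (the stub can always return a value of at least `cap`), which is the scalability and false-alarm problem the abstract describes; only after the stub is refined does a sensible caller contract (`cap >= 16`) emerge.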
Citations
Efficient state merging in symbolic execution
Volodymyr Kuznetsov,Johannes Kinder,Stefan Bucur,George Candea +3 more
- 11 Jun 2012
TL;DR: A way to automatically choose when and how to merge states such that the performance of symbolic execution is significantly increased and query count estimation, a method for statically estimating the impact that each symbolic variable has on solver queries that follow a potential merge point, is presented.
Efficient State Merging in Symbolic Execution.
Volodymyr Kuznetsov,Johannes Kinder,Stefan Bucur,George Candea +3 more
- 01 Jan 2014
TL;DR: In this article, the authors present query count estimation, a method for statically estimating the impact that each symbolic variable has on solver queries that follow a potential merge point; states are then merged only when doing so promises to be advantageous.
Proceedings Article
Corral: A Solver for Reachability Modulo Theories
Akash Lal,Shaz Qadeer,Shuvendu K. Lahiri +2 more
- 01 Jan 2012
TL;DR: Describes the architecture of Corral, a semi-algorithm for the reachability-modulo-theories problem that uses novel algorithms for on-demand procedure inlining and abstraction refinement, and shows that it outperforms its competitors on most benchmarks.
Theory in practice for system design and verification
Rajeev Alur,Thomas A. Henzinger,Moshe Y. Vardi +2 more
- 28 Jan 2015
TL;DR: Presents methodology and tools for helping developers build high-confidence hardware and software at reasonable cost, together with analysis tools that check that an implementation works as intended.
References
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
Patrick Cousot,Radhia Cousot +1 more
- 01 Jan 1977
TL;DR: In this paper, the abstract interpretation of programs is used to describe computations in another universe of abstract objects, so that the results of abstract execution give some information on the actual computations.
Symbolic Model Checking without BDDs
Armin Biere,Alessandro Cimatti,Edmund M. Clarke,Yunshan Zhu +3 more
- 22 Mar 1999
TL;DR: This paper shows how Boolean decision procedures, such as Stålmarck's method or the Davis-Putnam procedure, can replace BDDs, and introduces a bounded model checking procedure for LTL that reduces model checking to propositional satisfiability.
Counterexample-guided abstraction refinement
Edmund M. Clarke
- 08 Jul 2003
TL;DR: Counterexample-guided abstraction refinement is an automatic abstraction method where the key step is to extract information from false negatives ("spurious counterexamples") due to over-approximation.
A Tool for Checking ANSI-C Programs
Edmund M. Clarke,Daniel Kroening,Flavio Lerda +2 more
- 29 Mar 2004
TL;DR: The tool supports almost all ANSI-C language features, including pointer constructs, dynamic memory allocation, recursion, and the float and double data types, and is integrated into a graphical user interface.
Extended static checking for Java
Cormac Flanagan,K. Rustan M. Leino,Mark Lillibridge,Greg Nelson,James B. Saxe,Raymie Stata +5 more
- 17 May 2002
TL;DR: The Extended Static Checker for Java (ESC/Java) is introduced, an experimental compile-time program checker that finds common programming errors and provides programmers with a simple annotation language with which programmer design decisions can be expressed formally.