An Incremental Approach to Scope-Bounded Checking Using a Lightweight Formal Method

Shao, Danhua; Khurshid, Sarfraz; Perry, Dewayne E.

doi:10.1007/978-3-642-05089-3_48

Cited by 11 publications

(12 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One strategy partitions a program into multiple subprograms at the outset (each with a subset of paths), and solve all of them in parallel [20]. Though amendable to a parallel architecture, it may generate a prohibitively large number of subprograms.…”

Section: E Evaluation Of Blitz Featuresmentioning

confidence: 99%

BLITZ: Compositional bounded model checking for real-world programs

Cho

D’Silva

Song

2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Abstract-Bounded Model Checking (BMC) for software is a precise bug-finding technique that builds upon the efficiency of modern SAT and SMT solvers. BMC currently does not scale to large programs because the size of the generated formulae exceeds the capacity of existing solvers. We present a new, compositional and property-sensitive algorithm that enables BMC to automatically find bugs in large programs. A novel feature of our technique is to decompose the behaviour of a program into a sequence of BMC instances and use a combination of satisfying assignments and unsatisfiability proofs to propagate information across instances. A second novelty is to use the control-and data-flow of the program as well as information from proofs to prune the set of variables and procedures considered and hence, generate smaller instances. Our tool BLITZ outperforms existing tools and scales to programs with over 100,000 lines of code. BLITZ automatically and efficiently discovers bugs in widely deployed software including new vulnerabilities in Internet infrastructure software.

show abstract

Section: E Evaluation Of Blitz Featuresmentioning

confidence: 99%

BLITZ: Compositional bounded model checking for real-world programs

Cho

D’Silva

Song

2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

show abstract

“…The implementation and correctness proofs for the gothrough-sub() and bypass-sub() functions have been discussed in our previous work [33].…”

Section: Algorithmmentioning

confidence: 99%

“…While the JAlloy tool interfaced with the Alloy Analyzer for translation of the constraints to boolean logic, Forge employs the Kodkod model finder for faster translation. Our earlier work [33] proposed algorithms for splitting the computation graph into sub-graphs and solving them incrementally. Sub-graphs are constructed by transforming branch statements into assume statements.…”

Section: Introductionmentioning

confidence: 99%

“…Recently, we introduced an incremental approach based on the program's control-flow to increase the efficiency and effectiveness of scope-bounded checking [33]. The key idea is to partition the set of executions of the bounded code fragment into a number of subsets and encode each subset into a sub-formula.…”

Section: Introductionmentioning

confidence: 99%

“…Our previous work [33] introduces splitting strategies to embody the sliding rule. However, this work uses solely the program's control-flow to define the strategies, and is therefore limited to the syntactical structure of the program and fails to exploit the program semantics.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Optimizing Incremental Scope-Bounded Checking with Data-Flow Analysis

Shao

Gopinath

Khurshid

et al. 2010

2010 IEEE 21st International Symposium on Software Reliability Engineering

Self Cite

View full text Add to dashboard Cite

Abstract-We present a novel approach to optimize incremental scope-bounded checking of programs using a relational constraint solver. Given a program and its correctness specification, scope-bounded checking encodes control-flow and data-flow of bounded code segments into declarative formulas and uses constraint solvers to search for correctness violations. For non-trivial programs, the formulas are often complex and represent a heavy workload that can choke the solvers. To scale scope-bounded checking, our previous work introduced an incremental approach that uses the program's control-flow as a basis of partitioning the program and generating several sub-formulas, which represent simpler problem instances for the underlying solvers. This paper introduces a new approach that uses the program's dataflow, specifically variable-definitions, as a basis for incremental checking. Experimental results show that the use of data-flow provides a significant reduction in the number of variables in the encoded formulas over the previous control-flow-based approach, thereby further improving scalability of scopebounded checking.

show abstract