Efficient modular glass box software model checking

Roberson, Michael; Boyapati, Chandrasekhar

doi:10.1145/1932682.1869461

Cited by 4 publications

(5 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One specialized kind of type fuzzer does make some exhaustiveness guarantees. Pipal [43,44] requires a typechecker to be encoded as a set of constraints imposed on a nite set of intermediate program states. At each iteration, Pipal queries a constraint solver for a well-typed state and performs a single step of evaluation to see whether progress or preservation were violated.…”

Section: Handling Non-exhaustiveness With Pipalmentioning

confidence: 99%

See 1 more Smart Citation

Bonsai: synthesis-based reasoning for type systems

Chandra

Bodík

2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

When designing a type system, we may want to mechanically check the design to guide its further development. We describe algorithms that perform symbolic reasoning about executable models of type systems. The algorithms support three queries. First, they check type soundness and synthesize a counterexample program if such a soundness bug is found. Second, they compare two versions of a type system, synthesizing a program accepted by one but rejected by the other. Third, they minimize the size of synthesized counterexample programs.These algorithms symbolically evaluate typecheckers and interpreters, producing formulas that characterize the set of programs that fail or succeed in the typechecker and the interpreter. However, symbolically evaluating interpreters poses efficiency challenges, which are caused by having to merge execution paths of the various possible input programs. Our main contribution is the bonsai tree, a novel symbolic representation of programs and program states that addresses these challenges. Bonsai trees encode complex syntactic information in terms of logical constraints, enabling more efficient merging.We implement these algorithms in the Bonsai tool, an assistant for type system designers. We perform case studies on how Bonsai helps test and explore a variety of type systems. Bonsai efficiently synthesizes counterexamples for soundness bugs previously inaccessible to automatic tools and is the first automated tool to find a counterexample for the recently discovered Scala soundness bug SI-9633.

show abstract

Section: Handling Non-exhaustiveness With Pipalmentioning

confidence: 99%

“…More recent "syntax fuzzers" such as Redex [28] generate only syntactically correct programs, thus shrinking the candidate space. Further advancements allow us to generate only type-safe programs [14,15,19,43]. ese "type fuzzers" use constraint solvers to search for a Fig.…”

Section: Introductionmentioning

confidence: 99%

Bonsai: synthesis-based reasoning for type systems

Chandra

Bodík

2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Systematic testing was able to find subtle bugs in a number of applications [6]. The ideas at the heart of Korat provided the foundation for other complementary techniques, including symbolic execution of programs with structurally complex inputs [5], glass-box software model checking [9], and runtime error recovery using data structure repair [2]. Korat has been used for parallel and incremental test generation and execution for enhanced efficiency and effectiveness [8,10].…”

Section: Brief Korat Storymentioning

confidence: 99%

ACM SIGSOFT Impact Paper Award 2012

Boyapati

Khurshid

Marinov

2012

Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering

Self Cite

View full text Add to dashboard Cite

Testing, the most commonly used methodology for validating the quality of software, is conceptually simple: create some inputs, run them against the program, and check its outputs. In practice, however, testing is expensive, often requiring much manual effort, and ineffective, often failing to find crucial bugs. Automated testing can substantially reduce the cost of software development and maintenance.A promising approach for automation is specification-based testing, where specifications, which describe expected program behavior, provide the basis for test input generation and correctness checking. Researchers realized the importance of specifications in testing over three decades ago [3]. However, effective techniques for programs written in commonly used languages remained scarce and ad hoc.At ASE 2001, the second and third authors published TestEra [7], which was the first specification-based technique for bounded-exhaustive testing of object-oriented programs.The key idea of TestEra was to capture the properties of the desired inputs using a logical formula, termed an input constraint, enumerate the desired inputs using systematic constraint solving, and check the correctness of the program under test by (1) running it against all non-isomorphic inputs within a given bound on the input size and (2) checking each input/output pair using an output constraint, which states the expected relation between inputs and outputs and serves as a test oracle. TestEra used declarative constraints written in the Alloy language [4], based on first-order logic, and used Alloy's SAT-based back-end for input generation and correctness checking. TestEra enabled systematic testing of Java programs in the spirit of the bounded-exhaustive checking that the Alloy tool-set provided for declarative models.During a research presentation on TestEra by the third author, the first author, who was not familiar with the Alloy language, asked whether constraints written in Java could be used to provide the same functionality as TestEra. The ensuing effort to support Java constraints resulted in the Korat approach for systematic testing, which was first presented at ISSTA 2002 [1]. Korat introduced the idea of using declarative constraints written in an imperative language for bounded-exhaustive testing and presented a dedicated solver for such constraints. The main insight into the Korat solver was execution-driven pruning and isomorphism breaking, where executions of the given input constraint on select candidate inputs provided the basis of pruning the space of all possible inputs and generating exactly those inputs that were valid and non-isomorphic. A key contribution of Korat was enabling specification-based testing without requiring the specifications to be written in a language greatly different from the underlying programming language -a requirement of all previous approaches for specification-based generation of test inputs.Systematic test generation using input constraints brought the spirit of model checking to checking properti...

show abstract

“…There have been other BMC techniques and tools, such as Alloy (Jackson 2002), TestEra (Marinov and Khurshid 2001), Korat (Boyapati et al 2002), PIPAL (Darga and Boyapati 2006;Roberson and Boyapati 2010) that bound on data. Similarly to Kiasan, they exhaustively explore some bounded search space.…”

Section: [Model Checking]mentioning

confidence: 99%

Efficient and formal generalized symbolic execution

2011

View full text Add to dashboard Cite

Programs that manipulate dynamic heap objects are difficult to analyze due to issues like aliasing. Lazy initialization algorithm enables the classical symbolic execution to handle such programs. Despite its successes, there are two unresolved issues: (1) inefficiency; (2) lack of formal study. For the inefficiency issue, we have proposed two improved algorithms that give significant analysis time reduction over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct a set of extensive experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms.

show abstract

Efficient modular glass box software model checking

Cited by 4 publications

References 49 publications

Bonsai: synthesis-based reasoning for type systems

Bonsai: synthesis-based reasoning for type systems

ACM SIGSOFT Impact Paper Award 2012

Efficient and formal generalized symbolic execution

Contact Info

Product

Resources

About