Results 1 - 10 of 35
The software model checker BLAST: Applications to software engineering
- INTERNATIONAL JOURNAL ON SOFTWARE TOOLS TECHNOLOGY TRANSFER, 2006
Cited by 63 (5 self)
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs.
Catchconv: Symbolic execution and run-time type inference for integer conversion errors
- UC Berkeley EECS, 2007
Cited by 20 (2 self)
FShell: Systematic test case generation for dynamic analysis and measurement
- In: Computer Aided Verification (CAV). Volume 5123 of LNCS, 2008
Cited by 19 (5 self)
Abstract. Although the principal analogy between counterexample generation and white box testing has been repeatedly addressed, the usage patterns and performance requirements for software testing are quite different from formal verification. Our tool FSHELL provides a versatile testing environment for C programs which supports both interactive explorative use and a rich scripting language. More than a frontend for software model checkers, FSHELL is designed as a database engine which dispatches queries about the program to program analysis tools. We report on the integration of CBMC into FSHELL and describe architectural modifications which support efficient test case generation.
BLASTing Linux Code
- In Proc. of the 11th International Workshop on Formal Methods for Industrial Critical Systems (FMICS 06), volume 4346 of LNCS, 2007
Cited by 17 (6 self)
Abstract. Computer programs can only run reliably if the underlying operating system is free of errors. In this paper we evaluate, from a practitioner’s point of view, the utility of the popular software model checker Blast for revealing errors in Linux kernel code. The emphasis is on important errors related to memory safety in and locking behaviour of device drivers. Our conducted case studies show that, while Blast’s abstraction and refinement techniques are efficient and powerful, the tool has deficiencies regarding usability and support for analysing pointers, which are likely to prevent kernel developers from using it.
A Temporal Language for SystemC
Cited by 15 (4 self)
Abstract—We describe a general approach for defining new temporal specification languages, and adopting existing languages, for SystemC. We define the concept of “underlying trace” describing the execution of a SystemC model, and then define a set of important primitive assertions about the states in the trace. Our framework not only provides additional expressive power for making atomic assertions, but also provides very fine control over the temporal resolution of the language. Using the primitives defined here as clock expression allows sampling at different levels, from transaction-level to the level of individual statements. The advantage of our approach is that it defines important SystemC properties that have been overlooked previously, and also provides a uniform mechanism for specifying the sampling rate of temporal languages.
Prioritizing Software Inspection Results using Static Profiling
- Proc. of the Sixth IEEE International Workshop on Source Code Analysis and Manipulation (SCAM'06), 2006
Cited by 14 (3 self)
Static software checking tools are useful as an additional automated software inspection step that can easily be integrated in the development cycle and assist in creating secure, reliable and high quality code. However, an often quoted disadvantage of these tools is that they generate an overly large number of warnings, including many false positives due to the approximate analysis techniques. This information overload effectively limits their usefulness. In this paper we present ELAN, a technique that helps the user prioritize the information generated by a software inspection tool, based on a demand-driven computation of the likelihood that execution reaches the locations for which warnings are reported. This analysis is orthogonal to other prioritization techniques known from literature, such as severity levels and statistical analysis to reduce false positives. We evaluate the feasibility of our technique using a number of case studies and assess the quality of our predictions by comparing them to actual values obtained by dynamic profiling.
Instrumenting C programs with nested word monitors
- In: SPIN, 2007
Cited by 11 (3 self)
In classical automata-theoretic model checking [6], a system model generates a language L of words modeling system executions, and verification involves
Verifying Reference Counting Implementations
Cited by 11 (0 self)
Reference counting is a widely-used resource management idiom which maintains a count of references to each resource by incrementing the count upon an acquisition, and decrementing upon a release; resources whose counts fall to zero may be recycled. We present an algorithm to verify the correctness of reference counting with minimal user interaction. Our algorithm performs compositional verification through the combination of symbolic temporal case splitting and predicate abstraction-based reachability. Temporal case splitting reduces the verification of an unbounded number of processes and resources to verification of a finite number through the use of Skolem variables. The finite state instances are discharged by symbolic model checking, with an auxiliary invariant correlating reference counts with the number of held references. We have implemented our algorithm in Referee, a reference counting analysis tool for C programs, and applied Referee to two real programs: the memory allocator of an OS kernel and the file interface of the Yaffs file system. In both cases our algorithm proves correct the use of reference counts in less than one minute.
Query-driven program testing
- 2008
Cited by 11 (3 self)
Abstract. We present a new approach to program testing which enables the programmer to specify test suites in terms of a versatile query language. Our query language subsumes standard coverage criteria ranging from simple basic block coverage all the way to predicate complete coverage and multiple condition coverage, but also facilitates on-the-fly requests for test suites specific to the code structure, to external requirements, or to ad hoc needs arising in program understanding/exploration. The query language is supported by a model checking backend which employs the CBMC framework. Our main algorithmic contribution is a method called iterative constraint strengthening which enables us to solve a query for an arbitrary coverage criterion by a single call to the model checker and a novel form of incremental SAT solving: Whenever the SAT solver finds a solution, our algorithm compares this solution against the coverage criterion, and strengthens the clause database with additional clauses which exclude redundant new solutions. We demonstrate the scalability of our approach and its ability to compute compact test suites with experiments involving device drivers, automotive controllers, and open source projects.
Verification methodologies in a TLM-to-RTL design flow
- In DAC ’07: Proceedings of the 44th annual conference on Design automation