Skip to main content
SpringerLink
Log in

A General Lattice Model for Merging Symbolic Execution Branches

  • Conference paper
  • First Online:
Formal Methods and Software Engineering (ICFEM 2016)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 10009))

Included in the following conference series:

Abstract

Symbolic execution is a software analysis technique that has been used with success in the past years in program testing and verification. A main bottleneck of symbolic execution is the path explosion problem: the number of paths in a symbolic execution tree is exponential in the number of static branches of the executed program. Here we put forward an abstraction-based framework for state merging in symbolic execution. We show that it subsumes existing approaches and prove soundness. The method was implemented in the verification system KeY. Our empirical evaluation shows that reductions in proof size of up to 80 % are possible by state merging when applied to complex verification problems; new proofs become feasible that were out of reach so far.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    http://www.eecs.ucf.edu/~leavens/JML//OldReleases/jmlrefman.pdf.

  2. 2.

    Our notion of Kripke structure is derived from that commonly used in modal logic [13] and slightly differs from the one often used in model checking. E.g., we require no fixed set of initial states, and the labeling function is given implicitly by the interpretation and Kripke state which is natural for imperative programs. There is no essential difference, however.

  3. 3.

    denotes the substitution of the terms \({\overline{t}}\) for the free variables \({\overline{v}}\) in \(\psi _{{\overline{v}}}\).

  4. 4.

    Available at http://www.key-project.org/timsort/stats.html.

References

  1. Ahrendt, W., et al.: The KeY platform for verification and analysis of Java programs. In: Giannakopoulou, D., Kroening, D. (eds.) VSTTE 2014. LNCS, vol. 8471, pp. 55–71. Springer, Heidelberg (2014)

    Google Scholar 

  2. Anand, S., Godefroid, P., Tillmann, N.: Demand-driven compositional symbolic execution. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 367–381. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  3. Anand, S., Păsăreanu, C.S., Visser, W.: Symbolic execution with abstract subsumption checking. In: Valmari, A. (ed.) SPIN 2006. LNCS, vol. 3925, pp. 163–181. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  4. Beckert, B., Hähnle, R.: Reasoning and verification. IEEE Intell. Syst. 29(1), 20–29 (2014)

    Article  Google Scholar 

  5. Beckert, B., Hähnle, R. (eds.): Verification of Object-Oriented Software: The KeY Approach. Springer, Berlin (2006)

    Google Scholar 

  6. Bubel, R., Hähnle, R., Weiß, B.: Abstract interpretation of symbolic execution with explicit state updates. In: Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 247–277. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  7. Burstall, R.M.: Program proving as hand simulation with a little induction. In: Information Processing, pp. 308–312. Elsevier (1974)

    Google Scholar 

  8. Cadar, C., Sen, K.: Symbolic execution for software testing: three decades later. Commun. ACM 56(2), 82–90 (2013)

    Article  Google Scholar 

  9. Chu, D.-H., Jaffar, J., Murali, V.: Lazy symbolic execution for enhanced learning. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 323–339. Springer, Heidelberg (2014)

    Google Scholar 

  10. Clarke, E.M., Grumberg, O., et al.: Model Checking. The MIT Press, Cambridge (1999)

    MATH  Google Scholar 

  11. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: 4th Symposium of POPL, pp. 238–252. ACM Press, January 1977

    Google Scholar 

  12. Fitting, M.C.: First-Order Logic and Automated Theorem Proving, 2nd edn. Springer, Berlin (1996)

    Book  MATH  Google Scholar 

  13. Fitting, M.C., Mendelsohn, R.: First-Order Modal Logic. Kluwer, Dordrecht (1998)

    Book  MATH  Google Scholar 

  14. Gosling, J., Joy, B., et al.: The Java (TM) Language Specification, 3rd edn. Addison-Wesley Professional, Wokingham (2005). http://psc.informatik.uni-jena.de/languages/Java/javaspec-3.pdf

    MATH  Google Scholar 

  15. de Gouw, S., Rot, J., de Boer, F.S., Bubel, R., Hähnle, R.: OpenJDK’s Java.utils.Collection.sort() is broken: the good, the bad and the worst case. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 273–289. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  16. Graf, S., Saidi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  17. Hähnle, R., Wasser, N., et al.: Array abstraction with symbolic pivots. In: Ábrahám, E., Bonsangue, M., et al. (eds.) Theory and Practice of Formal Methods. LNCS, vol. 9660, pp. 104–121. Springer, Berlin (2016)

    Chapter  Google Scholar 

  18. Hansen, T., Schachte, P., Søndergaard, H.: State joining and splitting for the symbolic execution of binaries. In: Bensalem, S., Peled, D.A. (eds.) RV 2009. LNCS, vol. 5779, pp. 76–92. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  19. Harel, D., Tiuryn, J., et al.: Dynamic Logic. MIT Press, Cambridge (2000)

    MATH  Google Scholar 

  20. King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  21. Kuznetsov, V., Kinder, J., et al.: Efficient state merging in symbolic execution. In: Proceedings of the 33rd Conference on PLDI, pp. 193–204. ACM (2012)

    Google Scholar 

  22. Scheurer, D.: From trees to DAGs: a general lattice model for symbolic execution. Master’s thesis, Technische Universität Darmstadt (2015). http://tinyurl.com/Trees2DAGs

  23. Sen, K., Necula, G., et al.: MultiSE: multi-path symbolic execution using value summaries. In: 10th Joint Meeting on Foundations of Software Engineering, pp. 842–853. ACM (2015)

    Google Scholar 

  24. Shoenfield, J.R.: Mathematical Logic. Addison-Wesley, Wokingham (1967)

    MATH  Google Scholar 

  25. Weiß, B.: Predicate abstraction in a program logic calculus. In: Leuschel, M., Wehrheim, H. (eds.) IFM 2009. LNCS, vol. 5423, pp. 136–150. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

Download references

Acknowledgment

We would like to thank the authors of [15] for the permission to quote data from the extended journal version of their paper under preparation.

Author information

Authors and Affiliations

  1. Department of Computer Science, TU Darmstadt, Darmstadt, Germany

    Dominic Scheurer, Reiner Hähnle & Richard Bubel

Authors
  1. Dominic Scheurer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Reiner Hähnle
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Richard Bubel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dominic Scheurer .

Editor information

Editors and Affiliations

  1. School of Information Science, Japan Advanced Institute of Science and Technology (JAIST), Nomi, Japan

    Kazuhiro Ogata

  2. Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada

    Mark Lawford

  3. Department of Computer Science, Hosei University, Tokyo, Japan

    Shaoying Liu

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Scheurer, D., Hähnle, R., Bubel, R. (2016). A General Lattice Model for Merging Symbolic Execution Branches. In: Ogata, K., Lawford, M., Liu, S. (eds) Formal Methods and Software Engineering. ICFEM 2016. Lecture Notes in Computer Science(), vol 10009. Springer, Cham. https://doi.org/10.1007/978-3-319-47846-3_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-47846-3_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47845-6

  • Online ISBN: 978-3-319-47846-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation