ABSTRACT
In this paper, we describe PSE (Postmortem Symbolic Evaluation), a static analysis algorithm that can be used by programmers to diagnose software failures. The algorithm requires minimal information about a failure, namely its kind (e.g. NULL dereference), and its location in the program's source code. It produces a set of execution traces along which the program can be driven to the given failure.
PSE tracks the flow of a single value of interest from the point in the program where the failure occurred back to the points in the program where the value may have originated. The algorithm combines a novel dataflow analysis and memory alias analysis in a manner that allows for precise exploration of the program's behavior in polynomial time.
We have applied PSE to the problem of diagnosing potential NULL-dereference errors in a suite of C programs, including several SPEC benchmarks and a large commercial operating system. In most cases, the analysis is able to either validate a pointer dereference, or find precise error traces demonstrating a NULL value for the pointer, in less than a second.
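The abstract describes the core idea at a high level: start from the failing dereference, follow the single value of interest backwards through assignments, prune paths on which a branch condition proves the value non-NULL, and report the points where a NULL could have originated. The following Python is an added illustration of that backward value tracking on a tiny constructed IR; it is not PSE's code and, unlike PSE, it enumerates paths naively rather than in polynomial time. The IR instruction forms, the `MAY_RETURN_NULL` set and the sample program are all assumptions made for this example.

```python
# Added illustration of backward value tracking for a NULL dereference.
# Constructed IR and sample program; this is not the PSE implementation.
from typing import Dict, List, Tuple

Instr = Tuple[str, ...]

# Functions assumed (for this example) to possibly return NULL.
MAY_RETURN_NULL = {"malloc", "lookup"}


def find_null_traces(blocks: Dict[str, List[Instr]],
                     edges: List[Tuple[str, str]],
                     entry: str,
                     failure: Tuple[str, int, str],
                     max_depth: int = 32) -> List[List[str]]:
    """Enumerate block-level traces along which the variable dereferenced at
    `failure` = (block, instruction index, variable) may hold NULL.

    Instruction forms (constructed for this example):
      ("assign", dst, src)        dst = src
      ("null", dst)               dst = NULL
      ("call", dst, fn)           dst = fn()
      ("assume", var, "nonnull")  edge only taken when var != NULL
      ("assume", var, "null")     edge only taken when var == NULL
      ("deref", var)              *var  (the failure point)
    """
    preds: Dict[str, List[str]] = {b: [] for b in blocks}
    for src, dst in edges:
        preds[dst].append(src)
    traces: List[List[str]] = []

    def walk(block: str, stop: int, var: str, suffix: List[str], seen: frozenset) -> None:
        path = [block] + suffix
        # Walk the block backwards from the instruction just before `stop`.
        for ins in reversed(blocks[block][:stop]):
            kind = ins[0]
            if kind == "assume" and ins[1] == var and ins[2] == "nonnull":
                return  # var was checked non-NULL on this edge: path infeasible
            if kind == "null" and ins[1] == var:
                traces.append(path)  # explicit NULL assignment: origin found
                return
            if kind == "call" and ins[1] == var:
                if ins[2] in MAY_RETURN_NULL:
                    traces.append(path)  # callee may return NULL: origin found
                return  # a call that cannot return NULL validates this path
            if kind == "assign" and ins[1] == var:
                var = ins[2]  # value of interest now flows in from the source operand
        if block == entry or len(path) >= max_depth:
            return  # reached entry without an origin (e.g. a parameter): not reported
        for p in preds[block]:
            key = (p, var)
            if key in seen:
                continue  # do not re-walk the same (block, variable) around a cycle
            walk(p, len(blocks[p]), var, path, seen | {key})

    fblock, fidx, fvar = failure
    walk(fblock, fidx, fvar, [], frozenset([(fblock, fvar)]))
    return traces


# Constructed sample program in the IR above:
#   entry:   p = lookup(); q = malloc()
#   b_check: if (p != NULL) { r = p; *p; }   <- deref of p is guarded by the check
#   b_skip:  else            { r = q; }
#   join:    *r                               <- r may be q, and malloc() may return NULL
PROGRAM = {
    "entry":   [("call", "p", "lookup"), ("call", "q", "malloc")],
    "b_check": [("assume", "p", "nonnull"), ("assign", "r", "p"), ("deref", "p")],
    "b_skip":  [("assume", "p", "null"), ("assign", "r", "q")],
    "join":    [("deref", "r")],
}
EDGES = [("entry", "b_check"), ("entry", "b_skip"), ("b_check", "join"), ("b_skip", "join")]


def guarded_deref_traces() -> List[List[str]]:
    # *p in b_check sits behind the p != NULL check, so the dereference is validated.
    return find_null_traces(PROGRAM, EDGES, "entry", ("b_check", 2, "p"))


def join_deref_traces() -> List[List[str]]:
    # *r in join: the r = p path is pruned, the r = q path reaches a NULL-capable source.
    return find_null_traces(PROGRAM, EDGES, "entry", ("join", 0, "r"))


if __name__ == "__main__":
    print("guarded deref:", guarded_deref_traces())   # []
    print("join deref:", join_deref_traces())         # [['entry', 'b_skip', 'join']]
```

The two queries mirror the two outcomes the abstract mentions: the guarded dereference is validated because every backward path hits the `p != NULL` assumption and is discarded, while the dereference at the join yields one precise trace ending at a call that may return NULL. Tracking only the variable currently holding the value of interest, and renaming it at each assignment, is what keeps the search focused on a single value rather than on every variable in the program.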
PSE: explaining program failures via postmortem static analysis