Hybrid Program Analysis for Error Detection (Michael Achenbach, University of Aarhus, Denmark)


Page 1: Hybrid Program Analysis for Error Detection

Hybrid Program Analysis for Error Detection

Michael Achenbach

University of Aarhus, Denmark

Page 2: Hybrid Program Analysis for Error Detection

Hypothesis

• Combine program verification techniques to get a good verification tool

Page 3: Hybrid Program Analysis for Error Detection

Examples from Literature

Static Analysis: Fixed Point Calculation, Abstract Interpretation

Dynamic Analysis: Testing, Runtime Monitoring

Theorem Proving: Full Logical Proof, Constraint Solving

Decision Procedures

Model Checking

Type Checkers

• Testing, abstraction, theorem proving: better together! (T. Ball et al, 2006)

• Generalized symbolic execution for model checking and testing (S. Khurshid et al, 2003)

• DART (P. Godefroid et al, 2005)

• CUTE / jCUTE (K. Sen et al, 2005)

Page 4: Hybrid Program Analysis for Error Detection

Hypothesis

• Combine program verification techniques to get a good verification tool

• Combine static analysis and testing
  – One framework for both methods
  – Check for safety properties

• Enable syntax for abstractions on the programming level

Page 5: Hybrid Program Analysis for Error Detection

Testing

[Figure: execution-path diagram for testing; legend: normal execution, buggy execution, abstraction boundaries]

Page 6: Hybrid Program Analysis for Error Detection

Static Analysis

[Figure: execution-path diagram for static analysis; legend: normal execution, buggy execution, buggy abstraction, abstraction boundaries]

Page 7: Hybrid Program Analysis for Error Detection

Hybrid Program Analysis

[Figure: execution-path diagram for hybrid program analysis; legend: normal execution, buggy execution, buggy abstraction, abstraction boundaries]

Page 8: Hybrid Program Analysis for Error Detection

Seamless Scaling

[Figure: a spectrum from Testing (DART, CUTE) to Static Analysis (TVLA, ESP, …), with Run 1 to Run 4 placed along it]

Page 9: Hybrid Program Analysis for Error Detection

Outline

• Extended Monotone Framework

• Examples and Usage Scenarios

• Future Work

Page 10: Hybrid Program Analysis for Error Detection

Extended Monotone Framework

[Figure: control-flow graph of the loop: loop cond with true/false edges, assert, stmt 1 to stmt n]

• Prototype for WHILE language with MFP algorithm

• Lattice over sets of states

• Specifications from assertions become transfer functions

while(?){
  assert …;
  stmt 1;
  stmt n;
}

Problem: state explosion in concrete evaluations!

Page 11: Hybrid Program Analysis for Error Detection

Extended Monotone Framework

[Figure: control-flow graph of the loop: loop cond with true/false edges, stmt 1, stmt 2, stmt n]

• Each state contains:
  – Stack of loop evaluations
  – Abstraction of the store

• Introduce merge operator that overwrites old state with new state

• Drops monotonicity
  – New termination issues


Page 12: Hybrid Program Analysis for Error Detection

Example: Test Stubs

// Method under test
String critical(Permission pm, Domain dom, String user){
  if(pm.hasAccess(user)) return access(dom);
  else return "permission denied";
}

// Partially abstract test stub
class APermission implements Permission{
  boolean hasAccess(String user){
    if(user <<= VALID) return true;
    if(user <<= INVALID) return false;
    return ?;
  }
}

// Test case
testCritical(){
  assert critical(new APermission(), ..., INVALID)
    .equals("permission denied");
}

Specify partially abstract test stub

Perform concrete unit testing
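As an added worked example (not code from the slides), the Test Stubs example interpreted in Python over the framework's lattice of sets of states: an abstract value is a finite set of concrete users, `<<=` becomes subset inclusion, and the stub's `return ?` becomes the set of both outcomes, so the test passes only if every collected state satisfies the safety property. It goes slightly beyond the slide by also running the test on a mixed partition. VALID, INVALID and the granted-access text are constructed assumptions.

```python
from typing import FrozenSet

# Constructed partitions of the user domain (assumptions, not from the slides).
VALID: FrozenSet[str] = frozenset({"alice", "bob"})
INVALID: FrozenSet[str] = frozenset({"mallory", ""})


def abstracted_by(value: FrozenSet[str], partition: FrozenSet[str]) -> bool:
    """The slides' `user <<= VALID`: every concrete user in `value` lies in `partition`."""
    return value <= partition


class APermission:
    """Partially abstract stub: decides whole partitions, otherwise yields both outcomes."""

    def has_access(self, user: FrozenSet[str]) -> FrozenSet[bool]:
        if abstracted_by(user, VALID):
            return frozenset({True})
        if abstracted_by(user, INVALID):
            return frozenset({False})
        return frozenset({True, False})  # the slide's `return ?`


def access(dom: str) -> str:
    # Hypothetical stand-in for the slide's access(dom).
    return "access granted to " + dom


def critical(pm: APermission, dom: str, user: FrozenSet[str]) -> FrozenSet[str]:
    """Method under test lifted to sets of states: collect the result of every branch the stub allows."""
    results = set()
    for allowed in pm.has_access(user):
        results.add(access(dom) if allowed else "permission denied")
    return frozenset(results)


def check_critical(user: FrozenSet[str]) -> bool:
    """The slide's testCritical over an abstract input: true only if all collected states pass."""
    return critical(APermission(), "docs", user) == frozenset({"permission denied"})
```

A mixed input such as {"alice", "mallory"} fails the check because the collected result set also contains the granted-access state, which is exactly the partition boundary the tester then has to refine.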

Page 13: Hybrid Program Analysis for Error Detection

Example: Invariants

procedure probabilisticExtension(x){
  r := 0;
  while(x > 0){
    y := x * x;
    z := random(x, y);
    // Invariant and safety property check
    assert z <<= [x,y];
    assert z != 0;
    x := x - (x / z);
    r := r + 1;
  }
  return r;
}

procedure test(){
  assert probabilisticExtension([-inf,0]) = 0;
  assert probabilisticExtension([1,1]) = 1;
  assert probabilisticExtension([2,+inf]) >= 1;
}

Specify invariants and safety properties

Define partitions of abstract input values

Page 14: Hybrid Program Analysis for Error Detection

Other Usage Scenarios

• Iterative refinement of test input
  – Compare with predicate refinement

• Partially abstract tests as pointcut specification language in AOP (compare with H. Masuhara et al, 2008)

• Non-standard interpretations (compare with J. M. Siskind et al, 2007)

Page 15: Hybrid Program Analysis for Error Detection

Future Work

• Cope with more language features

• Make abstractions easily pluggable
  – Make use of analysis definition languages
  – Define syntax and semantics of abstractions as Embedded Domain Specific Language

• Automated partially abstract test case generation
  – Compare with SYNERGY (A. Nori et al, 2006)

Page 16: Hybrid Program Analysis for Error Detection

Questions?