Symbolic Execution with Abstraction

Transcription

1 Software Tools for Techology Trasfer mauscript No. (will be iserted by the editor) Symbolic Executio with Abstractio Saswat Aad 1, Coria S. Păsăreau 2, Willem Visser 3 1 College of Computig, Georgia Istitute of Techology saswat@gatech.edu 2 NASA Ames Research Ceter, Moffett Field, CA pcoria@ .arc.asa.gov 3 SEVEN Networks willem@gmail.com The date of receipt ad acceptace will be iserted by the editor Abstract. We address the problem of error detectio for programs that take recursive data structures ad arrays as iput. Previously we proposed a combiatio of symbolic executio ad model checkig for the aalysis of such programs: we put a boud o the size of the program iputs ad/or the search depth of the model checker to limit the search state space. Here we look beyod bouded model checkig ad cosider state matchig techiques to limit the state space. We describe a method for examiig whether a symbolic state that arises durig symbolic executio is subsumed by aother symbolic state. Sice the umber of symbolic states may be ifiite, subsumptio is ot eough to esure termiatio. Therefore, we also cosider abstractio techiques for computig ad storig abstract states durig symbolic executio. Subsumptio checkig determies whether a abstract state is beig revisited, i which case the model checker backtracks eables aalysis of a uder-approximatio of the program behaviors. We illustrate the techique with abstractios for lists ad arrays. We also discuss abstractios for more geeral data structures. The abstractios ecode both the shape of the program heap ad the costraits o umeric data. We have implemeted the techiques i the Java PathFider tool ad we show their effectiveess o Java programs. This paper is a exteded versio of [2]. 1 Itroductio The problem of fidig errors for programs that have heap structures ad arrays as iputs is difficult sice these programs typically have ubouded state spaces. Amog the program aalysis techiques that have gaied promiece i the past few years are model checkig with abstractio, most otably predicate abstractio [6, 7, 15], ad static aalysis [11, 27]. Both these techiques ivolve computig a property preservig abstractio that over-approximates all feasible program behaviors. While the techiques are usually used for provig properties of software, they are ot particularly well suited for error detectio the reported errors may be spurious due to over-approximatio, i which case the abstractio eeds to be refied. Furthermore, predicate abstractio hadles cotrol-depedet properties of a program well, but it is less effective i hadlig dyamically allocated data structures ad arrays [22]. the other had, static program aalyses, ad i particular shape aalysis, use powerful shape abstractios that are especially desiged to model properties of ubouded recursive heap structures ad arrays, ofte igorig the umeric program data. A drawback is that, ulike model checkig, static aalyses typically do t report couter-examples exhibitig errors. We propose a alterative approach that eables discovery of errors i programs that maipulate recursive data structures ad arrays, as well as umeric data. The approach uses symbolic executio to execute programs o u-iitialized iputs ad it uses model checkig to systematically explore the program paths ad to report couter-examples that are guarateed to be feasible. We use abstractios to compute uder-approximatios of the feasible program behaviors, hece couter-examples to safety properties are preserved. ur abstractios ecode iformatio about the shape of the program heap (as i shape aalysis) ad the costraits o the umeric data. We build upo our previous work where we proposed a combiatio of symbolic executio ad model checkig for aalyzig programs with complex iputs [18, 23]. I that work we put a boud o the iput size ad (or) the search depth of the model checker. Here we look beyod bouded model checkig ad we study state matchig techiques to limit the state space search. We propose a techique for checkig whe a symbolic state is sub-

2 2 Saswat Aad et al.: Symbolic Executio with Abstractio sumed by aother symbolic state. The techique hadles u-iitialized, or partially iitialized, data structures (e.g. liked lists or trees) as well as arrays. Costraits o umeric program data are hadled with the help of a off-the-shelf decisio procedure. Subsumptio is used to determie whe a symbolic state is revisited, i which case the model checker backtracks, thus pruig the state space search. Eve with subsumptio, the umber of symbolic states may still be ubouded. We therefore defie abstractio mappigs to be used durig state matchig. More precisely, for each explored state, the model checker computes ad stores a abstract versio of the state, as specified by the abstractio mappigs. Subsumptio checkig the determies if a abstract state is beig revisited. This effectively explores a uder-approximatio of the (feasible) paths through the program. We illustrate symbolic executio with abstract subsumptio checkig for sigly liked lists ad arrays. ur abstractios are similar to the oes used i shape aalysis: they are based o the idea of summarizig heap objects that have commo properties, for example, summarizig list elemets o ushared list segmets ot poited to by local variables [22]. To the best of our kowledge, is the first time shape abstractios are used i software model checkig, with the goal of error detectio. We summarize our cotributios as follows: Method for comparig symbolic states, which takes ito accout uiitialized data. The method hadles recursive structures, arrays ad costraits o umeric data. The method is icorporated i our framework that performs symbolic executio durig model checkig. Abstractios for lists ad arrays that ecode the shape of the heap ad the umeric costraits for the data stored i the summarized objects. Implemetatio i the Java PathFider tool ad examples illustratig the applicatio of the framework o Java programs. 1.1 Related Work ur work follows a recet tred i software model checkig, which proposes uder-approximatio based abstractios for the purpose of falsificatio [4, 5, 16, 25]. These methods are complemetary to the usual over-approximatio based abstractio techiques, which are geared towards provig properties. There are some importat differeces betwee our work ad [4, 5, 16, 25]. The works preseted i [16, 25] address aalysis of closed programs, ot programs with iputs as we do here, ad use abstractio mappigs for state matchig durig cocrete executio, ot symbolic executio. Moreover, the approaches preseted i [16,25] do ot address abstractios for recursive data structures ad arrays. The approach preseted i [4, 5] uses predicate abstractio to compute uder-approximatios of programs. I cotrast, we use symbolic executio ad shape abstractios with the goal of error detectio. Ad ulike [4, 5] ad also overapproximatio based predicate abstractio techiques, which require the a priori computatio of the abstract program trasitios, regardless of the size of the reachable state space, our approach uses abstractio oly durig state matchig ad it ivolves oly the reachable states uder aalysis. I previous work [24] we developed a techique for fidig guarateed feasible couter-examples i abstracted Java programs. That work addresses simple umeric abstractios (ot shape abstractios as we do here) ad it did ot use symbolic executio for program aalysis. Program aalysis based o symbolic executio has received a lot of attetio recetly, e.g. [12,19,28] - however all these approaches do t address state matchig. Symstra [30] uses symbolic executio over umeric data ad subsumptio checkig for test geeratio; we geeralize that work with subsumptio for u-iitialized complex data; i additio, we use abstractio to further reduce the explored symbolic state space. The works i [22, 31] propose abstractios for sigly liked lists that are similar to the oe described i paper; however, ulike ours, these abstractios do t accout for the umeric data stored i the summarized list elemets. Recet work for summarizig umeric domais [13,14] addresses that i the cotext of arrays ad recursive data structures. The work preseted i [8] proposes to use predicate abstractio based model checkig to programs that maipulate heap structures. However, these approaches use over-approximatio based abstractios ad it is ot clear how to geerate feasible couterexamples that expose errors. 1.2 Paper Layout The rest of the paper is orgaized as follows. I the sectio we give some backgroud o the Java PathFider model checker ad its symbolic executio capability. Sectio 3 illustrates our approach o a example. Sectio 4 presets our algorithm for checkig subsumptio betwee symbolic states ad Sectio 5 describes a geeral model checkig procedure that uses symbolic executio with (abstract) subsumptio checkig. Sectio 6 describes abstractios for lists ad arrays, Sectio 7 illustrates the applicatio of the preseted techique to two o-trivial examples cotaiig lists ad arrays ad Sectio 8 cocludes the paper. 2 Backgroud Java PathFider JPF [17,29] is a explicit-state model checker for Java programs that is built o top of a custommade Java Virtual Machie (JVM). By default, JPF

3 Saswat Aad et al.: Symbolic Executio with Abstractio 3 Decisio procedures cotiue/backtrack source program Code istrumetatio istrumeted program Model checkig state path coditio (data) heap cofiguratio thread schedulig correctess specificatio couterexample(s)/test suite [heap + path coditio + thread schedulig] Fig. 1. Symbolic Executio i Java PathFider. stores all the explored states, ad it backtracks whe it visits a previously explored state. Alteratively, the user ca customize the search (by forcig the search to backtrack o user-specified coditios) ad it ca specify what part of the state (if ay) to be stored ad used for matchig. We used these features to implemet (abstract) subsumptio checkig. 2.1 Symbolic Executio i Java PathFider Symbolic executio [20] allows oe to aalyze programs with ukow iputs. The mai idea is to use symbolic values, istead of actual (cocrete) data, as iput values ad to represet the values of program variables as symbolic expressios. As a result, the outputs computed by a program are expressed as a fuctio of the symbolic iputs. The state of a symbolically executed program icludes the (symbolic) values of program variables, a path coditio (PC) ad a program couter. The path coditio accumulates costraits which the iputs must satisfy i order for a executio to follow the correspodig path. I previous work [18, 23], we exteded JPF to perform symbolic executio for Java programs. The approach hadles recursive data structures, arrays, umeric data ad cocurrecy. The approach is illustrated i Figure 1. Programs are trasformed to eable JPF to perform symbolic executio cocrete types are replaced with correspodig symbolic types ad cocrete operatios, such as arithmetic ad logical operatios, are replaced with calls to methods that implemet correspodig operatios o symbolic expressios 1. The path coditio is updated at every brach statemet i the program that compares symbolic values of program variables. Wheever the path coditio is updated, it is checked for satisfiability usig a appropriate decisio 1 The iterested reader is referred to [1, 18] for a detailed descriptio of the code trasformatio. procedure. I work, we used the mega library [26] for liear iteger costraits, but other decisio procedures ca also be used [3]. If the path coditio is usatisfiable, the model checker backtracks. Note that if the satisfiability of the path coditio caot be determied as the problem of checkig satisfiability is udecidable i geeral, the model checker still backtracks. Therefore, the model checker explores oly feasible program behaviors, ad all couterexamples to safety properties are preserved. As described i [18], the approach is used for fidig couterexamples to safety properties ad for test iput geeratio. For every couterexample, the model checker reports the iput heap cofiguratio (ecodig costraits o referece fields ad array elemets), the umeric path coditio (ad a satisfyig solutio), ad thread schedulig, which ca be used to reproduce the error. 2.2 Lazy Iitializatio Symbolic executio for complex data uses lazy iitializatio. The executio of a method that takes structurally complex iputs starts with iputs that have uiitialized fields of referece types. These fields are iitialized lazily whe they are first accessed durig the method s symbolic executio. This allows symbolic executio of methods without requirig a a priori boud o the size of the structure of iput. Whe the executio accesses a u-iitialized referece field, the framework odetermiistically iitializes the field to ull, or a referece to a ew object with uiitialized fields of referece types, or a referece of a object created durig a prior field iitializatio This systematically accouts for all possible aliasig that may exist i the iput structure. If a ew object is cre-

4 4 Saswat Aad et al.: Symbolic Executio with Abstractio class Node { it elem ; Node ;... Node f i d ( it v ){ 1 : Node = ; 2 : while (!= ull ){ 3 : i f (. elem > v ) retur ; 4 : =. ; 5 : retur ull ; Fig. 2. Example illustratig symbolic executio with abstract subsumptio checkig ated, ad it has a field of primitive type the the field is assiged a symbolic value of appropriate type. Arrays are hadled i a similar way. Durig symbolic executio, a array is represeted by a pair cosistig of a symbolic value represetig array s legth ad a associatio list of array cells. Each cell i the list cosists of a symbolic iteger represetig the cell s idex i the array ad a symbolic value represetig the value stored i the correspodig idex i the array. Whe a array elemet is accessed (durig read or write to the array), the framework o-determiistically chooses a array cell, which may be (1) a ew cell that is created ad added to the list, or (2) a existig cell from the list. The path coditio is updated to ecode the fact that idex of the chose cell equals to the idex that was accessed. If the updated path coditio becomes ifeasible o ay of the paths, that path is ot explored. If the array access ivolves readig a elemet, the value of chose cell is retured. therwise, if the access ivolves updatig a elemet, the value of the chose cell is updated appropriately. The fact that a array is represeted as a list (liked list i particular) eables us to apply state matchig algorithms (with ad without abstractios) developed for liked lists to arrays with mior modificatios. Method precoditios are used durig lazy iitializatio to esure that the method is executed oly o valid iputs if the iput structure violates the precoditio, the model checker backtracks. 3 Example We illustrate symbolic executio with abstract subsumptio checkig o the example from Figure 2. Class Node implemets sigly-liked lists of itegers; fields elem ad represet, respectively, the ode s value ad a referece to the ode i the list. Method fid returs the first ode i the list whose elem field is greater tha v. Let us assume for simplicity that the method has as precoditio that the iput list (poited to by ) is o-empty ad acyclic. We check if ull poiter exceptios ca be throw i program. Figure 3 illustrates the paths that are geerated durig the symbolic executio of method fid (we have omitted some itermediate states). Each symbolic state cosists of a heap structure ad the path coditio (PC) accumulated alog the executio path. A cloud i the figure idicates that the segmet of the list poited to by the field is ot yet iitialized. The heap structures represet costraits o program variables ad referece fields, e.g. the structure i s 1 represets all the lists that have at least oe (o-ull) elemet such that poits to the head of the list. Brachig correspods to a odetermiistic choice that is made at brach poits i the program that compare symbolic values, or to hadle aliasig, durig lazy iitializatio. For example, whe the umeric coditio at lie 3 is executed symbolically executio splits ito two paths leadig to states s 2 ad s 3 correspodig to each possible outcome of the coditio s evaluatio. As metioed, brachig is also itroduced by lazy iitializatio. For example, at lie 4, the field of the Node object poited to by i state s 2 is accessed for the first time. So the field is iitialized to take ito accout all possible aliasig relatioships i the iput: o oe brach (leadig to state s 4 ), the cloud is replaced with a ew ode, whose field poits to a cloud, while o the other brach (leadig to s 5 ), the cloud is replaced with ull. Note that if we did ot impose the precoditio that the iput list is acyclic, there would have bee a third brach correspodig to poitig to the object poited to by. For example, the (symbolic) state space is ifiite the umber of times the loop is executed is determied the legth of the iput liked list. Ad, the ew states visited by the model checker i example caot be matched with previously visited sates (we defie state matchig o symbolic states, or symbolic state subsumptio i sectio 4). So a model checker with symbolic executio ad state matchig will ot termiate. However, if we use abstractio, the symbolic state space becomes fiite. The list abstractio summarizes cotiguous ode segmets that are ot poited to by local variables ito a summary ode. Sice the umber of local variables is fiite, the umber of abstract heap cofiguratios is also fiite. For the example, two odes i state s 12 are mapped to a summary ode. As a result, the abstract state is subsumed by previously stored state s 8, at which poit the model checker backtracks. The aalysis termiates reportig that there are o ull poiter exceptios. Note that due to abstract matchig, the model checker might miss feasible behaviors. However, for example, the abstractio is i fact exact there is o loss of precisio due to abstractio (all the successors of s 12 are abstracted to states that are subsumed by the states depicted i Figure 3).

5 Saswat Aad et al.: Symbolic Executio with Abstractio 5 s 1 s 2 PC: true s 3 Update PC at lie 3 s 4 v 2 È v È > v s 5 ull Iitialize at lie 4 s 6 È v È v s 7 v 2 v 2 È v v 2 v È v v 2 > v s 8 s 9 Matched v 2 v 3 È v v 2 v v 2 ull È v v 2 v s 10 s 12 v 2 v 3 v 2 v 3 È v v 2 v v 3 v È v v 2 v v 3 > v Summary s 13 s 11 v 2 v 3 v 4 v 2 v 3 ull È v v 2 v v 3 v È v v 2 v v 3 v Fig. 3. State space geerated durig symbolic executio of fid (excerpts) 4 Subsumptio of Symbolic States 4.1 Symbolic State Represetatio I sectio we describe a method for comparig symbolic states. This method is used i our framework for state matchig, durig symbolic executio. The method is also used for comparig abstracted symbolic states as described i Sectio 6. Symbolic states represet multiple cocrete states, therefore state matchig ivolves checkig subsumptio betwee states. Ituitively, a symbolic state s 1 subsumes aother symbolic state s 2, if the set of cocrete states represeted by s 1 is a superset of the set of cocrete states represeted by s 2. A symbolic state s cosists of a symbolic heap H, the valuatio of the primitive typed fields, the path coditio P C ad the program couter. The symbolic state also cotais the thread schedulig iformatio, which we igore here for simplicity. Heaps may be partially iitialized, ad are assumed to be free of garbage objects. Defiitio 1. A symbolic heap H is a graph represeted by a tuple (N, E).

6 6 Saswat Aad et al.: Symbolic Executio with Abstractio N is the set of odes i the graph, where each ode correspods to a heap object or to a referece variable i the program. N = N R {ull, uiit 2 where: ull ad uiit are distiguished odes that represet respectively, ull ad uiitialized objects. N is the set of odes represetig o-ull iitialized heap objects. R is the set of of odes, each of which represet a referece variable i the program, ad is referred to as root of the heap. E is the set of edges i H such that E = E F E R where: F deotes the set of fields of referece types i the program. Ad, E F (N F (N \ R)) represet field edges. A edge ( 1, f, 2 ) E F deotes that field f of the object represeted by 1 poits to the object represeted by 2. E R (R (N {ull)) represet poits-to edges. A edge (r, 1 ) E R represets the fact that referece variable r poits to the object represeted by 1. Note that there ca be at most oe outgoig edge per field from a ode. By symbolic heap, we mea a heap that has uiit odes. A symbolic heap represets a potetially ifiite umber of cocrete heaps through the uiit ode. We treat a cocrete heap as a special symbolic heap that does ot cotai uiit odes. I rest of the paper, symbolic heaps (e.g., H 1, H 2, etc.) represet the heap of the aalyzed program, ad thus have the same F ad R sets that represet the set of fields ad referece variables i the program respectively. Defiitio 2. We defie a partial order over symbolic heaps, such that H 1 H 2 iff there exists a ijective (total) fuctio µ : N H2 N H1 such that for odes x, y N H 2, f F, ad v R, followig coditios hold: 1. (x, f, y) E H2 F 2. (x, f, ull) E H2 F (µ(x), f, µ(y)) EH1 F (µ(x), f, ull) EH1 3. (v, x) E H 2 R (v, µ(x)) EH 1 R Ituitively, H 2 H 1 if there is a subgraph of H 1 cotaiig all odes poited to by the odes i R, which is isomorphic to H 2 modulo all uiit odes ad all edges icidet o them. We say a cocrete heap H c is represeted by a symbolic heap H s iff H c H s. Defiitio 3. A symbolic heap H 2 subsumes a symbolic heap H 1, deoted by H 1 H 2, iff the set of cocrete heaps represeted by a H 2 cotais all cocrete heaps represeted by H 1. Formally, H 1 H 2 H c. H c H1 H c H2. Corollary 1. H 1 H 2 H 1 H 2. 2 without loss of geerality, we assume that the sets N 0, R, ad {ull,uiit are mutually disjoit. F As metioed, a symbolic state also icludes the valuatio for the primitive typed fields, e.g, elem field i Figure 2, (described later i sectio) ad the program couter. We check subsumptio oly for states that have the same program couter. Checkig subsumptio ivolves checkig (1) subsumptio for heap shape ad (2) valid implicatio betwee the state costraits o the the symbolic states. While checkig for shape subsumptio, oly the structure of the heap is cosidered (the symbolic values of primitive type fields are igored). The symbolic values of the primitive typed fields are take ito accout while checkig implicatio betwee state costraits. 4.2 Subsumptio of Heap Shapes Data: Heaps H 1 = (N H 1, E H 1 ), H 2 = (N H 2, E H 2 ) Result: true if H 2 subsumes H 1, false otherwise. Also builds labelig l for matched odes. l : (N H 1 N H 2 ) L {olbl, where L is a set of labels {l 1, l 2, l begi 2 for N H 1 N H 2 do l() := olbl; 3 wl 1 := mklist({ such that (r, ) E H R 1); 4 wl 2 := mklist({ such that (r, ) E H 2 R ); 5 while wl 2 is ot empty do 6 if wl 1 is empty the retur false; 7 1 := remove(wl 1 ), 2 := remove(wl 2 ); 8 if 2 = uiit the cotiue; 9 if 1 = uiit the retur false; 10 if 1 = ull 2 = ull the cotiue; 11 if 1 = ull 2 = ull the retur false; 12 if (l( 2 ) olbl l( 1 ) olbl) the 13 if l( 2) l( 1) the retur false; 14 cotiue; 15 ed 16 l( 2 ) := l( 1 ) := ew uique label(); 17 add (wl 1, succs ( 1)); 18 add (wl 2, succs ( 2 )); 19 ed 20 if wl 1 is ot empty the retur false; 21 retur true; 22 ed Algorithm 1: Subsumptio for Heap Shape I order to check if a program state s 2 subsumes aother program state s 1, we first check if the heap shape H 2 of s 2 subsumes the heap shape H 1 of s 1. Ituitively, H 2 subsumes H 1 if H 2 is more geeral (i.e., represets more cocrete heap shapes) tha H 1. Subsumptio for heap shape is checked by Algorithm 1. The algorithm traverses the two heap graphs at the same time, i the same order, startig from the roots (odes i R) ad tryig to match the odes i the two structures. For simplicity, we cosider here a depth first

7 Saswat Aad et al.: Symbolic Executio with Abstractio 7 search traversal. We impose a orderig o the referece variables ad the heap graph is traversed from each of the roots i that order. The algorithm maitais two work lists wl 1 ad wl 2 to record the visited odes; The lists are iitialized (through call to mklist) to a ordered list of heap objects poited to by the variables i R. remove ad add are list operatios that remove the first elemet ad add a elemet to the ed of the list, respectively. We also impose a orderig o the fields of referece type from F. So the successors of a ode, N, ca be ordered by the order o their respective fields. succs i the algorithm returs the successors of a ode usig orderig. The algorithm labels the heap odes durig traversal, such that two matched odes have the same uique label. These labels are used for checkig state subsumptio (as discussed below). If the algorithm fids two odes that caot be matched, it returs false. Moreover, wheever a uiitialized H 2 ode is visited durig traversal, the algorithm backtracks, i.e., successors of the ode i H 1 that matches uiitialized ode are ot added to the worklist (lie 8); the ituitio is that a uiitialized ode uiit i H 2 ca be matched with a arbitrary subgraph i H 1. However, a uiitialized ode i H 1 ca oly match a uiitialized ode i H 2 (lie 9), ad a ull ode i oe heap ca oly match a ull ode i the other (lies 10,11). Lies esures that the matchig is oe-to-oe. I other words, if either of 1 or 2 is already labeled because it is beig revisited, the both of them must have bee visited before ad have same labels. Note that, if the algorithm returs true, odes i H 1 that are ot visited due to matchig with uiitialized odes have olbl labels; o the other had, every ode, N H2 is visited ad thus has a label other tha olbl. As a example, Figure 4 illustrates the shapes of several tree data structures. The double-headed dotted arrows coect the matched odes i the structures. I the example, the tree subsumes the tree. Whereas, i the example, there is o subsumptio relatio betwee the two trees. Theorem 1. If Algorithm 1 returs true ad labelig l for iputs H 1 ad H 2 the H 2 subsumes H 1. Proof. (Sketch) Let µ : N H 2 N H 1 be such that µ( 2 ) = 1 iff l( 2 ) = l( 1 ). We show that µ satisfies the coditios i Defiitio 2, therefore H 1 H 2 ad, accordig to Corollary 1, H 1 H 2. Note that µ is ijective because two odes i N H 2 ca ot have the same label (lie 16 i Algorithm 1). Moreover, µ is total: all odes i N H 2 are labeled (sice Algorithm 1 performs a depth first search traversal of H 2 ad it returs true oly whe wl 2 is empty). We cosider two cases: Let (r, 2 ) E H 2 R ad (r, 1) E H 1 R. The successors of r are added i the same order to wl 2 ad wl 1 respectively. Therefore 2 ad 1 are removed at the same time from wl 2 ad wl 1 respectively at lie 7. Therefore, either 2 = 1 = ull (lie 10) or l( 2 ) = l( 1 ) (lie 14 or 16) or 2 = uiit (lie 8) (i ay other case, Algorithm 1 returs false). Let ( 2, f, 2) E H 2 F ad ( 1, f, 1) E H 1 F such that l( 2 ) = l( 1 ). Sice 1 ad 2 have the same label, it follows that their label was assiged i lie 16 of the algorithm, their successors are added i the same order to wl 1 ad wl 2, therefore 2 ad 1 are removed from wl 2 ad wl 1 respectively at lie 7. Therefore, similar to the above, either 2 = 1 = ull (lie 10) or l( 2) = l( 1) or 2 = uiit (lie 8). If H 2 subsumes H 1 with a labelig l, we write H 2 l H 1. Note that Algorithm 1 works o shapes represeted as graphs that are determiistic, i.e. for each ode, there is at most oe outgoig edge for each field f, f F. Therefore, the algorithm applies to cocrete heap shapes as well as partially iitialized symbolic heap shapes (represetig, liked lists, trees, etc.). The same algorithm also works o the abstractios for sigly liked lists ad arrays that we preset i the Sectio 6 (sice our abstractios preserve the determiistic ature of the heap). 4.3 Checkig Subsumptio of Numeric Costraits Shape subsumptio is oly a pre-requisite of state subsumptio: we also eed to compare the umeric data stored i the symbolic states. I symbolic executio, the state cotais symbolic values istead of cocrete values for umeric variables ad fields. The path coditio of the state ecodes costraits o these symbolic values. Due to the symbolic values, each symbolic state may represet a potetially ifiite umber of cocrete states. Let primfld() deote all the fields of ode that have primitive types. For the purpose of paper, we cosider oly iteger types, but other primitive types ca be hadled similarly, provided that we have appropriate decisio procedures. Ad let v s (, f) deote the (symbolic) value stored i the iteger field f of ode i state s. Defiitio 4. The valuatio of a ode N i state s with respect to labelig l : N L is a costrait, defied as: val s (, l) := f(l(), f) = v s (, f) f primfld() where, f(label, field) returs a fresh ame that is uique to (label, field) pair. Defiitio 5. The state costrait SCs l of a state s with heap shape H ad path coditio P C is defied as: SC l := v s. val s (, l) P C N H s.t. l() olbl

8 8 Saswat Aad et al.: Symbolic Executio with Abstractio matched umatched ull ull ull ull ull ull ull ull ull ull Fig. 4. Matched ad umatched heap shapes where l is a labelig l : N H L {olbl ad v s deotes all the symbolic ames that are used i symbolic state s; icludes both the values stored i the heap ad the values that appear i the path coditio. As a example, cosider two symbolic states i Figure 5, where s 1 is subsumed by s 2. The matched odes from the two heaps have matchig labels l 1 ad l 2. The valuatios for the two odes labeled l 1 ad l 2 i the had side list are e 1 = ad e 2 = v 3 respectively; e 1 ad e 2 are the ames computed by the fuctio f. Similarly, valuatios for the two odes with labels l 1 ad l 2 i the -had side list are e 1 = ad e 2 = v 2 respectively. The state costrait for s 1 ad s 2 are respectively, v 3, v 2 : e 1 = e 2 = v 3 < v 3 v 3 < v 2 ad, v 2, v 5 : e 1 = e 2 = v 2 v 5 v 5 v 2. Note that the path coditios may cotai symbolic values that are ot stored i the heap (e.g. v 5 i s 2 ) accordig to the program path that led to the symbolic state. Defiitio 6. Let Sol(SCs) l deote the set of satisfyig solutios for the state costrait SCs l of state s for a labelig l. SCs l 2 subsumes SCs l 1 iff Sol(SCs l 1 ) Sol(SCs l 2 ) for same labelig l : N H1 N H2 L {olbl. Sice i geeral, it may be computatioally expesive/impossible to eumerate all the solutios of SC 1 ad SC 2 ad check for set iclusio, we rather check SC 1 SC 2, which if valid esures that Sol(SC 1 ) Sol(SC 2 ). Now we combie the defiitios of heap shape subsumptio ad state costrait subsumptio to defie state subsumptio as follows: Defiitio 7. A state s 1 is subsumed by aother state s 2 (or s 2 subsumes s 1 ) iff H 2 l H 1 ad SC l s 1 SC l s 2. I the example from Figure 5, as described before, Algorithm 1 returs true idicatig that the heap shape of s 2 subsumes that of s 1. Matchig odes from the two states are labeled with l 1 ad l 2. Notice that the third ode i s 1 is ot labeled due to the uiit ode i s 2. To check for subsumptio of state costraits we check if the implicatio betwee the state costrait of s 2 ad that of s 1 is valid. State costrait of s 1 ad s 2 simplifies to e 1 < e 2 ad e 1 <= e 2 respectively. Sice e 1 < e 2 e 1 <= e 2 is valid, s 2 subsumes s 1. The complexity for oe subsumptio step icludes the complexity of heap traversal (() where is the size of the heap) ad the complexity for checkig umeric costraits. While the cost of checkig umerical costraits caot be avoided, we believe that the cost of heap traversal ca be somewhat alleviated if it is performed durig garbage collectio. However we eed to experimet further with idea. 5 Symbolic Executio with (Abstract) Subsumptio Checkig Algorithm 2 illustrates the procedure for performig symbolic executio with (abstract) subsumptio checkig. The procedure checks if the iput program P ca reach a error state φ from iitial state s 0. The procedure uses a depth first search order state exploratio ad it maitais a set of VisitedStates for the states visited so far ad a Stack for storig the states to be explored. The procedure is similar to classical model checkig state exploratio, except that the explored states are symbolic, rather tha cocrete. The path coditio o umeric data is checked for satisfiability to esure exploratio of feasible paths. As discussed, we use state subsumptio to determie if a state was visited before. Performig symbolic executio ad subsumptio checkig durig model checkig may yield a ubouded umber of symbolic states space. Therefore, we use abstractios to limit the model checker s search space. For each explored symbolic state s, the model checker computes a abstract state α(s ), which is the stored for state compariso. Subsumptio checkig is used to compare the abstracted states, to determie if a abstract state is beig re-visited. This effectively explores a uder-approximatio of the feasible paths through the program. Therefore, all the reported

9 Saswat Aad et al.: Symbolic Executio with Abstractio 9 s 1 : s 2 : l 1 : l 2 : l 1 : l 2 : v 3 v 2 v 2 valuatio : e 1 = e 2 = v 3 PC : < v 3 v 3 < v 2 valuatio : e 1 = e 2 = v 2 PC : v 5 v 5 v 2 Fig. 5. State Subsumptio Data: Program P ad error state φ Result: Couterexample if φ is reachable 1 begi 2 add (α(s 0 ), V isitedstates); 3 push (s 0, Stack); 4 while Stack is ot empty do 5 s := pop (Stack); 6 if s = φ the retur couterexample; 7 foreach trasitio t eabled i s do 8 s := successor (s, t); 9 if P athcoditio(s ) is ot satisfiable the cotiue; 10 if there exists s V isitedstates s.t. α(s ) subsumed by s the cotiue; 11 // s ot subsumed by ay of the visited states 12 add (α(s ), V isitedstates); 13 push (s, Stack); 14 ed 15 ed 16 ed Algorithm 2: Symbolic Executio with (Abstract) Subsumptio Checkig errors correspod to real errors i the aalyzed program. Note however that the aalysis might miss some errors, due to the imprecisio of the abstractio. 6 Abstractios 6.1 Abstractio for Sigly Liked Lists The abstractio that we have implemeted is ispired by [22,31] ad it is based o the idea of summarizig all the odes i a maximally uiterrupted list segmet with a summary ode. The mai differece betwee [22, 31] ad the abstractio preseted here is that we also summarize the umeric data stored i the summarized odes ad we give special treatmet to u-iitialized odes. The umeric data stored i the abstracted list is summarized by settig the valuatio for the summary ode to be a disjuctio of the valuatios of the summarized odes. Ituitively, the umeric data stored i a summary ode ca be equal to that of ay of the summarized odes. Shape subsumptio betwee abstract states is doe by Algorithm 1 as before, which treats summary ode as ay other ode i the heap. For checkig subsumptio betwee umeric costraits, we itroduce a ew valuatio fuctio for the summary odes as described before. Defiitio 8. A ode is defied as a iterruptig ode, or simply a iterruptio if satisfies at least oe of followig coditios: 1. = ull 2. = uiit 3. {m such that (r, m) E R, i.e., is poited to by at least oe referece variable. 4. 1, 2 such that ( 1,, ), ( 2,, ) E F. I other words, is poited-to by at least two odes (cyclic list). A uiterrupted list segmet is a segmet of the list that does ot cotai a iterruptio. A uiterrupted list segmet [u, v] is maximal if, (a,, u) E F a is a iterruptio ad (v,, b) E F b is a iterruptio. The abstractio for liked list replaces all maximally uiterrupted list segmets i heap H with a summary ode i the abstract state. If [u, v] is a maximally uiterrupted list segmet i H, the followig trasformatios o H produces its abstract mappig. 1. A ew summary ode sum is added to the set of odes N H. 2. If there is a edge (a,, u) EF H, a ew edge (a,, sum ) is added to EF H. 3. If there is a edge (v,, b) EF H, a ew edge ( sum,, b) is added to EF H. 4. All odes m i the list segmet [u, v], ad all edges icidet o or goig out of each m are removed from H. Note that the edges betwee the odes i the list segmet, which are summarized by a summary ode, are ot represeted i the abstractio state. With abstractio, Algorithm 1 is used to check subsumptio of shapes for abstracted heaps. I order to check subsumptio of umeric costraits, we defie a valuatio fuctio for the summary odes as follows. Let N S, N S N, deote the set of summary odes itroduced i the heap durig abstractio.

10 10 Saswat Aad et al.: Symbolic Executio with Abstractio s 8 Summary l 1 : l 2 : l 3 : l 1 : l 2 : l 3 : v v 2 v 3 1 v 2 v 3 s 12 v4 Ú ÐÙ Ø ÓÒ e 1 = e 2 = v 2 e 3 = v 3 Ú ÐÙ Ø ÓÒ e 1 = (e 2 = v 2 e 2 = v 3 ) e 3 = v 4 È v v 2 v È v v 2 v v 3 v Fig. 6. Abstract subsumptio betwee s 8 ad s 12 Defiitio 9. The valuatio of a summary ode sum N S i state s, with respect to labelig l : N L is defied as: val s ( sum, l) := f(l( sum ), f) = v s (t, f) t sumodes( sum ) f primflds(t) where, sumodes( sum ) deotes the set of odes that are summarized by sum Example To illustrate the approach, let us go back to the example preseted i Sectio 3. Figure 6 depicts the abstract heap shape ad the valuatios of matched odes for state s 12. The abstracted state is subsumed by state s 8 as there is a subsumptio of heap shape, as represeted by labeligs of respective matchig odes ad a valid implicatio betwee the ormalized umeric costraits of the two states. Note that we do t explicitly summarize list segmets of size oe (e.g. the secod list elemet i s 8 ); the abstracted ad the u-abstracted states for s 8 are i fact the same Discussio Note that the list abstractio esures that the umber of possible abstract heap cofiguratios is fiite; however, it is still possible to have a ifiite umber of states due to the umeric costraits. To address issue, we pla to use predicate abstractio i cojuctio with the abstractios preseted here, to further abstract the umeric costraits. This is the subject of future work. Also ote that the focus here is o abstractig heap structures. Therefore we igored the umeric values of local program variables, which may also be ubouded (they are curretly discarded i the abstracted state). Predicate abstractio ca also be used for the local umeric variables. 6.2 Abstractio for Arrays We exteded our framework with subsumptio checkig ad a abstractio for arrays of itegers. The basic idea is to represet symbolic arrays as sigly liked lists ad to apply the (abstract) subsumptio checkig methods developed for lists. Specifically, we maitai the arrays as sigly liked lists; odes i the list represet idividual array cells ad their orderig i the list correspod to the order of idices of array cells they represet. Cosecutive (iitialized) array elemets are represeted as liked odes. Summary odes are itroduced betwee array elemets that are ot cosecutive. These summary odes model zero or more uiitialized array elemets that may possibly exist i the (cocrete) array. With the list represetatio of arrays we determie subsumptio of program states with arrays as before. However, the roots are ow iteger program variables that are used to idex the array, ad the special summary odes represetig uiitialized array segmets are treated as ay other ode i the heap N H while checkig for shape subsumptio i Algorithm 1. Abstractio is applied i a way similar to abstractio for liked lists. The defiitio of iterruptio is exteded to cotai the special summary odes. We must ote that is oly oe particular abstractio, ad there may be others for example, abstractios based o array represetatios as ordered sequeces of updates. We adopt particular represetatio because i way we ca leverage o our abstractio techiques for lists. Note that subsumptio becomes approximate, i.e., we might miss the fact that a state subsumes aother Array represetatio A symbolic array A is represeted by a symbolic value le represetig the array legth ad a associatio list of array cells. Each array cell c is a pair (idex, elem): idex is a symbolic value represetig the idex i the array ad elem is a symbolic value represetig the value stored i the array at positio idex. The array cells are stored i a sigly liked list which is sorted accordig to the relative order of the idices of the cells. Each list elemet correspods to a array cell i A. Give array cell c, let idex(c) ad elem(c) deote the idex ad the value of c respectively; also let (c) deote the cell that is to c i the list. The followig ivariats hold for the list i a program state with path coditio P C. 1. P C idex(f) >= 0 is valid, where f is the first cell i the list.

11 Saswat Aad et al.: Symbolic Executio with Abstractio P C idex(l) < le is valid, where l is the last cell i the list. 3. P C idex(c) < idex((c)) is valid, where c is a cell other tha the last cell i the list. Note that our framework maitais these ivariats through lazy iitializatio whe array elemets are accessed durig symbolic executio. Whe a array is accessed with a symbolic idex, the framework odetermiistically chooses (1) a existig cell from the list, or (2) a ew cell, which is placed either at the begiig or ed of the list, or betwee two cells that may ot correspod to two cosecutive elemets of the array. I all cases the path coditio is updated so that the above ivariats hold for the ew list. Ad as usual, if for ay of the cases the updated path coditio becomes usatisfiable, the path is ot explored. To be able to check for subsumptio betwee states cotaiig arrays, we first apply a trasformatio (Algorithm 3) to the heaps. The trasformatio itroduces special summary odes, deoted by, i the lists of array cells to represet uiitialized array segmets. A array segmet may be uiitialized if oe of the array elemets i that segmet have bee accessed so far. Algorithm 3 takes i the heap H A that represets the heap of the program state cotaiig a list of array cells represetig a array A, ad returs a trasformed heap H A that cotais additioal special summary odes. The trasformatio esures that if two adjacet array cell c ad (c) i H A may represet o-cosecutive array elemets, the they are separated by a special summary ode i H A. the other had, if c ad (c) must represet two cosecutive array elemets, they are coected directly by a lik i H A (as i H A ). Whether two adjacet array cells c ad (c) i H A may represet o-cosecutive array elemets is determied by checkig whether P C idex(c) = idex((c)) 1 is ivalid; The formula is ivalid if there exists some solutio of P C that does ot satisfy the costrait idex(c) = idex((c)) 1, idicatig that for that particular solutio, idices of array cells c ad (c) are ot cosecutive. The trasformatio also esures that if the first(last) cell i H A may ot represet the first(last) elemet of the array A, a special summary ode is added before(after) the cell i H A. If P C idex(f) = 0 is ivalid, the it idicates that the first array cell f may ot represet the first elemet of the array. Similarly, if P C idex(l) = le 1 is ivalid, the it idicates that the last cell l may ot represet the last elemet of the array. While checkig for heap shape subsumptio (Algorithm 1), the heap is traversed from the elemets of R; each of which represets a referece-type variable i the program. However, with arrays elemets of R may also represet iteger-type program variables that idex ito a array. Formally, let I deote the set of itegertype program variables that idex ito a array, ad v s (i), i I deote the (symbolic) value of i i state s. Data: Sorted liked list H A = (N, E) represetig array A Result: Sorted liked list H A = (N, E ) that cotais additioal summary odes represetig uiitialized cosecutive array elemets 1 begi 2 foreach c i N do 3 add c to N ; 4 if c is the first elemet i H A P C idex(c) = 0 is ivalid the 5 add a special summary ode before c i H A ; 6 ed 7 if c is the last elemet i A P C idex(c) = le 1 is ivalid the 8 add a special summary ode after c i H A ; 9 else 10 (c) := cell followig c i A; 11 if P C idex(c) = idex((c)) 1 is ivalid the 12 add a special summary ode after c i A ; 13 ed 14 ed 15 ed 16 ed Algorithm 3: Buildig sorted liked lists represetig symbolic arrays Alog with odes represetig referece-type (icludig array-type) variables, ow the heap also cotais oe ode for each variable i i I such it poits to array cell c if v s (i) = idex(c); R cotais all such odes, ad as before, a arbitrary orderig o the elemets of R is imposed for the traversal i Algorithm 1. Abstractio over arrays is very similar to the oe used for lists. It summarizes maximally uiterrupted segmets correspodig to cosecutive array elemets. However, the defiitio for a iterruptio is slightly differet, as it cosiders the special summary odes itroduced by Algorithm 3 as iterruptios. Furthermore, we do ot have to take ito accout heap shared odes as i case of liked lists because arrays are represeted by acyclic liked lists. Defiitio 10. A ode c i is a iterruptio if c =, or c = ull, or c is poited to by a root r R. Abstractio ivolves replacig all uiterrupted segmets with a summary ode (similar to list abstractio) Example Cosider the symbolic array i Figure 7 (a); v 0..v 5 are symbolic values stored i the iitialized array elemets. The cocrete values 0..3 ad the symbolic values j ad

12 12 Saswat Aad et al.: Symbolic Executio with Abstractio (b) List represetatio: (a) Symbolic array: a v 0 v 2 v 3 v 4 v 5 a: v 0 v 2 v 3 v 4 v j lo hi lo È Ø ÓÒ Ø ÓÒ 3 < j < le = le 1 hi (c) Abstractio: a v 0 {, v 2 v 3 v 4 v 5 lo hi Fig. 7. A symbolic array (a), its list represetatio (b) ad its abstractio (c) are array idices. Note that j ad are costraied by the path coditio; le is a symbolic value represetig the array legth. Local program variables lo ad hi are used to idex the array. Figure 7 (b) shows the list represetatio for the symbolic array. The list is sorted accordig to the relative order of idices. The first four array elemets are represeted by odes that are directly coected, because they represet cosecutive array elemets from idices 0 to 3. However, the 5th array elemet (cotaiig value v 4 ) is separated from the other odes a summary ode (marked with a * ) o each side; it represets the fact that there may exist array elemets before ad after elemet (i.e., betwee elemet ad the elemet with value v 3 ad similarly, betwee elemet ad the elemet with value v 5 ), but have ot bee accessed so far durig executio. Figure 7 (c) shows the abstracted list. The special summary odes ad the odes poited to by odes represetig the program variables a, lo, hi are cosidered as iterruptios. Ad thus, the secod ad third odes of the list i (b) form a maximally uiterrupted segmet ad hece is summarized ito a ew ode that is costraied to store a value that may be equal to the cotets of either of the summarized odes (i.e., or v 2 ). 6.3 Abstractio for Geeral Data Structures ur approach ca be exteded to more geeral data structures, e.g. by usig a abstractio that is similar to the list abstractio. The idea agai is to summarize all uiterrupted heap segmets ito summary odes, where a iterruptio is oe of the followig: a ode poited to by a referece variable a ode that is heap shared (i.e., a ode that is poited to by at least two other odes) a ode that represets ull or uiit As metioed, the list abstractio that we use preserves the determiistic ature of the heap; therefore we ca use Algorithm 1 for checkig subsumptio for abstract heap structures. However, may ot hold i geeral for other abstractios. For example, cosider the abstractio of a tree structure. Each selector field of a summary ode ca ow have a set of values (istead of oly oe) represetig multiple outgoig heap edges. To address issue, Algorithm 1 ca be exteded to support set of values of each selector field of summary odes (i.e., by comparig the set sizes ad by fixig a order for each set). This will yield a coservative approximatio of subsumptio checkig: Algorithm 1 may fail to determie that a structure is i fact subsumed by aother. We leave extesio for our future work. I future, we also pla to study the decidability of subsumptio checkig for more geeral heap abstractios (e.g., [21]) ad exted our approach to these cases. 7 Experimets We have implemeted (abstract) subsumptio checkig o top of the symbolic executio framework implemeted i JPF; the implemetatio uses the mega library as a decisio procedure. We applied our framework for error detectio i two Java programs, that maipulate lists ad arrays respectively. The first program, show i Fig. 8(a), is a list partitio take from [9]. The method takes as iput a acyclic liked list l ad a iteger v ad it removes all the odes whose elem fields are greater tha v; the removed elemets are stored i a ew list, which is poited to by ewl. A post-coditio of the method is that each elemet i the list poited to by l after method s executio must be less tha or equal to v. We itroduced a bug i the program so that the post-coditio is ot satisfied for the buggy program. The bug is activated by ucommetig the lie L1. I order to apply symbolic executio, we first istrumeted the code, as show i Fig. 8(b). Cocrete types

13 Saswat Aad et al.: Symbolic Executio with Abstractio 13 class Node{ Node ; it elem ;... Node p a r t i t i o ( Node l, it v ){ Node curr, prev, ewl, Curr ; prev = ewl = ull ; c u r r = l ; while ( c u r r!= ull ){ Curr = c u r r. ; i f ( c u r r. elem > v ){ i f ( prev!= ull ) L1 : // i f ( Curr!= u l l ) // bug prev. =Curr ; i f ( c u r r == l ) l = Curr ; c u r r. =ewl ; ewl = c u r r ; else prev = c u r r ; c u r r = Curr ; check ( ) ; retur l ; (a) rigial code class SymNode{ SymNode ; Expressio elem ;... SymNode p a r t i t i o (SymNode l, Expressio v ){ SymNode curr, prev, ewl, Curr ; prev = ewl = ull ; c u r r = l ; while ( c u r r!= ull ){ V e r i f y. i g o r e I f ( ifsubsumed ( 1 ) ) ; Curr = c u r r. g e t e x t ( ) ; i f ( c u r r. g e t e l e m ( ). GT( v ) ) { i f ( prev!= ull ) L1 : // i f ( Curr!= u l l ) // bug prev. s e t e x t ( Curr ) ; i f ( c u r r == l ) l = Curr ; c u r r. s e t e x t ( ewl ) ; ewl = c u r r ; else prev = c u r r ; c u r r = Curr ; symcheck ( ) ; retur l ; (b) Istrumeted code Fig. 8. List Partitio Example. are replaced with symbolic types (library classes that we provide), ad cocrete operatios are replaced with method calls that implemet equivalet symbolic operatios. For example, classes SymList ad SymNode implemet symbolic Lists ad Nodes respectively, while class Expressio supports maipulatio of symbolic itegers. Method ifsubsumed checks for state subsumptio. It takes a iteger argumet that deotes the program couter, ad it returs true oly if the curret program state is subsumed by a state which was observed before at that program poit. If ifsubsumed returs true, the the model checker backtracks (as istructed by the Verify.igoreIf method); otherwise, the curret state is stored for further matchig ad the search cotiues. check() ad its symbolic versio symcheck() checks if the method s post-coditio is satisfied. Symbolic executio with abstract subsumptio checkig discovers the bug ad it reports a couterexample of 10 steps, for a iput list that has two elemets, such that the first elemet is v, ad the secod elemet is > v. The secod program, show i Fig. 9(a), is a array partitio take from [4]. It is a buggy versio of the partitio fuctio used i the QuickSort algorithm, a classic example used to study test geeratio. The fuctio permutes the elemets of the iput array so that the resultig array has two parts: the first part cotais values that are less tha or equal to the chose pivot value a[0]; while the secod part has elemets that are greater tha the pivot value. There is a array boud check missig i the code at lie L2 that ca lead to a array bouds error. The correspodig istrumeted code is show i Fig. 9(b) class SymbolicItArray implemets symbolic arrays of iteger, while ArrayIdex implemets symbolic itegers that are array idexes. Symbolic executio with abstract subsumptio checkig reports a couterexample of 30 steps, for a iput array that has four elemets. We also aalyzed the corrected versios of the two partitio programs to see whether symbolic executio with abstract subsumptio checkig termiates whe the state-space is ifiite, which is the case for the two programs. The state-exploratio ideed termiates without reportig ay error. For the list partitio the aalysis checked subsumptio 23 times of which 11 states were foud to be subsumed (12 uique states were stored). For the array partitio the respective umbers were: 30 checks, with 17 subsumed ad 13 states stored. This demostrates the effectiveess of the abstractios i limitig the state space. We should ote that subsumptio checkig without abstractio is ot sufficiet to limit the state space. This is i geeral the case for loopig pro-