The SLAM project: debugging system software via static analysis
Venue: SIGPLAN Not
Citations: 472 - 17 self

Citations

2318 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation Context: ...BP(P,E) with respect to a set of predicates E [2, 3]. C2BP translates each procedure of the C program separately, enabling it to scale to large programs. Using the theory of abstract interpretation [13], we have characterized the precision of the boolean program abstractions created by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interproc...

742 | Construction of abstract state graphs with PVS
- Graf, Saidi
- 1997
Citation Context: ...h boolean variable in B' conservatively tracks the state of a predicate (boolean expression) in the C program. Boolean programs are created automatically using the technique of predicate abstraction [20]. If a reachability analysis of B' determines that the label ERROR is not reachable in B' then it is not reachable in P'. It is possible that B' may be too coarse an abstraction of P' (that is, ERROR ...
606 | Enforceable security policies
- Schneider
Citation Context: ...ernatingly acquired and released. We encode temporal safety properties in a language called SLIC (Specification Language for Interface Checking) [9], which allows the definition of a safety automaton [30, 29] that monitors the execution behavior of a program at the level of function calls and returns. ...

534 | Lazy abstraction
- Henzinger, Jhala, et al.
- 2002
Citation Context: ...s and perform testing. A number of projects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are thos...
487 | Automatic predicate abstraction of C programs
- Ball, Majumdar, et al.
- 2001
Citation Context: ...Three basic tools comprise the SLAM toolkit (in addition to the SLIC preprocessor): • C2BP, a tool that transforms a C program P into a boolean program BP(P,E) with respect to a set of predicates E [2, 3]. C2BP translates each procedure of the C program separately, enabling it to scale to large programs. Using the theory of abstract interpretation [13], we have characterized the precision of the boole...

395 | Checking system rules using system-specific programmer-written compiler extensions
- Engler, Chelf, et al.
- 2000
Citation Context: ...grammers to use assertions and perform testing. A number of projects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, tempor...
391 | Proving the correctness of multiprocess programs
- Lamport
- 1977
Citation Context: ...ject is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are those properties whose violation is witnessed by a finite execution trace (see [24] for a formal definition). A simple example of a safety property is that a lock should be alternatingly acquired and released. We encode temporal safety properties in a language called SLIC (Specifica...

366 | Mining specifications
- Ammons, Bodik, et al.
- 2002
Citation Context: ...river API meant that it took considerable effort to arrive at a useful specification that found real defects. The "chicken and egg" problem of specifications is the topic of a paper in this symposium [1]. Annotation burden. By "annotation", we mean a modification to the program text inserted by a programmer explicitly to help an analysis tool make progress. Examples of such annotations include loop i...
323 | Extended static checking
- Detlefs, Leino, et al.
- 1998
Citation Context: ...jects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are those properties whose violation is wi...

216 | Unification-based pointer analysis with directional assignments
- Das
Citation Context: ...iven the set of predicates present in the SLIC specification, determines what other predicates in the C program will very likely be needed in the future. This technique, based on the value-flow graph [14], greatly reduces the number of iterations of the SLAM process. Challenges. We summarize by discussing some of the challenges inherent in the endeavor of checking user-supplied properties of software...
194 | Boolean and cartesian abstractions for model checking C programs
- Ball, Podelski, et al.
Citation Context: ...C program separately, enabling it to scale to large programs. Using the theory of abstract interpretation [13], we have characterized the precision of the boolean program abstractions created by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) t...

47 | Bebop: A path-sensitive interprocedural dataflow engine
- Ball, Rajamani
- 2001
Citation Context: ... of abstract interpretation [13], we have characterized the precision of the boolean program abstractions created by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) to efficiently represent the reachable states of the boolean program at each progr...
25 | Polymorphic predicate abstraction
- Ball, Millstein, et al.
- 2000
Citation Context: ...Three basic tools comprise the SLAM toolkit (in addition to the SLIC preprocessor): • C2BP, a tool that transforms a C program P into a boolean program BP(P,E) with respect to a set of predicates E [2, 3]. C2BP translates each procedure of the C program separately, enabling it to scale to large programs. Using the theory of abstract interpretation [13], we have characterized the precision of the boole...

8 | Symbolic model checking: 10^20 states and beyond
- Burch, Clarke, et al.
- 1990
Citation Context: ...eated by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) to efficiently represent the reachable states of the boolean program at each program point. • NEWTON, a tool that discovers additional predicates to refine the boolean program, by analyzing th...
4 | On the relative completeness of abstraction refinement
- Ball, Podelski, et al.
- 2001
Citation Context: ...ement of abstractions (such as in SLAM) and traditional fixpoint analyses with widening (which is used to ensure the termination of abstract interpretations in domains with infinite ascending chains) [5]. Using widening, the latter process always will terminate, but it may not give a definite result ("error found" or "program validated"). We have shown that if there is an oracle that can provide a "...

3 | Tool-supported program abstraction for finite-state verification
- Pasareanu, Zheng, et al.
- 2000
Citation Context: ...s and perform testing. A number of projects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are thos...
2 | An automata theoretic approach to automatic program verification
- Vardi, Wolper
- 1996
Citation Context: ...ernatingly acquired and released. We encode temporal safety properties in a language called SLIC (Specification Language for Interface Checking) [9], which allows the definition of a safety automaton [30, 29] that monitors the execution behavior of a program at the level of function calls and returns. ...

1 | Bebop: A symbolic model checker for Boolean programs
- Ball, Rajamani
- 2000
Citation Context: ... of abstract interpretation [13], we have characterized the precision of the boolean program abstractions created by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) to efficiently represent the reachable states of the boolean program at each progr...
1 | Automatically validating temporal safety properties of interfaces
- Ball, Ru, et al.
- 2001
Citation Context: ...m program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are those properties whose violation is witnessed by a finite execution trace (see [24] for a formal definition). A simple example of a safety property is ...

1 | SLIC: A specification language for interface checking
- Ball, Rajamani
- 2001
Citation Context: ...ample of a safety property is that a lock should be alternatingly acquired and released. We encode temporal safety properties in a language called SLIC (Specification Language for Interface Checking) [9], which allows the definition of a safety automaton [30, 29] that monitors the execution behavior of a program at the level of function calls and returns. ...
1 | Graph-based algorithms for boolean function manipulation
- Bryant
- 1986
Citation Context: ...eated by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) to efficiently represent the reachable states of the boolean program at each program point. • NEWTON, a tool that discovers additional predicates to refine the boolean program, by analyzing th...

1 | A static analyzer for finding dynamic programming errors, Software: Practice and Experience
- Bush, Pincus, et al.
- 2000
Citation Context: ...jects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are those properties whose violation is wi...
1 | Successive approximation of abstract transition relations
- Das, Dill
- 2001
Citation Context: ...y to scaling for the SLAM process is in controlling the complexity of the boolean program abstraction. Satyaki Das has implemented a predicate abstraction technique based on successive approximations [15] in the SLAM toolkit, which has proven quite useful in this regard. Also relevant here is the paper on "lazy abstraction" in this symposium [21]. Additionally, there is substantial overhead in having ...

1 | Static detection of dynamic memory errors
- Evans
- 1996
Citation Context: ...grammers to use assertions and perform testing. A number of projects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, tempor...
1 | Logic verification of ANSI-C code with Spin
- Holzmann
- 2000
Citation Context: ...s and perform testing. A number of projects have started to focus on statically checking programs against user-supplied specifications, using techniques from program analysis [18, 19], model checking [21, 17, 22], and automated deduction [16, 12]. Specification. The goal of the SLAM project is to check temporal safety properties of sequential C programs [7]. Roughly stated, temporal safety properties are thos...

1 | Computer-aided Verification of Coordinating Processes
- Kurshan
- 1994
Citation Context: ...t B' may be too coarse an abstraction of P' (that is, ERROR is reachable in B' via a path p but ERROR is not reachable in P' via p). We apply a method known as counterexample-driven refinement [23, 28, 27] to create a more precise boolean program (by adding new predicates/boolean variables) that does not contain the spurious path p (or other paths that are spurious for the same reason p is). Terminatio...
1 | CCured: Type-safe retrofitting of legacy code
- Weimer
- 2002
Citation Context: ... the assumption that the C program obeys a "logical memory model" in which the expressions *p and *(p+i) refer to the same object. Another analysis (see the work on CCured presented at this symposium [25]) is needed to discharge the "logical memory" assumption. ...or validate the code. For example, while a video card driver may have a huge data path, most of this data has no bearing on the driver's int...

1 | Precise interprocedural dataflow analysis via graph reachability
- Reps, Horwitz, et al.
- 1995
Citation Context: ...the boolean program abstractions created by C2BP [4]. • BEBOP, a tool for performing reachability analysis of boolean programs [6, 8]. BEBOP combines interprocedural dataflow analysis in the style of [26] with Binary Decision Diagrams [10, 11] (BDDs) to efficiently represent the reachable states of the boolean program at each program point. • NEWTON, a tool that discovers additional predicates to refi...
1 | On proving safety properties by integrating static analysis, theorem proving and abstraction
- Rusu
Citation Context: ...t B' may be too coarse an abstraction of P' (that is, ERROR is reachable in B' via a path p but ERROR is not reachable in P' via p). We apply a method known as counterexample-driven refinement [23, 28, 27] to create a more precise boolean program (by adding new predicates/boolean variables) that does not contain the spurious path p (or other paths that are spurious for the same reason p is). Terminatio...

1 | Abstract and model check while you prove
- Shankar
- 1999
Citation Context: ...t B' may be too coarse an abstraction of P' (that is, ERROR is reachable in B' via a path p but ERROR is not reachable in P' via p). We apply a method known as counterexample-driven refinement [23, 28, 27] to create a more precise boolean program (by adding new predicates/boolean variables) that does not contain the spurious path p (or other paths that are spurious for the same reason p is). Terminatio...