TY - GEN
T1 - Program analysis via satisfiability modulo path programs
AU - Harris, William R.
AU - Sankaranarayanan, Sriram
AU - Ivančić, Franjo
AU - Gupta, Aarti
PY - 2010
Y1 - 2010
N2 - Path-sensitivity is often a crucial requirement for verifying safety properties of programs. As it is infeasible to enumerate and analyze each path individually, analyses compromise by soundly merging information about executions along multiple paths. However, this frequently results in a loss of precision. We present a program analysis technique that we call Satisfiability Modulo Path Programs (SMPP), based on a path-based decomposition of a program. It is inspired by insights that have driven the development of modern SMT(Satisfiability Modulo Theory) solvers. SMPP symbolically enumerates path programs using a SAT formula over control edges in the program. Each enumerated path program is verified using an oracle, such as abstract interpretation or symbolic execution, to either find a proof of correctness or report a potential violation. If a proof is found, then SMPP extracts a sufficient set of control edges and corresponding interference edges, as a form of proof-based learning. Blocking clauses derived from these edges are added back to the SAT formula to avoid enumeration of other path programs guaranteed to be correct, thereby improving performance and scalability. We have applied SMPP in the F-Soft program verification framework, to verify properties of real-world C programs that require path-sensitive reasoning. Our results indicate that the precision from analyzing individual path programs, combined with their efficient enumeration by SMPP, can prove properties as well as indicate potential violations in the large.
AB - Path-sensitivity is often a crucial requirement for verifying safety properties of programs. As it is infeasible to enumerate and analyze each path individually, analyses compromise by soundly merging information about executions along multiple paths. However, this frequently results in a loss of precision. We present a program analysis technique that we call Satisfiability Modulo Path Programs (SMPP), based on a path-based decomposition of a program. It is inspired by insights that have driven the development of modern SMT(Satisfiability Modulo Theory) solvers. SMPP symbolically enumerates path programs using a SAT formula over control edges in the program. Each enumerated path program is verified using an oracle, such as abstract interpretation or symbolic execution, to either find a proof of correctness or report a potential violation. If a proof is found, then SMPP extracts a sufficient set of control edges and corresponding interference edges, as a form of proof-based learning. Blocking clauses derived from these edges are added back to the SAT formula to avoid enumeration of other path programs guaranteed to be correct, thereby improving performance and scalability. We have applied SMPP in the F-Soft program verification framework, to verify properties of real-world C programs that require path-sensitive reasoning. Our results indicate that the precision from analyzing individual path programs, combined with their efficient enumeration by SMPP, can prove properties as well as indicate potential violations in the large.
KW - Abstract interpretation
KW - Path sensitivity
KW - Program analysis
KW - SMT solvers
KW - Satisfiability solvers
KW - Symbolic execution
UR - http://www.scopus.com/inward/record.url?scp=77950906922&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77950906922&partnerID=8YFLogxK
U2 - 10.1145/1706299.1706309
DO - 10.1145/1706299.1706309
M3 - Conference contribution
AN - SCOPUS:77950906922
SN - 9781605584799
T3 - Conference Record of the Annual ACM Symposium on Principles of Programming Languages
SP - 71
EP - 81
BT - POPL'10 - Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
T2 - 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL'10
Y2 - 17 January 2010 through 23 January 2010
ER -