2,082 research outputs found
Fault Localization in Multi-Threaded C Programs using Bounded Model Checking (extended version)
Software debugging is a very time-consuming process, which is even worse for
multi-threaded programs, due to the non-deterministic behavior of
thread-scheduling algorithms. However, the debugging time may be greatly
reduced, if automatic methods are used for localizing faults. In this study, a
new method for fault localization, in multi-threaded C programs, is proposed.
It transforms a multi-threaded program into a corresponding sequential one and
then uses a fault-diagnosis method suitable for this type of program, in order
to localize faults. The code transformation is implemented with rules and
context switch information from counterexamples, which are typically generated
by bounded model checkers. Experimental results show that the proposed method
is effective, in such a way that sequential fault-localization methods can be
extended to multi-threaded programs.Comment: extended version of paper published at SBESC'1
Precise static analysis of untrusted driver binaries
Most closed source drivers installed on desktop systems today have never been exposed to formal analysis. Without vendor support, the only way to make these often hastily written, yet critical programs accessible to static analysis is to directly work at the binary level. In this paper, we describe a full architecture to perform static analysis on binaries that does not rely on unsound external components such as disassemblers. To precisely calculate data and function pointers without any type information, we introduce Bounded Address Tracking, an abstract domain that is tailored towards machine code and is path sensitive up to a tunable bound assuring termination. We implemented Bounded Address Tracking in our binary analysis platform Jakstab and used it to verify API specifications on several Windows device drivers. Even without assumptions about executable layout and procedures as made by state of the art approaches, we achieve more precise results on a set of drivers from the Windows DDK. Since our technique does not require us to compile drivers ourselves, we also present results from analyzing over 300 closed source drivers
S2TD: a Separation Logic Verifier that Supports Reasoning of the Absence and Presence of Bugs
Heap-manipulating programs are known to be challenging to reason about. We
present a novel verifier for heap-manipulating programs called S2TD, which
encodes programs systematically in the form of Constrained Horn Clauses (CHC)
using a novel extension of separation logic (SL) with recursive predicates and
dangling predicates. S2TD actively explores cyclic proofs to address the path
explosion problem. S2TD differentiates itself from existing CHC-based verifiers
by focusing on heap-manipulating programs and employing cyclic proof to
efficiently verify or falsify them with counterexamples. Compared with existing
SL-based verifiers, S2TD precisely specifies the heaps of de-allocated pointers
to avoid false positives in reasoning about the presence of bugs. S2TD has been
evaluated using a comprehensive set of benchmark programs from the SV-COMP
repository. The results show that S2TD is more effective than state-of-art
program verifiers and is more efficient than most of them.Comment: 24 page
- …