Behind the scenes in SANTE: a combination of static and dynamic analyses

Chebaro, Omar; Cuoq, Pascal; Kosmatov, Nikolaï; Marre, Bruno; Pacalet, Anne; Williams, Nicky; Yakobowski, Boris

doi:10.1007/s10515-013-0127-x

Cited by 17 publications

(5 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It allows us to formally justify V&V on relaxed slices instead of the initial program, and to give a complete sound interpretation of presence or absence of errors in slices. First experiments with Sante [12,13], where all-path testing is used on relaxed slices to confirm or invalidate alarms initially detected by value analysis, show that using relaxed slicing allowed to reduce the program in average by 51 % (going up to 97 % for some examples) and accelerated V&V in average by 43 %.…”

Section: Resultsmentioning

confidence: 99%

Cut Branches Before Looking for Bugs: Sound Verification on Relaxed Slices

Léchenet

Kosmatov

Gall

2016

Fundamental Approaches to Software Engineering

Self Cite

View full text Add to dashboard Cite

Program slicing can be used to reduce a given initial program t oas m a l l e ro n e(aslice) which preserves the behavior of the initial program with respect to a chosen criterion. Verification and validation (V&V) of software can become easier on slices, but require particular care in presence of errors or non-termination in order to avoid unsound results or a poor level of reduction in slices. This article proposes a theoretical foundation for conducting V&V activities on a slice instead of the initial program. We introduce the notion of relaxed slicing that remains efficient even in presence of errors or non-termination, and establish an appropriate soundness property. It allows us to give a precise interpretation of verification results (absence or presence of errors) obtained for a slice in terms of the initial program. Our results have been proved in Coq.

show abstract

Section: Resultsmentioning

confidence: 99%

Cut Branches Before Looking for Bugs: Sound Verification on Relaxed Slices

Léchenet

Kosmatov

Gall

2016

Fundamental Approaches to Software Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…Post et al [28] describe a semi-automatic process in which they use CBMC repeatedly on larger and larger code slices around potential error locations identified by Polyspace. 4 They report a reduction of false alarms by 25% to 75%, depending on the amount of manual intervention. Chebaro et al [5,4] describe the SANTE tool, which uses dynamic symbolic execution or concolic testing to try and construct concrete test inputs that confirm the warnings.…”

Section: Related Workmentioning

confidence: 99%

“…4 They report a reduction of false alarms by 25% to 75%, depending on the amount of manual intervention. Chebaro et al [5,4] describe the SANTE tool, which uses dynamic symbolic execution or concolic testing to try and construct concrete test inputs that confirm the warnings. The main difference to our work is that such approaches use abstract interpretation only to "guide" the more precise post-processing phase towards possible error locations but do not inject information from the abstractions into the post-processing in the same way as in our work.…”

Section: Related Workmentioning

confidence: 99%

“…In particular, if memory is freed only during the "elimination" phase, then exhibiting a violation (an instance of the infamous ABA problem) requires a seven thread client where three push operations are concurrently executed with four pops. To witness the violation, the implementation is annotated with several assertions that manipulate counters as described in [4]. Lazy-CSeq is the only tool we are aware of that can automatically find bugs in this benchmark and requires 5h:35m:13s time and 2.39 GB of memory to find a bug.…”

Section: Complex Benchmarksmentioning

confidence: 99%

See 1 more Smart Citation

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

et al. 2017

View full text Add to dashboard Cite

Abstract. Lazy sequentialization has proven to be one of the most effective techniques for concurrent program verification. The Lazy-CSeq sequentialization tool performs a "lazy" code-to-code translation from a concurrent program into an equivalent non-deterministic sequential program, i.e., it preserves the valuations of the program variables along its executions. The obtained program is then analyzed using sequential bounded model checking tools. However, the sizes of the individual states still pose problems for further scaling. We therefore use abstract interpretation to minimize the representation of the concurrent program's (shared global and thread-local) state variables. More specifically, we run the Frama-C abstract interpretation tool over the programs constructed by Lazy-CSeq to compute overapproximating intervals for all (original) state variables and then exploit CBMC's bitvector support to reduce the number of bits required to represent these in the sequentialized program. We have implemented this approach in the last release of Lazy-CSeq and demonstrate the effectiveness of this approach; in particular, we show that it leads to large performance gains for very hard verification problems.

show abstract

“…A representative example of this family of techniques is the work by Pengfei et al [34] that uses pattern-based matching to detect double fetch vulnerabilities in the Linux kernel; other examples of available tools for static analysis are Clang [20], Flawfinder [22], Checkmarx [35] and Cppcheck [21]. Dynamic analysisbased detectors assess a program by injecting data in realtime or simulating conditions that could trigger states leading to vulnerabilities (see e.g., AddressSanitizer [36], SANTE [37], DR. CHECKER [38], OPIA [39], and DroidForensics [40]). Moreover, hybrid software techniques have also been proposed: Concolic testing approaches use dynamic symbolic execution to reach a trade off between the costs and benefits of dynamic and static analysis.…”

Section: Related Workmentioning

confidence: 99%