Symbolic Execution and Model Checking for Testing

Subsumption • Symbolic execution with subsumption checking – Not enough to ensure termination – An infinite number of symbolic states • Our solution – Abstraction • Store abstract versions of explored symbolic states • Subsumption checking to determine if an abstract state is re-visited • Decide if the search should continue or backtrack – Enables analysis of under-approximation of program behavior – Preserves errors to safety properties/ useful for testing • Automated support for two abstractions: – Shape abstraction for singly linked lists – Shape abstraction for arrays – Inspired by work on shape analysis (e.g. [TVLA]) • No refinement! Abstractions for Lists and Arraysions for Lists and Arrays • Shape abstraction for singly linked lists – Summarize contiguous list elements not pointed to by program variables into summary nodes – Valuation of a summary node • Union of valuations of summarized nodes – Subsumption checking between abstracted states • Same algorithm as subsumption checking for symbolic states • Treat summary node as an “ordinary” node • Abstraction for arrays – Represent array as a singly linked list – Abstraction similar to shape abstraction for linked lists Abstraction for Listsion for Lists E1 = V0 (E2 = V1 E2 = V2) E3 = V3 PC: V0 v V1 v V2 v Symbolic states Abstracted states