Verification-based software-fault detection

Software is used in many safetyand security-critical systems. Software development is, however, an error-prone task where a software developer tries to precisely formalize in a programming language their imprecise ideas about a program. Formal methods help to reduce this problem. These methods add another layer to the software development allowing to formalize and to check desired properties of a program. Deductive software verification is a formal method for proving the correctness of a program with respect to a requirement specification. However, since programs often have faults, i.e., they do not satisfy the required program properties, program correctness proofs often do not succeed. The ability to detect software faults is therefore important to increase the efficiency of software verification. Another deficiency of software verification is that it is often not practical to apply software verification rigorously to a program and all other components that are critical for the the correct behavior of the program. The combination of software verification with software testing is therefore important even if a correctness proof for a program (subset) has been established. In this dissertation new techniques for the detection of software faults (or software “bugs”) are developed which are based on a formal deductive verification technology. The general approach is to start with a verification attempt in order to gain information about the respective program and then to use this information for software fault detection. The techniques are divided into two categories. The first category consists of purely deductive techniques that solve specific problems for detecting software faults if a verification attempt is not successful. The most significant contributions are (a) a technique for counterexample generation from first-order logic formulas with quantifiers, and (b) a technique for deducing the existence of software faults from a failed verification attempt when loop invariants and method contracts are used. The second category consists of test case generation techniques that are based on the techniques from the first category. We extend existing work for the generation of test cases from proof structures and describe tool-chains that combine verification-based test generation with more traditional test generation approaches. The described approaches take advantage of information obtained during verification and in this way combine verification technology with deductive fault detection and test generation in a very unified way.