TY - GEN
T1 - Conflict-directed graph coverage
AU - Schwartz-Narbonne, Daniel
AU - Schäf, Martin
AU - Jovanović, Dejan
AU - Rümmer, Philipp
AU - Wies, Thomas
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2015.
PY - 2015
Y1 - 2015
N2 - Many formal method tools for increasing software reliability apply Satisfiability Modulo Theories (SMT) solvers to enumerate feasible paths in a program subject to certain coverage criteria. Examples include inconsistent code detection tools and concolic test case generators. These tools have in common that they typically treat the SMT solver as a black box, relying on its ability to efficiently search through large search spaces. However, in practice the performance of SMT solvers often degrades significantly if the search involves reasoning about complex control-flow. In this paper, we open the black box and devise a new algorithm for this problem domain that we call conflict-directed graph coverage. Our algorithm relies on two core components of an SMT solver, namely conflict-directed learning and deduction by propagation, and applies domain-specific modifications for reasoning about control-flow graphs. We implemented conflict-directed coverage and used it for detecting code inconsistencies in several large Java open-source projects with over one million lines of code in total. The new algorithm yields significant performance gains on average compared to previous algorithms and reduces the running times on hard search instances from hours to seconds.
AB - Many formal method tools for increasing software reliability apply Satisfiability Modulo Theories (SMT) solvers to enumerate feasible paths in a program subject to certain coverage criteria. Examples include inconsistent code detection tools and concolic test case generators. These tools have in common that they typically treat the SMT solver as a black box, relying on its ability to efficiently search through large search spaces. However, in practice the performance of SMT solvers often degrades significantly if the search involves reasoning about complex control-flow. In this paper, we open the black box and devise a new algorithm for this problem domain that we call conflict-directed graph coverage. Our algorithm relies on two core components of an SMT solver, namely conflict-directed learning and deduction by propagation, and applies domain-specific modifications for reasoning about control-flow graphs. We implemented conflict-directed coverage and used it for detecting code inconsistencies in several large Java open-source projects with over one million lines of code in total. The new algorithm yields significant performance gains on average compared to previous algorithms and reduces the running times on hard search instances from hours to seconds.
UR - http://www.scopus.com/inward/record.url?scp=84942588923&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84942588923&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-17524-9_23
DO - 10.1007/978-3-319-17524-9_23
M3 - Conference contribution
AN - SCOPUS:84942588923
SN - 9783319175232
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 327
EP - 342
BT - NASA Formal Methods - 7th International Symposium, NFM 2015, Proceedings
A2 - Havelund, Klaus
A2 - Holzmann, Gerard
A2 - Joshi, Rajeev
PB - Springer Verlag
T2 - 7th International Symposium on NASA Formal Methods, NFM 2015
Y2 - 27 April 2015 through 29 April 2015
ER -