Automated Formal Static Analysis and Retrieval of Source Code - JKU
Automated Formal Static Analysis and Retrieval of Source Code - JKU
Automated Formal Static Analysis and Retrieval of Source Code - JKU
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
2.1. BACKGROUND 9<br />
From the practical point <strong>of</strong> view, ESC/Java2 is incomplete with respect to the Java language:<br />
no support for multi-threading).<br />
Theoretically, it is not sound nor complete. Incompleteness is due to the lack <strong>of</strong> power <strong>of</strong><br />
the current theorem prover, unsoundness results from the lack <strong>of</strong> support for integer overflow or<br />
multi-threaded execution.<br />
2.1.2 Symbolic Execution<br />
2.1.2.1 Method Description<br />
Before the symbolic execution technique was used in program proving, the existing approaches<br />
used the notion <strong>of</strong> a domain for the variables involved in the program execution.<br />
In program proving using symbolic execution ([Kin75]), the numeric values for the input<br />
variables are supplied with symbolic values <strong>and</strong> the expressions st<strong>and</strong>ing for the program variables<br />
are represented by symbolic expressions.<br />
Three notions are involved in the program proving using this approach: state, path condition,<br />
program counter.<br />
A state contains symbolic expressions for each variable used in the program.<br />
A path condition represents a set <strong>of</strong> assumptions that the inputs must satisfy in order to reach<br />
the respective branch. Basically, the path condition is a conjunction <strong>of</strong> predicates upon the symbolic<br />
values <strong>of</strong> the input variables. There exists a path condition corresponding to each program<br />
path.<br />
The program counter determines which statement will be executed next.<br />
For the generation <strong>of</strong> the path condition it turned out that forward reasoning (used in the the<br />
majority <strong>of</strong> the systems implementation – see Section 2.1.2.2) is more suitable than backward<br />
reasoning ([How73]), because it follows naturally the execution <strong>of</strong> a program.<br />
The symbolic execution tree can also characterize the execution <strong>of</strong> a procedure: each program<br />
statement represents a node <strong>and</strong> each transition between statements is a directed arc. From nodes<br />
representing conditionals there is more than one arc leaving it; the node associated with the first<br />
statement has not incoming arcs, the terminal node has no outgoing arcs.<br />
If the procedure contains while loops whose number <strong>of</strong> iterations depend on the input variables<br />
then the associated symbolic execution tree is infinite.<br />
Symbolic execution is used in many approaches for program analysis: path domain checking,<br />
partition analysis, program reduction, program testing, but we are interested in applying symbolic<br />
execution in program proving.<br />
2.1.2.2 Symbolic Execution Systems<br />
The early symbolic execution systems (EFFIGY, SELECT, ATTEST, Interactive Programming<br />
System, etc.) use theorem proving for checking the correctness <strong>of</strong> programs.<br />
EFFIGY ([Kin75]) follows the rules <strong>and</strong> principles <strong>of</strong> the symbolic execution approach. The<br />
language supported by EFFIGY is a simple imperative programming language. The input values<br />
for the programs can be both symbolic <strong>and</strong> concrete values.