IEEE Transactions on Software Engineering (special issue on the ISSTA 2008 best papers)
2010
We present an algorithm DASH to check if a program P satisfies a safety property \varphi.
The unique feature of this algorithm is that it uses only test generation operations,
and it refines and maintains a sound program abstraction as a consequence of failed
test generation operations. Thus, each iteration of the algorithm is inexpensive,
and can be implemented without any global may-alias information.
In particular, we introduce a new refinement operator WP_\alpha that uses only the
alias information obtained by symbolically executing a test to refine
abstractions in a sound manner. We present a full exposition of the DASH algorithm
and its theoretical properties. We have implemented DASH in a tool called YOGI
that plugs into Microsoft's Static Driver Verifier framework.
We have used this framework to run YOGI on 69 Windows Vista drivers with 85 properties
and find that YOGI scales much better than SLAM,
the current engine driving Microsoft's Static Driver Verifier.
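The DASH loop in miniature, as an added Python example that is neither the paper's nor YOGI's code: it checks a constructed scalar program given as a CFG (location -> list of (kind, payload, target) edges), so the plain pre-image WP stands in for WP_\alpha because there are no pointers, and a brute-force search over a small input domain stands in for symbolic execution plus a constraint solver. Every name here (SAFE, BUGGY, INPUTS, run, wp, follows, error_path, dash) is this example's own invention; SAFE cannot reach ERR because y = x + 1 rules out y > 5 together with x < 0.

```python
INPUTS = range(-8, 13)  # constructed input domain for x; makes every satisfiability check a finite search
SAFE = {0: [('assign', ('y', lambda s: s['x'] + 1), 1)],  # constructed CFG: loc -> [(kind, payload, target)]
        1: [('assume', lambda s: s['y'] > 5, 2), ('assume', lambda s: s['y'] <= 5, 3)],
        2: [('assume', lambda s: s['x'] < 0, 'ERR'), ('assume', lambda s: s['x'] >= 0, 3)],
        3: [], 'ERR': []}
BUGGY = {**SAFE, 2: [('assume', lambda s: s['x'] < 6, 'ERR'), ('assume', lambda s: s['x'] >= 6, 3)]}
def run(program, x):  # concrete test: trace of (loc, state), one entry per step, until no edge is enabled
    loc, state, trace = 0, {'x': x}, []
    while True:
        trace.append((loc, dict(state)))
        for kind, payload, tgt in program[loc]:
            if kind == 'assign': state[payload[0]] = payload[1](state)
            if kind == 'assign' or payload(state): loc = tgt; break
        else: return trace
def wp(kind, payload, post):  # pre-image of `post` across one edge: the paper's WP, minus aliasing
    if kind == 'assign': return lambda s: post({**s, payload[0]: payload[1](s)})
    return lambda s: payload(s) and post(s)
def follows(trace, path):  # does the concrete trace pass through the regions of `path` in order?
    return len(trace) >= len(path) and all(l == r[0] and r[1](s) for (l, s), r in zip(trace, path))
def error_path(regions, edges):  # DFS for an abstract path to ERR from an entry region holding some input
    stack, seen = [[r] for r in regions if r[0] == 0 and any(r[1]({'x': x}) for x in INPUTS)], set()
    while stack:
        path = stack.pop()
        if path[-1][0] == 'ERR': return path
        for src, _, dst in edges:
            if src is path[-1] and dst not in seen: seen.add(dst); stack.append(path + [dst])
def dash(program):  # returns ('PASS', number of refinements) or ('FAIL', input that reaches ERR)
    at = {loc: (loc, lambda s: True) for loc in program}  # initial abstraction: one region per location
    regions, edges = list(at.values()), [(at[l], (k, p), at[t]) for l in program for k, p, t in program[l]]
    tests, refinements = [run(program, 0)], 0
    while True:
        path = error_path(regions, edges)
        if path is None: return ('PASS', refinements)  # no abstract path to ERR: the property holds
        # frontier k: the deepest prefix of the abstract path that some existing test already follows
        k = max(i for i in range(-1, len(path) - 1) if any(follows(t, path[:i + 1]) for t in tests))
        witness = next((x for x in INPUTS if follows(run(program, x), path[:k + 2])), None)
        if witness is not None:  # test generation succeeded: extend the test set, or report the bug
            tests.append(run(program, witness))
            if k + 2 == len(path): return ('FAIL', witness)
            continue
        # failed test generation: split path[k] on WP of the frontier edge, delete only miss -> path[k+1]
        src, dst = path[k], path[k + 1]
        fop = next(op for s, op, d in edges if s is src and d is dst)
        p, pre = src[1], wp(fop[0], fop[1], dst[1])
        hit = (src[0], lambda s, p=p, pre=pre: p(s) and pre(s))
        miss = (src[0], lambda s, p=p, pre=pre: p(s) and not pre(s))
        regions = [r for r in regions if r is not src] + [hit, miss]
        edges = [(s2, op, d2) for s, op, d in edges for s2 in ([hit, miss] if s is src else [s])
                 for d2 in ([hit, miss] if d is src else [d]) if not (s2 is miss and d2 is dst and op is fop)]
        refinements += 1
```

On SAFE the loop needs two generated tests and three WP splits (at locations 2, 1 and 0) before the entry region on the only remaining abstract error path contains no input state; on BUGGY the second generated test reaches ERR and is reported as the witness.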