ABSTRACT
Symbolic execution is a powerful static program analysis technique that has been used for the automated generation of test inputs. Directed Automated Random Testing (DART) is a dynamic variant of symbolic execution that initially uses random values to execute a program and collects symbolic path conditions during the execution. These conditions are then used to produce new inputs that execute the program along different paths. It has been argued that DART can handle situations where classical static symbolic execution fails, due to incompleteness in decision procedures and the inability of static symbolic execution to handle external library calls.
We propose a technique that mitigates these limitations of classical symbolic execution. The proposed technique splits the generated path conditions into (a) constraints that can be solved by a decision procedure and (b) complex non-linear constraints with uninterpreted functions that represent external library calls. The solutions generated by the decision procedure are used to simplify the complex constraints, and the resulting path conditions are checked again for satisfiability. We also present heuristics that can further improve our technique. We show how our technique enables classical symbolic execution to cover paths that other dynamic symbolic execution approaches cannot cover. Our method has been implemented within the Symbolic PathFinder tool and has been applied to several examples, including two from the NASA domain.
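The split, solve, substitute and re-check loop that the abstract describes, as an added example that is not the paper's or Symbolic PathFinder's code: a toy decision procedure over a bounded integer domain stands in for a real one, and `math.isqrt` plays the external library call that the solver treats as uninterpreted (the path conditions and all names are constructed for this illustration).

```python
import itertools
import math
from dataclasses import dataclass

@dataclass
class Constraint:
    text: str                    # human-readable form, for reporting
    holds: object                # callable: concrete assignment (dict) -> bool
    uses_external: bool = False  # calls a library function the solver treats as uninterpreted

def split_path_condition(pc):
    # (a) constraints a decision procedure can solve; (b) complex constraints with external calls
    simple = [c for c in pc if not c.uses_external]
    return simple, [c for c in pc if c.uses_external]

def decision_procedure(simple, variables, lo=-5, hi=5):
    # Toy stand-in for a decision procedure (assumption: bounded integer domain, enumerated).
    # Yields solutions one at a time so the caller can ask for another when one is rejected.
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(c.holds(env) for c in simple):
            yield env

def mixed_solve(pc, variables, max_candidates=1000):
    # Solve (a), substitute each solution into (b), re-check (b) concretely.
    # Returns (solution or None, number of candidate solutions examined).
    simple, complex_ = split_path_condition(pc)
    examined = 0
    for env in decision_procedure(simple, variables):
        examined += 1
        if examined > max_candidates:
            break
        # With all variables concrete, the external call is simply executed,
        # so each complex constraint reduces to a plain true/false check.
        if all(c.holds(env) for c in complex_):
            return env, examined
    return None, examined  # unsatisfiable in the bounded domain, or budget exhausted

# Constructed path condition: branch guarded by x > 0 && y > 0 && x + y <= 10,
# then by isqrt(x) + 1 == y, where isqrt stands for an external library call.
PC = [
    Constraint("x > 0", lambda e: e["x"] > 0),
    Constraint("y > 0", lambda e: e["y"] > 0),
    Constraint("x + y <= 10", lambda e: e["x"] + e["y"] <= 10),
    Constraint("isqrt(x) + 1 == y", lambda e: math.isqrt(e["x"]) + 1 == e["y"], uses_external=True),
]
# Same simple part, but the complex part has no solution in the domain.
PC_UNSAT = PC[:3] + [Constraint("isqrt(x) == y + 10",
                                lambda e: math.isqrt(e["x"]) == e["y"] + 10, uses_external=True)]
```

`mixed_solve(PC, ["x", "y"])` returns `({'x': 1, 'y': 2}, 2)`: the first solution of the simple part, x = 1, y = 1, is rejected once the external call is evaluated, and the second one is accepted; which candidate to try next is where the paper's heuristics would apply.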