Article

Demand-driven compositional symbolic execution

Authors:

Patrice Godefroid,

Nikolai TillmannAuthors Info & Claims

TACAS'08/ETAPS'08: Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems

Pages 367 - 381

Published: 29 March 2008 Publication History

Abstract

We discuss how to perform symbolic execution of large programs in a manner that is both compositional (hence more scalable) and demand-driven. Compositional symbolic execution means finding feasible interprocedural program paths by composing symbolic executions of feasible intraprocedural paths. By demand-driven, we mean that as few intraprocedural paths as possible are symbolically executed in order to form an interprocedural path leading to a specific target branch or statement of interest (like an assertion). A key originality of this work is that our demand-driven compositional interprocedural symbolic execution is performed entirely using first-order logic formulas solved with an off-the-shelf SMT (Satisfiability-Modulo-Theories) solver - no procedure in-lining or custom algorithm is required for the interprocedural part. This allows a uniform and elegant way of summarizing procedures at various levels of detail and of composing those using logic formulas.

We have implemented a prototype of this novel symbolic execution technique as an extension of Pex, a general automatic testing framework for .NET applications. Preliminary experimental results are encouraging. For instance, our prototype was able to generate tests triggering assertion violations in programs with large numbers of program paths that were beyond the scope of non-compositional test generation.

References

[1]

Alur, R., Yannakakis, M.: Model Checking of Hierarchical State Machines. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 175-188. Springer, Heidelberg (1998).

Digital Library

[2]

Babic, D., Hu, A.J.: Structural Abstraction of Software Verification Conditions. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, Springer, Heidelberg (2007).

Digital Library

[3]

Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic Predicate Abstraction of C Programs. In: Proceedings of PLDI 2001 (2001).

Digital Library

[4]

Bush, W.R., Pincus, J.D., Sielaff, D.J.: A static analyzer for finding dynamic programming errors. Software Practice and Experience 30(7), 775-802 (2000).

Digital Library

[5]

Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: Automatically Generating Inputs of Death. In: ACM CCS (2006).

Digital Library

[6]

Clarke, E., Kroening, D., Lerda, F.: A Tool for Checking ANSI-C Programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, Springer, Heidelberg (2004).

[7]

Csallner, C., Smaragdakis, Y.: Check'n Crash: Combining Static Checking and Testing. In: Inverardi, P., Jazayeri, M. (eds.) ICSE 2005. LNCS, vol. 4309, Springer, Heidelberg (2006).

Digital Library

[8]

de Moura, L., Bjørner, N.: Z3, 2007. Web page: http://research.microsoft.com/projects/Z3

[9]

Engler, D., Dunbar, D.: Under-constrained execution: making automatic code destruction easy and scalable. In: Proceedings of ISSTA 2007 (2007).

Digital Library

[10]

Godefroid, P.: Compositional Dynamic Test Generation. In: POPL 2007, pp. 47-54 (January 2007).

Digital Library

[11]

Godefroid, P., Klarlund, N., Sen, K.: DART: Directed Automated Random Testing. In: PLDI 2005, Chicago, pp. 213-223 (June 2005).

Digital Library

[12]

Gopan, D., Reps, T.: Low-level Library Analysis and Summarization. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 68-81. Springer, Heidelberg (2007).

Digital Library

[13]

Gupta, N., Mathur, A.P., Soffa, M.L.: Generating Test Data for Branch Coverage. In: Proceedings of ASE 2000, pp. 219-227 (September 2000).

Digital Library

[14]

Khurshid, S., Suen, Y.L.: Generalizing Symbolic Execution to Library Classes. In: PASTE 2005, Lisbon (September 2005).

Digital Library

[15]

King, J.C.: Symbolic Execution and Program Testing. Journal of the ACM 19(7), 385-394 (1976).

Digital Library

[16]

Korel, B.: A Dynamic Approach of Test Data Generation. In: ICSM, pp. 311-317 (November 1990).

[17]

Livshits, V.B., Lam, M.: Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, Springer, Heidelberg (2003).

Digital Library

[18]

Majumdar, R., Sen, K.: Latest: Lazy dynamic test input generation. Technical report, UC Berkeley (2007).

[19]

Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of POPL 1995, pp. 49-61 (1995).

Digital Library

[20]

Tillmann, N., de Halleux, J.: Pex (2007), http://research.microsoft.com/Pex

[21]

Tillmann, N., Schulte, W.: Parameterized unit tests. In: ESEC-FSE 2005, pp. 253- 262. ACM, New York (2005).

Digital Library

[22]

Visser, W., Pasareanu, C., Khurshid, S.: Test Input Generation with Java PathFinder. In: ISSTA 2004, Boston (July 2004).

Digital Library

[23]

Xie, Y., Aiken, A.: Scalable Error Detection Using Boolean Satisfiability. In: Proceedings of POPL 2005 (2005).

Digital Library

Cited By

Smaragdakis YGrech NLagouvardos STriantafyllou KTsatiris I(2021)Symbolic value-flow static analysis: deep, precise, complete modeling of Ethereum smart contractsProceedings of the ACM on Programming Languages10.1145/34855405:OOPSLA(1-30)Online publication date: 15-Oct-2021
https://dl.acm.org/doi/10.1145/3485540
Loring BMitchell DKinder JMcKinley KFisher K(2019)Sound regular expression semantics for dynamic symbolic execution of JavaScriptProceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/3314221.3314645(425-438)Online publication date: 8-Jun-2019
https://dl.acm.org/doi/10.1145/3314221.3314645
Chowdhury SBorle SRomansky SHindle A(2019)GreenScalerEmpirical Software Engineering10.1007/s10664-018-9640-724:4(1649-1692)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1007/s10664-018-9640-7
Show More Cited By

Demand-driven compositional symbolic execution
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning

Recommendations

Demand-driven pointer analysis

Known algorithms for pointer analysis are “global” in the sense that they perform an exhaustive analysis of a program or program component. In this paper we introduce a demand-driven approach for pointer analysis. Specifically, we describe a demand-...
Symbolic heap abstraction with demand-driven axiomatization of memory invariants
OOPSLA '10

Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and ...
Demand-driven pointer analysis
PLDI '01: Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation

Known algorithms for pointer analysis are “global” in the sense that they perform an exhaustive analysis of a program or program component. In this paper we introduce a demand-driven approach for pointer analysis. Specifically, we describe a demand-...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

TACAS'08/ETAPS'08: Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems

March 2008

518 pages

ISBN:3540787992

Editors:
C. R. Ramakrishnan
Stony Brook University, Department of Computer Science, Stony Brook, NY
,
Jakob Rehof
Universität Dortmund, Fachbereich Informatik, Dortmund, Germany

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 29 March 2008

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

74
Total Citations
View Citations
6
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Smaragdakis YGrech NLagouvardos STriantafyllou KTsatiris I(2021)Symbolic value-flow static analysis: deep, precise, complete modeling of Ethereum smart contractsProceedings of the ACM on Programming Languages10.1145/34855405:OOPSLA(1-30)Online publication date: 15-Oct-2021
https://dl.acm.org/doi/10.1145/3485540
Loring BMitchell DKinder JMcKinley KFisher K(2019)Sound regular expression semantics for dynamic symbolic execution of JavaScriptProceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/3314221.3314645(425-438)Online publication date: 8-Jun-2019
https://dl.acm.org/doi/10.1145/3314221.3314645
Chowdhury SBorle SRomansky SHindle A(2019)GreenScalerEmpirical Software Engineering10.1007/s10664-018-9640-724:4(1649-1692)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1007/s10664-018-9640-7
Liu XWu ZWei Q(2018)An Improved Offline Symbolic Execution ApproachProceedings of the 2018 2nd International Conference on Computer Science and Artificial Intelligence10.1145/3297156.3297276(314-320)Online publication date: 8-Dec-2018
https://dl.acm.org/doi/10.1145/3297156.3297276
Mora FLi YRubin JChechik MHuchard MKästner CFraser G(2018)Client-specific equivalence checkingProceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering10.1145/3238147.3238178(441-451)Online publication date: 3-Sep-2018
https://dl.acm.org/doi/10.1145/3238147.3238178
Lemieux CPadhye RSen KSong DTip FBodden E(2018)PerfFuzz: automatically generating pathological inputsProceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3213846.3213874(254-265)Online publication date: 12-Jul-2018
https://dl.acm.org/doi/10.1145/3213846.3213874
Baldoni RCoppa ED’elia DDemetrescu CFinocchi I(2018)A Survey of Symbolic Execution TechniquesACM Computing Surveys10.1145/318265751:3(1-39)Online publication date: 23-May-2018
https://dl.acm.org/doi/10.1145/3182657
Trabish DMattavelli ARinetzky NCadar CChaudron MCrnkovic IChechik MHarman M(2018)Chopped symbolic executionProceedings of the 40th International Conference on Software Engineering10.1145/3180155.3180251(350-360)Online publication date: 27-May-2018
https://dl.acm.org/doi/10.1145/3180155.3180251
Wang XSun JChen ZZhang PWang JLin YChaudron MCrnkovic IChechik MHarman M(2018)Towards optimal concolic testingProceedings of the 40th International Conference on Software Engineering10.1145/3180155.3180177(291-302)Online publication date: 27-May-2018
https://dl.acm.org/doi/10.1145/3180155.3180177
Fuchs AKuchen HHaddad HWainwright RChbeir R(2018)Test-case generation for web-service clientsProceedings of the 33rd Annual ACM Symposium on Applied Computing10.1145/3167132.3167294(1518-1527)Online publication date: 9-Apr-2018
https://dl.acm.org/doi/10.1145/3167132.3167294
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents