Article (DOI: 10.5555/2041552.2041563)

Directed symbolic execution

Published: 14 September 2011

Abstract

In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortest-distance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and call-chain-backward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, Mix-CCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU Coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, Mix-CCBSE performed best on average, combining to good effect the features of its constituent components.
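The SDSE idea in the abstract, a distance metric over the interprocedural control flow graph deciding which pending path symbolic execution expands next, can be seen in miniature below. This is an added example written for this page, not code from the paper or from the authors' implementation. The small interprocedural CFG, its "function:line" node names, the plain hop-count distance (standing in for whatever metric the paper uses) and the context-insensitive return edges are all assumptions made for the illustration. The same worklist is also run as an undirected breadth-first exploration so the number of expanded states under the two strategies can be compared.

```python
"""Added example: SDSE-style scheduling on a constructed interprocedural CFG.

Nothing here is the paper's implementation; the graph and the hop-count
distance metric are assumptions made for illustration.
"""
import heapq
import itertools
from collections import deque

INF = float("inf")

# Constructed interprocedural CFG (ICFG): node -> successor nodes.
# Nodes are named "function:line". Call edges lead into the callee's entry
# node and return edges lead back to the statement after the call site
# (context-insensitive: each callee has a single caller in this toy).
ICFG = {
    "main:1": ["main:2"],
    "main:2": ["parse:1"],              # call parse()
    "parse:1": ["parse:2", "parse:3"],  # branch inside parse()
    "parse:2": ["parse:4"],
    "parse:3": ["parse:4"],
    "parse:4": ["main:3"],              # return to main()
    "main:3": ["main:4", "main:5"],     # branch: main:4 calls check(), main:5 skips it
    "main:4": ["check:1"],              # call check()
    "check:1": ["check:2", "check:3"],  # branch inside check()
    "check:2": ["check:4"],
    "check:3": ["check:4"],             # check:3 is the line we want to reach
    "check:4": ["main:6"],              # return to main()
    "main:5": ["main:6"],
    "main:6": [],                       # program exit
}
TARGET = "check:3"


def distances_to(icfg, target):
    """Hop count from every node to `target` along ICFG edges (reverse BFS).

    Nodes that cannot reach the target get INF. They are kept with the lowest
    priority rather than discarded: the metric is purely structural and knows
    nothing about which paths are actually feasible.
    """
    preds = {node: [] for node in icfg}
    for node, succs in icfg.items():
        for succ in succs:
            preds[succ].append(node)
    dist = {node: INF for node in icfg}
    dist[target] = 0
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in preds[node]:
            if dist[pred] == INF:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist


def explore(icfg, start, target, priority):
    """Path-enumerating worklist search standing in for a symbolic executor.

    Each pending path is a separate "state" (no merging, as in symbolic
    execution). `priority(node)` picks the next state; an insertion counter
    breaks ties FIFO so runs are deterministic. Returns the path that reached
    `target` and how many states were expanded on the way.
    """
    counter = itertools.count()
    worklist = [(priority(start), next(counter), [start])]
    expanded = 0
    while worklist:
        _, _, path = heapq.heappop(worklist)
        expanded += 1
        node = path[-1]
        if node == target:
            return path, expanded
        for succ in icfg[node]:
            heapq.heappush(worklist, (priority(succ), next(counter), path + [succ]))
    return None, expanded


def sdse_search(icfg=ICFG, start="main:1", target=TARGET):
    """SDSE-style search: always expand the state closest to the target."""
    dist = distances_to(icfg, target)
    return explore(icfg, start, target, priority=dist.__getitem__)


def breadth_first_search(icfg=ICFG, start="main:1", target=TARGET):
    """Undirected baseline: constant priority turns the worklist into a FIFO queue."""
    return explore(icfg, start, target, priority=lambda _node: 0)


if __name__ == "__main__":
    for name, search in (("SDSE", sdse_search), ("BFS", breadth_first_search)):
        path, expanded = search()
        print(f"{name}: reached {TARGET} after expanding {expanded} states")
        print("  path:", " -> ".join(path))
```

On this graph the distance-guided search expands 9 states before reaching `check:3`, while the breadth-first baseline expands 19, because it also enumerates the `parse:3` and `main:5` paths that lead nowhere near the target. The hop count is computed from graph structure alone, so in this toy a short-looking route whose branch conditions were unsatisfiable would be prioritised just as eagerly; that blind spot is the kind of thing a practitioner should keep in mind when reading the abstract's remark that SDSE can fail badly in some cases.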


Cited By

  • (2022) Combining static analysis error traces with dynamic symbolic execution (experience paper). Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 568-579. DOI: 10.1145/3533767.3534384. Online publication date: 18-Jul-2022.
  • (2022) A synergistic approach to improving symbolic execution using test ranges. Innovations in Systems and Software Engineering 15(3-4), pp. 325-342. DOI: 10.1007/s11334-019-00331-9. Online publication date: 10-Mar-2022.
  • (2021) Concolic Execution of NMap Scripts for Honeyfarm Generation. Proceedings of the 8th ACM Workshop on Moving Target Defense, pp. 33-42. DOI: 10.1145/3474370.3485660. Online publication date: 15-Nov-2021.
  • (2021) Regression Greybox Fuzzing. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2169-2182. DOI: 10.1145/3460120.3484596. Online publication date: 12-Nov-2021.
  • (2021) Execution reconstruction: harnessing failure reoccurrences for failure reproduction. Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation, pp. 1155-1170. DOI: 10.1145/3453483.3454101. Online publication date: 19-Jun-2021.
  • (2021) Probabilistic profiling of stateful data planes for adversarial testing. Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 286-301. DOI: 10.1145/3445814.3446764. Online publication date: 19-Apr-2021.
  • (2021) GenTree. Proceedings of the 43rd International Conference on Software Engineering, pp. 1598-1609. DOI: 10.1109/ICSE43902.2021.00142. Online publication date: 22-May-2021.
  • (2020) Sys. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 199-216. DOI: 10.5555/3489212.3489224. Online publication date: 12-Aug-2020.
  • (2020) Targeted greybox fuzzing with static lookahead analysis. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 789-800. DOI: 10.1145/3377811.3380388. Online publication date: 27-Jun-2020.
  • (2019) Automated attack discovery in data plane systems. Proceedings of the 12th USENIX Conference on Cyber Security Experimentation and Test, pp. 13-13. DOI: 10.5555/3359012.3359025. Online publication date: 12-Aug-2019.

Published In

SAS'11: Proceedings of the 18th international conference on Static analysis
September 2011, 386 pages
ISBN: 9783642237010
Editor: Eran Yahav
Publisher: Springer-Verlag, Berlin, Heidelberg
