DOI: 10.5555/2818754.2818833
research-article

Regular property guided dynamic symbolic execution

Published: 16 May 2015

    Abstract

    A challenging problem in software engineering is to check whether a program has an execution path satisfying a regular property. We propose a novel method of dynamic symbolic execution (DSE) to automatically find a path of a program satisfying a regular property. What makes our method distinct is that, when exploring the path space, DSE is guided by the synergy of static analysis and dynamic analysis to find a target path as soon as possible. We have implemented our guided DSE method for Java programs based on JPF and WALA, and applied it to 13 real-world open source Java programs, a total of 225K lines of code, for extensive experiments. The results show the effectiveness, efficiency, feasibility and scalability of the method. Compared with pure DSE on the time to find the first target path, the average speedup of the guided DSE is more than 258X when analyzing programs that have more than 100 paths.


    Published In

    ICSE '15: Proceedings of the 37th International Conference on Software Engineering - Volume 1
    May 2015
    999 pages
    ISBN:9781479919345

    Publisher

    IEEE Press

    Publication History

    Published: 16 May 2015

    Qualifiers

    • Research-article

    Conference

    ICSE '15

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%

    Cited By

    • (2022) Linear-time temporal logic guided greybox fuzzing. Proceedings of the 44th International Conference on Software Engineering, pp. 1343-1355. doi:10.1145/3510003.3510082. Online publication date: 21-May-2022
    • (2020) Multiplex symbolic execution. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pp. 846-857. doi:10.1145/3324884.3416645. Online publication date: 21-Dec-2020
    • (2019) Type-guided worst-case input generation. Proceedings of the ACM on Programming Languages 3:POPL, pp. 1-30. doi:10.1145/3290326. Online publication date: 2-Jan-2019
    • (2018) A Survey of Symbolic Execution Techniques. ACM Computing Surveys 51:3, pp. 1-39. doi:10.1145/3182657. Online publication date: 23-May-2018
    • (2018) Symbolic verification of regular properties. Proceedings of the 40th International Conference on Software Engineering, pp. 871-881. doi:10.1145/3180155.3180227. Online publication date: 27-May-2018
    • (2018) Automatically generating search heuristics for concolic testing. Proceedings of the 40th International Conference on Software Engineering, pp. 1244-1254. doi:10.1145/3180155.3180166. Online publication date: 27-May-2018
    • (2017) RGSE: a regular property guided symbolic executor for Java. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 954-958. doi:10.1145/3106237.3122830. Online publication date: 21-Aug-2017
    • (2017) Practical symbolic verification of regular properties. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 1053-1055. doi:10.1145/3106237.3121275. Online publication date: 21-Aug-2017
    • (2017) Dependence Guided Symbolic Execution. IEEE Transactions on Software Engineering 43:3, pp. 252-271. doi:10.1109/TSE.2016.2584063. Online publication date: 1-Mar-2017
    • (2016) Finding the needle in the heap. Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering, pp. 1-12. doi:10.1145/3015135.3015137. Online publication date: 5-Dec-2016
