research-article

Precise pointer reasoning for dynamic test generation

Authors:

Bassem Elkarablieh,

Patrice Godefroid,

Michael Y. LevinAuthors Info & Claims

ISSTA '09: Proceedings of the eighteenth international symposium on Software testing and analysis

Pages 129 - 140

https://doi.org/10.1145/1572272.1572288

Published: 19 July 2009 Publication History

Abstract

Dynamic test generation consists of executing a program while gathering symbolic constraints on inputs from predicates encountered in branch statements, and of using a constraint solver to infer new program inputs from previous constraints in order to steer next executions towards new program paths. Variants of this technique have recently been adopted in several bug detection tools, including our whitebox fuzzer SAGE, which has found dozens of new expensive security-related bugs in many Windows applications and is now routinely used in various Microsoft groups.

In this paper, we discuss how to perform precise symbolic pointer reasoning in the context of dynamic test generation. We present a new memory model for representing arbitrary symbolic pointer dereferences to memory regions accessible by a program during its execution, and show that this memory model is the most precise one can hope for in our context, under some realistic assumptions. We also describe how the symbolic constraints generated by our model can be solved using modern SMT solvers, which provide powerful constructs for reasoning about bit-vectors and arrays. This new memory model has been implemented in SAGE, and we present results of experiments with several large Windows applications showing that an increase in precision can often be obtained at a reasonable cost. Better precision in symbolic pointer reasoning means more relevant constraints and fewer imprecise ones, hence better test coverage, more bugs found and fewer redundant test cases.

References

[1]

D. Babic and A. J. Hu. Structural Abstraction of Software Verification Conditions. In Proceedings of CAV'2007 (19th Conference on Computer Aided Verification), Berlin, July 2007.

Digital Library

[2]

M. Barnett, B. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proceedings of FMCO'2005 (4th International Symposium on Formal Methods for Components and Objects), volume 4111 of LNCS, pages 364--387. Springer, September 2006.

Digital Library

[3]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically Generating Inputs of Death. In ACM CCS, 2006.

Digital Library

[4]

E. Clarke, D. Kroening, and F. Lerda. A Tool for Checking ANSI-C Programs. In Proceedings of TACAS'2004 (Tools and Algorithms for the Construction and Analysis of Systems), volume 2988 of Lecture Notes in Computer Science, pages 168--176. Springer, 2004.

[5]

P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the Fourth Annual ACM Symposium on Principles of Programming Languages, January 1977.

Digital Library

[6]

L. de Moura and N. Bjorner. Z3: An Efficient SMT Solver. In TACAS '08: Tools and Algorithms for the Construction and Analysis of Systems, 2008.

Digital Library

[7]

P. Godefroid, N. Klarlund, and K. Sen. DART: Directed Automated Random Testing. In Proceedings of PLDI'2005 (ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation), pages 213--223, Chicago, June 2005.

Digital Library

[8]

P. Godefroid, M.Y. Levin, and D. Molnar. Active Property Checking. In Proceedings of EMSOFT'2008 (8th Annual ACM&IEEE Conference on Embedded Software), pages 207--216, Atlanta, October 2008. ACM Press.

Digital Library

[9]

P. Godefroid, M.Y. Levin, and D. Molnar. Automated Whitebox Fuzz Testing. In Proceedings of NDSS'2008 (Network and Distributed Systems Security), pages 151--166, San Diego, February 2008.

[10]

S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, and B. Calder. Automatically classifying benign and harmful data races using replay analysis. In Programming Languages Design and Implementation (PLDI), 2007.

Digital Library

[11]

Pex. Web page: http://research.microsoft.com/Pex.

[12]

M. Sagiv, T. Reps, and R. Wilhelm. Solving shape-analysis problems in languages with destructive updating. In Proceedings of the 23rd ACM Symposium on Principles of Programming Languages, pages 16--31, St. Petersburg, Florida, January 1996. ACM Press.

Digital Library

[13]

K. Sen, D. Marinov, and G. Agha. CUTE: A Concolic Unit Testing Engine for C. In Proceedings of FSE'2005 (13th International Symposium on the Foundations of Software Engineering), Lisbon, September 2005.

Digital Library

[14]

D. Vanoverberghe, N. Tillmann, and F. Piessens. Test Input Generation for Programs with Pointers. In Proceedings of TACAS'2009 (15th Conference on Tools and Algorithms for the Construction and Analysis of Systems), York, April 2009.

Digital Library

[15]

Y. Xie and A. Aiken. Scalable Error Detection Using Boolean Satisfiability. In Proceedings of POPL'2005, 2005.

Digital Library

[16]

R. Xu, P. Godefroid, and R. Majumdar. Testing for Buffer Overflows with Length Abstraction. In Proceedings of ISSTA'08 (ACM SIGSOFT International Symposium on Software Testing and Analysis), pages 27--38, Seattle, July 2008.

Digital Library

Cited By

Nguyen Tung LBinh Duong NLe KHung P(2024)Automated test data generation and stubbing method for C/C++ embedded projectsAutomated Software Engineering10.1007/s10515-024-00449-631:2Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1007/s10515-024-00449-6
He NZhao ZWang JHu YGuo SWang HLiang GLi DChen XGuo YJust RFraser G(2023)Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesProceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598064(385-397)Online publication date: 12-Jul-2023
https://dl.acm.org/doi/10.1145/3597926.3598064
Borzacchiello LCoppa EDemetrescu C(2022)Handling Memory-Intensive Operations in Symbolic ExecutionProceedings of the 15th Innovations in Software Engineering Conference10.1145/3511430.3511453(1-5)Online publication date: 24-Feb-2022
https://dl.acm.org/doi/10.1145/3511430.3511453
Show More Cited By

Index Terms

Precise pointer reasoning for dynamic test generation

Recommendations

Compositional dynamic test generation
Proceedings of the 2007 POPL Conference

Dynamic test generation is a form of dynamic program analysis that attempts to compute test inputs to drive a program along a specific program path. Directed Automated Random Testing, or DART for short, blends dynamic test generation with model checking ...
Accelerating Taint-Based Concolic Testing by Pruning Pointer Overtaint
SERE '12: Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability

Taint-based Concolic testing is a software testing technique, which combines dynamic taint analysis, symbolic testing and concrete execution. Concolic testing is faster than symbolic testing while maintaining the same precision. Taint-based concolic ...
ExLi: An Inline-Test Generation Tool for Java
FSE 2024: Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering

We present ExLi, a tool for automatically generating inline tests, which were recently proposed for statement-level code validation. ExLi is the first tool to support retrofitting inline tests to existing codebases, towards increasing adoption of this ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ISSTA '09: Proceedings of the eighteenth international symposium on Software testing and analysis

July 2009

306 pages

ISBN:9781605583389

DOI:10.1145/1572272

General Chair:
Gregg Rothermel
University of Nebraska-Lincoln, USA
,
Program Chair:
Laura Dillon
Michigan State University, USA

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 July 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ISSTA '09

Sponsor:

ISSTA '09: International Symposium on Software Testing and Analysis

July 19 - 23, 2009

IL, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Sponsor:
sigsoft

34th ACM SIGSOFT International Symposium on Software Testing and Analysis

June 25 - 28, 2025

Trondheim , Norway

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
442
Total Downloads

Downloads (Last 12 months)14
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Nguyen Tung LBinh Duong NLe KHung P(2024)Automated test data generation and stubbing method for C/C++ embedded projectsAutomated Software Engineering10.1007/s10515-024-00449-631:2Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1007/s10515-024-00449-6
He NZhao ZWang JHu YGuo SWang HLiang GLi DChen XGuo YJust RFraser G(2023)Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesProceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598064(385-397)Online publication date: 12-Jul-2023
https://dl.acm.org/doi/10.1145/3597926.3598064
Borzacchiello LCoppa EDemetrescu C(2022)Handling Memory-Intensive Operations in Symbolic ExecutionProceedings of the 15th Innovations in Software Engineering Conference10.1145/3511430.3511453(1-5)Online publication date: 24-Feb-2022
https://dl.acm.org/doi/10.1145/3511430.3511453
Tung LTran HLe KHung P(2022)An automated test data generation method for void pointers and function pointers in C/C++ libraries and embedded projectsInformation and Software Technology10.1016/j.infsof.2022.106821145:COnline publication date: 1-May-2022
https://dl.acm.org/doi/10.1016/j.infsof.2022.106821
Trabish DItzhaky SRinetzky N(2021)Address-Aware Query Caching for Symbolic Execution2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST49551.2021.00023(116-126)Online publication date: Apr-2021
https://doi.org/10.1109/ICST49551.2021.00023
Brown FStefan DEngler DCapkun SRoesner F(2020)SysProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489224(199-216)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489224
Gerlich RPrause C(2020)Optimizing the Parameters of an Evolutionary Algorithm for Fuzzing and Test Data Generation2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)10.1109/ICSTW50294.2020.00061(338-345)Online publication date: Oct-2020
https://doi.org/10.1109/ICSTW50294.2020.00061
Kapus TCadar CDumas MPfahl DApel SRusso A(2019)A segmented memory model for symbolic executionProceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3338906.3338936(774-784)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1145/3338906.3338936
Nguyen DHuong TDinh HHung P(2019)Improvements of Directed Automated Random Testing in Test Data Generation for C++ ProjectsInternational Journal of Software Engineering and Knowledge Engineering10.1142/S021819401950040229:09(1279-1312)Online publication date: 10-Oct-2019
https://doi.org/10.1142/S0218194019500402
de Boer FBonsangue M(2019)On the Nature of Symbolic Execution2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)10.1109/SYNASC49474.2019.00009(4-5)Online publication date: Sep-2019
https://doi.org/10.1109/SYNASC49474.2019.00009
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents