Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

A survey of new trends in symbolic execution for software testing and analysis

  • Regular Paper
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

Symbolic execution is a well-known program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in part to the progress in decision procedures, availability of powerful computers and new algorithmic developments. We provide here a survey of some of the new research trends in symbolic execution, with particular emphasis on applications to test generation and program analysis. We first describe an approach that handles complex programming constructs such as input recursive data structures, arrays, as well as multithreading. Furthermore, we describe recent hybrid techniques that combine concrete and symbolic execution to overcome some of the inherent limitations of symbolic execution, such as handling native code or availability of decision procedures for the application domain. We follow with a discussion of techniques that can be used to limit the (possibly infinite) number of symbolic configurations that need to be analyzed for the symbolic execution of looping programs. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Anand, S., Godefroid, P., Tillmann, N.: Demand-driven compositional symbolic execution. In: Proceedings of TACAS (2008)

  2. Anand, S., Orso, A., Harrold, M.J.: Type-dependence analysis and program transformation for symbolic execution. In: Proceedings of TACAS (2007)

  3. Anand, S., Păsăreanu, C.S., Visser, W.: Symbolic execution with abstract subsumption checking. In: Proceedings of SPIN (2006)

  4. Anand, S., Păsăreanu, C.S., Visser, W.: JPF-SE: A symbolic execution extension to Java PathFinder. In: Proceedings of TACAS (2007)

  5. Arons, T., Elster E., Ozer S., Shalev J., Singerman, E.: Efficient symbolic simulation of low level software. In: Proceedings of DATE (2008)

  6. Artho C., Barringer H., Goldberg A., Havelund K., Khurshid S., Lowry M.R., Păsăreanu C.S., Rosu G., Sen K., Visser W., Washington R.: Combining test case generation and runtime verification. Theor. Comput. Sci. 336(2–3), 209–234 (2005)

    Article  MATH  Google Scholar 

  7. Artzi, S., Kiezun, A., Dolby, J., Tip, F., Dig, D., Paradkar, A., Ernst, M.D.: Finding bugs in dynamic web applications. In: Proceedings of ISSTA (2008)

  8. Babic, D.: Exploiting Structure for Scalable Software Verification. Ph.D. thesis, University of British Columbia, Vancouver, Canada, Aug (2008)

  9. Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic predicate abstraction of C programs. In: Proceedings of PLDI (2001)

  10. Berdine, J., Calcagno, C., O’Hearn, P.: Symbolic execution with separation logic. In: Proceedings of Third Asian Symposium (2005)

  11. Boyapati, C., Khurshid, S., Marinov, D.: Korat: Automated testing based on Java predicates. In: Proceedings of ISSTA (2002)

  12. Bush W.R., Pincus J.D., Sielaff D.J.: A static analyzer for finding dynamic programming errors. Softw. Pract. Experience 30(7), 775–802 (2000)

    Article  MATH  Google Scholar 

  13. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. In: Proceedings of ACM Conference on Computer and Communications Security (2006)

  14. The Choco Constraint Solver: http://choco.sourceforge.net/

  15. Clarke L.A.: A system to generate test data and symbolically execute programs. IEEE Trans. Softw. Eng. 2(3), 215–222 (1976)

    Article  Google Scholar 

  16. Coen-Porisini, A., Denaro, G., Ghezzi, C., Pezze, M.: Using symbolic execution for verifying safety-critical systems. In: Proceedings of ESEC/FSE (2001)

  17. Colon, M., Sankaranarayanan, S., Sipma, S.: Linear invariant generation using non-linear constraint solving. In: Proceedings of CAV (2003)

  18. Cousot, P.: The role of abstract interpretation in formal methods. In: Proceedings of SEFM (2007)

  19. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proceedings of POPL (1978)

  20. Csallner, C., Smaragdakis, Y.: Check ‘n’ crash: Combining static checking and testing. In: Proceedings of ICSE (2005)

  21. Csallner, C., Tillmann, N., Smaragdakis, Y.: DySy: Dynamic symbolic execution for invariant inference. In: Proceedings of ICSE (2008)

  22. CVC3: http://www.cs.nyu.edu/acsys/cvc3/

  23. The Daikon invariant detector: http://groups.csail.mit.edu/pag/daikon//

  24. Deng, X., Lee, J., Robby: Bogor/kiasan: A k-bounded symbolic execution for checking strong heap properties of open systems. In: Proceedings of ASE (2006)

  25. Detlefs, D.L., Leino, K.R.M., Nelson, G., Saxe, J.B.: Extended static checking. Research Report 159, Compaq Systems Research Center (1998)

  26. Emmi, M., Majumdar, R., Sen, K.: Dynamic test input generation for database applications. In: Proceedings of ISSTA (2007)

  27. Engler, D., Dunbar, D.: Under-constrained execution: making automatic code destruction easy and scalable. In: Proceedings of ISSTA (2007)

  28. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: Proceedings of PLDI (2002)

  29. Flanagan, C., Qadeer, S.: Predicate abstraction for software verification. In: Proceedings of POPL (2002)

  30. Gargantini, A., Heitmeyer, C.: Using model checking to generate tests from requirements specifications. In: Proceedings of ESEC/FSE (1999)

  31. Godefroid, P.: Software model checking via static and dynamic program analysis. In: MOVEP (2006)

  32. Godefroid, P.: Compositional dynamic test generation. In: Proceedings of POPL (2007)

  33. Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings of PLDI (2005)

  34. Gulavani, B.S., Henzinger, T.A., Kannan, Y., Nori, A.V., Rajamani, S.K.: SYNERGY: a new algorithm for property checking. In: Proceedings of SIGSOFT FSE (2006)

  35. Hantler S.L., King J.C.: An introduction to proving the correctness of programs. ACM Comput. Surv. 8(3), 331–353 (1976)

    Article  MATH  MathSciNet  Google Scholar 

  36. Hong, H., Lee, I., Sokolsky, O., Ural, H.: A temporal logic based theory of test coverage and generation. In: Proceedings of TACAS, April (2002)

  37. IASolver (The Brandeis Interval Arithmetic Constraint Solver): http://www.cs.brandeis.edu/~tim/Applets/IAsolver.html/

  38. Java PathFinder: http://javapathfinder.sourceforge.net

  39. Joshi, P., Sen, K., Shlimovich, M.: Predictive testing: Amplifying the effectiveness of software testing (short paper). In: Proceedings of ESEC/FSE (2007)

  40. Khurshid, S., Garcia, I., Suen, Y.: Repairing structurally complex data. In: Proceedings of SPIN (2005)

  41. Khurshid, S., Păsăreanu, C.S., Visser, W.: Generalized symbolic execution for model checking and testing. In: Proceedings of TACAS (2003)

  42. King J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)

    Article  MATH  Google Scholar 

  43. Koelbl A., Pixley C.: Constructing efficient formal models from high-level descriptions using symbolic simulation. Int. J. Parallel Programm. 33(6), 645–666 (2005)

    Article  MATH  Google Scholar 

  44. Majumdar, R., Sen, K.: Hybrid concolic testing. In: Proceedings of ICSE (2007)

  45. Manevich, R., Yahav, E., Ramalingam, G., Sagiv, M.: Predicate abstraction and canonical abstraction for singly-linked lists. In: Proceedings of VMCAI, LNCS, vol. 3385, Paris (2005)

  46. Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems:Specification (1992)

  47. Păsăreanu, C.S., Visser, W.: Verification of java programs using symbolic execution and invariant generation. In: Proceedings of SPIN (2004)

  48. Person, S., Dwyer, M.B., Elbaum, S., Păsăreanu, C.S.: Differential symbolic execution. In: Proceedings of FSE (2008)

  49. PEX: Automated Exploratory Testing for .NET: http://research.microsoft.com/Pex/

  50. Păsăreanu, C.S., Mehlitz, P., Bushnell, D., Gundy-Burlet, K., Lowry, M., Person, S., Pape, M.: Combining unit-level symbolic execution and system-level concrete execution for testing nasa software. In: Proceedings of ISSTA (2008)

  51. Pugh, W.: The Omega test: A fast and practical integer programming algorithm for dependence analysis. In: Conference on High Performance Networking and Computing archive. Proceedings of the 1991 ACM/IEEE Conference on Supercomputing table of contents Albuquerque, New Mexico, pp. 4–13 (1991)

  52. SAT Competitions: http://www.satcompetition.org/

  53. Sen, K., Marinov, D., Agha, G.: CUTE: a concolic unit testing engine for C. In: Proceedings of ESEC/FSE (2005)

  54. Shannon, D., Hajra, S., Lee, A., Zhan, D., Khurshid, S.: Abstracting symbolic execution with string analysis. In: Proceedings of TAIC-PART (2007)

  55. Siegel, S.F., Mironova, A., Avrunin, G.S., Clarke, L.A.: Using model checking with symbolic execution to verify parallel numerical programs. In: Proceedings of ISSTA (2006)

  56. Sinha, N.: Symbolic program analysis using term rewriting and generalization. In: Proceedings of FMCAD, Nov. (2008)

  57. SMT Competitions: http://www.smtcomp.org/

  58. STP (Simple Theorem Prover): http://sourceforge.net/projects/stp-fast-prover

  59. Tiwari, A., Rues, H., Saidi, H., Shankar, N.: A technique for invariant generation. In: Proceedings of TACAS (2001)

  60. Tomb, A., Brat, G., Visser, W.: Variably interprocedural program analysis for runtime error detection. In: Proceedings of ISSTA (2007)

  61. Tomb, A., Brat, G.P., Visser, W.: Variably interprocedural program analysis for runtime error detection. In: Proceedings of ISSTA (2007)

  62. Visser, W., Păsăreanu, C.S., Pelanek, R.: Test input generation for java containers using state matching. In: Proceedings of ISSTA (2006)

  63. Visser, W., Păsăreanu, C.S., Khurshid, S.: Test input generation in Java Pathfinder. In: Proceedings of ISSTA (2004)

  64. Wassermann, G., Yu, D., Chander, A., Dhurjati, D., Inamura, H., Su, Z.: Dynamic test input generation for web applications. In: Proceedings of ISSTA (2008)

  65. Wegbreit B.: The synthesis of loop predicates. Commun. ACM 17(2), 102–112 (1974)

    Article  MATH  MathSciNet  Google Scholar 

  66. Xie, T., Marinov, D., Schulte, W., Notkin, D.: Symstra: A framework for generating object-oriented unit tests using symbolic execution. In: Proceedings of TACAS (2005)

  67. Xu, R.-G., Godefroid, P., Majumdar, R.: Testing for buffer overflows with length abstraction. In: Proceedings of ISSTA (2008)

  68. Yavuz-Kahveci, T., Bultan, T.: Automated verification of concurrent linked lists with counters. In: Hermenegildo, G.P.M. (ed.) Proceedings of SAS (2002)

  69. Yices: An SMT Solver http://yices.csl.sri.com/

  70. Yorsh, G., Ball, T., Sagiv, M.: Testing, abstraction, theorem proving: better together!. In: Proceedings of ISSTA (2006)

Download references

Author information

Authors and Affiliations

  1. NASA Ames Research Center, Carnegie Mellon University, Moffett Field, CA, 94035, USA

    Corina S. Păsăreanu

  2. Department of Computer Science, University of Stellenbosch, Stellenbosch, South Africa

    Willem Visser

Authors
  1. Corina S. Păsăreanu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Willem Visser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Corina S. Păsăreanu.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Păsăreanu, C.S., Visser, W. A survey of new trends in symbolic execution for software testing and analysis. Int J Softw Tools Technol Transfer 11, 339–353 (2009). https://doi.org/10.1007/s10009-009-0118-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-009-0118-1

Keywords

Search

Navigation