Automatic partial loop summarization in dynamic test generation

Published: 17 July 2011

Abstract

Whitebox fuzzing extends dynamic test generation based on symbolic execution and constraint solving from unit testing to whole-application security testing. Unfortunately, input-dependent loops may cause an explosion in the number of constraints to be solved and in the number of execution paths to be explored. In practice, whitebox fuzzers arbitrarily bound the number of constraints and paths due to input-dependent loops, at the risk of missing code and bugs.
In this work, we investigate the use of simple loop-guard pattern-matching rules to automatically guess an input constraint defining the number of iterations of input-dependent loops during dynamic symbolic execution. We discover the loop structure of the program on the fly, detect induction variables (variables modified by a constant value on every loop iteration), and infer simple partial loop invariants relating the values of such variables. Whenever a guess is confirmed later during the current dynamic symbolic execution, we inject new constraints representing pre- and post-loop conditions, effectively summarizing sets of executions of that loop. These pre- and post-conditions are derived from partial loop invariants synthesized dynamically using pattern-matching rules on the loop guards and induction variables, without requiring any static analysis, theorem proving, or input-format specification. This technique has been implemented in the whitebox fuzzer SAGE and scales to large programs with many nested loops; we present results of experiments with a Windows 7 image parser.
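As an added illustration (not the paper's or SAGE's code), the following Python model reproduces the abstract's idea on a constructed input-dependent loop: it detects induction variables from a concrete loop-head trace, applies the guard rule `iv < bound` to guess the iteration count, confirms the guess at loop exit, and emits the pre/post conditions that would be injected in place of one constraint per iteration. All names (`run_loop`, `detect_induction_vars`, `summarize_loop`) and the guard tuple format are assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

def run_loop(n: int) -> List[Dict[str, int]]:
    """Constructed program under test: an input-dependent loop whose bound n stands in
    for an input-controlled value. Records a loop-head snapshot on every iteration,
    including the final one where the guard i < n fails."""
    i, j, acc, snaps = 0, 10, 0, []
    while True:
        snaps.append({"i": i, "j": j, "acc": acc, "n": n})
        if not (i < n):
            break
        acc += j          # changes by a varying amount: not an induction variable
        i += 1            # induction variable, stride 1
        j += 2            # induction variable, stride 2
    return snaps

def detect_induction_vars(snaps: List[Dict[str, int]]) -> Dict[str, int]:
    """Variables whose value changes by the same non-zero constant between every
    pair of consecutive loop-head snapshots (needs at least two iterations)."""
    ivs: Dict[str, int] = {}
    if len(snaps) < 3:
        return ivs
    for var in snaps[0]:
        deltas = {b[var] - a[var] for a, b in zip(snaps, snaps[1:])}
        if len(deltas) == 1 and next(iter(deltas)) != 0:
            ivs[var] = deltas.pop()
    return ivs

def summarize_loop(guard: Tuple[str, str, str], snaps: List[Dict[str, int]]) -> Optional[dict]:
    """Guard pattern rule `iv < bound`: guess the iteration count from the stride,
    confirm it against the observed trace, and return the concrete pre/post
    conditions plus the symbolic post-condition to inject for a symbolic bound."""
    var, op, bound = guard
    ivs = detect_induction_vars(snaps)
    stride = ivs.get(var)
    if op != "<" or stride is None or stride <= 0:
        return None
    first, last = snaps[0], snaps[-1]
    i0, n = first[var], first[bound]
    k = max(0, -(-(n - i0) // stride))   # ceil((n - i0) / stride) iterations
    if len(snaps) - 1 != k:              # guess contradicted by this execution
        return None
    post = {v: first[v] + k * d for v, d in ivs.items()}
    if any(post[v] != last[v] for v in ivs):
        return None
    symbolic = {v: f"{v} == {first[v]} + {d}*ceil(({bound} - {i0})/{stride})"
                for v, d in ivs.items()}
    return {"iterations": k, "pre": {v: first[v] for v in ivs},
            "post": post, "symbolic_post": symbolic}
```

The `symbolic_post` strings are the loop summary a symbolic executor would add as a constraint over the input `n`, so later paths need not unroll the loop once per value of `n`.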


Published In

ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis
July 2011
394 pages
ISBN:9781450305624
DOI:10.1145/2001420
Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. loop invariant generation
  2. program summarization
  3. program testing and verification

Conference: ISSTA '11

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%
