Cited By
View all- Yang GFilieri ABorges MClun DWen J(2019)Advances in Symbolic Execution10.1016/bs.adcom.2018.10.002(225-287)Online publication date: 2019
User-defined backtracking criteria for symbolic execution
Pages 1 - 5
Abstract
Symbolic execution is a path-sensitive program analysis technique that aids users with program verification. To avoid exploring infeasible paths, symbolic execution checks the prefix of a current path for feasibility by adding a branch constraint to the path prefix and passing the formula to an off-the-shelf SMT solver for an evaluation. If the solver returns SAT/UNSAT, then the prefix is marked as feasible/infeasible.
However, the solver can also return an UNKNOWN result, which means it cannot evaluate the formula. In addition, an operation occurring before a constraint can cause over-approximation that propagates to the solver's result. Moreover, symbolic execution might time out the solver if it takes too long to run. A symbolic execution tool might handle these uncertainties by backtracking or by continuing its exploration of the prefix.
This paper examines the behavior of path constraints beyond uncertain backtracking points. String and integer constraints are collected from concrete program execution via dynamic symbolic execution. These constraints are used to analyze how over- approximation in a path prefix affects the completeness of its extensions. We also examine variations in time required to decide a path constraint. Our findings suggest that a custom backtracking criteria defined by the user does improve the completeness of symbolic execution.
References
[1]
Choco. http://www.emn.fr/z-info/choco-solver.
[2]
A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. Springer, 2003.
[3]
L. De Moura and N. Bjørner. Z3: An efficient SMT solver. Tools and Algorithms for the Construction and Analysis of Systems, pages 337--340, 2008.
[4]
J. C. King. Symbolic execution and program testing. Commun. ACM, 19(7):385--394, July 1976.
[5]
C. Pacheco and M. D. Ernst. Randoop: feedback-directed random testing for java. In Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion, pages 815--816. ACM, 2007.
[6]
C. S. Păsăreanu, N. Rungta, and W. Visser. Symbolic execution with mixed concrete-symbolic solving. pages 34--44, 2011.
[7]
E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Security and Privacy (SP), 2010 IEEE Symposium on, pages 317--331. IEEE, 2010.
[8]
K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. In Proc. ESEC/FSE, pages 263--272, 2005.
[9]
O. Strichman. Decision procedures: an algorithmic point of view. Springer, 2010.
[10]
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot: A java bytecode optimization framework. pages 214--224, 2010.
[11]
W. Visser, J. Geldenhuys, and M. B. Dwyer. Green: reducing, reusing and recycling constraints in program analysis. pages 58:1--58:11, 2012.
Index Terms
- User-defined backtracking criteria for symbolic execution
Recommendations
Multiplex symbolic execution: exploring multiple paths by solving once
ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software EngineeringPath explosion and constraint solving are two challenges to symbolic execution's scalability. Symbolic execution explores the program's path space with a searching strategy and invokes the underlying constraint solver in a black-box manner to check the ...
Optimizing Constraint Solving to Better Support Symbolic Execution
ICSTW '11: Proceedings of the 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation WorkshopsConstraint solving is an integral part of symbolic execution, as most symbolic execution techniques rely heavily on an underlying constraint solver. In fact, the performance of the constraint solver used by a symbolic execution technique can ...
Type and interval aware array constraint solving for symbolic execution
ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and AnalysisArray constraints are prevalent in analyzing a program with symbolic execution. Solving array constraints is challenging due to the complexity of the precise encoding for arrays. In this work, we propose to synergize symbolic execution and array ...
Comments
Information & Contributors
Information
Published In
Copyright © 2014 Authors.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 11 February 2014
Published in SIGSOFT Volume 39, Issue 1
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 104Total Downloads
- Downloads (Last 12 months)3
- Downloads (Last 6 weeks)0
Reflects downloads up to 15 Jan 2025
Other Metrics
Citations
Cited By
View all- Yang GFilieri ABorges MClun DWen J(2019)Advances in Symbolic Execution10.1016/bs.adcom.2018.10.002(225-287)Online publication date: 2019
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in