• Publications
  • Influence
EXE: Automatically Generating Inputs of Death
TLDR
This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Expand
  • 907
  • 113
  • PDF
A Decision Procedure for Bit-Vectors and Arrays
TLDR
STP is a decision procedure for the satisfiability of quantifier-free formulas in the theory of bit-vectors and arrays that has been optimized for large problems encountered in software analysis applications. Expand
  • 598
  • 76
  • PDF
EXPRESSION: a language for architecture exploration through compiler/simulator retargetability
TLDR
We describe EXPRESSION, a language supporting architectural design space exploration for embedded systems-on-chip (SOC) and automatic generation of a retargetable compiler/simulator toolkit. Expand
  • 451
  • 31
  • PDF
HAMPI: a solver for string constraints
TLDR
We propose Hampi, a solver for string constraints generated by analysis techniques for string-manipulating programs. Expand
  • 275
  • 24
  • PDF
Z3-str: a z3-based string solver for web application analysis
TLDR
We present Z3-str, a satisfiability solver that supports a rich combined logic over strings and non-string operations aimed at symbolic, static and dynamic analysis of web applications. Expand
  • 162
  • 22
  • PDF
EXE: automatically generating inputs of death
This paper presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it onExpand
  • 187
  • 12
An Overview of SAL
TLDR
We propose an intermediate language, developed in collaboration with Stanford, Berkeley, and Verimag for specifying concurrent systems in a compositional way. Expand
  • 211
  • 12
  • PDF
Learning Rate Based Branching Heuristic for SAT Solvers
TLDR
In this paper, we propose a framework for viewing solver branching heuristics as optimization algorithms where the objective is to maximize the learning rate, defined as the propensity for variables to generate learnt clauses. Expand
  • 101
  • 12
  • PDF
Taint-based directed whitebox fuzzing
TLDR
We present a new automated white box fuzzing technique that uses dynamic taint tracing to automatically locate regions of original seed input files that influence values used at key program attack points (points where the program may contain an error). Expand
  • 266
  • 10
  • PDF
ZSstrS: A string solver with theory-aware heuristics
TLDR
We present a new string SMT solver that is faster than its competitors Z3str2, Norn, CVC4, S3, and S3P over a majority of three industrial-strength benchmarks. Expand
  • 47
  • 10
  • PDF