MultiSE: multi-path symbolic execution using value summaries

@article{Sen2015MultiSEMS,
  title={MultiSE: multi-path symbolic execution using value summaries},
  author={Koushik Sen and George C. Necula and Liang Gong and Wontae Choi},
  journal={Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering},
  year={2015}
}
  • Koushik Sen, G. Necula, Wontae Choi
  • Published 30 August 2015
  • Computer Science
  • Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering
Dynamic symbolic execution (DSE) has been proposed to effectively generate test inputs for real-world programs. Unfortunately, DSE techniques do not scale well for large realistic programs, because often the number of feasible execution paths of a program increases exponentially with the increase in the length of an execution path. In this paper, we propose MultiSE, a new technique for merging states incrementally during symbolic execution, without using auxiliary variables. The key idea of… 

Eliminating Path Redundancy via Postconditioned Symbolic Execution
TLDR
This work proposes a new redundancy removal method called postconditioned symbolic execution, which can identify path suffixes shared by multiple runs and eliminate them during test generation when they are redundant.
Java Ranger: statically summarizing regions for efficient symbolic execution of Java
Merging execution paths is a powerful technique for reducing path explosion in symbolic execution. One approach, introduced and dubbed “veritesting” by Avgerinos et al., works by translating a bounded
Chopped Symbolic Execution
TLDR
This paper proposes chopped symbolic execution, a novel form of symbolic execution that allows users to specify uninteresting parts of the code to exclude during the analysis, thus only targeting the exploration to paths of importance.
Dependence Guided Symbolic Execution
TLDR
It is argued that for the purpose of fault detection it is not necessary to systematically explore the paths, and a new symbolic execution approach is proposed to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value.
Exact Heap Summaries for Symbolic Execution
TLDR
This work presents a method for initializing input references in a symbolic input heap using guarded value sets that exactly preserves GSE semantics and results from an empirical evaluation show an increase in the size and number of analyzed heaps over existing GSE representations.
Fine-Grain Memory Object Representation in Symbolic Execution
  • Martin Nowack
  • Computer Science
    2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)
  • 2019
TLDR
An enhanced, fine-grain and efficient representation of memory that mimics the allocations of tested applications and achieves a significant reduction of the memory consumption of states, allowing more states to be represented in memory more efficiently.
Compositional Symbolic Execution: Incremental Solving Revisited
TLDR
It is shown that the combination of CSE and incremental solving is mutually beneficial, and the use of assumption-based features, available in modern constraint solvers, as a way to overcome the lack of context during summarisation.
Memory models in symbolic execution: key ideas and new thoughts
TLDR
MemSight, a new approach to symbolic memory that reduces the need for concretization, is introduced: rather than mapping address instances to data as previous approaches do, the technique maps symbolic address expressions to data, maintaining the possible alternative states resulting from the memory referenced by a symbolic address in a compact, implicit form.
A General Lattice Model for Merging Symbolic Execution Branches
TLDR
This work puts forward an abstraction-based framework for state merging in symbolic execution, shows that it subsumes existing approaches, proves soundness, and achieves reductions in proof size of up to 80% when applied to complex verification problems.
Summary-Guided Incremental Symbolic Execution
  • Qiuping Yi, Junye Wen, Guowei Yang
  • Computer Science
    2020 IEEE/ACM 42nd International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)
  • 2020
TLDR
This paper presents a novel approach for incremental symbolic execution based on an iteration loop between path exploration and path suffixes summarization, which is efficient and effective in exploring incremental behaviors.

References

SHOWING 1-10 OF 65 REFERENCES
Efficient state merging in symbolic execution
TLDR
A way to automatically choose when and how to merge states such that the performance of symbolic execution is significantly increased and query count estimation, a method for statically estimating the impact that each symbolic variable has on solver queries that follow a potential merge point, is presented.
Reducing Test Inputs Using Information Partitions
TLDR
This work presents an algorithm that combines test input generation by concolic execution with dynamic computation and maintenance of information flow between inputs, and outputs an input partition and a set of test inputs such that inputs in different blocks do not have any dependencies between them.
Symbolic Program Analysis Using Term Rewriting and Generalization
  • N. Sinha
  • Computer Science
    2008 Formal Methods in Computer-Aided Design
  • 2008
TLDR
This work proposes a new program verification technique that addresses the problems of symbolic execution by performing a work list based analysis that handles join points, and simplifying the intermediate state representation by using term rewriting.
Demand-Driven Compositional Symbolic Execution
TLDR
A demand-driven compositional interprocedural symbolic execution is performed entirely using first-order logic formulas solved with an off-the-shelf SMT (Satisfiability-Modulo-Theories) solver - this allows a uniform and elegant way of summarizing procedures at various levels of detail and of composing those using logic formulas.
Heap cloning: Enabling dynamic symbolic execution of Java programs
  • Saswat Anand, M. J. Harrold
  • Computer Science
    2011 26th IEEE/ACM International Conference on Automated Software Engineering (ASE 2011)
  • 2011
TLDR
The empirical evaluation of the heap cloning system, called Cinger, shows that Cinger can compute precise path constraints, and requires little (if any) manual effort for a set of large real-world programs.
CUTE: a concolic unit testing engine for C
TLDR
A method to represent and track constraints that capture the behavior of a symbolic execution of a unit with memory graphs as inputs is developed and an efficient constraint solver is proposed to facilitate incremental generation of such test inputs.
Enhancing symbolic execution with veritesting
TLDR
Veritesting allows MergePoint to find twice as many bugs, explore orders of magnitude more paths, and achieve higher code coverage than previous dynamic symbolic execution systems.
Compositional dynamic test generation
TLDR
This paper introduces a new algorithm, dubbed SMART for Systematic Modular Automated Random Testing, that extends DART by testing functions in isolation, encoding test results as function summaries expressed using input preconditions and output postconditions, and then re-using those summaries when testing higher-level functions.
Symbolic execution and program testing
TLDR
A particular system called EFFIGY which provides symbolic execution for program testing and debugging is described, which interpretively executes programs written in a simple PL/I style programming language.
Heuristics for Scalable Dynamic Test Generation
  • Jacob Burnim, Koushik Sen
  • Computer Science
    2008 23rd IEEE/ACM International Conference on Automated Software Engineering
  • 2008
TLDR
Several heuristic search strategies are presented, including a novel strategy guided by the control flow graph of the program under test, which achieves significantly greater branch coverage on the same testing budget than concolic testing with a traditional depth-first search strategy.