Towards Optimal Concolic Testing

@article{Wang2018TowardsOC,
  title={Towards Optimal Concolic Testing},
  author={Xinyu Wang and Jun Sun and Zhenbang Chen and Peixin Zhang and Jingyi Wang and Yun Lin},
  journal={2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE)},
  year={2018},
  pages={291-302}
}
  • Xinyu Wang, Jun Sun, Yun Lin
  • Published 27 May 2018
  • Computer Science
  • 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE)
Concolic testing integrates concrete execution (e.g., random testing) and symbolic execution for test case generation. It is shown to be more cost-effective than random testing or symbolic execution sometimes. A concolic testing strategy is a function which decides when to apply random testing or symbolic execution, and if it is the latter case, which program path to symbolically execute. Many heuristics-based strategies have been proposed. It is still an open problem what is the optimal… 

Engineering Seminar (WiSe 2020/21) Search Strategies in Concolic Testing Description
TLDR
After examining the theoretic foundations of concolic testing and its traditional search strategies (e.g., DFS, BFS), the student is required to investigate and discuss recent advanced search strategies for concolic testing.
Concolic Testing Heap-Manipulating Programs (Technical Report)
TLDR
This work proposes the first concolic testing engine called CSF for heap-manipulating programs based on separation logic which effectively combines specification-based testing and concolic execution for test input generation and shows that CSF generates valid test inputs with high coverage efficiently.
Concolic Testing Heap-Manipulating Programs
TLDR
This work proposes the first concolic testing engine called CSF for heap-manipulating programs based on separation logic which effectively combines specification-based testing and concolic execution for test input generation and shows that CSF generates valid test inputs with high coverage efficiently.
Modified condition/decision coverage (MC/DC) oriented compiler optimization for symbolic execution
TLDR
The results indicate that instruction combining (IC) optimization is the important and dominant optimization for symbolic execution w.r.t. MC/DC.
SymJEx: symbolic execution on the GraalVM
TLDR
This paper presents a novel symbolic execution engine called SymJEx, implemented on top of the multi-language Java Virtual Machine GraalVM, which uses the Graal compiler's intermediate representation to derive and evaluate path conditions, allowing GraalVM users to leverage the engine to improve software quality.
Concolic testing with adaptively changing search heuristics
TLDR
Experimental results show that the transition from the traditional non-adaptive approaches to the new Chameleon greatly improves the practicality of concolic testing in terms of both code coverage and bug-finding.
PReach: A Heuristic for Probabilistic Reachability to Identify Hard to Reach Statements
TLDR
The experiments indicate that the heuristic-based probabilistic reachability analysis tool PReach can identify hard to reach statements with high precision and accuracy in benchmarks from software verification and testing competitions, Apache Commons Lang, and the DARPA STAC program.
Multiplex Symbolic Execution: Exploring Multiple Paths by Solving Once
TLDR
This paper proposes Multiplex Symbolic Execution (MuSE) that utilizes the intermediate assignments during the constraint solving procedure to generate new program inputs and explores multiple paths in one time of solving.

References

SHOWING 1-10 OF 50 REFERENCES
How we get there: a context-guided search strategy in concolic testing
TLDR
A context-guided search strategy that looks at preceding branches in execution paths and selects a branch in a new context for the next input, achieving the highest coverage of all twelve subjects and reaching a target coverage with a much smaller number of iterations on most subjects than other strategies.
Hybrid Concolic Testing
We present hybrid concolic testing, an algorithm that interleaves random testing with concolic execution to obtain both a deep and a wide exploration of program state space. Our algorithm generates
Steering symbolic execution to less traveled paths
TLDR
A novel, unified strategy to guide symbolic execution to less explored parts of a program, using frequency distributions of explored length-n subpaths to prioritize "less traveled" parts of the program to improve test coverage and error detection.
Heuristics for Scalable Dynamic Test Generation
  • Jacob Burnim, Koushik Sen
  • Computer Science
    2008 23rd IEEE/ACM International Conference on Automated Software Engineering
  • 2008
TLDR
Several heuristic search strategies are presented, including a novel strategy guided by the control flow graph of the program under test, which achieves significantly greater branch coverage on the same testing budget than concolic testing with a traditional depth-first search strategy.
Probabilistic symbolic execution
TLDR
An extension of the widely used Symbolic PathFinder symbolic execution system that calculates path probabilities is presented, exploiting state-of-the-art computational algebra techniques to count the number of solutions to path conditions, yielding exact results for path probabilities.
Fitness-guided path exploration in dynamic symbolic execution
TLDR
This work proposes a novel approach called Fitnex, a search strategy that uses state-dependent fitness values (computed through a fitness function) to guide path exploration, and shows that this approach consistently achieves high code coverage faster than existing search strategies.
Parallel symbolic execution for structural test generation
TLDR
This work proposes a technique, Simple Static Partitioning, for parallelizing symbolic execution, which uses a set of pre-conditions to partition the symbolic execution tree, allowing us to effectively distribute symbolic execution and decrease the time needed to explore the symbolic execution tree.
Under-constrained execution: making automatic code destruction easy and scalable
Software testing is well-recognized as a crucial part of the modern software development process. However, manual testing is labor intensive and often fails to produce impressive coverage results.
Using test case reduction and prioritization to improve symbolic execution
TLDR
The proposed test case reduction strategy is based on a recently introduced generalization of delta debugging, and the prioritization techniques include novel methods that, for this purpose, can outperform some traditional regression testing algorithms.
On the efficiency of automated testing
TLDR
This paper mathematically models the most effective systematic testing technique S_0 in which every sampled test input strictly increases the "degree of confidence" and is subject to the analysis cost c, and proves an upper bound on c of S_0, beyond which R is more efficient on the average.