Abstract
We present an approach to address a main performance bottleneck in symbolic execution. Despite being a powerful method for producing test cases with high coverage, symbolic execution often suffers from the problem of exploring a huge number of paths without (1) significantly increasing the coverage, and (2) going deep enough to hit hot spots. The situation becomes worse for modern programming languages such as C/C++, which extensively use library calls and shared code. In this paper we use a novel “lazy” execution approach to evaluate functions, library calls, and other entities commonly used in a high-level language. Specifically, the symbolic executor uses high-level abstractions and sub-space search to control and guide symbolic execution so that only necessary paths are visited to produce valid test cases. This method is able to avoid exploring many useless or duplicate paths. Experimental results show that it can help solve path constraints and produce test cases in much less time. For many programs, it can improve the performance by several orders of magnitude while maintaining the same source code coverage.
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Li, G., Ghosh, I. (2013). Lazy Symbolic Execution through Abstraction and Sub-space Search. In: Bertacco, V., Legay, A. (eds) Hardware and Software: Verification and Testing. HVC 2013. Lecture Notes in Computer Science, vol 8244. Springer, Cham. https://doi.org/10.1007/978-3-319-03077-7_20
DOI: https://doi.org/10.1007/978-3-319-03077-7_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-03076-0
Online ISBN: 978-3-319-03077-7
eBook Packages: Computer Science, Computer Science (R0)