Abstract
We propose a certification approach for checking the analysis results produced by symbolic execution. Given a program P under test, an analysis producer performs symbolic execution on P and creates a certificate C that represents the results of symbolic execution. The analysis consumer checks the validity of C with respect to P using efficient symbolic re-execution of P. The certificates are simple to create and easy to validate. Each certificate is a list of witnesses that include: test inputs that validate path feasibility without requiring any constraint solving; and infeasibility summaries that provide hints on how to efficiently establish path infeasibility. To account for incompleteness in symbolic execution (due to incompleteness of the backend solver), the certificate also contains an incompleteness summary. Our approach deploys constraint slicing and other heuristics as performance optimizations. Experimental results using a prototype certification tool based on Symbolic PathFinder for Java show that certification can be 3X to 370X (on average, 75X) faster than traditional symbolic execution. We also show the benefits of the approach for the reliability assessment of a software component under different probabilistic environment conditions.
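The producer/consumer split described in the abstract, as an added worked example (this is illustrative code written for this page, not the paper's prototype or Symbolic PathFinder). Several things are assumed here rather than taken from the paper: programs are binary decision trees over integer inputs with single-variable comparison constraints; the producer's "backend solver" is a bounded brute-force search, so a path whose only models lie outside the bound is reported in the incompleteness summary; and "constraint slicing" is reduced to finding one contradictory pair of constraints on the same variable, which the consumer can re-check exactly with interval arithmetic and no solver. The sample program is constructed so that all three witness kinds appear.

```python
# Toy certified symbolic execution (added example; not the paper's or SPF's code).
from itertools import combinations, product

INF = float("inf")
NEG = {"<": ">=", "<=": ">", ">": "<=", ">=": "<", "==": "!=", "!=": "=="}  # branch negation
BOUND = 20  # the producer's backend solver only searches inputs in [-BOUND, BOUND]

# Program = binary decision tree over int inputs: node = (var, op, const, then, else), leaf = label.
# Constructed sample: (x>10, x<5) is dead; "deep" needs y > 1000, beyond the solver's bound.
PROGRAM = ("x", ">", 10,
           ("x", "<", 5, "dead", ("y", "==", 3, "p1", "p2")),
           ("y", ">", 1000, "deep", "p3"))

def holds(c, env):
    """Evaluate one constraint (var, op, const) on a concrete environment."""
    var, op, k = c
    v = env[var]
    return {"<": v < k, "<=": v <= k, ">": v > k, ">=": v >= k, "==": v == k, "!=": v != k}[op]

def explore(tree, path=(), pc=()):
    """Symbolic execution: yield (branch choices, path condition, leaf) for every path."""
    if isinstance(tree, str):
        yield path, pc, tree
        return
    var, op, k, then_t, else_t = tree
    yield from explore(then_t, path + (True,), pc + ((var, op, k),))
    yield from explore(else_t, path + (False,), pc + ((var, NEG[op], k),))

def path_condition(tree, path):
    """Symbolic re-execution along one given path: no search, no solving."""
    pc = ()
    for taken in path:
        if isinstance(tree, str):
            return None  # path longer than the program
        var, op, k, then_t, else_t = tree
        pc += ((var, op, k) if taken else (var, NEG[op], k),)
        tree = then_t if taken else else_t
    return pc if isinstance(tree, str) else None  # reject paths that stop before a leaf

def interval(c):
    """Integer solution set of one constraint as (lo, hi, excluded point)."""
    _, op, k = c
    return {"<": (-INF, k - 1, None), "<=": (-INF, k, None), ">": (k + 1, INF, None),
            ">=": (k, INF, None), "==": (k, k, None), "!=": (-INF, INF, k)}[op]

def pair_unsat(a, b):
    """Exact, solver-free check that two constraints on one variable share no integer model."""
    if a[0] != b[0]:
        return False
    (lo1, hi1, ex1), (lo2, hi2, ex2) = interval(a), interval(b)
    lo, hi = max(lo1, lo2), min(hi1, hi2)
    return lo > hi or (lo == hi and lo in (ex1, ex2))

def slice_unsat(pc):
    """Constraint slicing (simplified): a contradictory pair drawn from pc, or None."""
    return next((p for p in combinations(pc, 2) if pair_unsat(*p)), None)

def solve(pc):
    """Bounded model search standing in for the backend solver; None if nothing found."""
    names = sorted({c[0] for c in pc})
    envs = (dict(zip(names, vals)) for vals in product(range(-BOUND, BOUND + 1), repeat=len(names)))
    return next((env for env in envs if all(holds(c, env) for c in pc)), None)

def produce(tree):
    """Producer: full symbolic execution with solving; returns the certificate."""
    cert = {"feasible": [], "infeasible": [], "unknown": []}
    for path, pc, _leaf in explore(tree):
        model = solve(pc)
        hint = slice_unsat(pc) if model is None else None
        if model is not None:
            cert["feasible"].append((path, model))   # test input as feasibility witness
        elif hint is not None:
            cert["infeasible"].append((path, hint))  # infeasibility summary
        else:
            cert["unknown"].append(path)             # incompleteness summary
    return cert

def check(tree, cert):
    """Consumer: validate the certificate by re-execution, never by solving."""
    covered = set()
    for path, env in cert["feasible"]:
        pc = path_condition(tree, path)
        if pc is None or not all(c[0] in env and holds(c, env) for c in pc):
            return False  # the test input does not actually drive this path
        covered.add(tuple(path))
    for path, (a, b) in cert["infeasible"]:
        pc = path_condition(tree, path)
        # the hint must be a slice of this path's condition and contradictory on its own
        if pc is None or a not in pc or b not in pc or not pair_unsat(a, b):
            return False
        covered.add(tuple(path))
    for path in cert["unknown"]:
        if path_condition(tree, path) is None:
            return False
        covered.add(tuple(path))
    # every program path must be accounted for, so the producer cannot silently drop one
    return covered == {p for p, _, _ in explore(tree)}
```

Running `check(PROGRAM, produce(PROGRAM))` accepts the certificate: three paths carry concrete test inputs, the dead path carries the pair (x > 10, x < 5), and the path needing y > 1000 is listed as unknown. Two caveats worth keeping in mind when reading the abstract's speedup numbers: the consumer's work is linear in the certificate (one re-execution per witness plus a pairwise interval check), which is where the savings over re-running the solver come from, and a certificate that lists every path as unknown is still valid, so the consumer must treat the size of the incompleteness summary as part of the result, not just the accept/reject bit.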
Acknowledgments
This material is based on research sponsored by NSF under grants CCF-1319688, CCF-1319858 and CCF-1549161.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Qiu, R., Păsăreanu, C.S., Khurshid, S. (2016). Certified Symbolic Execution. In: Artho, C., Legay, A., Peled, D. (eds) Automated Technology for Verification and Analysis. ATVA 2016. Lecture Notes in Computer Science, vol 9938. Springer, Cham. https://doi.org/10.1007/978-3-319-46520-3_31
DOI: https://doi.org/10.1007/978-3-319-46520-3_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46519-7
Online ISBN: 978-3-319-46520-3
eBook Packages: Computer Science; Computer Science (R0)