Scaling symbolic execution using staged analysis

  • SI: SAC-SVT’12
  • Innovations in Systems and Software Engineering

Abstract

Recent advances in constraint solving technology and raw computation power have led to a substantial increase in the effectiveness of techniques based on symbolic execution for systematic bug finding. However, scaling symbolic execution remains a challenging problem. We present a novel approach to increase the efficiency of symbolic execution for systematic testing of object-oriented programs. Our insight is that we can apply symbolic execution in stages, rather than the traditional approach of applying it all at once, to compute abstract symbolic inputs that can later be shared across different methods to test them systematically. For example, a class invariant can provide the basis of generating abstract symbolic tests that are then used to symbolically execute several methods that require their inputs to satisfy the invariant. We present an experimental evaluation to compare our approach against KLEE, a state-of-the-art implementation of symbolic execution. Results show that our approach enables significant savings in the cost of systematic testing using symbolic execution.

Acknowledgments

We thank Darko Marinov for detailed comments on an earlier draft of this paper. This work was funded in part by the Fulbright Program, the NSF under Grant Nos. CCF-0845628 and IIS-0438967, and AFOSR grant FA9550-09-1-0351.

Author information

Correspondence to Junaid Haroon Siddiqui.

About this article

Cite this article

Siddiqui, J.H., Khurshid, S. Scaling symbolic execution using staged analysis. Innovations Syst Softw Eng 9, 119–131 (2013). https://doi.org/10.1007/s11334-013-0196-9

  • DOI: https://doi.org/10.1007/s11334-013-0196-9
