Abstract
Recent advances in constraint solving technology and raw computation power have led to a substantial increase in the effectiveness of techniques based on symbolic execution for systematic bug finding. However, scaling symbolic execution remains a challenging problem. We present a novel approach to increase the efficiency of symbolic execution for systematic testing of object-oriented programs. Our insight is that we can apply symbolic execution in stages, rather than the traditional approach of applying it all at once, to compute abstract symbolic inputs that can later be shared across different methods to test them systematically. For example, a class invariant can provide the basis of generating abstract symbolic tests that are then used to symbolically execute several methods that require their inputs to satisfy the invariant. We present an experimental evaluation to compare our approach against KLEE, a state-of-the-art implementation of symbolic execution. Results show that our approach enables significant savings in the cost of systematic testing using symbolic execution.
Acknowledgments
We thank Darko Marinov for detailed comments on an earlier draft of this paper. This work was funded in part by the Fulbright Program, the NSF under Grant Nos. CCF-0845628 and IIS-0438967, and AFOSR grant FA9550-09-1-0351.
Cite this article
Siddiqui, J.H., Khurshid, S. Scaling symbolic execution using staged analysis. Innovations Syst Softw Eng 9, 119–131 (2013). https://doi.org/10.1007/s11334-013-0196-9
DOI: https://doi.org/10.1007/s11334-013-0196-9