ABSTRACT
Symbolic execution is a widely used program analysis technique. It collects and solves path conditions to guide program traversal. However, due to the limitations of current constraint solvers, it is difficult to apply symbolic execution to programs with complex path conditions, such as nonlinear constraints and function calls. In this paper, we propose a new symbolic execution tool, MLB, to handle this problem. Instead of relying on classical constraint solving, MLB transforms the feasibility problems of the path conditions into optimization problems by minimizing a dissatisfaction degree. The optimization problems are then handled by the underlying optimization solver through machine-learning-guided sampling and validation. MLB is implemented on the basis of Symbolic PathFinder and encodes not only simple linear path conditions, but also nonlinear arithmetic operations, and even black-box function calls of library methods, into symbolic path conditions. Experimental results show that MLB can achieve much better coverage on complex real-world programs.
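The reformulation described in the abstract, as an added Python example that is not MLB's code: a constructed path condition is turned into a dissatisfaction score that is zero exactly when the condition holds, and a simplified classification-guided sampler (an assumption standing in for MLB's optimization solver) minimizes it. The names `gt`, `dissatisfaction`, `solve` and `BOUNDS` are hypothetical.

```python
import math
import random

EPS = 1e-9  # keeps a violated strict inequality from scoring exactly 0

def gt(a, b):
    """Dissatisfaction of `a > b`: 0 if it holds, else the size of the gap."""
    return 0.0 if a > b else (b - a) + EPS

def path_condition(x, y):
    """Constructed branch condition with nonlinear terms and library calls."""
    return x * y > 10 and math.sin(x) + math.cos(y) < 0.2 and x * x + y * y < 50

def dissatisfaction(point):
    """Sum of per-conjunct violations; 0 exactly when path_condition holds."""
    x, y = point
    return (gt(x * y, 10)
            + gt(0.2, math.sin(x) + math.cos(y))   # library calls stay opaque
            + gt(50, x * x + y * y))

def solve(f, bounds, budget=5000, pop=50, k=5, explore=0.1, seed=0):
    """Minimise f with classification-guided sampling; stop once f == 0."""
    rng = random.Random(seed)

    def uniform():
        return tuple(rng.uniform(lo, hi) for lo, hi in bounds)

    scored = sorted((f(p), p) for p in (uniform() for _ in range(pop)))
    for _ in range(budget):
        if scored[0][0] == 0.0:
            break
        # "Positive" class = k best samples; the learned region is their
        # axis-aligned bounding box, padded by 5% of each variable's range.
        good = [p for _, p in scored[:k]]
        if rng.random() < explore:
            cand = uniform()                       # keep some global search
        else:
            cand = tuple(
                rng.uniform(max(lo, min(c) - 0.05 * (hi - lo)),
                            min(hi, max(c) + 0.05 * (hi - lo)))
                for c, (lo, hi) in zip(zip(*good), bounds))
        scored.append((f(cand), cand))             # validate by evaluation
        scored.sort()
        scored.pop()                               # drop the worst sample
    best_f, best_p = scored[0]
    return (best_p if best_f == 0.0 else None), best_f

BOUNDS = [(-20.0, 20.0), (-20.0, 20.0)]            # assumed input domain
```

A returned point is a concrete test input that drives execution down the branch; `None` means the budget ran out, which does not prove the path infeasible.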