Xusheng Xiao,Sihan Li,Tao Xie,Nikolai Tillmann

DOI: https://doi.org/10.1109/ase.2013.6693084

2013-01-01

Abstract:Dynamic Symbolic Execution (DSE) is a state-of-the-art test-generation approach that systematically explores program paths to generate high-covering tests. In DSE, the presence of loops (especially unbound loops) can cause an enormous or even infinite number of paths to be explored. There exist techniques (such as bounded iteration, heuristics, and summarization) that assist DSE in addressing loop problems. However, there exists no literature-survey or empirical work that shows the pervasiveness of loop problems or identifies challenges faced by these techniques on real-world open-source applications. To fill this gap, we provide characteristic studies to guide future research on addressing loop problems for DSE. Our proposed study methodology starts with conducting a literature-survey study to investigate how technical problems such as loop problems compromise automated software-engineering tasks such as test generation, and which existing techniques are proposed to deal with such technical problems. Then the study methodology continues with conducting an empirical study of applying the existing techniques on real-world software applications sampled based on the literature-survey results and major open-source project hostings. This empirical study investigates the pervasiveness of the technical problems and how well existing techniques can address such problems among real-world software applications. Based on such study methodology, our two-phase characteristic studies identify that bounded iteration and heuristics are effective in addressing loop problems when used properly. Our studies further identify challenges faced by these techniques and provide guidelines for effectively addressing these challenges.

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

You Li,Zhendong Su,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2544173.2509553

2013-01-01

ACM SIGPLAN Notices

Abstract:Symbolic execution is a promising testing and analysis methodology. It systematically explores a program's execution space and can generate test cases with high coverage. One significant practical challenge for symbolic execution is how to effectively explore the enormous number of program paths in real-world programs. Various heuristics have been proposed for guiding symbolic execution, but they are generally inefficient and ad-hoc. In this paper, we introduce a novel, unified strategy to guide symbolic execution to less explored parts of a program. Our key idea is to exploit a specific type of path spectra, namely the length-n subpath program spectra , to systematically approximate full path information for guiding path exploration. In particular, we use frequency distributions of explored length- n subpaths to prioritize "less traveled" parts of the program to improve test coverage and error detection. We have implemented our general strategy in KLEE, a state-of-the-art symbolic execution engine. Evaluation results on the GNU Coreutils programs show that (1) varying the length n captures program-specific information and exhibits different degrees of effectiveness, and (2) our general approach outperforms traditional strategies in both coverage and error detection.

Zu-wei ZHAO,Shi-ning FENG,En-yi TANG,Xin CHEN,Xuan-dong LI,Min-xue PAN,Chen ZHAO

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.11.003

2017-01-01

Abstract:Loop is an important program structure in computer.Many applications need to estimate the maximum iteration number of loops in programs by loop bound analysis.Existing loop bound analysis uses conservative methods to derive outer loop bounds,which estimates the bounds higher than the real ones.In this paper,we propose an automatic inner bound analysis,which generates bounds slightly lower than the real ones.When users combine the inner bound analysis with traditional outer bound analysis,they can restrict every real loop bound in an interval and get more information about the loops.We implement the inner bound analysis by a scope-condition guided symbolic execution.The insight of our technique is that when symbolic execution substitutes program inputs by symbols in its derivation,it generates loop bounds for all valid inputs and generates corresponding test cases that make the inner bounds feasible.We optimize the technique and evaluate it on several benchmarks.The results show that the analysis is precise and efficient.

Charitha Saumya,Rohan Gangaraju,Kirshanthan Sundararajah,Milind Kulkarni

2023-08-03

Abstract:Dynamic symbolic execution (DSE) suffers from path explosion problem when the target program has many conditional branches. Classical approach for managing the path explosion problem is dynamic state merging. Dynamic state merging combines similar symbolic program states together to avoid the exponential growth of states in DSE. However, state merging still requires solver invocations at each branch point of the program even when both paths of the branch is feasible and, the best path search strategy for DSE may not create the best state merging opportunities. Some drawbacks of state merging can be mitigated by compile-time state merging i.e. branch elimination by converting control-flow into data-flow. In this paper, we propose a non-semantics preserving but failure-preserving compiler technique for removing expensive symbolic branches in a program to improve the scalability of DSE. We develop a framework for detecting spurious bugs that can be inserted by our transformation. Finally, we show that our transformation can significantly improve the performance of exhaustive DSE on variety of benchmarks and helps in achieving more coverage in a large real-world subjects within a limited time budget.

Software Engineering,Programming Languages

Xiaofei Xie,Bihuan Chen,Yang Liu,Wei Le,Xiaohong Li

DOI: https://doi.org/10.1145/2950290.2950340

2016-01-01

Abstract:Loops are challenging structures for program analysis, especially when loops contain multiple paths with complex interleaving executions among these paths. In this paper, we first propose a classification of multi-path loops to understand the complexity of the loop execution, which is based on the variable updates on the loop conditions and the execution order of the loop paths. Secondly, we propose a loop analysis framework, named Proteus, which takes a loop program and a set of variables of interest as inputs and summarizes path-sensitive loop effects on the variables. The key contribution is to use a path dependency automaton (PDA) to capture the execution dependency between the paths. A DFS-based algorithm is proposed to traverse the PDA to summarize the effect for all feasible executions in the loop. The experimental results show that Proteus is effective in three applications: Proteus can 1) compute a more precise bound than the existing loop bound analysis techniques; 2) significantly outperform state-of-the-art tools for loop verification; and 3) generate test cases for deep loops within one second, while KLEE and Pex either need much more time or fail.

Jiahe Xu,Jingwei Xu,Taolue Chen,Xiaoxing Ma

DOI: https://doi.org/10.1109/qrs62785.2024.00031

2024-01-01

Abstract:Symbolic execution is a powerful program analysis technique. External environment construction and internal path explosion are two long-standing problems which may affect the effectiveness and performance of symbolic execution on complex programs. The intrinsic challenge is to achieve a sufficient understanding of the program context to construct a set of execution environments which can guide the selection of symbolic states. In this paper, we propose a novel program-context-guided symbolic execution framework LangSym based on program’s instruction/user manual. Leveraging the capabilities of natural language understanding and code generation in large language models (LLMs), LangSym can automatically extract the knowledge related to the functionality of the program, and generate adequate test cases and the corresponding environments as the prior knowledge for symbolic execution. We instantiate LangSym in KLEE, a widely adopted symbolic execution engine, to build a pipeline that could automatically leverage LLMs to boost the symbolic execution. We evaluate LangSym on almost all GNU Coreutils programs and considerable large-scale programs, showing that LangSym outperforms the existing strategies in KLEE with at least a 10% increase for line coverage.

Junjie Chen,Wenxiang Hu,Lingming Zhang,Dan Hao,Sarfraz Khurshid,Lu Zhang

DOI: https://doi.org/10.4230/LIPIcs.ECOOP.2018.6

2018-01-01

Abstract:Symbolic execution is an effective but expensive technique for automated test generation. Over the years, a large number of refined symbolic execution techniques have been proposed to improve its efficiency. However, the symbolic execution efficiency problem remains, and largely limits the application of symbolic execution in practice. Orthogonal to refined symbolic execution, in this paper we propose to accelerate symbolic execution through semantic-preserving code transformation on the target programs. During the initial stage of this direction, we adopt a particular code transformation, compiler optimization, which is initially proposed to accelerate program concrete execution by transforming the source program into another semantic-preserving target program with increased efficiency (e.g., faster or smaller). However, compiler optimizations are mostly designed to accelerate program concrete execution rather than symbolic execution. Recent work also reported that unified settings on compiler optimizations that can accelerate symbolic execution for any program do not exist at all. Therefore, in this work we propose a machine-learning based approach to tuning compiler optimizations to accelerate symbolic execution, whose results may also aid further design of specific code transformations for symbolic execution. In particular, the proposed approach LEO separates source-code functions and libraries through our program-splitter, and predicts individual compiler optimization (i.e., whether a type of code transformation is chosen) separately through analyzing the performance of existing symbolic execution. Finally, LEO applies symbolic execution on the code transformed by compiler optimization (through our local-optimizer). We conduct an empirical study on GNU Coreutils programs using the KLEE symbolic execution engine. The results show that LEO significantly accelerates symbolic execution, outperforming the default KLEE configurations (i.e., turning on/off all compiler optimizations) in various settings, e.g., with the default training/testing time, LEO achieves the highest line coverage in 50/68 programs, and its average improvement rate on all programs is 46.48%/88.92% in terms of line coverage compared with turning on/off all compiler optimizations.

Haijun Wang,Ting Liu,Xiaohong Guan,Chao Shen,Qinghua Zheng,Zijiang Yang

DOI: https://doi.org/10.1109/TSE.2016.2584063

IF: 7.4

2017-01-01

IEEE Transactions on Software Engineering

Abstract:Symbolic execution is a powerful technique for systematically exploring the paths of a program and generating the corresponding test inputs. However, its practical usage is often limited by the path explosion problem, that is, the number of explored paths usually grows exponentially with the increase of program size. In this paper, we argue that for the purpose of fault detection it is not necessary to systematically explore the paths, and propose a new symbolic execution approach to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value. Our approach can achieve the equivalent fault detection capability as traditional symbolic execution without exhaustive path exploration. In addition, we develop a practical implementation called Dependence Guided Symbolic Execution (DGSE) to soundly approximate our approach. Through exploiting program dependence, DGSE can predict and eliminate the redundant paths at a reasonable computational cost. Our empirical study shows that the redundant paths are abundant and widespread in a program. Compared with traditional symbolic execution, DGSE only explores 6.96 to 96.57 percent of the paths and achieves a speedup of 1.02 $\\times$ to 49.56$\\times$ . We have released our tool and the benchmarks used to evaluate DGSE$^\\ast$ .

Xiaofei Xie,Bihuan Chen,Liang Zou,Shang-Wei Lin,Yang Liu,Xiaohong Li

DOI: https://doi.org/10.1145/3106237.3106260

2017-01-01

Abstract:Loop termination is an important problem for proving the correctness of a system and ensuring that the system always reacts. Existing loop termination analysis techniques mainly depend on the synthesis of ranking functions, which is often expensive. In this paper, we present a novel approach, named Loopster, which performs an efficient static analysis to decide the termination for loops based on path termination analysis and path dependency reasoning. Loopster adopts a divide-and-conquer approach: (1) we extract individual paths from a target multi-path loop and analyze the termination of each path, (2) analyze the dependencies between each two paths, and then (3) determine the overall termination of the target loop based on the relations among paths. We evaluate Loopster by applying it on the loop termination competition benchmark and three real-world projects. The results show that Loopster is effective in a majority of loops with better accuracy and 20 ×+ performance improvement compared to the state-of-the-art tools.

Xin Li,Yongjuan Liang,Hong Qian,Yi-Qi Hu,Lei Bu,Yang Yu,Xin Chen,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970364

2016-01-01

Abstract:Symbolic execution is a widely-used program analysis technique. It collects and solves path conditions to guide the program traversing. However, due to the limitation of the current constraint solvers, it is difficult to apply symbolic execution on programs with complex path conditions, like nonlinear constraints and function calls. In this paper, we propose a new symbolic execution tool MLB to handle such problem. Instead of relying on the classical constraint solving, in MLB, the feasibility problems of the path conditions are transformed into optimization problems, by minimizing some dissatisfaction degree. The optimization problems are then handled by the underlying optimization solver through machine learning guided sampling and validation. MLB is implemented on the basis of Symbolic PathFinder and encodes not only the simple linear path conditions, but also nonlinear arithmetic operations, and even black-box function calls of library methods, into symbolic path conditions. Experiment results show that MLB can achieve much better coverage on complex real-world programs.

Yufeng Zhang,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.48550/arXiv.1205.4951

2012-05-31

Abstract:Symbolic execution is an effective path oriented and constraint based program analysis technique. Recently, there is a significant development in the research and application of symbolic execution. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large-scale or very complex programs. In this paper, we propose a new fashion of symbolic execution, named Speculative Symbolic Execution (SSE), to speed up symbolic execution by reducing the invocation times of constraint solver. In SSE, when encountering a branch statement, the search procedure may speculatively explore the branch without regard to the feasibility. Constraint solver is invoked only when the speculated branches are accumulated to a specified number. In addition, we present a key optimization technique that enhances SSE greatly. We have implemented SSE and the optimization technique on Symbolic Pathfinder (SPF). Experimental results on six programs show that, our method can reduce the invocation times of constraint solver by 21% to 49% (with an average of 30%), and save the search time from 23.6% to 43.6% (with an average of 30%).

Software Engineering

xusheng xiao,tao xie,nikolai tillmann,peli de halleux

2010-01-01

Abstract:The process of achieving high structural coverage of the pro- gram under test can be automated using Dynamic Sym- bolic Execution (DSE), which generates test inputs to it- eratively explore paths of the program under test. When applied on real-world applications, DSE faces various chal- lenges in generating test inputs to achieve high structural coverage. Among issues related to these challenges, our preliminary study identified two main types of issues: (1) object-creation issues (OCI), where DSE fails to generate method-call sequences to produce desirable object states; (2) external-method-call issues (EMCI), where symbolic val- ues are passed as arguments to third-party library methods that are not instrumented by DSE. Automatically solving these two main types of issues is challenging, since the explo- ration space of generating method-call sequences for desir- able object states is usually too huge, and instrumenting all third-party libraries can cause explosion of the exploration space. However, when provided with informative informa- tion of issues, users can effectively assist DSE to achieve high structural coverage. In this paper, we propose a gen- eral approach, called Covana, to identify issues faced by DSE via analyzing runtime information, and filter out irrelevant issues using residual structural coverage. We provide two techniques to instantiate our general approach to identify OCIs and EMCIs. To show the effectiveness of Covana, we conduct evaluations on two open source projects. Our re- sults show that Covana effectively identifies 155 OCIs, and 43 EMCIs. Moreover, Covana effectively reduces 296 irrel- evant issues out of 451 OCIs and 1567 irrelevant issues out of 1610 EMCIs produced by a straightforward approach.

Kai Zhu,Chenkai Guo,Kuihao Yan,Xiaoqi Jia,Haichao Du,Qingjia Huang,Yamin Xie,Jing Tang

2024-11-05

Abstract:Analyzing programs with loops is a challenging task, suffering from potential issues such as indeterminate number of iterations and exponential growth of control flow complexity. Loop summarization, as a static analysis method for concrete semantic interpretation, receives increasing focuses. It produces symbolic expressions semantically equivalent to the loop program. However, current loop summarization methods are only suitable for single-branch loops or multi-branch loops with simple cycles, without supporting complex loops with irregular branch-to-branch transitions. In this paper, we proposed LoopSCC, a novel loop summarization technique, to achieve concrete semantic interpretation on complex loop. LoopSCC analyzes the control flow at the granularity of single-loop-path and applies the strongly connected components (SCC for short) for contraction and simplification, resulting in the contracted single-loop-path graph (CSG for short). Based on the control flow information provided by the CSG, we can convert the loop summary into a combination of SCC summaries. When an SCC contains irregular branch-to-branch transitions, we propose to explore a convergent range to identify the determinate cycles of different execution paths, referred as oscillatory interval. The loop summarization composed of both iteration conditions and execution operations can eventually be derived recursively. Extensive experiments compared to six state-of-the-art loop interpretation methods are conducted to evaluate the effectiveness of LoopSCC. From the results, LoopSCC outperforms comparative methods in both interpretation accuracy and application effectiveness. Especially, LoopSCC achieves a 100% interpretation accuracy on public common-used benchmark. A systematical study for loop properties on three large-scale programs illustrates that LoopSCC presents outstanding scalability for real-world loop programs.

Programming Languages

Xiaoyin Wang,Lingming Zhang,Philip Tanofsky

DOI: https://doi.org/10.1145/2771783.2771818

2015-07-13

Abstract:Software testing has been the major approach to software quality assurance for decades, but it typically involves intensive manual efforts. To reduce manual efforts, researchers have proposed numerous approaches to automate test-case generation, which is one of the most time-consuming tasks in software testing. One most recent achievement in the area is Dynamic Symbolic Execution (DSE), and tools based on DSE, such as KLEE, have been reported to generate test suites achieving higher code coverage than manually developed test suites. However, besides the competitive code coverage, there have been few studies to compare DSE-based test suites with manually developed test suites more thoroughly on various metrics to understand the detailed differences between the two testing methodologies. In this paper, we revisit the experimental study on the KLEE tool and GNU CoreUtils programs, and compare KLEE-based test suites with manually developed test suites on various aspects. We further carried out a qualitative study to investigates the reasons behind the differences in statistical results. The results of our studies show that while KLEE-based test suites are able to generate test cases with higher code coverage, they are relatively less effective on covering hard-to-cover code and killing mutants. Furthermore, our qualitative study reveals that KLEE-based test suites have advantages in exploring error-handling code and exhausting options, but are less effective on generating valid string inputs and exploring meaningful program behaviors.

Bu Lei,Liang Yongjuan,Xie Zhunyi,Qian Hong,Hu Yi-Qi,Yu Yang,Chen Xin,Li Xuandong

DOI: https://doi.org/10.1007/s00165-021-00538-3

2021-01-01

Formal Aspects of Computing

Abstract:During program traversing, symbolic execution collects pathconditions and feeds them to a constraint solver to obtain feasiblesolutions. However, complex path conditions, like nonlinearconstraints, which widely appear in programs, are hard to be handledefficiently by the existing solvers. In this paper, we adapt theclassical symbolic execution framework with a machine learningapproach for constraint satisfaction. The approach samples andlearns from different solutions to identify potentially feasiblearea. This sampling-learning style solving can be applied indifferent class of complex problems easily. Therefore, incorporatingthis approach, our framework, MLBSE, supports the symbolicexecution of not only simple linear path conditions, but alsononlinear arithmetic operations, and even black-box function callsof library methods. Meanwhile, thanks to the theoretical foundationof the machine learning based approach, when the solver fails tosolve a path condition, we can have an estimation of the confidencein the satisfiability (ECS) of the problem to give users insightsabout how the problem is analyzed and whether they could ultimatelyfind a solution. We implement MLBSE on the basis of SymbolicPath Finder (SPF) into a fully automatic Java symbolic executionengine. Users can feed their code to MLBSE directly, which isvery convenient to use. To evaluate its performance, 22 real caseprograms are used as the benchmarks for MLBSE to generate testcases, which involve a total number of 1042 methods that are full ofnonlinear operations, floating-point arithmetic as well as nativemethod calls. Experiment results show that the coverage achieved byMLBSE is much higher than the state-of-the-art tools.

Tuba Yavuz

2024-08-15

Abstract:Dynamic symbolic execution (DSE) provides a precise means to analyze programs and it can be used to generate test cases and to detect a variety of bugs including memory vulnerabilities. However, the path explosion problem may prevent a symbolic executor from covering program locations or paths of interest. In this paper, we present a Multi-Pass Targeted Dynamic Symbolic Execution approach that starts from a target program location and moves backward until it reaches a specified entry point to check for reachability, to detect bugs on the feasible paths between the entry point and the target, and to collect constraints about the memory locations accessed by the code. Our approach uses a mix of backward and forward reasoning passes. It introduces an abstract address space that gets populated during the backward pass and uses unification to precisely map the abstract objects to the objects in the concrete address space. We have implemented our approach in a tool called DESTINA using KLEE, a DSE tool. We have evaluated DESTINA using SvComp benchmarks from the memory safety and control-flow categories. Results show that DESTINA can detect memory vulnerabilities precisely and it can help DSE reach target locations faster when it struggles with the path explosion. Our approach achieves on average 4X reduction in the number of paths explored and 2X speedup.

Software Engineering,Programming Languages

Xiaofei Xie,Bihuan Chen,Liang Zou,Yang Liu,Wei Le,Xiaohong Li

DOI: https://doi.org/10.1109/tse.2017.2788018

IF: 7.4

2019-01-01

IEEE Transactions on Software Engineering

Abstract:Analyzing loops is very important for various software engineering tasks such as bug detection, test case generation and program optimization. However, loops are very challenging structures for program analysis, especially when (nested) loops contain multiple paths that have complex interleaving relationships. In this paper, we propose the path dependency automaton (PDA) to capture the dependencies among the multiple paths in a loop. Based on the PDA, we first propose a loop classification to understand the complexity of loop summarization. Then, we propose a loop analysis framework, named Proteus, which takes a loop program and a set of variables of interest as inputs and summarizes path-sensitive loop effects (i.e., disjunctive loop summary) on the variables of interest. An algorithm is proposed to traverse the PDA to summarize the effect for all possible executions in the loop. We have evaluated Proteus using loops from five open-source projects and two well-known benchmarks and applying the disjunctive loop summary to three applications: loop bound analysis, program verification and test case generation. The evaluation results have demonstrated that Proteus can compute a more precise bound than the existing loop bound analysis techniques; Proteus can significantly outperform the state-of-the-art tools for loop program verification; and Proteus can help generate test cases for deep loops within one second, while symbolic execution tools KLEE and Pex either need much more time or fail.

Tao Xie,Nikolai Tillmann,Jonathan de Halleux,Wolfram Schulte

DOI: https://doi.org/10.1109/dsn.2009.5270315

2009-01-01

Abstract:Dynamic symbolic execution is a structural testing technique that systematically explores feasible paths of the program under test by running the program with different test inputs to improve code coverage. To address the space-explosion issue in path exploration, we propose a novel approach called Fitnex, a search strategy that uses state-dependent fitness values (computed through a fitness function) to guide path exploration. The fitness function measures how close an already discovered feasible path is to a particular test target (e.g., covering a not-yet-covered branch). Our new fitness-guided search strategy is integrated with other strategies that are effective for exploration problems where the fitness heuristic fails. We implemented the new approach in Pex, an automated structural testing tool developed at Microsoft Research. We evaluated our new approach by comparing it with existing search strategies. The empirical results show that our approach is effective since it consistently achieves high code coverage faster than existing search strategies.

Yuexing Wang,Min Zhou,Yu Jiang,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ase.2017.8115706

2017-01-01

Abstract:To reduce the false positives of static analysis, many tools collect path constraints and integrate SMT solvers to filter unreachable execution paths. However, the accumulated calling and computing of SMT solvers are time and resource consuming. This paper presents TsmartLW, an alternate static analysis tool in which we implement a path constraint solving engine to speed up reachability determination. Within the engine, typical types of constraint-patterns are firstly defined based on an empirical study of a large number of code repositories. For each pattern, a constraint solving algorithm is designed and implemented. For each program, the engine predicts the most suitable strategy and then applies the strategy to solve path constraints. The experimental results on some well-known benchmarks and real-world applications show that TsmartLW is faster than some state-of-the-art static analysis tools. For example, it is 1.32× faster than CPAchecker and our engine is 369× faster than SMT solvers in solving path constraints. The demo video is available at https://www.youtube.com/watch?v=5c3ARhFclHA&t=2s.