Yufeng Zhang,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.48550/arXiv.1205.4951

2012-05-31

Abstract:Symbolic execution is an effective path oriented and constraint based program analysis technique. Recently, there is a significant development in the research and application of symbolic execution. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large-scale or very complex programs. In this paper, we propose a new fashion of symbolic execution, named Speculative Symbolic Execution (SSE), to speed up symbolic execution by reducing the invocation times of constraint solver. In SSE, when encountering a branch statement, the search procedure may speculatively explore the branch without regard to the feasibility. Constraint solver is invoked only when the speculated branches are accumulated to a specified number. In addition, we present a key optimization technique that enhances SSE greatly. We have implemented SSE and the optimization technique on Symbolic Pathfinder (SPF). Experimental results on six programs show that, our method can reduce the invocation times of constraint solver by 21% to 49% (with an average of 30%), and save the search time from 23.6% to 43.6% (with an average of 30%).

Software Engineering

Xin Li,Yongjuan Liang,Hong Qian,Yi-Qi Hu,Lei Bu,Yang Yu,Xin Chen,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970364

2016-01-01

Abstract:Symbolic execution is a widely-used program analysis technique. It collects and solves path conditions to guide the program traversing. However, due to the limitation of the current constraint solvers, it is difficult to apply symbolic execution on programs with complex path conditions, like nonlinear constraints and function calls. In this paper, we propose a new symbolic execution tool MLB to handle such problem. Instead of relying on the classical constraint solving, in MLB, the feasibility problems of the path conditions are transformed into optimization problems, by minimizing some dissatisfaction degree. The optimization problems are then handled by the underlying optimization solver through machine learning guided sampling and validation. MLB is implemented on the basis of Symbolic PathFinder and encodes not only the simple linear path conditions, but also nonlinear arithmetic operations, and even black-box function calls of library methods, into symbolic path conditions. Experiment results show that MLB can achieve much better coverage on complex real-world programs.

Huibin Wang,Chunqiang Li,Jianyi Meng,Xiaoyan Xiang

DOI: https://doi.org/10.1587/transinf.2018edp7298

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Symbolic execution is capable of automatically generating tests that achieve high coverage. However, its practical use is limited by the scalability problem. To mitigate it, this paper proposes State Concretization based Symbolic Execution (SCSE). SCSE speeds up symbolic execution via state concretization. Specifically, by introducing a concrete store, our approach avoids invoking the constraint solver to check path feasibility at conditional instructions. Intuitively, there is no need to check the feasibility of a path along a concrete execution since it is always feasible. With state concretization, the number of solver queries greatly decreases, thus improving the efficiency of symbolic execution. Through experimental evaluation on real programs, we show that state concretization helps to speed up symbolic execution significantly.

Shiqi Shen,Soundarya Ramesh,Shweta Shinde,Abhik Roychoudhury,Prateek Saxena

2018-01-01

Abstract:Symbolic execution is a powerful technique for program analysis. However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers. Often, relationships between variables of interest are not expressible directly as purely symbolic constraints. To this end, we present a new approach -- neuro-symbolic execution -- which learns an approximation of the relationship as a neural net. It features a constraint solver that can solve mixed constraints, involving both symbolic expressions and neural network representation. To do so, we envision such constraint solving as procedure combining SMT solving and gradient-based optimization. We demonstrate the utility of neuro-symbolic execution in constructing exploits for buffer overflows. We report success on 13/14 programs which have difficult constraints, known to require specialized extensions to symbolic execution. In addition, our technique solves $100$% of the given neuro-symbolic constraints in $73$ programs from standard verification and invariant synthesis benchmarks.

Xinyu Wang,Jun Sun,Zhenbang Chen,Peixin Zhang,Jingyi Wang,Yun Lin

DOI: https://doi.org/10.1145/3180155.3180177

2018-01-01

Abstract:Concolic testing integrates concrete execution (e.g., random testing) and symbolic execution for test case generation. It is shown to be more cost-effective than random testing or symbolic execution sometimes. A concolic testing strategy is a function which decides when to apply random testing or symbolic execution, and if it is the latter case, which program path to symbolically execute. Many heuristics-based strategies have been proposed. It is still an open problem what is the optimal concolic testing strategy. In this work, we make two contributions towards solving this problem. First, we show the optimal strategy can be defined based on the probability of program paths and the cost of constraint solving. The problem of identifying the optimal strategy is then reduced to a model checking problem of Markov Decision Processes with Costs. Secondly, in view of the complexity in identifying the optimal strategy, we design a greedy algorithm for approximating the optimal strategy. We conduct two sets of experiments. One is based on randomly generated models and the other is based on a set of C programs. The results show that existing heuristics have much room to improve and our greedy algorithm often outperforms existing heuristics.

Bu Lei,Liang Yongjuan,Xie Zhunyi,Qian Hong,Hu Yi-Qi,Yu Yang,Chen Xin,Li Xuandong

DOI: https://doi.org/10.1007/s00165-021-00538-3

2021-01-01

Formal Aspects of Computing

Abstract:During program traversing, symbolic execution collects pathconditions and feeds them to a constraint solver to obtain feasiblesolutions. However, complex path conditions, like nonlinearconstraints, which widely appear in programs, are hard to be handledefficiently by the existing solvers. In this paper, we adapt theclassical symbolic execution framework with a machine learningapproach for constraint satisfaction. The approach samples andlearns from different solutions to identify potentially feasiblearea. This sampling-learning style solving can be applied indifferent class of complex problems easily. Therefore, incorporatingthis approach, our framework, MLBSE, supports the symbolicexecution of not only simple linear path conditions, but alsononlinear arithmetic operations, and even black-box function callsof library methods. Meanwhile, thanks to the theoretical foundationof the machine learning based approach, when the solver fails tosolve a path condition, we can have an estimation of the confidencein the satisfiability (ECS) of the problem to give users insightsabout how the problem is analyzed and whether they could ultimatelyfind a solution. We implement MLBSE on the basis of SymbolicPath Finder (SPF) into a fully automatic Java symbolic executionengine. Users can feed their code to MLBSE directly, which isvery convenient to use. To evaluate its performance, 22 real caseprograms are used as the benchmarks for MLBSE to generate testcases, which involve a total number of 1042 methods that are full ofnonlinear operations, floating-point arithmetic as well as nativemethod calls. Experiment results show that the coverage achieved byMLBSE is much higher than the state-of-the-art tools.

Guofeng Zhang,Zhenbang Chen,Ziqi Shuai

DOI: https://doi.org/10.1109/apsec57359.2022.00030

IF: 3.5

2024-10-31

Journal of Systems and Software

Abstract:Floating-point programs are challenging for symbolic execution due to the constraint solving problem. This paper empirically studies five existing symbolic execution methods for floating-point programs to evaluate their effectiveness and limitations. We have implemented the existing methods based on the state-of-the-art symbolic execution tool KLEE and constructed a real-world floating-point program benchmark for evaluation. We evaluate the existing methods with respect to statement coverage and the ability to detect floating-point exceptions. The results demonstrate that the existing methods complement each other. Based on the evaluation results, we propose a synergistic approach to improving the efficiency of the symbolic execution for floating-point programs. The experimental results indicate our synergistic method's effectiveness in finding floating-point exceptions.

computer science, theory & methods, software engineering

Meixi Liu,Ziqi Shuai,Luyao Liu,Kelin Ma,Ke Ma

DOI: https://doi.org/10.1109/apsec57359.2022.00042

2022-01-01

Abstract:Array constraint solving is widely adopted by the existing symbolic execution engines for encoding programs precisely. The counterexample-guided abstraction refinement (CEGAR) based method is state-of-the-art for array constraint solving. However, we observed that the CEGAR-based method may need many refinements to solve the array constraints produced by the symbolic executor, which decreases the performance of constraint solving. Based on the observation, we propose a machine learning-based method to improve the efficiency of the CEGAR-based array constraint solving. Our method adaptively turns on or off the CEGAR loop according to different solving problems. We have implemented our method on the symbolic executor KLEE and its underlying CEGAR-based constraint solver STP. We have conducted an extensive experiment on 55 real-world programs. On average, our method increases the number of explored paths by 21%. The results of the extensive experiments on real-world C programs show the effectiveness of our method.

Wenhan Wang,Kaibo Liu,An Ran Chen,Ge Li,Zhi Jin,Gang Huang,Lei Ma

2024-09-14

Abstract:Symbolic execution is a key technology in software testing, which generates test cases by collecting symbolic path constraints and then solving constraints with SMT solvers. Symbolic execution has been proven helpful in generating high-coverage test cases, but its limitations, e.g., the difficulties in solving path constraints, prevent it from broader usage in software testing. Moreover, symbolic execution has encountered many difficulties when applied to dynamically typed languages like Python, because it is extremely challenging to translate the flexible Python grammar into rigid solvers. To overcome the main challenges of applying symbolic execution in Python, we proposed an LLM-empowered agent, LLM-Sym, that automatically calls an SMT solver, Z3, to solve execution path constraints. Based on an introductory-level symbolic execution engine, our LLM agent can extend it to supporting programs with complex data type `list'. The core contribution of LLM-Sym is translating complex Python path constraints into Z3 code. To enable accurate path-to-Z3 translation, we design a multiple-step code generation pipeline including type inference, retrieval and self-refine. Our experiments demonstrate that LLM-Sym is capable of solving path constraints on Leetcode problems with complicated control flows and list data structures, which is impossible for the backbone symbolic execution engine. Our approach paves the way for the combination of the generation ability of LLMs with the reasoning ability of symbolic solvers, and opens up new opportunities in LLM-augmented test case generation.

Software Engineering,Programming Languages

Haijun Wang,Ting Liu,Xiaohong Guan,Chao Shen,Qinghua Zheng,Zijiang Yang

DOI: https://doi.org/10.1109/TSE.2016.2584063

IF: 7.4

2017-01-01

IEEE Transactions on Software Engineering

Abstract:Symbolic execution is a powerful technique for systematically exploring the paths of a program and generating the corresponding test inputs. However, its practical usage is often limited by the path explosion problem, that is, the number of explored paths usually grows exponentially with the increase of program size. In this paper, we argue that for the purpose of fault detection it is not necessary to systematically explore the paths, and propose a new symbolic execution approach to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value. Our approach can achieve the equivalent fault detection capability as traditional symbolic execution without exhaustive path exploration. In addition, we develop a practical implementation called Dependence Guided Symbolic Execution (DGSE) to soundly approximate our approach. Through exploiting program dependence, DGSE can predict and eliminate the redundant paths at a reasonable computational cost. Our empirical study shows that the redundant paths are abundant and widespread in a program. Compared with traditional symbolic execution, DGSE only explores 6.96 to 96.57 percent of the paths and achieves a speedup of 1.02 $\\times$ to 49.56$\\times$ . We have released our tool and the benchmarks used to evaluate DGSE$^\\ast$ .

Junjie Chen,Wenxiang Hu,Lingming Zhang,Dan Hao,Sarfraz Khurshid,Lu Zhang

DOI: https://doi.org/10.4230/LIPIcs.ECOOP.2018.6

2018-01-01

Abstract:Symbolic execution is an effective but expensive technique for automated test generation. Over the years, a large number of refined symbolic execution techniques have been proposed to improve its efficiency. However, the symbolic execution efficiency problem remains, and largely limits the application of symbolic execution in practice. Orthogonal to refined symbolic execution, in this paper we propose to accelerate symbolic execution through semantic-preserving code transformation on the target programs. During the initial stage of this direction, we adopt a particular code transformation, compiler optimization, which is initially proposed to accelerate program concrete execution by transforming the source program into another semantic-preserving target program with increased efficiency (e.g., faster or smaller). However, compiler optimizations are mostly designed to accelerate program concrete execution rather than symbolic execution. Recent work also reported that unified settings on compiler optimizations that can accelerate symbolic execution for any program do not exist at all. Therefore, in this work we propose a machine-learning based approach to tuning compiler optimizations to accelerate symbolic execution, whose results may also aid further design of specific code transformations for symbolic execution. In particular, the proposed approach LEO separates source-code functions and libraries through our program-splitter, and predicts individual compiler optimization (i.e., whether a type of code transformation is chosen) separately through analyzing the performance of existing symbolic execution. Finally, LEO applies symbolic execution on the code transformed by compiler optimization (through our local-optimizer). We conduct an empirical study on GNU Coreutils programs using the KLEE symbolic execution engine. The results show that LEO significantly accelerates symbolic execution, outperforming the default KLEE configurations (i.e., turning on/off all compiler optimizations) in various settings, e.g., with the default training/testing time, LEO achieves the highest line coverage in 50/68 programs, and its average improvement rate on all programs is 46.48%/88.92% in terms of line coverage compared with turning on/off all compiler optimizations.

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder,Olivier Mattmann

2023-11-07

Abstract:Symbolic Execution is a formal method that can be used to verify the behavior of computer programs and detect software vulnerabilities. Compared to other testing methods such as fuzzing, Symbolic Execution has the advantage of providing formal guarantees about the program. However, despite advances in performance in recent years, Symbolic Execution is too slow to be applied to real-world software. This is primarily caused by the \emph{path explosion problem} as well as by the computational complexity of SMT solving. In this paper, we present a divide-and-conquer approach for symbolic execution by executing individual slices and later combining the side effects. This way, the overall problem size is kept small, reducing the impact of computational complexity on large problems.

Cryptography and Security,Symbolic Computation,Systems and Control

Jiahe Xu,Jingwei Xu,Taolue Chen,Xiaoxing Ma

DOI: https://doi.org/10.1109/qrs62785.2024.00031

2024-01-01

Abstract:Symbolic execution is a powerful program analysis technique. External environment construction and internal path explosion are two long-standing problems which may affect the effectiveness and performance of symbolic execution on complex programs. The intrinsic challenge is to achieve a sufficient understanding of the program context to construct a set of execution environments which can guide the selection of symbolic states. In this paper, we propose a novel program-context-guided symbolic execution framework LangSym based on program’s instruction/user manual. Leveraging the capabilities of natural language understanding and code generation in large language models (LLMs), LangSym can automatically extract the knowledge related to the functionality of the program, and generate adequate test cases and the corresponding environments as the prior knowledge for symbolic execution. We instantiate LangSym in KLEE, a widely adopted symbolic execution engine, to build a pipeline that could automatically leverage LLMs to boost the symbolic execution. We evaluate LangSym on almost all GNU Coreutils programs and considerable large-scale programs, showing that LangSym outperforms the existing strategies in KLEE with at least a 10% increase for line coverage.

You Li,Zhendong Su,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2544173.2509553

2013-01-01

ACM SIGPLAN Notices

Abstract:Symbolic execution is a promising testing and analysis methodology. It systematically explores a program's execution space and can generate test cases with high coverage. One significant practical challenge for symbolic execution is how to effectively explore the enormous number of program paths in real-world programs. Various heuristics have been proposed for guiding symbolic execution, but they are generally inefficient and ad-hoc. In this paper, we introduce a novel, unified strategy to guide symbolic execution to less explored parts of a program. Our key idea is to exploit a specific type of path spectra, namely the length-n subpath program spectra , to systematically approximate full path information for guiding path exploration. In particular, we use frequency distributions of explored length- n subpaths to prioritize "less traveled" parts of the program to improve test coverage and error detection. We have implemented our general strategy in KLEE, a state-of-the-art symbolic execution engine. Evaluation results on the GNU Coreutils programs show that (1) varying the length n captures program-specific information and exhibits different degrees of effectiveness, and (2) our general approach outperforms traditional strategies in both coverage and error detection.

Shen Shiqi,Shweta Shinde,Soundarya Ramesh,Abhik Roychoudhury,Prateek Saxena

DOI: https://doi.org/10.14722/ndss.2019.23530

2019-01-01

Elements

Abstract:Symbolic execution is a powerful technique for program analysis.However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers.Often, relationships between variables of interest are not expressible directly as purely symbolic constraints.To this end, we present a new approach-neuro-symbolic execution-which learns an approximation of the relationship between program values of interest, as a neural network.We develop a procedure for checking satisfiability of mixed constraints, involving both symbolic expressions and neural representations.We implement our new approach in a tool called NEUEX as an extension of KLEE, a state-of-the-art dynamic symbolic execution engine.NEUEX finds 33 exploits in a benchmark of 7 programs within 12 hours.This is an improvement in the bug finding efficacy of 94% over vanilla KLEE.We show that this new approach drives execution down difficult paths on which KLEE and other DSE extensions get stuck, eliminating limitations of purely SMT-based techniques.

Hui Xu,Zirui Zhao,Yangfan Zhou,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.1712.01674

2018-05-25

Abstract:Symbolic execution now becomes an indispensable technique for software testing and program analysis. There are several symbolic execution tools available off-the-shelf, and we need a practical benchmark approach to learn their capabilities. Therefore, this paper introduces a novel approach to benchmark symbolic execution tools in a fine-grained and efficient manner. In particular, our approach evaluates the performance of such tools against the known challenges faced by general symbolic execution techniques, such as floating-point numbers and symbolic memories. To this end, we first survey related papers and systematize the challenges of symbolic execution. We extract 12 distinct challenges from the literature and categorize them into two categories: symbolic-reasoning challenges and path-explosion challenges. Then, we develop a dataset of logic bombs and a framework to benchmark symbolic execution tools automatically. For each challenge, our dataset contains several logic bombs, each of which is guarded by a specific challenging problem. If a symbolic execution tool can find test cases to trigger logic bombs, it indicates that the tool can handle the corresponding problems. We have conducted real-world experiments with three popular symbolic execution tools: KLEE, Angr, and Triton. Experimental results show that our approach can reveal their capabilities and limitations in handling particular issues accurately and efficiently. The benchmark process generally takes only dozens of minutes to evaluate a tool. We release our dataset on GitHub as open source, with an aim to better facilitate the community to conduct future work on benchmarking symbolic execution tools.

Software Engineering

Yaoxuan Wu,Ahmad Humayun,Muhammad Ali Gulzar,Miryung Kim

DOI: https://doi.org/10.1145/3660825

2024-07-12

Abstract:Symbolic execution is an automated test input generation technique that models individual program paths as logical constraints. However, the realism of concrete test inputs generated by SMT solvers often comes into question. Existing symbolic execution tools only seek arbitrary solutions for given path constraints. These constraints do not incorporate the naturalness of inputs that observe statistical distributions, range constraints, or preferred string constants. This results in unnatural-looking inputs that fail to emulate real-world data. In this paper, we extend symbolic execution with consideration for incorporating naturalness. Our key insight is that users typically understand the semantics of program inputs, such as the distribution of height or possible values of zipcode, which can be leveraged to advance the ability of symbolic execution to produce natural test inputs. We instantiate this idea in NaturalSym, a symbolic execution-based test generation tool for data-intensive scalable computing (DISC) applications. NaturalSym generates natural-looking data that mimics real-world distributions by utilizing user-provided input semantics to drastically enhance the naturalness of inputs, while preserving strong bug-finding potential. On DISC applications and commercial big data test benchmarks, NaturalSym achieves a higher degree of realism —as evidenced by a perplexity score 35.1 points lower on median, and detects 1.29× injected faults compared to the state-of-the-art symbolic executor for DISC, BigTest. This is because BigTest draws inputs purely based on the satisfiability of path constraints constructed from branch predicates, while NaturalSym is able to draw natural concrete values based on user-specified semantics and prioritize using these values in input generation. Our empirical results demonstrate that NaturalSym finds injected faults 47.8× more than NaturalFuzz (a coverage-guided fuzzer) and 19.1× more than ChatGPT. Meanwhile, TestMiner (a mining-based approach) fails to detect any injected faults. NaturalSym is the first symbolic executor that combines the notion of input naturalness in symbolic path constraints during SMT-based input generation. We make our code available at https://github.com/UCLA-SEAL/NaturalSym.

Yuexing Wang,Min Zhou,Yu Jiang,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ase.2017.8115706

2017-01-01

Abstract:To reduce the false positives of static analysis, many tools collect path constraints and integrate SMT solvers to filter unreachable execution paths. However, the accumulated calling and computing of SMT solvers are time and resource consuming. This paper presents TsmartLW, an alternate static analysis tool in which we implement a path constraint solving engine to speed up reachability determination. Within the engine, typical types of constraint-patterns are firstly defined based on an empirical study of a large number of code repositories. For each pattern, a constraint solving algorithm is designed and implemented. For each program, the engine predicts the most suitable strategy and then applies the strategy to solve path constraints. The experimental results on some well-known benchmarks and real-world applications show that TsmartLW is faster than some state-of-the-art static analysis tools. For example, it is 1.32× faster than CPAchecker and our engine is 369× faster than SMT solvers in solving path constraints. The demo video is available at https://www.youtube.com/watch?v=5c3ARhFclHA&t=2s.

Zhiyi Zhang,Zhenyu Chen,Ruizhi Gao,Eric Wong,Baowen Xu

DOI: https://doi.org/10.1007/s11432-015-0450-5

2016-01-01

Science China Information Sciences

Abstract:Constraint solving is a frequent, but expensive operation with symbolic execution to generate tests for a program. To improve the efficiency of test generation using constraint solving, four optimization techniques are usually applied to existing constraint solvers, which are constraint independence, constraint set simplification, constraint caching, and expression rewriting. In this paper, we conducted an empirical study, using these four constraint optimization techniques in a well known test generation tool KLEE with 77 GNU Coreutils applications, to systematically investigate how these optimization techniques affect the efficiency of test generation. The experimental results show that these constraint optimization techniques as well as their combinations cannot improve the efficiency of test generation significantly for ALL-SIZED programs. Moreover, we studied the constraint optimization techniques with respect to two static metrics, lines of code(LOC) and cyclomatic complexity(CC), of programs. The experimental results show that the "constraint set simplification" technique can improve the efficiency of test generation significantly for the programs with high LOC and CC values. The"constraint caching" optimization technique can improve the efficiency of test generation significantly for the programs with low LOC and CC values. Finally, we propose four hybrid optimization strategies and practical guidelines based on different static metrics.

Ziyan Luo,Xujie Si

2024-06-04

Abstract:Solving Constrained Horn Clauses (CHCs) is a fundamental challenge behind a wide range of verification and analysis tasks. Data-driven approaches show great promise in improving CHC solving without the painstaking manual effort of creating and tuning various heuristics. However, a large performance gap exists between data-driven CHC solvers and symbolic reasoning-based solvers. In this work, we develop a simple but effective framework, "Chronosymbolic Learning", which unifies symbolic information and numerical data points to solve a CHC system efficiently. We also present a simple instance of Chronosymbolic Learning with a data-driven learner and a BMC-styled reasoner. Despite its relative simplicity, experimental results show the efficacy and robustness of our tool. It outperforms state-of-the-art CHC solvers on a dataset consisting of 288 benchmarks, including many instances with non-linear integer arithmetics.

Logic in Computer Science,Artificial Intelligence,Programming Languages