Tools and Algorithms for the Construction and Analysis of Systems

Volume 5505 of the series Lecture Notes in Computer Science pp 277-291

Test Input Generation for Programs with Pointers

  • Dries VanoverbergheAffiliated withKatholieke Universiteit Leuven
  • , Nikolai TillmannAffiliated withMicrosoft Research
  • , Frank PiessensAffiliated withKatholieke Universiteit Leuven


Software testing is an essential process to improve software quality in practice. Researchers have proposed several techniques to automate parts of this process. In particular, symbolic execution can be used to automatically generate a set of test inputs that achieves high code coverage.

However, most state-of-the-art symbolic execution approaches cannot directly handle programs whose inputs are pointers, as is often the case for C programs. Automatically generating test inputs for pointer manipulating code such as a linked list or balanced tree implementation remains a challenge. Eagerly enumerating all possible heap shapes forfeits the advantages of symbolic execution. Alternatively, for a tester, writing assumptions to express the disjointness of memory regions addressed by input pointers is a tedious and labor-intensive task.

This paper proposes a novel solution for this problem: by exploiting type information, disjointness constraints that characterize permissible configurations of typed pointers in byte-addressable memory can be automatically generated. As a result, the constraint solver can automatically generate relevant heap shapes for the program under test. We report on our experience with an implementation of this approach in Pex, a dynamic symbolic execution framework for .NET. We examine two different symbolic representations for typed memory, and we discuss the impact of various optimizations.


Test input generation symbolic execution pointers