
A survey of new trends in symbolic execution for software testing and analysis

  • Corina S. Păsăreanu
  • Willem Visser
Regular Paper

Abstract

Symbolic execution is a well-known program analysis technique which represents program inputs with symbolic values instead of concrete, initialized data and executes the program by manipulating program expressions involving the symbolic values. Symbolic execution was proposed over three decades ago, but it has recently found renewed interest in the research community, due in part to progress in decision procedures, the availability of powerful computers and new algorithmic developments. We provide here a survey of some of the new research trends in symbolic execution, with particular emphasis on applications to test generation and program analysis. We first describe an approach that handles complex programming constructs such as input recursive data structures and arrays, as well as multithreading. Furthermore, we describe recent hybrid techniques that combine concrete and symbolic execution to overcome some of the inherent limitations of symbolic execution, such as handling native code or the availability of decision procedures for the application domain. We follow with a discussion of techniques that can be used to limit the (possibly infinite) number of symbolic configurations that need to be analyzed for the symbolic execution of looping programs. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution.

Keywords

Model Checker, Decision Procedure, Path Condition, Symbolic Execution, Symbolic State

Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  1. NASA Ames Research Center, Carnegie Mellon University, Moffett Field, USA
  2. Department of Computer Science, University of Stellenbosch, Stellenbosch, South Africa
