Scaling symbolic execution using staged analysis

  • Junaid Haroon Siddiqui
  • Sarfraz Khurshid


Recent advances in constraint solving technology and raw computation power have led to a substantial increase in the effectiveness of techniques based on symbolic execution for systematic bug finding. However, scaling symbolic execution remains a challenging problem. We present a novel approach to increase the efficiency of symbolic execution for systematic testing of object-oriented programs. Our insight is that we can apply symbolic execution in stages, rather than the traditional approach of applying it all at once, to compute abstract symbolic inputs that can later be shared across different methods to test them systematically. For example, a class invariant can provide the basis of generating abstract symbolic tests that are then used to symbolically execute several methods that require their inputs to satisfy the invariant. We present an experimental evaluation to compare our approach against KLEE, a state-of-the-art implementation of symbolic execution. Results show that our approach enables significant savings in the cost of systematic testing using symbolic execution.
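As an added illustration (not the paper's tool, nor code from its authors), the staging idea in miniature: programs are written as explicit decision trees over symbolic integer inputs, a brute-force bounded-domain check stands in for the constraint solver, and the cost of each approach is counted in solver queries. Stage 1 explores a constructed class invariant once and keeps the path conditions of accepting paths as abstract symbolic inputs; stage 2 starts each method from those, while the all-at-once baseline re-explores the invariant in front of every method.

```python
# Toy model of staged symbolic execution (added illustration, not the paper's tool).
# Programs are decision trees over symbolic integers; the "solver" brute-forces a
# small bounded domain to decide path feasibility.
from itertools import product

VARS, DOMAIN = ("a", "b", "x"), range(4)   # a, b: object fields; x: method argument
OK, REJECT = "ok", "reject"                # leaves of the class invariant
def branch(cond, yes, no): return ("branch", cond, yes, no)  # cond: env dict -> bool
def leaf(value): return ("leaf", value)

def feasible(pc):
    """Brute-force solver: does some valuation satisfy every predicate in pc?"""
    return any(all(p(dict(zip(VARS, vals))) for p in pc)
               for vals in product(DOMAIN, repeat=len(VARS)))

def explore(prog, pc, stats):
    """Symbolic execution of prog from path condition pc -> feasible (pc, leaf) paths."""
    if prog[0] == "leaf":
        return [(pc, prog[1])]
    _, cond, yes, no = prog
    paths = []
    for pred, sub in ((cond, yes), (lambda e: not cond(e), no)):
        stats["queries"] += 1              # one solver call per branch outcome
        if feasible(pc + [pred]):
            paths += explore(sub, pc + [pred], stats)
    return paths

def chain(inv, method):
    """All-at-once analysis: splice the method after each accepting invariant leaf."""
    if inv[0] == "leaf":
        return method if inv[1] == OK else inv
    return branch(inv[1], chain(inv[2], method), chain(inv[3], method))

def staged(inv, methods):
    """Stage 1 explores the invariant once; stage 2 reuses its abstract inputs."""
    stats = {"queries": 0}
    abstract = [pc for pc, v in explore(inv, [], stats) if v == OK]
    res = {n: [p for pc in abstract for p in explore(m, pc, stats)]
           for n, m in methods.items()}
    return stats["queries"], res

def unstaged(inv, methods):
    """Baseline: the invariant is re-explored for every method."""
    stats = {"queries": 0}
    res = {n: [p for p in explore(chain(inv, m), [], stats) if p[1] != REJECT]
           for n, m in methods.items()}
    return stats["queries"], res

# Constructed example: an ordered pair whose invariant is a <= b <= 2.
INV = branch(lambda e: e["a"] > e["b"], leaf(REJECT),
             branch(lambda e: e["b"] > 2, leaf(REJECT), leaf(OK)))
METHODS = {"min": branch(lambda e: e["a"] < e["b"], leaf("a"), leaf("b")),
           "find": branch(lambda e: e["x"] == e["a"], leaf("found"),
                          branch(lambda e: e["x"] == e["b"], leaf("found"), leaf("absent")))}
```

Both approaches reach the same feasible method paths, but the staged run pays for the invariant's four solver queries once rather than once per method, and the gap grows with the number of methods sharing the invariant.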


Keywords: Software testing, Symbolic execution, Staged analysis



We thank Darko Marinov for detailed comments on an earlier draft of this paper. This work was funded in part by the Fulbright Program, the NSF under Grant Nos. CCF-0845628 and IIS-0438967, and AFOSR grant FA9550-09-1-0351.



Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  1. LUMS School of Science and Engineering, DHA, Lahore, Pakistan
  2. The University of Texas at Austin, Austin, USA
