Constraints in Dynamic Symbolic Execution: Bitvectors or Integers?

  • Conference paper
Tests and Proofs (TAP 2019)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11823)

Abstract

Dynamic symbolic execution is a technique that analyses programs by gathering mathematical constraints along execution paths. To achieve bit-level precision, one must use the theory of bitvectors. However, other theories might achieve higher performance, justifying in some cases the possible loss of precision.

In this paper, we explore the impact of using the theory of integers on the precision and performance of dynamic symbolic execution of C programs. In particular, we compare an implementation of the symbolic executor KLEE using a partial solver based on the theory of integers, with a standard implementation of KLEE using a solver based on the theory of bitvectors, both employing the popular SMT solver Z3. To our surprise, our evaluation on a synthetic sort benchmark, the ECA set of Test-Comp 2019 benchmarks, and GNU Coreutils revealed that for most applications the integer solver did not lead to any loss of precision, but the overall performance difference was rarely significant.
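
The loss of precision the abstract refers to can be seen on a constructed wrap-around check, where the same branch condition is satisfiable under bitvector semantics and unsatisfiable under integer semantics. This is an added example, not code from the paper or from KLEE; the branch, the 8-bit width, and the names `branch_taken` and `count_models` are assumptions, and exhaustive enumeration stands in for a solver query.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed branch under test, over an 8-bit unsigned input x:
 *     if (x + 100 < x) { overflow-handling path }
 * branch_taken() encodes this one condition in two theories. */

enum theory { THEORY_BITVECTOR, THEORY_INTEGER };

/* Evaluate the branch condition for one concrete x under the given theory. */
static int branch_taken(enum theory t, int x) {
    if (t == THEORY_BITVECTOR) {
        /* Bitvector semantics: the sum wraps modulo 2^8, as uint8_t does. */
        uint8_t sum = (uint8_t)(x + 100);
        return sum < (uint8_t)x;
    }
    /* Integer semantics: x is a mathematical integer in [0, 255], no wrap. */
    long sum = (long)x + 100;
    return sum < (long)x;
}

/* Stand-in for a solver query: enumerate the whole 8-bit domain, return the
 * number of satisfying inputs and store the smallest one (-1 if none). */
int count_models(enum theory t, int *witness) {
    int n = 0;
    *witness = -1;
    for (int x = 0; x <= 255; x++) {
        if (branch_taken(t, x)) {
            if (*witness < 0) *witness = x;
            n++;
        }
    }
    return n;
}

int main(void) {
    int w_bv, w_int;
    int n_bv = count_models(THEORY_BITVECTOR, &w_bv);
    int n_int = count_models(THEORY_INTEGER, &w_int);
    printf("bitvector: %d models, first witness x=%d\n", n_bv, w_bv);
    printf("integer:   %d models, first witness x=%d\n", n_int, w_int);
    return 0;
}
```

Under the integer encoding the guarded path has no model, so an executor relying on it alone would treat the overflow-handling code as infeasible and generate no test for it.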

Notes

  1. Symbolic execution tools that use integer solvers typically do not handle such operations, e.g. CREST reverts to the concrete case when encountering a bitwise operation.

  2. Available at https://github.com/kren1/klee/tree/int_constraints.

  3. Available at https://github.com/kren1/klee/commits/int_testcomp.

  4. https://github.com/sosy-lab/sv-benchmarks.

  5. https://www.gnu.org/software/coreutils/.

  6. http://klee.github.io/docs/coreutils-experiments/.

Acknowledgements

We would like to thank Yannick Moy for challenging us at the Dagstuhl Seminar 19062 to pursue this direction of research, and Frank Busse and the anonymous reviewers for their valuable feedback. This research was generously sponsored by the UK EPSRC via grant EP/N007166/1 and a PhD studentship.

Author information

Corresponding author

Correspondence to Martin Nowack.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Kapus, T., Nowack, M., Cadar, C. (2019). Constraints in Dynamic Symbolic Execution: Bitvectors or Integers?. In: Beyer, D., Keller, C. (eds) Tests and Proofs. TAP 2019. Lecture Notes in Computer Science, vol 11823. Springer, Cham. https://doi.org/10.1007/978-3-030-31157-5_3

  • DOI: https://doi.org/10.1007/978-3-030-31157-5_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31156-8

  • Online ISBN: 978-3-030-31157-5

  • eBook Packages: Computer Science (R0)
