A Comparative Study of Incremental Constraint Solving Approaches in Symbolic Execution

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8855)


Constraint solving is a major source of cost in Symbolic Execution (SE). This paper presents a study to assess the importance of some sensible options for solving constraints in SE. The main observation is that stack-based approaches to incremental solving is often much faster compared to cache-based approaches, which are more popular. Considering all 96 C programs from the KLEE benchmark that we analyzed, the median speedup obtained with a (non-optimized) stack-based approach was of 5x. Results suggest that tools should take advantage of incremental solving support from modern SMT solvers and researchers should look for ways to combine stack- and cache-based approaches to reduce execution cost even further. Instructions to reproduce results are available online:


Time Budget Boolean Expression Symbolic Execution Constraint Solver Path Constraint 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alt-Ergo webpage,
  2. 2.
    Boolector webpage,
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    MathSAT5 webpage,
  7. 7.
    RUGRAT webpage,
  8. 8.
  9. 9.
  10. 10.
  11. 11.
    Audemard, G., Lagniez, J.-M., Simon, L.: Improving Glucose for Incremental SAT Solving with Assumptions: Application to MUS Extraction. In: Järvisalo, M., Van Gelder, A. (eds.) SAT 2013. LNCS, vol. 7962, pp. 309–317. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  12. 12.
    Bankovic, M.: Argosmtexpression: an smt-lib 2.0 compliant expression library. In: Workshop of the SAT (June 2012)Google Scholar
  13. 13.
    Borges, M., Filieri, A., d’Amorim, M., Păsăreanu, C.S., Visser, W.: Compositional solution space quantification for probabilistic software analysis. In: PLDI, pp. 123–132 (2014)Google Scholar
  14. 14.
    Boyer, R.S., Elspas, B., Levitt, K.N.: SELECT - A Formal System for Testing and Debugging Programs by Symbolic Execution. In: International Conference on Reliable Software, pp. 234–245 (1975)Google Scholar
  15. 15.
    Burnim, J., Sen, K.: Heuristics for scalable dynamic test generation. In: ASE 2008, pp. 443–446 (2008)Google Scholar
  16. 16.
    Cadar, C., Dunbar, D., Engler, D.: Klee: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, pp. 209–224 (2008)Google Scholar
  17. 17.
    Cadar, C., Godefroid, P., Khurshid, S., Pasareanu, C.S., Sen, K., Tillmann, N., Visser, W.: Symbolic execution for software testing in practice: preliminary assessment. In: ICSE, pp. 1066–1071 (2011)Google Scholar
  18. 18.
    Clarke, L.A.: A Program Testing System. In: ACM Annual Conference, pp. 488–491 (1976)Google Scholar
  19. 19.
    Howden, W.E.: Symbolic Testing and the DISSECT Symbolic Evaluation System. IEEE TSE 3(4), 266–278 (1977)zbMATHGoogle Scholar
  20. 20.
    Hussain, I., Csallner, C., Grechanik, M., Fu, C., Xie, Q., Park, S., Taneja, K., Hossain, B.M.M.: Evaluating program analysis and testing tools with the RUGRAT random benchmark application generator. In: WODA, pp. 1–6 (2012)Google Scholar
  21. 21.
  22. 22.
    King, J.C.: Symbolic execution and program testing. Communications of ACM 19(7), 385–394 (1976)CrossRefzbMATHGoogle Scholar
  23. 23.
    Li, Y., Albarghouthi, A., Kincaid, Z., Gurfinkel, A., Chechik, M.: Symbolic optimization with smt solvers. SIGPLAN Not. 49(1), 607–618 (2014)Google Scholar
  24. 24.
    Liu, T., Nagel, M., Taghdiri, M.: Bounded program verification using an smt solver: A case study. In: ICST, pp. 101–110 (2012)Google Scholar
  25. 25.
    Pasareanu, C.S., Visser, W.: A survey of new trends in symbolic execution for software testing and analysis. STTT 11(4), 339–353 (2009)CrossRefGoogle Scholar
  26. 26.
    Păsăreanu, C.S., Rungta, N.: Symbolic PathFinder: symbolic execution of Java bytecode. In: ASE, pp. 179–180 (2010)Google Scholar
  27. 27.
    Ramamoorthy, C., Ho, S., Chert, W.: On the automated generation of program test data. IEEE TSE 2(4), 293–300 (1976)Google Scholar
  28. 28.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: SP, pp. 317–331 (2010)Google Scholar
  29. 29.
    SMT-LIB webpage,
  30. 30.
  31. 31.
    Steiner, W.: An evaluation of smt-based schedule synthesis for time-triggered multi-hop networks. In: RTSS, pp. 375–384 (2010)Google Scholar
  32. 32.
    Tillmann, N., de Halleux, J.: Pex–white box test generation for.NET. In: Beckert, B., Hähnle, R. (eds.) TAP 2008. LNCS, vol. 4966, pp. 134–153. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Visser, W., Geldenhuys, J., Dwyer, M.B.: Green: Reducing, reusing and recycling constraints in program analysis. In: FSE, pp. 1–11 (2012)Google Scholar
  34. 34.
    Visser, W., Geldenhuys, J., Dwyer, M.B.: Green: Reducing, reusing and recycling constraints in program analysis. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE 2012, pp. 58:1–58:11. ACM, New York (2012)Google Scholar
  35. 35.
    Yang, G., Khurshid, S., Pasareanu, C.S.: Memoise: A tool for memoized symbolic execution. In: ICSE, pp. 1343–1346 (May 2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Karlsruhe Institute of TechnologyGermany
  2. 2.Federal University of PernambucoBrazil

Personalised recommendations