Directed Symbolic Execution

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6887)


In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortest-distance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and call-chain-backward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, Mix-CCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU Coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, Mix-CCBSE performed best on average, combining to good effect the features of its constituent components.


Search Strategy Target Line Symbolic Execution Feasible Path Random Path 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bornat, R.: Proving pointer programs in Hoare logic. In: MPC, pp. 102–126 (2000)Google Scholar
  2. 2.
    Boyer, R.S., Elspas, B., Levitt, K.N.: SELECT–a formal system for testing and debugging programs by symbolic execution. In: ICRS, pp. 234–245 (1975)Google Scholar
  3. 3.
    Burnim, J., Sen, K.: Heuristics for scalable dynamic test generation. In: ASE, pp. 443–446 (2008)Google Scholar
  4. 4.
    Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, pp. 209–224 (2008)Google Scholar
  5. 5.
    Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. In: CCS, pp. 322–335 (2006)Google Scholar
  6. 6.
    Coreutils - GNU core utilities,
  7. 7.
    Edelkamp, S., Leue, S., Lluch-Lafuente, A.: Directed explicit-state model checking in the validation of communication protocols. Software Tools for Technology Transfer 5(2), 247–267 (2004)CrossRefzbMATHGoogle Scholar
  8. 8.
    Edelkamp, S., Lluch-Lafuente, A., Leue, S.: Trail-directed model checking. Electrical Notes Theoretical Computer Science 55(3), 343–356 (2001)CrossRefzbMATHGoogle Scholar
  9. 9.
    Fähndrich, M., Rehof, J., Das, M.: Scalable context-sensitive flow analysis using instantiation constraints. In: PLDI, pp. 253–263 (2000)Google Scholar
  10. 10.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: PLDI, pp. 213–223 (2005)Google Scholar
  12. 12.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Active property checking. In: EMSOFT, pp. 207–216 (2008)Google Scholar
  13. 13.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: NDSS (2008)Google Scholar
  14. 14.
    Groce, A., Visser, W.: Model checking Java programs using structural heuristics. In: ISSTA, pp. 12–21 (2002)Google Scholar
  15. 15.
    Howden, W.E.: Symbolic testing and the DISSECT symbolic evaluation system. IEEE Transactions on Software Engineering 3(4), 266–278 (1977)CrossRefzbMATHGoogle Scholar
  16. 16.
    Khoo, Y.P., Chang, B.-Y.E., Foster, J.S.: Mixing type checking and symbolic execution. In: PLDI, pp. 436–447 (2010)Google Scholar
  17. 17.
    King, J.C.: Symbolic execution and program testing. CACM 19(7), 385–394 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    The KLEE Symbolic Virtual Machine,
  19. 19.
    Kodumal, J., Aiken, A.: The set constraint/CFL reachability connection in practice. In: PLDI, pp. 207–218 (2004)Google Scholar
  20. 20.
    Kupferschmid, S., Hoffmann, J., Dierks, H., Behrmann, G.: Adapting an AI planning heuristic for directed model checking. In: Valmari, A. (ed.) SPIN 2006. LNCS, vol. 3925, pp. 35–52. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Landi, W., Ryder, B.G.: Pointer-induced aliasing: a problem taxonomy. In: POPL, pp. 93–103 (1991)Google Scholar
  22. 22.
    Lattner, C., Adve, V.: LLVM: a compilation framework for lifelong program analysis transformation. In: CGO, pp. 75–86 (2004)Google Scholar
  23. 23.
    Ma, K.-K., Khoo, Y.P., Foster, J.S., Hicks, M.: Directed symbolic execution. Technical Report CS-TR-4979, UMD-College Park (April 2011)Google Scholar
  24. 24.
    Majumdar, R., Sen, K.: Hybrid concolic testing. In: ICSE, pp. 416–426 (2007)Google Scholar
  25. 25.
    Meyering, J.: Seq: give a proper diagnostic for an invalid –format=% option (2008),
  26. 26.
    Morris, J.M.: A general axiom of assignment. Assignment and linked data structure. A proof of the Schorr-Waite algorithm. In: Broy, M., Schmidt, G. (eds.) Theoretical Foundations of Programming Methodology, pp. 25–51 (1982)Google Scholar
  27. 27.
    Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: CIL: Intermediate language and tools for analysis and transformation of C programs. In: CC 2002. LNCS, vol. 2304, pp. 213–228. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  28. 28.
    The Newlib Homepage,
  29. 29.
    Osterweil, L.J., Fosdick, L.D.: Program testing techniques using simulated execution. In: ANSS, pp. 171–177 (1976)Google Scholar
  30. 30.
    Rehof, J., Fähndrich, M.: Type-base flow analysis: from polymorphic subtyping to CFL-reachability. In: PLDI, pp. 54–66 (2001)Google Scholar
  31. 31.
    Reisner, E., Song, C., Ma, K.-K., Foster, J.S., Porter, A.: Using symbolic evaluation to understand behavior in configurable software systems. In: ICSE, pp. 445–454 (2010)Google Scholar
  32. 32.
    Reps, T.W.: Program analysis via graph reachability. In: ILPS, pp. 5–19 (1997)Google Scholar
  33. 33.
  34. 34.
    Xie, T., Tillmann, N., de Halleux, J., Schulte, W.: Fitness-guided path exploration in dynamic symbolic execution. In: DSN, pp. 359–368 (2009)Google Scholar
  35. 35.
    Zamfir, C.: Personal communication (May 2011)Google Scholar
  36. 36.
    Zamfir, C., Candea, G.: Execution synthesis: a technique for automated software debugging. In: EuroSys, pp. 321–334 (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  1. 1.Computer Science DepartmentUniversity of MarylandCollege ParkUSA

Personalised recommendations