Combining Model Checking and Symbolic Execution for Software Testing
Techniques for checking complex software range from model checking and static analysis to testing. Over the years, we have developed a tool, Symbolic PathFinder (SPF), that aims to leverage the power of systematic analysis techniques, such as model checking and symbolic execution, for thorough testing of complex software. Symbolic PathFinder analyzes Java programs by systematically exploring a symbolic representation of the programs’ behaviors, and it generates test cases that are guaranteed to cover the explored paths. The tool also analyzes different thread interleavings and checks properties of the code during test generation. Furthermore, SPF uses off-the-shelf decision procedures to solve mixed integer-real constraints and uses “lazy initialization” to handle complex input data structures. Recently, SPF has been extended with “mixed concrete-symbolic” constraint solving capabilities to handle external library calls and to address the incompleteness of decision procedures. The tool is part of the Java PathFinder open-source tool-set and has been applied in many projects at NASA, in industry and in academia. We review the tool and its applications, and we discuss how it compares with related “dynamic” symbolic execution approaches.