research-article

MultiSE: multi-path symbolic execution using value summaries

Authors:

Wontae ChoiAuthors Info & Claims

ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

Pages 842 - 853

https://doi.org/10.1145/2786805.2786830

Published: 30 August 2015 Publication History

Abstract

Dynamic symbolic execution (DSE) has been proposed to effectively generate test inputs for real-world programs. Unfortunately, DSE techniques do not scale well for large realistic programs, because often the number of feasible execution paths of a program increases exponentially with the increase in the length of an execution path. In this paper, we propose MultiSE, a new technique for merging states incrementally during symbolic execution, without using auxiliary variables. The key idea of MultiSE is based on an alternative representation of the state, where we map each variable, including the program counter, to a set of guarded symbolic expressions called a value summary. MultiSE has several advantages over conventional DSE and conventional state merging techniques: value summaries enable sharing of symbolic expressions and path constraints along multiple paths and thus avoid redundant execution. MultiSE does not introduce auxiliary symbolic variables, which enables it to 1) make progress even when merging values not supported by the constraint solver, 2) avoid expensive constraint solver calls when resolving function calls and jumps, and 3) carry out most operations concretely. Moreover, MultiSE updates value summaries incrementally at every assignment instruction, which makes it unnecessary to identify the join points and to keep track of variables to merge at join points. We have implemented MultiSE for JavaScript programs in a publicly available open-source tool. Our evaluation of MultiSE on several programs shows that 1) value summaries are an eective technique to take advantage of the sharing of value along multiple execution path, that 2) MultiSE can run significantly faster than traditional dynamic symbolic execution and, 3) MultiSE saves a substantial number of state merges compared to conventional state-merging techniques.

References

[1]

S. Anand, P. Godefroid, and N. Tillmann. Demand-driven compositional symbolic execution. In TACAS, pages 367–381, 2008.

Digital Library

[2]

S. Anand and M. J. Harrold. Heap cloning: Enabling dynamic symbolic execution of java programs. In ASE, pages 33–42, 2011.

Digital Library

[3]

S. Anand, C. S. Păsăreanu, and W. Visser. JPF-SE: a symbolic execution extension to Java PathFinder. In TACAS’07, 2007.

Digital Library

[4]

S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst. Finding bugs in dynamic web applications. In ISSTA’08, 2008.

Digital Library

[5]

T. Avgerinos, A. Rebert, S. K. Cha, and D. Brumley. Enhancing symbolic execution with veritesting. In Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pages 1083–1094, New York, NY, USA, 2014. ACM.

Digital Library

[6]

C. Barrett and C. Tinelli. CVC3. In 19th International Conference on Computer Aided Verification (CAV ’07), volume 4590 of LNCS, pages 298–302, 2007.

Digital Library

[7]

P. Boonstoppel, C. Cadar, and D. Engler. RWset: Attacking path explosion in constraint-based test generation. In TACAS’08, 2008.

Digital Library

[8]

A. Bouajjani, C. Dragoi, C. Enea, and M. Sighireanu. On inter-procedural analysis of programs with lists and data. In PLDI, pages 578–589, 2011.

Digital Library

[9]

R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Trans. Computers, 35(8):677–691, 1986.

Digital Library

[10]

J. Burnim and K. Sen. Heuristics for scalable dynamic test generation. In ASE’08, Sept. 2008.

Digital Library

[11]

C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI’08, Dec 2008.

Digital Library

[12]

C. Calcagno, D. Distefano, P. W. O’Hearn, and H. Yang. Compositional shape analysis by means of bi-abduction. J. ACM, 58(6):26, 2011.

Digital Library

[13]

A. Chakrabarti and P. Godefroid. Software partitioning for effective automated unit testing. In EMSOFT, pages 262–271, 2006.

Digital Library

[14]

B.-C. Cheng and W. mei W. Hwu. Modular interprocedural pointer analysis using access paths: design, implementation, and evaluation. In PLDI, pages 57–69, 2000.

Digital Library

[15]

S. Cherem, L. Princehouse, and R. Rugina. Practical memory leak detection using guarded value-flow analysis. In PLDI, pages 480–491, 2007.

Digital Library

[16]

V. Chipounov, V. Kuznetsov, and G. Candea. The s2e platform: Design, implementation, and applications. ACM Trans. Comput. Syst., 30(1):2, 2012.

Digital Library

[17]

L. A. Clarke. A program testing system. In Proc. of the 1976 annual conference, pages 488–491, 1976.

Digital Library

[18]

I. Dillig, T. Dillig, A. Aiken, and M. Sagiv. Precise and compact modular procedure summaries for heap manipulating programs. In PLDI, pages 567–577, 2011.

Digital Library

[19]

P. Godefroid. Compositional dynamic test generation. In POPL’07, Jan. 2007.

Digital Library

[20]

P. Godefroid, N. Klarlund, and K. Sen. DART: Directed Automated Random Testing. In PLDI’05, June 2005.

Digital Library

[21]

P. Godefroid, S. K. Lahiri, and C. Rubio-González. Statically validating must summaries for incremental compositional dynamic test generation. In SAS, pages 112–128, 2011.

Digital Library

[22]

P. Godefroid, M. Levin, and D. Molnar. Automated Whitebox Fuzz Testing. In NDSS’08, Feb. 2008.

[23]

P. Godefroid, A. V. Nori, S. K. Rajamani, and S. D. Tetali. Compositional may-must program analysis: unleashing the power of alternation. In POPL’10, 2010.

Digital Library

[24]

B. S. Gulavani, S. Chakraborty, G. Ramalingam, and A. V. Nori. Bottom-up shape analysis using lisf. ACM Trans. Program. Lang. Syst., 33(5):17, 2011.

Digital Library

[25]

S. Gulwani and A. Tiwari. Computing procedure summaries for interprocedural analysis. In ESOP, pages 253–267, 2007.

Digital Library

[26]

D. L. Heine and M. S. Lam. A practical flow-sensitive and context-sensitive c and c++ memory leak detector. In PLDI, pages 168–181, 2003.

Digital Library

[27]

J. Jaffar, V. Murali, and J. A. Navas. Boosting concolic testing via interpolation. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pages 48–58, New York, NY, USA, 2013. ACM.

Digital Library

[28]

J. Jaffar, V. Murali, J. A. Navas, and A. E. Santosa. Tracer: A symbolic execution tool for verification. In CAV, pages 758–766, 2012.

Digital Library

[29]

K. Jayaraman, D. Harvison, V. Ganesh, and A. Kiezun. jFuzz: A concolic whitebox fuzzer for Java. In In NFM’09, Apr. 2009.

[30]

J. C. King. Symbolic execution and program testing. Commun. ACM, 19:385–394, July 1976.

Digital Library

[31]

J. Kreiker, T. W. Reps, N. Rinetzky, M. Sagiv, R. Wilhelm, and E. Yahav. Interprocedural shape analysis for effectively cutpoint-free programs. In Programming Logics, pages 414–445, 2013.

[32]

V. Kuznetsov, J. Kinder, S. Bucur, and G. Candea. Efficient state merging in symbolic execution. In PLDI, pages 193–204, 2012.

Digital Library

[33]

G. Li, I. Ghosh, and S. P. Rajan. Klover: A symbolic execution and automatic test generation tool for c++ programs. In CAV, pages 609–615, 2011.

Digital Library

[34]

R. Majumdar and R.-G. Xu. Reducing test inputs using information partitions. In CAV’09, LNCS, pages 555–569, 2009.

Digital Library

[35]

K. L. McMillan. Lazy annotation for program testing and verification. In CAV, pages 104–118, 2010.

Digital Library

[36]

C. Pasareanu, P. Mehlitz, D. Bushnell, K. Gundy-Burlet, M. Lowry, S. Person, and M. Pape. Combining unit-level symbolic execution and system-level concrete execution for testing NASA software. In ISSTA’08, July 2008.

Digital Library

[37]

D. Qi, A. Roychoudhury, Z. Liang, and K. Vaswani. Darwin: an approach for debugging evolving programs. In ESEC/FSE, pages 33–42, 2009.

Digital Library

[38]

T. W. Reps, S. Horwitz, and S. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL, pages 49–61, 1995.

Digital Library

[39]

X. Rival and B.-Y. E. Chang. Calling context abstraction with shapes. In POPL, pages 173–186, 2011.

Digital Library

[40]

R. A. Santelices, P. K. Chittimalli, T. Apiwattanapong, A. Orso, and M. J. Harrold. Test-suite augmentation for evolving software. In ASE, pages 218–227, 2008.

Digital Library

[41]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP ’10, pages 513–528. IEEE, 2010.

Digital Library

[42]

K. Sen and G. Agha. CUTE and jCUTE : Concolic unit testing and explicit path model-checking tools. In CAV’06, 2006.

Digital Library

[43]

K. Sen, S. Kalasapur, T. Brutch, and S. Gibbs. Jalangi: A selective record-replay and dynamic analysis framework for javascript. In ESEC/FSE’13, August 2013. To appear.

Digital Library

[44]

K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In ESEC/FSE’05, Sep 2005.

Digital Library

[45]

M. Sharir and A. Pnueli. Two approaches to interprocedural data flow analysis, chapter 7, pages 189–234. Prentice-Hall, Englewood Cliffs, NJ, 1981.

[46]

N. Sinha. Symbolic program analysis using term rewriting and generalization. In Proceedings of the 2008 International Conference on Formal Methods in Computer-Aided Design, page 19. IEEE Press, 2008.

Digital Library

[47]

D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In ICISS’08, Dec. 2008.

Digital Library

[48]

N. Tillmann and J. de Halleux. Pex - white box test generation for .NET. In TAP’08, Apr 2008.

Digital Library

[49]

E. Torlak and R. Bodik. A lightweight symbolic virtual machine for solver-aided host languages. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’14, pages 530–541, New York, NY, USA, 2014. ACM.

Digital Library

[50]

W. Visser, C. S. Pˇ asˇ areanu, and R. Pelánek. Test input generation for java containers using state matching. In ISSTA’06, July 2006.

Digital Library

[51]

J. Whaley and M. C. Rinard. Compositional pointer and escape analysis for java programs. In OOPSLA, pages 187–206, 1999.

Digital Library

[52]

Y. Xie and A. Aiken. Scalable error detection using boolean satisfiability. In POPL, pages 351–363, 2005.

Digital Library

[53]

G. Yang, S. Khurshid, and C. S. Pasareanu. Memoise: a tool for memoized symbolic execution. In ICSE, pages 1343–1346, 2013.

Digital Library

[54]

G. Yorsh, E. Yahav, and S. Chandra. Generating precise and concise procedure summaries. In POPL, pages 221–234, 2008.

Digital Library

Cited By

Herklotz YWickerson J(2024)Hyperblock Scheduling for Verified High-Level SynthesisProceedings of the ACM on Programming Languages10.1145/36564558:PLDI(1929-1953)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656455
Yi QYu YYang G(2024)Compatible Branch Coverage Driven Symbolic Execution for Efficient Bug FindingProceedings of the ACM on Programming Languages10.1145/36564438:PLDI(1633-1655)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656443
Hu JDuan YYin HRoychoudhury APaiva AAbreu RStorey M(2024)Marco: A Stochastic Asynchronous Concolic ExplorerProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623301(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623301
Show More Cited By

Index Terms

MultiSE: multi-path symbolic execution using value summaries
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Concolic testing: a decade later (keynote)
WODA 2015: Proceedings of the 13th International Workshop on Dynamic Analysis

Symbolic execution for software testing has witnessed renewed interest in the recent years due to its ability to generate high-coverage test suites and find deep errors in software systems. In this talk, I will give an overview of a modern symbolic ...
Exploiting program dependencies for scalable multiple-path symbolic execution
ISSTA '10: Proceedings of the 19th international symposium on Software testing and analysis

This paper presents a new technique, called Symbolic Program Decomposition (or SPD), for symbolic execution of multiple paths that is more scalable than existing techniques, which symbolically execute control-flow paths individually. SPD exploits ...
Dynamic symbolic execution for polymorphism
CC 2017: Proceedings of the 26th International Conference on Compiler Construction

Symbolic execution is an important program analysis technique that provides auxiliary execution semantics to execute programs with symbolic rather than concrete values. There has been much recent interest in symbolic execution for automatic test case ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

August 2015

1068 pages

ISBN:9781450336758

DOI:10.1145/2786805

General Chair:
Elisabetta Di Nitto
Politecnico di Milano, Italy
,
Program Chairs:
Mark Harman
University College London, UK
,
Patrick Heymans
University of Namur, Belgium

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 August 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

ESEC/FSE'15

Sponsor:

SIGSOFT

ESEC/FSE'15: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

August 30 - September 4, 2015

Bergamo, Italy

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

83
Total Citations
View Citations
915
Total Downloads

Downloads (Last 12 months)117
Downloads (Last 6 weeks)35

Reflects downloads up to 05 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Herklotz YWickerson J(2024)Hyperblock Scheduling for Verified High-Level SynthesisProceedings of the ACM on Programming Languages10.1145/36564558:PLDI(1929-1953)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656455
Yi QYu YYang G(2024)Compatible Branch Coverage Driven Symbolic Execution for Efficient Bug FindingProceedings of the ACM on Programming Languages10.1145/36564438:PLDI(1633-1655)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656443
Hu JDuan YYin HRoychoudhury APaiva AAbreu RStorey M(2024)Marco: A Stochastic Asynchronous Concolic ExplorerProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623301(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623301
Shi JChen YLi QHuang YYang YZhao M(2024)Automated Test Cases Generator for IEC 61131-3 Structured Text Based Dynamic Symbolic ExecutionIEEE Transactions on Computers10.1109/TC.2024.335128573:4(1048-1059)Online publication date: Apr-2024
https://doi.org/10.1109/TC.2024.3351285
Liu ZAn KCao Y(2024)Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00121(4015-4033)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00121
Trabish DRinetzky NShoham SSharma VChandra SBlincoe KTonella P(2023)State Merging with Quantifiers in Symbolic ExecutionProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616287(1140-1152)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616287
Pick LDesai AGupta A(2023)Psym: Efficient Symbolic Exploration of Distributed SystemsProceedings of the ACM on Programming Languages10.1145/35912477:PLDI(660-685)Online publication date: 6-Jun-2023
https://dl.acm.org/doi/10.1145/3591247
Lu SBodík R(2023)Grisette: Symbolic Compilation as a Functional Programming LibraryProceedings of the ACM on Programming Languages10.1145/35712097:POPL(455-487)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3571209
Hussein SYan QMcCamant SSharma VWhalen M(2023)Java Ranger: Supporting String and Array Operations in Java Ranger (Competition Contribution)Tools and Algorithms for the Construction and Analysis of Systems10.1007/978-3-031-30820-8_35(553-558)Online publication date: 22-Apr-2023
https://dl.acm.org/doi/10.1007/978-3-031-30820-8_35
He WMestre JPupyrev SWang LYu H(2022)Profile inference revisitedProceedings of the ACM on Programming Languages10.1145/34987146:POPL(1-24)Online publication date: 12-Jan-2022
https://dl.acm.org/doi/10.1145/3498714
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents