Directed Symbolic Execution

  • Conference paper
Static Analysis (SAS 2011)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 6887)

Abstract

In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortest-distance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and call-chain-backward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, Mix-CCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU Coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, Mix-CCBSE performed best on average, combining to good effect the features of its constituent components.
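The idea behind SDSE as the abstract states it, sketched as an added example (not code from the paper or its tool): pending states are ordered by their shortest control-flow-graph distance to the target line. The toy graph, its guards, the function names `distances_to` and `sdse`, and the brute-force feasibility check standing in for an SMT solver are all assumptions made for illustration; the graph is intraprocedural, whereas the paper works on an interprocedural one.

```python
import heapq
from collections import deque

# Constructed toy CFG: node -> [(successor, guard on input x)]; None = unconditional.
# The edge entry->d is the shortest route to the target but its guard is infeasible.
CFG = {
    "entry": [("d", lambda x: x > 20), ("a", lambda x: x % 2 == 0), ("b", lambda x: x % 2 == 1)],
    "d":     [("target", None)],
    "a":     [("a1", None)],
    "a1":    [("a2", None)],
    "a2":    [("c", None)],
    "b":     [("c", lambda x: x > 10), ("exit", lambda x: x <= 10)],
    "c":     [("target", lambda x: x % 3 == 0), ("exit", lambda x: x % 3 != 0)],
    "target": [], "exit": [],
}
DOMAIN = range(16)  # assumption: brute-force stand-in for a solver's feasibility query

def distances_to(target):
    """Shortest edge count from each node to target (reverse BFS over the CFG)."""
    preds = {n: [] for n in CFG}
    for n, succs in CFG.items():
        for s, _ in succs:
            preds[s].append(n)
    dist, queue = {target: 0}, deque([target])
    while queue:
        n = queue.popleft()
        for p in preds[n]:
            if p not in dist:
                dist[p] = dist[n] + 1
                queue.append(p)
    return dist

def sdse(target, start="entry"):
    """Always step the pending state nearest the target; return (input, states stepped)."""
    dist = distances_to(target)
    heap, tick, steps = [(dist[start], 0, start, [])], 1, 0
    while heap:
        _, _, node, path = heapq.heappop(heap)
        steps += 1
        models = [x for x in DOMAIN if all(g(x) for g in path)]
        if not models:
            continue                    # path condition unsatisfiable: prune this state
        if node == target:
            return models[0], steps     # concrete input that drives execution to target
        for succ, guard in CFG[node]:
            if succ in dist:            # ignore successors that cannot reach the target
                heapq.heappush(heap, (dist[succ], tick, succ, path + ([guard] if guard else [])))
                tick += 1
    return None, steps
```

On this graph the search first tries the one-edge route through `d`, discards it as infeasible, and then reaches the target through `b` and `c` without ever stepping the longer route through `a`.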

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ma, KK., Yit Phang, K., Foster, J.S., Hicks, M. (2011). Directed Symbolic Execution. In: Yahav, E. (eds) Static Analysis. SAS 2011. Lecture Notes in Computer Science, vol 6887. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23702-7_11

  • DOI: https://doi.org/10.1007/978-3-642-23702-7_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23701-0

  • Online ISBN: 978-3-642-23702-7

  • eBook Packages: Computer Science, Computer Science (R0)