research-article

Symbolic execution of programs with heap inputs

Authors:
Pietro Braione

University of Milano-Bicocca, Italy

University of Milano-Bicocca, Italy
View Profile

,
Giovanni Denaro

University of Milano-Bicocca, Italy

University of Milano-Bicocca, Italy
View Profile

,
Mauro Pezzè

University of Milano-Bicocca, Italy / University of Lugano, Switzerland

University of Milano-Bicocca, Italy / University of Lugano, Switzerland
View Profile

ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software EngineeringAugust 2015Pages 602–613https://doi.org/10.1145/2786805.2786842

Published:30 August 2015Publication History

ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

Pages 602–613

ABSTRACT

Symbolic analysis is a core component of many automatic test generation and program verication approaches. To verify complex software systems, test and analysis techniques shall deal with the many aspects of the target systems at different granularity levels. In particular, testing software programs that make extensive use of heap data structures at unit and integration levels requires generating suitable input data structures in the heap. This is a main challenge for symbolic testing and analysis techniques that work well when dealing with numeric inputs, but do not satisfactorily cope with heap data structures yet. In this paper we propose a language HEX to specify invariants of partially initialized data structures, and a decision procedure that supports the incremental evaluation of structural properties in HEX. Used in combination with the symbolic execution of heap manipulating programs, HEX prevents the exploration of invalid states, thus improving the eefficiency of program testing and analysis, and avoiding false alarms that negatively impact on verication activities. The experimental data conrm that HEX is an effective and efficient solution to the problem of testing and analyzing heap manipulating programs, and outperforms the alternative approaches that have been proposed so far.

References

A. Bouajjani, C. Drˇ agoi, C. Enea, and M. Sighireanu. Accurate invariant checking for programs manipulating lists and arrays with infinite data. In S. Chakraborty and M. Mukund, editors, Automated Technology for Verification and Analysis, LNCS, pages 167–182. Springer, 2012. Google ScholarDigital Library
C. Boyapati, S. Khurshid, and D. Marinov. Korat: automated testing based on java predicates. In International symposium on Software testing and analysis. ACM, 2002. Google ScholarDigital Library
P. Braione, G. Denaro, and M. Pezzè. Enhancing symbolic execution with built-in term rewriting and constrained lazy initialization. In Proc. of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pages 411–421, New York, NY, USA, 2013. ACM. Google ScholarDigital Library
C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In USENIX Symposium on Operating Systems Design and Implementation, 2008. Google ScholarDigital Library
C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: automatically generating inputs of death. In ACM Conference on Computer and Communications Security. ACM, 2006. Google ScholarDigital Library
L. A. Clarke. A system to generate test data and symbolically execute programs. IEEE Trans. on Soft. Eng., 2(3):215–222, Sept. 1976. Google ScholarDigital Library
A. Coen-Porisini, G. Denaro, C. Ghezzi, and M. Pezzè. Using symbolic execution for verifying safety-critical systems. In Proceedings of the Joint European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering, 2001. Google ScholarDigital Library
X. Deng, J. Lee, and Robby. Bogor/Kiasan: A k-bounded symbolic execution for checking strong heap properties of open systems. In International Conference on Automated Software Engineering, 2006. Google ScholarDigital Library
G. D. Dennis. TSAFE: Building a trusted computing base for air traffic control software. Master’s thesis, Massachusetts Institute of Technology, 2003.Google Scholar
H. Do, S. G. Elbaum, and G. Rothermel. Supporting controlled experimentation with testing techniques: An infrastructure and its potential impact. Empirical Software Engineering: An International Journal, 10(4):405–435, 2005. Google ScholarDigital Library
C. Enea, V. Saveluc, and M. Sighireanu. Compositional invariant checking for overlaid and nested linked lists. In Proceedings of the European Conference on Programming Languages and Systems, ESOP’13, pages 129–148. Springer-Verlag, 2013. Google ScholarDigital Library
J. P. Galeotti, N. Rosner, C. G. López Pombo, and M. F. Frias. Analysis of invariants for efficient bounded verification. In Proceedings of the 19th International Symposium on Software Testing and Analysis, ISSTA ’10, pages 25–36, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
J. Geldenhuys, N. Aguirre, M. Frias, and W. Visser. Bounded lazy initialization. In G. Brat, N. Rungta, and A. Venet, editors, NASA Formal Methods, LNCS 7871. Springer Berlin Heidelberg, 2013.Google ScholarCross Ref
P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In ACM Conference on Programming language design and implementation. ACM, 2005. Google ScholarDigital Library
J. G. Henriksen, J. L. Jensen, M. E. Jørgensen, N. Klarlund, R. Paige, T. Rauhe, and A. Sandholm. Mona: Monadic second-order logic in practice. In Proc. of the Int. Workshop on Tools and Algorithms for Construction and Analysis of Systems, TACAS. Springer-Verlag, 1995. Google ScholarDigital Library
D. Jackson. Software Abstractions: Logic, Language, and Analysis. The MIT Press, 2006. Google ScholarDigital Library
R. Just, D. Jalali, and M. D. Ernst. Defects4J: A database of existing faults to enable controlled testing studies for Java programs. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA), pages 437–440, 2014. Google ScholarDigital Library
S. Khurshid, C. S. Pˇ asˇ areanu, and W. Visser. Generalized symbolic execution for model checking and testing. In Tools and Algorithms for Construction and Analysis of Systems, LNCS 2619. Springer, 2003. Google ScholarDigital Library
J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385–394, 1976. Google ScholarDigital Library
B. Liskov and J. Guttag. Program Development in Java: Abstraction, Specification, and Object-Oriented Design. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1st edition, 2000. Google ScholarDigital Library
P. Madhusudan and X. Qiu. Efficient decision procedures for heaps using strand. In Proc. of the 18th International Conference on Static Analysis, SAS’11, pages 43–59. Springer-Verlag, 2011. Google ScholarDigital Library
P. Madhusudan, X. Qiu, and A. Stefanescu. Recursive proofs for inductive tree data-structures. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 123–136, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
R. Majumdar and R.-G. Xu. Directed test generation using symbolic grammars. In Proc. of the Int. Conference on Automated Software Engineering, ASE ’07, New York, NY, USA, 2007. ACM. Google ScholarDigital Library
S. McPeak and G. C. Necula. Data structure specifications via local equality axioms. In Proc. of the 17th International Conference on Computer Aided Verification, CAV’05. Springer-Verlag, 2005. Google ScholarDigital Library
A. Møller and M. I. Schwartzbach. The pointer assertion logic engine. In Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, PLDI ’01, pages 221–231, New York, NY, USA, 2001. ACM. Google ScholarDigital Library
C. S. Pasareanu and W. Visser. A survey of new trends in symbolic execution for software testing and analysis. International Journal on Software Tools for Technology Transf., 11(4):339–353, Oct. 2009. Google ScholarDigital Library
Z. Rakamari´ c, R. Bruttomesso, A. J. Hu, and A. Cimatti. Verifying heap-manipulating programs in an SMT framework. In Proc. of the 5th International Conference on Automated Technology for Verification and Analysis, ATVA’07, pages 237–252. Springer-Verlag, 2007. Google ScholarDigital Library
J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science, LICS ’02, pages 55–74, Washington, DC, USA, 2002. IEEE Computer Society. Google ScholarDigital Library
K. Sen, D. Marinov, and G. Agha. CUTE: a concolic unit testing engine for C. In European Software Engineering Conference and ACM Symposium on Foundations of Software Engineering, 2005. Google ScholarDigital Library
J. H. Siddiqui and S. Khurshid. Staged symbolic execution. In ACM Symposium on Applied Computing, 2012. Google ScholarDigital Library
W. Visser, C. S. Pˇ asˇ areanu, and S. Khurshid. Test input generation with Java PathFinder. In Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004), pages 97–107. ACM, 2004. Google ScholarDigital Library
G. Yorsh, A. Rabinovich, M. Sagiv, A. Meyer, and A. Bouajjani. A logic of reachable patterns in linked data-structures. In Proc. of the 9th European Joint Conference on Foundations of Software Science and Computation Structures, FOSSACS’06. Springer-Verlag, 2006. Google ScholarDigital Library

Index Terms

Symbolic execution of programs with heap inputs
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Combining symbolic execution and search-based testing for programs with complex heap inputs
ISSTA 2017: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis

Despite the recent improvements in automatic test case generation, handling complex data structures as test inputs is still an open problem. Search-based approaches can generate sequences of method calls that instantiate structured inputs to exercise a ...
Read More
JBSE: a symbolic executor for Java programs with complex heap inputs
FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering

We present the Java Bytecode Symbolic Executor (JBSE), a symbolic executor for Java programs that operates on complex heap inputs. JBSE implements both the novel Heap EXploration Logic (HEX), a symbolic execution approach to deal with heap inputs, and ...
Read More
Runtime exception detection in Java programs using symbolic execution

Most of the runtime failures of a software system can be revealed during test execution only, which has a very high cost. In Java programs, runtime failures are manifested as unhandled runtime exceptions.

In this paper we present an approach and tool ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering
August 2015
1068 pages
ISBN:9781450336758
DOI:10.1145/2786805
General Chair:
Elisabetta Di Nitto
Politecnico di Milano, Italy
,
Program Chairs:
Mark Harman
University College London, UK
,
Patrick Heymans
University of Namur, Belgium
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 30 August 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Symbolic execution
data structure invariants
lazy initialization
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate112of543submissions,21%
Upcoming Conference
FSE '24

Sponsor:

sigsoft

32nd ACM International Conference on the Foundations of Software Engineering

July 15 - 19, 2024

Ipojuca (Pernambuco) , Brazil
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 20
  Total Citations
  View Citations
- 502
  Total Downloads
- Downloads (Last 12 months)14
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Symbolic execution of programs with heap inputs

ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Combining symbolic execution and search-based testing for programs with complex heap inputs

JBSE: a symbolic executor for Java programs with complex heap inputs

Runtime exception detection in Java programs using symbolic execution