research-article

Symbolic execution for software testing in practice: preliminary assessment

Authors:
Cristian Cadar

Imperial College London, London, United Kingdom

Imperial College London, London, United Kingdom
View Profile

,
Patrice Godefroid

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Sarfraz Khurshid

University of Texas at Austin, Austin, TX, USA

University of Texas at Austin, Austin, TX, USA
View Profile

,
Corina S. Păsăreanu

Carnegie Melon University & NASA Ames, Pittsburgh, PA, USA

Carnegie Melon University & NASA Ames, Pittsburgh, PA, USA
View Profile

,
Koushik Sen

University of California at Berkeley, Berkeley, CA, USA

University of California at Berkeley, Berkeley, CA, USA
View Profile

,
Nikolai Tillmann

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Willem Visser

Stellenbosch University, Matieland, South Africa

Stellenbosch University, Matieland, South Africa
View Profile

ICSE '11: Proceedings of the 33rd International Conference on Software EngineeringMay 2011Pages 1066–1071https://doi.org/10.1145/1985793.1985995

Published:21 May 2011Publication History

ICSE '11: Proceedings of the 33rd International Conference on Software Engineering

Pages 1066–1071

ABSTRACT

We present results for the "Impact Project Focus Area" on the topic of symbolic execution as used in software testing. Symbolic execution is a program analysis technique introduced in the 70s that has received renewed interest in recent years, due to algorithmic advances and increased availability of computational power and constraint solving technology. We review classical symbolic execution and some modern extensions such as generalized symbolic execution and dynamic test generation. We also give a preliminary assessment of the use in academia, research labs, and industry.

References

S. Anand, C. S. Păsăreanu, and W. Visser. JPF-SE: a symbolic execution extension to Java PathFinder. In TACAS'07, pages 134--138, 2007. Google ScholarDigital Library
S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst. Finding bugs in dynamic web applications. In ISSTA'08, July 2008. Google ScholarDigital Library
T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: Automatic exploit generation. In NDSS'11, Feb 2011.Google Scholar
M. Baluda, P. Braione, G. Denaro, and M. Pezzé. Structural coverage of feasible code. In AST'10, pages 59--66. ACM, 2010. Google ScholarDigital Library
D. Bethea, R. Cochran, and M. Reiter. Server-side verification of client behavior in online games. In NDSS'10, Feb-Mar 2010.Google Scholar
N. Bjørner, N. Tillmann, and A. Voronkov. Path feasibility analysis for string-manipulating programs. In TACAS'09, Mar. 2009. Google ScholarDigital Library
P. Boonstoppel, C. Cadar, and D. Engler. RWset: Attacking path explosion in constraint-based test generation. In TACAS'08, Mar-Apr 2008. Google ScholarDigital Library
R. S. Boyer, B. Elspas, and K. N. Levitt. SELECT - a formal system for testing and debugging programs by symbolic execution. SIGPLAN Not., 10:234--245, 1975. Google ScholarDigital Library
J. Burnim and K. Sen. Heuristics for scalable dynamic test generation. In ASE'08, 2008. Google ScholarDigital Library
W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software - Practice and Experience, 30(7):775--802, 2000. Google ScholarDigital Library
C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI'08, Dec 2008. Google ScholarDigital Library
C. Cadar and D. Engler. Execution generated test cases: How to make systems code crash itself (invited paper). In SPIN'05, Aug 2005. Google ScholarDigital Library
C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: Automatically generating inputs of death. In CCS'06, Oct-Nov 2006. Google ScholarDigital Library
V. Chipounov and G. Candea. Reverse engineering of binary device drivers with RevNIC. In EuroSys'10, Apr 2010. Google ScholarDigital Library
L. A. Clarke. A program testing system. In Proc. of the 1976 annual conference, pages 488--491, 1976. Google ScholarDigital Library
L. A. Clarke and D. J. Richardson. Program Flow Analysis: Theory and Application (Symbolic Evaluation Methods for Program Analysis). S. Muchnick and N. Jones, Prentice Hall, 1981. Google ScholarDigital Library
L. A. Clarke and D. J. Richardson. Applications of symbolic evaluation. Journal of Systems and Software, 5(1):15--35, 1985. Google ScholarDigital Library
A. Coen-Porisini, G. Denaro, C. Ghezzi, and M. Pezzé. Using symbolic execution for verifying safety-critical systems. In ESEC/FSE'01, 2001. Google ScholarDigital Library
P. D. Coward. Symbolic execution systems - a review. Softw. Eng. J., 3:229--239, November 1988. Google ScholarDigital Library
H. Cui, J. Wu, C. che Tsai, and J. Yang. Stable deterministic multithreading through schedule memoization. In OSDI'10, 2010. Google ScholarDigital Library
J. de Halleux and N. Tillmann. Moles: Tool-assisted environment isolation with closures. In TOOLS'10, June-July 2010. Google ScholarDigital Library
L. de Moura and N. Bjorner. Z3: An Efficient SMT Solver. In TACAS'08, Mar-Apr 2008. Google ScholarDigital Library
X. Deng, J. Lee, and Robby. Bogor/Kiasan: A k-bounded symbolic execution for checking strong heap properties of open systems. In ASE'06, 2006. Google ScholarDigital Library
L. K. Dillon. Using symbolic execution for verification of Ada tasking programs. ACM TOPLAS, 12, October 1990. Google ScholarDigital Library
V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV'07, July 2007. Google ScholarDigital Library
P. Godefroid. Compositional dynamic test generation. In Proc. of the ACM POPL, Jan 2007. Google ScholarDigital Library
P. Godefroid. Software model checking improving security of a billion computers. In SPIN'09, June 2009. Google ScholarDigital Library
P. Godefroid, N. Klarlund, and K. Sen. DART: Directed Automated Random Testing. In PLDI'05, June 2005. Google ScholarDigital Library
P. Godefroid, M. Levin, and D. Molnar. Automated Whitebox Fuzz Testing. In NDSS'08, Feb. 2008.Google Scholar
L. J. Harrison and R. A. Kemmerer. An interleaving symbolic execution approach for the formal verification of Ada programs with tasking. In Ada Applications and Environments'88, 1988.Google ScholarCross Ref
W. Howden. Symbolic testing and the DISSECT symbolic evaluation system. IEEE Transactions on Software Engineering, 3(4):266--278, 1977. Google ScholarDigital Library
K. Jayaraman, D. Harvison, V. Ganesh, and A. Kiezun. jFuzz: A concolic whitebox fuzzer for Java. In In NFM'09, Apr. 2009.Google Scholar
S. Khurshid, C. S. Păsăreanu, and W. Visser. Generalized symbolic execution for model checking and testing. In TACAS'03, Apr. 2003. Google ScholarDigital Library
Y. Kim, M. Kim, and N. Dang. Scalable distributed concolic testing: a case study on a flash storage platform. In ICTAC'10, pages 199--213, 2010. Google ScholarDigital Library
J. C. King. Symbolic execution and program testing. Commun. ACM, 19:385--394, July 1976. Google ScholarDigital Library
B. Korel. A Dynamic Approach of Test Data Generation. In IEEE Conference on Software Maintenance, Nov 1990.Google Scholar
V. Kuznetsov, V. Chipounov, and G. Candea. Testing closed-source binary device drivers with DDT. In USENIX ATC'10, June 2010. Google ScholarDigital Library
K. Lakhotia, N. Tillmann, M. Harman, and J. de Halleux. Flopsy - search-based floating point constraint solving for symbolic execution. In ICTSS'10, pages 142--157, 2010. Google ScholarDigital Library
C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis and transformation. In CGO'04, Mar 2004. Google ScholarDigital Library
R. Majumdar and K. Sen. Hybrid concolic testing. In ICSE'07, May 2007. Google ScholarDigital Library
R. Majumdar and R.-G. Xu. Reducing test inputs using information partitions. In CAV'09, pages 555--569, 2009. Google ScholarDigital Library
D. Molnar, X. C. Li, and D. Wagner. Dynamic test generation to find integer bugs in x86 binary linux programs. In USENIX Security'09, Aug 2009. Google ScholarDigital Library
C. Pasareanu, P. Mehlitz, D. Bushnell, K. Gundy-Burlet, M. Lowry, S. Person, and M. Pape. Combining unit-level symbolic execution and system-level concrete execution for testing NASA software. In ISSTA'08, July 2008. Google ScholarDigital Library
C. S. Pasareanu and W. Visser. A survey of new trends in symbolic execution for software testing and analysis. STTT, 11(4):339--353, 2009. Google ScholarDigital Library
S. Person, G. Yang, N. Rungta, and S. Khurshid. Directed incremental symbolic execution. In PLDI'11 (to appear), June 2011. Google ScholarDigital Library
C. Ramamoorthy, S.-B. Ho, and W. Chen. On the automated generation of program test data. IEEE Trans. on Software Engineering, 2(4):293--300, 1976. Google ScholarDigital Library
M. Ruse, T. Sarkar, and S. Basu. Analysis & detection of SQL injection vulnerabilities via automatic test case generation of programs. In SAINT'10, July 2010. Google ScholarDigital Library
R. Sasnauskas, J. A. B. Link, M. H. Alizai, and K. Wehrle. Kleenet: automatic bug hunting in sensor network applications. In IPSN'10, Apr 2010.Google Scholar
E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In IEEE Symposium on Security and Privacy, May 2010. Google ScholarDigital Library
K. Sen. Scalable Automated Methods for Dynamic Program Analysis. PhD thesis, University of Illinois at Urbana-Champaign, June 2006. Google ScholarDigital Library
K. Sen and G. Agha. CUTE and jCUTE : Concolic unit testing and explicit path model-checking tools. In CAV'06, 2006. Google ScholarDigital Library
K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In ESEC/FSE'05, Sep 2005. Google ScholarDigital Library
J. H. Siddiqui and S. Khurshid. ParSym: Parallel symbolic execution. In ICSTE'10, Oct. 2010.Google ScholarCross Ref
S. F. Siegel, A. Mironova, G. S. Avrunin, and L. A. Clarke. Combining symbolic execution with model checking to verify parallel numerical programs. ACM TOSEM, 17:10:1--10:34, May 2008. Google ScholarDigital Library
M. Souza, M. Borges, M. d'Amorim, and C. Păsăreanu. Coral: Solving complex constraints for symbolic pathfinder. In NFM'11 (to appear), Apr. 2011. Google ScholarDigital Library
M. Staats and C. S. Pasareanu. Parallel symbolic execution for structural test generation. In ISSTA'10, July 2010. Google ScholarDigital Library
N. Tillmann and J. de Halleux. Pex - white box test generation for .NET. In TAP'08, Apr 2008. Google ScholarDigital Library
N. Tillmann and W. Schulte. Parameterized unit tests. In ESEC/FSE'05, Sept. 2005. Google ScholarDigital Library
W. Visser, C. S. Păsăreanu, and R. Pelánek. Test input generation for java containers using state matching. In ISSTA'06, July 2006. Google ScholarDigital Library
T. Xie. Improving automation in developer testing: State of practice. Technical report, North Carolina State University, 2009.Google Scholar
T. Xie, N. Tillmann, P. de Halleux, and W. Schulte. Fitness-guided path exploration in dynamic symbolic execution. In DSN'09, June-July 2009.Google ScholarCross Ref
Z. Xu, Y. Kim, M. Kim, G. Rothermel, and M. B. Cohen. Directed test suite augmentation: techniques and tradeoffs. In FSE'10, Nov. 2010. Google ScholarDigital Library
J. Yang, C. Sar, P. Twohey, C. Cadar, and D. Engler. Automatically generating malicious disks using symbolic execution. In IEEE Symposium on Security and Privacy, May 2006. Google ScholarDigital Library
C. Zamfir and G. Candea. Execution synthesis: A technique for automated software debugging. In EuroSys'10, Apr 2010. Google ScholarDigital Library

Index Terms

Symbolic execution for software testing in practice: preliminary assessment

Recommendations

Symbolic execution and program testing

This paper describes the symbolic execution of programs. Instead of supplying the normal inputs to a program (e.g. numbers) one supplies symbols representing arbitrary values. The execution proceeds as in a normal execution except that values may be ...
Read More
Automatic testing of symbolic execution engines via program generation and differential testing
ASE '17: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering

Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more. Symbolic execution tools, like CREST, KLEE, FuzzBALL, and Symbolic PathFinder, have enabled researchers and ...
Read More
Veritesting Challenges in Symbolic Execution of Java

Scaling symbolic execution to industrial-sized programs is an important open research problem. Veritesting is a promising technique that improves scalability by combining the advantages of static symbolic execution with those of dynamic symbolic ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '11: Proceedings of the 33rd International Conference on Software Engineering
May 2011
1258 pages
ISBN:9781450304450
DOI:10.1145/1985793
General Chair:
Richard N. Taylor
UC Irvine, USA
,
Program Chairs:
Harald Gall
University of Zurich, Switzerland
,
Nenad Medvidović
University of Southern California, USA
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 21 May 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
dynamic test generation
generalized symbolic execution
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 208
  Total Citations
  View Citations
- 2,205
  Total Downloads
- Downloads (Last 12 months)72
- Downloads (Last 6 weeks)7
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Symbolic execution for software testing in practice: preliminary assessment

ICSE '11: Proceedings of the 33rd International Conference on Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Symbolic execution and program testing

Automatic testing of symbolic execution engines via program generation and differential testing

Veritesting Challenges in Symbolic Execution of Java