Chapter Five - Advances in Symbolic Execution

Abstract Symbolic execution is a systematic technique for checking programs, which forms a basis for various software testing and verification techniques. It provides a powerful analysis in principle but remains challenging to scale and generalize symbolic execution in practice. This chapter reviews the cutting-edge research accomplishments in addressing these challenges in the last 5 years, including advances in addressing the scalability challenges such as constraint solving and path explosion, as well as advances in applying symbolic execution in testing, security, and probabilistic program analysis.

[1]  Yang Liu,et al.  Generating Performance Distributions via Probabilistic Symbolic Execution , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[2]  Song Wang,et al.  DASE: Document-Assisted Symbolic Execution for Improving Automated Software Testing , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[3]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[4]  Sam Malek,et al.  SIG-Droid: Automated system input generation for Android applications , 2015, 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE).

[5]  Moonzoo Kim,et al.  Industrial application of concolic testing approach: A case study on libexif by using CREST-BV and KLEE , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[6]  Dan Grossman,et al.  Input-covering schedules for multithreaded programs , 2013, OOPSLA.

[7]  Ashish Tiwari,et al.  A Nonlinear Real Arithmetic Fragment , 2014, CAV.

[8]  Nazareno Aguirre,et al.  Bounded Lazy Initialization , 2013, NASA Formal Methods.

[9]  Gordon Fraser,et al.  Augmented dynamic symbolic execution , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[10]  Matthew B. Dwyer,et al.  Exact and approximate probabilistic symbolic execution for nondeterministic programs , 2014, ASE.

[11]  Bernhard Beckert,et al.  Deductive Software Verification – The KeY Book , 2016, Lecture Notes in Computer Science.

[12]  Xiangyu Zhang,et al.  Z3-str: a z3-based string solver for web application analysis , 2013, ESEC/FSE 2013.

[13]  Koushik Sen,et al.  Symbolic execution for software testing: three decades later , 2013, CACM.

[14]  Murali Krishna Ramanathan,et al.  Type-Aware Concolic Testing of JavaScript Programs , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[15]  Sarfraz Khurshid,et al.  Property differencing for incremental checking , 2014, ICSE.

[16]  Maryam Abdul Ghafoor,et al.  Symbolic execution of stored procedures in database management systems , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[17]  Xin Li,et al.  Symbolic execution of complex program driven by machine learning based constraint solving , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[18]  Padmanabhan Krishnan,et al.  Combining Static Analysis and Constraint Solving for Automatic Test Case Generation , 2012, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation.

[19]  Sam Malek,et al.  Testing android apps through symbolic execution , 2012, ACM SIGSOFT Softw. Eng. Notes.

[20]  Nikolaj Bjørner,et al.  Path Feasibility Analysis for String-Manipulating Programs , 2009, TACAS.

[21]  Zhendong Su,et al.  XSat: A Fast Floating-Point Satisfiability Solver , 2016, CAV.

[22]  Yannis Smaragdakis,et al.  Sound predictive race detection in polynomial time , 2012, POPL '12.

[23]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[24]  Corina S. Pasareanu,et al.  Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[25]  Xiangyu Zhang,et al.  Scaling Up Symbolic Analysis by Removing Z-Equivalent States , 2014, TSEM.

[26]  Zvonimir Rakamaric,et al.  JDart: A Dynamic Symbolic Analysis Framework , 2016, TACAS.

[27]  Gogul Balakrishnan,et al.  Feedback-directed unit test generation for C/C++ using concolic execution , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[28]  Elena Sherman,et al.  Minimizing the Size of Path Conditions Using Convex Polyhedra Abstract Domain , 2015, SOEN.

[29]  Nikolai Tillmann,et al.  Demand-Driven Compositional Symbolic Execution , 2008, TACAS.

[30]  Madan Musuvathi,et al.  Iterative context bounding for systematic testing of multithreaded programs , 2007, PLDI '07.

[31]  Toby Walsh,et al.  Handbook of Satisfiability: Volume 185 Frontiers in Artificial Intelligence and Applications , 2009 .

[32]  Marcelo d'Amorim,et al.  Iterative distribution-aware sampling for probabilistic symbolic execution , 2015, ESEC/SIGSOFT FSE.

[33]  Patrice Chalin,et al.  Efficient Symbolic Execution of Value-Based Data Structures for Critical Systems , 2012, NASA Formal Methods.

[34]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[35]  Chao Wang,et al.  Conc-iSE: Incremental symbolic execution of concurrent software , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[36]  Suman Jana,et al.  Automatically Detecting Error Handling Bugs Using Error Specifications , 2016, USENIX Security Symposium.

[37]  Jose Miguel Rojas,et al.  Compositional Symbolic Execution through Program Specialization , 2013 .

[38]  Somesh Jha,et al.  FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution , 2013, USENIX Security Symposium.

[39]  Sarfraz Khurshid,et al.  Symbolic execution for software testing in practice: preliminary assessment , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[40]  Cesare Tinelli,et al.  A DPLL(T) Theory Solver for a Theory of Strings and Regular Expressions , 2014, CAV.

[41]  Corina S. Pasareanu,et al.  Reliability analysis in Symbolic PathFinder , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[42]  Parosh Aziz Abdulla,et al.  Norn: An SMT Solver for String Constraints , 2015, CAV.

[43]  Cristian Cadar,et al.  Shadow symbolic execution for better testing of evolving software , 2014, ICSE Companion.

[44]  Guodong Li,et al.  SymJS: automatic symbolic testing of JavaScript web applications , 2014, SIGSOFT FSE.

[45]  Rupak Majumdar,et al.  Approximate counting in SMT and value estimation for probabilistic programs , 2014, Acta Informatica.

[46]  Marie-Laure Potet,et al.  Lazart: A Symbolic Approach for Evaluation the Robustness of Secured Codes against Control Flow Injections , 2014, 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation.

[47]  Suzette Person,et al.  Regression Verification Using Impact Summaries , 2013, SPIN.

[48]  Vincent Loechner,et al.  Counting Integer Points in Parametric Polytopes Using Barvinok's Rational Functions , 2007, Algorithmica.

[49]  Tim Miller,et al.  Compositional Symbolic Execution Using Fine-Grained Summaries , 2015, 2015 24th Australasian Software Engineering Conference.

[50]  Giovanni Denaro,et al.  Enhancing symbolic execution with built-in term rewriting and constrained lazy initialization , 2013, ESEC/FSE 2013.

[51]  Kenneth L. McMillan,et al.  Using Unfoldings to Avoid the State Explosion Problem in the Verification of Asynchronous Circuits , 1992, CAV.

[52]  Jürgen Dingel,et al.  Using Fuzzy Logic and Symbolic Execution to Prioritize UML-RT Test Cases , 2015, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST).

[53]  Peter Müller,et al.  Automatic Verification of Iterated Separating Conjunctions Using Symbolic Execution , 2016, CAV.

[54]  Zhenbang Chen,et al.  Speculative Symbolic Execution , 2012, 2012 IEEE 23rd International Symposium on Software Reliability Engineering.

[55]  Thomas A. Henzinger,et al.  Array Folds Logic , 2016, CAV.

[56]  Sarfraz Khurshid,et al.  Scaling symbolic execution using ranged analysis , 2012, OOPSLA '12.

[57]  George Candea,et al.  The S2E Platform: Design, Implementation, and Applications , 2012, TOCS.

[58]  Wei Le Segmented symbolic analysis , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[59]  Corina S. Pasareanu,et al.  Statistical symbolic execution with informed sampling , 2014, Software Engineering & Management.

[60]  Corina S. Pasareanu,et al.  Symbolic PathFinder v7 , 2014, SOEN.

[61]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[62]  Jan Strejcek,et al.  Abstracting path conditions , 2012, ISSTA 2012.

[63]  Koushik Sen,et al.  Heuristics for Scalable Dynamic Test Generation , 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[64]  Arnaud Gotlieb,et al.  Symbolic Path-Oriented Test Data Generation for Floating-Point Programs , 2013, 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation.

[65]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[66]  Chao Wang,et al.  Symbolic Predictive Analysis for Concurrent Programs , 2009, FM.

[67]  Tao Xie,et al.  MetaSymploit: Day-One Defense against Script-based Attacks with Security-Enhanced Symbolic Analysis , 2013, USENIX Security Symposium.

[68]  Christel Baier,et al.  Principles of model checking , 2008 .

[69]  Jorge A. Navas,et al.  Boosting concolic testing via interpolation , 2013, ESEC/FSE 2013.

[70]  Keijo Heljanko,et al.  Using unfoldings in automated testing of multithreaded programs , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[71]  Chao Wang,et al.  Generating Data Race Witnesses by an SMT-Based Analysis , 2011, NASA Formal Methods.

[72]  Mukul R. Prasad,et al.  Automated testing with targeted event sequence generation , 2013, ISSTA.

[73]  Suresh Jagannathan,et al.  Poling: SMT Aided Linearizability Proofs , 2015, CAV.

[74]  Tim Miller,et al.  Looking Closer at Compositional Symbolic Execution , 2015, ASWEC.

[75]  Marcelo d'Amorim,et al.  Compositional solution space quantification for probabilistic software analysis , 2014, PLDI.

[76]  Alexander Pretschner,et al.  MACKE: Compositional analysis of low-level vulnerabilities with symbolic execution , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[77]  Marcelo d'Amorim,et al.  Quantifying information leaks using reliability analysis , 2014, SPIN.

[78]  Yang Liu,et al.  S-looper: automatic summarization for multipath string loops , 2015, ISSTA.

[79]  Junaid Haroon Siddiqui,et al.  Incremental symbolic execution for automated test suite maintenance , 2014, ASE.

[80]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[81]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[82]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[83]  Peng Li,et al.  GKLEE: concolic verification and test generation for GPUs , 2012, PPoPP '12.

[84]  Koushik Sen,et al.  Generating Succinct Test Cases Using Don't Care Analysis , 2015, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST).

[85]  Sunghun Kim,et al.  How we get there: a context-guided search strategy in concolic testing , 2014, SIGSOFT FSE.

[86]  Giovanni Denaro,et al.  Reusing constraint proofs in program analysis , 2015, ISSTA.

[87]  Andrew W. Moore,et al.  Reinforcement Learning: A Survey , 1996, J. Artif. Intell. Res..

[88]  Gregg Rothermel,et al.  Software testing: a research travelogue (2000–2014) , 2014, FOSE.

[89]  Herbert Bos,et al.  Dowser: A Guided Fuzzer for Finding Buffer Overflow Vulnerabilities , 2013, login Usenix Mag..

[90]  Sarfraz Khurshid,et al.  Directed Incremental Symbolic Execution , 2014, TSEM.

[91]  Joxan Jaffar,et al.  S3: A Symbolic String Solver for Vulnerability Detection in Web Applications , 2014, CCS.

[92]  Peter Sestoft,et al.  Partial evaluation and automatic program generation , 1993, Prentice Hall international series in computer science.

[93]  Shweta Shinde,et al.  A model counter for constraints over unbounded strings , 2014, PLDI.

[94]  Rody Kersten,et al.  Improving Coverage of Test Cases Generated by Symbolic PathFinder for Programs with Loops , 2015, SOEN.

[95]  Pekka Abrahamsson,et al.  Are Software Startups Applying Agile Practices? The State of the Practice from a Large Survey , 2017, XP.

[96]  Jian Liu,et al.  Postconditioned Symbolic Execution , 2015, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST).

[97]  Daniel Kroening,et al.  Decision Procedures - An Algorithmic Point of View , 2008, Texts in Theoretical Computer Science. An EATCS Series.

[98]  Cristian Cadar,et al.  make test-zesti: A symbolic execution solution for improving regression testing , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[99]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[100]  Zhendong Su,et al.  Combining Symbolic Execution and Model Checking for Data Flow Testing , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[101]  Nikolai Tillmann,et al.  Pex-White Box Test Generation for .NET , 2008, TAP.

[102]  Sarfraz Khurshid,et al.  Generalized Symbolic Execution for Model Checking and Testing , 2003, TACAS.

[103]  Niranjan Hasabnis,et al.  Extracting instruction semantics via symbolic execution of code generators , 2016, SIGSOFT FSE.

[104]  Sarfraz Khurshid,et al.  Memoized symbolic execution , 2012, ISSTA 2012.

[105]  Mayur Naik,et al.  APISan: Sanitizing API Usages through Semantic Cross-Checking , 2016, USENIX Security Symposium.

[106]  Dawei Qi,et al.  Path exploration based on symbolic output , 2011, ESEC/FSE '11.

[107]  Gul A. Agha,et al.  Solving complex path conditions through heuristic search on induced polytopes , 2014, FSE 2014.

[108]  Giovanni Denaro,et al.  JBSE: a symbolic executor for Java programs with complex heap inputs , 2016, SIGSOFT FSE.

[109]  Florentin Ipate,et al.  RIVER: A Binary Analysis Framework Using Symbolic Execution and Reversible x86 Instructions , 2016, FM.

[110]  Gregory Gay,et al.  Efficient observability-based test generation by dynamic symbolic execution , 2015, 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE).

[111]  Nikolai Kosmatov,et al.  Efficient Leveraging of Symbolic Execution to Advanced Coverage Criteria , 2014, 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation.

[112]  Rolf Drechsler,et al.  ParCoSS: Efficient Parallelized Compiled Symbolic Simulation , 2016, CAV.

[113]  Frédéric Benhamou,et al.  Algorithm 852: RealPaver: an interval solver using constraint satisfaction techniques , 2006, TOMS.

[114]  Elena Sherman,et al.  Evaluation of string constraint solvers in the context of symbolic execution , 2014, ASE.

[115]  Jun Sun,et al.  Satisfiability Modulo Heap-Based Programs , 2016, CAV.

[116]  Michael D. Ernst,et al.  Randoop: feedback-directed random testing for Java , 2007, OOPSLA '07.

[117]  Helmut Veith,et al.  Con2colic testing , 2013, ESEC/FSE 2013.

[118]  Sriram K. Rajamani,et al.  Compositional may-must program analysis: unleashing the power of alternation , 2010, POPL '10.

[119]  Dawson R. Engler,et al.  symMMU: symbolically executed runtime libraries for symbolic memory access , 2014, ASE.

[120]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[121]  Ruzica Piskac,et al.  Automating Separation Logic Using SMT , 2013, CAV.

[122]  Ninghui Li,et al.  SymCerts: Practical Symbolic Execution for Exposing Noncompliance in X.509 Certificate Validation Implementations , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[123]  Sarfraz Khurshid,et al.  A Synergistic Approach for Distributed Symbolic Execution Using Test Ranges , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C).

[124]  Zhenbang Chen,et al.  S2PF: speculative symbolic PathFinder , 2012, SOEN.

[125]  Ting Chen,et al.  State of the art: Dynamic symbolic execution for automated test generation , 2013, Future Gener. Comput. Syst..

[126]  Parosh Aziz Abdulla,et al.  String Constraints for Verification , 2014, CAV.

[127]  Peter Müller,et al.  Guiding Dynamic Symbolic Execution toward Unverified Program Executions , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[128]  Matthew B. Dwyer,et al.  Green: reducing, reusing and recycling constraints in program analysis , 2012, SIGSOFT FSE.

[129]  Nazareno Aguirre,et al.  BLISS: Improved Symbolic Execution by Bounded Lazy Initialization with SAT Support , 2015, IEEE Transactions on Software Engineering.

[130]  Patrice Godefroid,et al.  Compositional dynamic test generation , 2007, POPL '07.

[131]  Hongseok Yang,et al.  Automated concolic testing of smartphone apps , 2012, SIGSOFT FSE.

[132]  Joxan Jaffar,et al.  Progressive Reasoning over Recursively-Defined Strings , 2016, CAV.

[133]  Sam Blackshear,et al.  Thresher: precise refutations for heap reachability , 2013, PLDI.

[134]  Corina S. Pasareanu,et al.  A survey of new trends in symbolic execution for software testing and analysis , 2009, International Journal on Software Tools for Technology Transfer.

[135]  Cesare Tinelli,et al.  A Tale of Two Solvers: Eager and Lazy Approaches to Bit-Vectors , 2014, CAV.

[136]  Vitaly Shmatikov,et al.  Using Program Analysis to Synthesize Sensor Spoofing Attacks , 2017, AsiaCCS.

[137]  George Candea,et al.  Efficient state merging in symbolic execution , 2012, Software Engineering.

[138]  Stefania Gnesi,et al.  FM 2016: Formal Methods , 2016, Lecture Notes in Computer Science.

[139]  Zhendong Su,et al.  Steering symbolic execution to less traveled paths , 2013, OOPSLA.

[140]  Xiangyu Zhang,et al.  IPA: improving predictive analysis with pointer analysis , 2016, ISSTA.

[141]  Corina S. Pasareanu,et al.  Symbolic Arrays in Symbolic PathFinder , 2017, SOEN.

[142]  Jaco Geldenhuys,et al.  Model Checking Software , 2015, Lecture Notes in Computer Science.

[143]  Thomas Wies,et al.  Deciding Local Theory Extensions via E-matching , 2015, CAV.

[144]  Matthew B. Dwyer,et al.  Compositional load test generation for software pipelines , 2012, ISSTA 2012.

[145]  Amer Diwan,et al.  Measuring enforcement windows with symbolic trace interpretation: what well-behaved programs say , 2012, ISSTA 2012.

[146]  Lori A. Clarke,et al.  A program testing system , 1976, ACM '76.

[147]  Dan Grossman,et al.  Symbolic execution of multithreaded programs from arbitrary program contexts , 2014, OOPSLA 2014.

[148]  Carlo Ghezzi,et al.  Enhancing reuse of constraint solutions to improve symbolic execution , 2015, ISSTA.

[149]  Zhenbang Chen,et al.  Regular Property Guided Dynamic Symbolic Execution , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[150]  Wei Le,et al.  Patch verification via multiversion interprocedural control flow graphs , 2014, ICSE.

[151]  Dawson R. Engler,et al.  Under-Constrained Symbolic Execution: Correctness Checking for Real Code , 2015, USENIX Annual Technical Conference.

[152]  Pravesh Kothari,et al.  A randomized scheduler with probabilistic guarantees of finding bugs , 2010, ASPLOS 2010.

[153]  Patrice Godefroid,et al.  Billions and billions of constraints: Whitebox fuzz testing in production , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[154]  Sarfraz Khurshid,et al.  Compositional Symbolic Execution with Memoized Replay , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[155]  Tevfik Bultan,et al.  Automata-Based Model Counting for String Constraints , 2015, CAV.

[156]  Mark Harman,et al.  Higher Order Mutation Testing , 2009, Inf. Softw. Technol..

[157]  Marcelo F. Frias,et al.  Model Counting for Complex Data Structures , 2015, SPIN.

[158]  Jiang Ming,et al.  Cryptographic Function Detection in Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[159]  Matthew B. Dwyer,et al.  Probabilistic symbolic execution , 2012, ISSTA 2012.

[160]  Michael D. Ernst,et al.  HAMPI: a solver for string constraints , 2009, ISSTA.

[161]  Giovanni Denaro,et al.  Symbolic execution of programs with heap inputs , 2015, ESEC/SIGSOFT FSE.

[162]  Gregory Gay,et al.  Observable modified condition/decision coverage , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[163]  Randal E. Bryant,et al.  Symbolic Boolean manipulation with ordered binary-decision diagrams , 1992, CSUR.

[164]  Sarfraz Khurshid,et al.  Directed incremental symbolic execution , 2011, PLDI '11.

[165]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[166]  Hiroaki Yoshida,et al.  FSX: fine-grained incremental unit test generation for C/C++ programs , 2016, ISSTA.

[167]  Elena Sherman,et al.  User-defined backtracking criteria for symbolic execution , 2014, SOEN.

[168]  Dawson R. Engler,et al.  Expression Reduction from Programs in a Symbolic Binary Executor , 2013, SPIN.

[169]  Gerardo Rubino,et al.  Rare Event Simulation using Monte Carlo Methods , 2009 .

[170]  Zvonimir Rakamaric,et al.  Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers (T) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[171]  Supratik Chakraborty,et al.  A Scalable Approximate Model Counter , 2013, CP.

[172]  Reiner Hähnle,et al.  A General Lattice Model for Merging Symbolic Execution Branches , 2016, ICFEM.

[173]  Chao Wang,et al.  Assertion guided symbolic execution of multithreaded programs , 2015, ESEC/SIGSOFT FSE.

[174]  Bernard Carré,et al.  SPARK—an annotated Ada subset for safety-critical programming , 1990, TRI-Ada '90.

[175]  Marcelo d'Amorim,et al.  Symbolic Execution with Interval Solving and Meta-heuristic Search , 2012, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation.

[176]  Corina S. Pasareanu,et al.  Model-Counting Approaches for Nonlinear Numerical Constraints , 2017, NFM.

[177]  Hung Viet Nguyen,et al.  Dangling references in multi-configuration and dynamic PHP-based Web applications , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[178]  Matthew B. Dwyer,et al.  CIVL: the concurrency intermediate verification language , 2015, SC15: International Conference for High Performance Computing, Networking, Storage and Analysis.

[179]  Johannes Kinder,et al.  ExpoSE: practical symbolic execution of standalone JavaScript , 2017, SPIN.

[180]  Koushik Sen,et al.  MultiSE: multi-path symbolic execution using value summaries , 2015, ESEC/SIGSOFT FSE.