Symbolic execution of complex program driven by machine learning based constraint solving

Symbolic execution is a widely-used program analysis technique. It collects and solves path conditions to guide the program traversing. However, due to the limitation of the current constraint solvers, it is difficult to apply symbolic execution on programs with complex path conditions, like nonlinear constraints and function calls. In this paper, we propose a new symbolic execution tool MLB to handle such problem. Instead of relying on the classical constraint solving, in MLB, the feasibility problems of the path conditions are transformed into optimization problems, by minimizing some dissatisfaction degree. The optimization problems are then handled by the underlying optimization solver through machine learning guided sampling and validation. MLB is implemented on the basis of Symbolic PathFinder and encodes not only the simple linear path conditions, but also nonlinear arithmetic operations, and even black-box function calls of library methods, into symbolic path conditions. Experiment results show that MLB can achieve much better coverage on complex real-world programs.

[1]  Koushik Sen,et al.  CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking Tools , 2006, CAV.

[2]  Hans-Paul Schwefel,et al.  Evolution strategies – A comprehensive introduction , 2002, Natural Computing.

[3]  Fred Glover,et al.  Tabu Search: A Tutorial , 1990 .

[4]  Marcelo d'Amorim,et al.  CORAL: Solving Complex Constraints for Symbolic PathFinder , 2011, NASA Formal Methods.

[5]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[6]  Corina S. Pasareanu,et al.  Symbolic PathFinder: symbolic execution of Java bytecode , 2010, ASE.

[7]  Zhendong Su,et al.  Automatic detection of floating-point exceptions , 2013, POPL.

[8]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[9]  Y. Rahmat-Samii,et al.  Particle swarm optimization (PSO) for reflector antenna shaping , 2004, IEEE Antennas and Propagation Society Symposium, 2004..

[10]  Corina S. Pasareanu,et al.  Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis , 2013, Automated Software Engineering.

[11]  Karl N. Levitt,et al.  SELECT—a formal system for testing and debugging programs by symbolic execution , 1975 .

[12]  Goldberg,et al.  Genetic algorithms , 1993, Robust Control Systems with Genetic Algorithms.

[13]  Gordon Fraser,et al.  Improving search-based test suite generation with dynamic symbolic execution , 2013, 2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE).

[14]  Martin Fränzle,et al.  Efficient Solving of Large Non-linear Arithmetic Constraint Systems with Complex Boolean Structure , 2007, J. Satisf. Boolean Model. Comput..

[15]  Koushik Sen,et al.  Concolic testing , 2007, ASE.

[16]  Sarfraz Khurshid,et al.  Symbolic execution for software testing in practice: preliminary assessment , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[17]  Franck van Breugel,et al.  Automatic handling of native methods in Java PathFinder , 2014, SPIN.

[18]  Corina S. Pasareanu,et al.  Symbolic execution with mixed concrete-symbolic solving , 2011, ISSTA '11.

[19]  Nikolai Tillmann,et al.  Pex-White Box Test Generation for .NET , 2008, TAP.

[20]  C. D. Gelatt,et al.  Optimization by Simulated Annealing , 1983, Science.

[21]  Gul A. Agha,et al.  Solving complex path conditions through heuristic search on induced polytopes , 2014, FSE 2014.

[22]  William H. Press,et al.  Numerical Recipes 3rd Edition: The Art of Scientific Computing , 2007 .

[23]  Yang Yu,et al.  Derivative-Free Optimization via Classification , 2016, AAAI.

[24]  David E. Goldberg,et al.  Genetic Algorithms in Search Optimization and Machine Learning , 1988 .

[25]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[26]  Yang Yu,et al.  On sampling-and-classification optimization in discrete domains , 2016, 2016 IEEE Congress on Evolutionary Computation (CEC).