BLISS: Improved Symbolic Execution by Bounded Lazy Initialization with SAT Support

Lazy Initialization (LI) allows symbolic execution to deal effectively with heap-allocated data structures, thanks to a significant reduction in spurious and redundant symbolic structures. Bounded lazy initialization (BLI) improves on LI by taking advantage of precomputed relational bounds on the interpretation of class fields in order to reduce the number of spurious structures even further. In this paper we present bounded lazy initialization with SAT support (BLISS), a novel technique that refines the search for valid structures during the symbolic execution process. BLISS builds upon BLI, extending it with field bound refinement and satisfiability checks. Field bounds are refined while a symbolic structure is concretized, avoiding cases that, given the concrete part of the heap and the field bounds, can be deemed redundant. Satisfiability checks on refined symbolic heaps allow us to prune these heaps as soon as they are identified as infeasible, that is, as soon as it can be confirmed that they cannot be extended to any valid concrete heap. Compared to LI and BLI, BLISS cuts analysis time by up to four orders of magnitude relative to LI for the most complex data structures. Moreover, the number of partially symbolic structures obtained by exploring program paths is reduced by BLISS by over 50 percent, with reductions of over 90 percent in some cases (compared to LI). BLISS uses less memory than LI and BLI, which enables the exploration of states unreachable by previous techniques.
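As an added illustration (not the paper's implementation), the following Python model counts the partially symbolic heaps that plain LI, BLI and a BLISS-style search create for a constructed singly linked list scenario. The scope bound, the precondition fixing the list length, the field bound `next[i] in {null, node i+1}` and the `extensible` function standing in for the paper's SAT call are all assumptions made here.

```python
"""Toy model of symbolic-heap enumeration under LI, BLI and a BLISS-style search.
A partial heap is a list `nxt` where nxt[i] is the concrete `next` target of
node i (an int node index, or None for null); nodes 0..len(nxt) are materialised."""
from typing import List, Optional, Tuple

SCOPE = 4    # assumed scope: at most 4 list nodes may ever be materialised
LENGTH = 3   # assumed precondition: the list under analysis has exactly 3 nodes

Heap = List[Optional[int]]

def li_options(nxt: Heap) -> List[Optional[int]]:
    """Plain lazy initialization for field next of node i = len(nxt):
    null, any node materialised so far, or a fresh node if the scope allows."""
    i = len(nxt)
    fresh = [i + 1] if i + 1 < SCOPE else []
    return [None] + list(range(i + 1)) + fresh

def bli_options(nxt: Heap) -> List[Optional[int]]:
    """Bounded LI: keep only targets inside the precomputed field bound; for an
    acyclic list with symmetry breaking that bound is next[i] in {null, node i+1}."""
    i = len(nxt)
    return [t for t in li_options(nxt) if t is None or t == i + 1]

def extensible(nxt: Heap) -> bool:
    """Stand-in for the SAT check on a refined heap: the materialised nodes must
    not exceed LENGTH, and a terminated list must have exactly LENGTH nodes."""
    materialised = len(nxt) if nxt[-1] is None else len(nxt) + 1
    return materialised == LENGTH if nxt[-1] is None else materialised <= LENGTH

def bliss_options(nxt: Heap) -> List[Optional[int]]:
    """BLISS-style: refine the bound against the concrete part of the heap and
    drop every candidate that cannot be extended to a valid concrete heap."""
    return [t for t in bli_options(nxt) if extensible(nxt + [t])]

def explore(options) -> Tuple[int, int]:
    """Depth-first lazy initialization. Returns (heaps created, complete heaps
    meeting the precondition). A heap is complete once its last next is null; a
    back edge is a cycle, a dead end that LI only notices after creating it."""
    created = valid = 0
    stack: List[Heap] = [[]]
    while stack:
        nxt = stack.pop()
        for t in options(nxt):
            created += 1
            if t is None:
                if len(nxt) + 1 == LENGTH:   # terminated list with len(nxt)+1 nodes
                    valid += 1
            elif t == len(nxt) + 1:          # fresh node: keep concretizing
                stack.append(nxt + [t])
    return created, valid

if __name__ == "__main__":
    for name, opts in (("LI", li_options), ("BLI", bli_options), ("BLISS", bliss_options)):
        print(name, explore(opts))   # LI (17, 1), BLI (7, 1), BLISS (3, 1)
```

All three strategies find the single valid list, but LI creates 17 partial heaps, BLI 7, and the BLISS-style search 3, which is the pruning effect the abstract describes in miniature.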
