Multi-objective Evolutionary Algorithm for String SMT Solver Testing

String Satisfiability Modulo Theories (SMT) solvers are widely used in academia and industry. The runtime efficiency of these solvers can have a great impact on software engineering tasks such as automated reasoning and formal verification. Although many studies have been conducted to test SMT solvers, they mainly focus on detecting soundness bugs. In contrast, only very few studies concentrate on detecting performance defects of SMT solvers. Moreover, in the existing literature, we observe two major barriers to generating test cases that trigger performance defects in string SMT solvers, i.e., the guidance information barrier and the diversity barrier. In this paper, we propose a multi-objective evolutionary algorithm, MulStringFuzz, to detect performance defects of string SMT solvers. The unique feature of MulStringFuzz lies in the combination of the multi-objective model and the diversity maintenance mechanism. To tackle the guidance information barrier, MulStringFuzz employs multiple objective functions, i.e., the running time, the code coverage, and the test case complexity, to guide test case generation. To tackle the diversity barrier, a tracing-based crowding distance mechanism is proposed to ensure the diversity of the generated test cases. Extensive experiments are conducted to evaluate the effectiveness of MulStringFuzz, and we investigate how each proposed mechanism contributes to the overall framework. The test cases generated by MulStringFuzz cover nearly 5,000 more lines of code and trigger 3.25 times as many performance defects as StringFuzz, which shows that MulStringFuzz can effectively detect performance defects of string SMT solvers.
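The selection step that the abstract describes (several objectives guiding the search, a crowding distance preserving diversity) can be sketched as follows. This is an added example, not MulStringFuzz code: it uses the standard objective-space crowding distance rather than the paper's tracing-based variant, which the abstract does not specify. The sample scores are constructed, and treating all three objectives as maximised is an assumption.

```python
from math import inf

# Constructed sample population. Each candidate test case is scored as
# (solver running time in s, lines of solver code covered, test case complexity).
# Assumption: all three objectives are maximised.
POPULATION = {
    "t1": (0.5, 1000, 5),
    "t2": (2.0, 1500, 8),
    "t3": (9.0, 1200, 6),
    "t4": (1.0, 1400, 7),
    "t5": (8.5, 1250, 6),
    "t6": (3.0, 1100, 20),
}

def dominates(a, b):
    """a dominates b: no worse on every objective, strictly better on one."""
    return all(x >= y for x, y in zip(a, b)) and any(x > y for x, y in zip(a, b))

def pareto_front(pop):
    """Names of the candidates that no other candidate dominates."""
    return sorted(name for name, score in pop.items()
                  if not any(dominates(other, score)
                             for n, other in pop.items() if n != name))

def crowding_distance(pop, names):
    """Per objective, add the normalised gap between each candidate's two
    neighbours; candidates at the extremes of an objective get infinity."""
    dist = {n: 0.0 for n in names}
    for k in range(len(pop[names[0]])):
        order = sorted(names, key=lambda n: pop[n][k])
        lo, hi = pop[order[0]][k], pop[order[-1]][k]
        dist[order[0]] = dist[order[-1]] = inf
        if hi == lo:
            continue
        for i in range(1, len(order) - 1):
            gap = pop[order[i + 1]][k] - pop[order[i - 1]][k]
            dist[order[i]] += gap / (hi - lo)
    return dist

def select(pop, k):
    """Keep k survivors from the Pareto front, least crowded first."""
    front = pareto_front(pop)
    dist = crowding_distance(pop, front)
    return sorted(front, key=lambda n: (-dist[n], n))[:k]

if __name__ == "__main__":
    print(pareto_front(POPULATION))
    print(select(POPULATION, 3))
```

With three survivors, `t5` is dropped even though it is on the Pareto front, because it sits next to `t3` in objective space; that is the diversity pressure the crowding distance supplies.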
