Parallel SMT-Constrained Symbolic Execution for Eclipse CDT/Codan

This paper presents a parallel symbolic execution engine as a plug-in extension to Eclipse CDT/Codan. It uses the CDT parser and the control flow graph builder from CDT’s code analysis framework (Codan). Path satisfiability and bug conditions are checked with an SMT solver in the logic of arrays, uninterpreted functions and nonlinear integer and real arithmetic (AUFNIRA). Each worker of the parallel engine keeps the symbolic program states along its current program path in memory, to allow for quick backtracking. Dynamic redistribution of work between workers is enabled by splitting a worker’s partition of the execution tree at the partition’s top decision node, where a partition is defined by the start path leading to its root control flow decision node. The runtime behaviour of the parallel symbolic execution engine is evaluated by running it on buffer overflow test programs from the NSA’s Juliet test suite for static analyzers. Both the speedup of backtracking the symbolic program state over a previous single-threaded implementation with path replay and the speedup with an increasing number of workers are investigated.
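An added sketch (not code from the paper or the plug-in) of the partition splitting the abstract describes, written in Python with round-robin simulated workers instead of threads. Assumptions: a constructed toy program of four two-way branches, a `feasible` stub in place of the SMT solver, and the hypothetical names `Worker`, `split` and `run`; a partition is represented by its start path, and the donor hands over the unexplored branch at its shallowest open decision node.

```python
from collections import deque

DEPTH = 4  # constructed toy program: four sequential two-way branches

def feasible(path):
    # Stand-in for the SMT satisfiability check (assumption): taking the
    # 1-branch at both decision 0 and decision 2 is unsatisfiable.
    return not (len(path) > 2 and path[0] == 1 and path[2] == 1)

class Worker:
    def __init__(self, start_path):
        self.start = tuple(start_path)   # start path defines the partition
        self.open = deque([self.start])  # unexplored subtrees, shallowest at left
        self.done = []                   # completed feasible program paths

    def step(self):
        """Explore one node depth-first; False once the partition is exhausted."""
        if not self.open:
            return False
        path = self.open.pop()           # deepest open node first
        if feasible(path):
            if len(path) == DEPTH:
                self.done.append(path)
            else:
                self.open.extend([path + (1,), path + (0,)])
        return True

    def split(self):
        """Hand the open branch at the top decision node to a new worker."""
        if len(self.open) < 2:
            return None                  # nothing to give away
        return Worker(self.open.popleft())

def run(n_workers, steps_per_turn=3):
    workers, finished = [Worker(())], []
    while workers:
        for w in list(workers):
            for _ in range(steps_per_turn):
                w.step()
            if not w.open:               # partition fully explored
                workers.remove(w)
                finished.append(w)
            elif len(workers) < n_workers:
                new = w.split()          # redistribute work to an idle slot
                if new:
                    workers.append(new)
    return sorted(p for w in finished for p in w.done)
```

Because every entry in `open` roots a disjoint subtree, the split partitions never overlap, so any number of workers reports the same path set as a single worker.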
