Regular Property Guided Dynamic Symbolic Execution

A challenging problem in software engineering is to check whether a program has an execution path satisfying a regular property. We propose a novel method of dynamic symbolic execution (DSE) to automatically find a path of a program satisfying a regular property. What makes our method distinct is that, when exploring the path space, DSE is guided by the synergy of static analysis and dynamic analysis to find a target path as soon as possible. We have implemented our guided DSE method for Java programs based on JPF and WALA, and applied it to 13 real-world open source Java programs, a total of 225K lines of code, for extensive experiments. The results show the effectiveness, efficiency, feasibility and scalability of the method. Compared with pure DSE on the time to find the first target path, the average speedup of the guided DSE is more than 258X when analyzing the programs that have more than 100 paths.
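The idea the abstract describes, that a static analysis can tell a path explorer which branches can still lead to a path accepted by the property automaton, is small enough to show on a toy model. The following is an added illustration, not the paper's JPF/WALA implementation: the program is a hand-built control-flow graph over boolean inputs whose nodes either raise an event (`open`, `read`, `close`) or branch on an input; the regular property is a constructed DFA that accepts "read after close"; the "static analysis" is backward reachability on the product graph CFG x DFA; and the "dynamic symbolic execution" is a depth-first search over path conditions on booleans, so no constraint solver is needed. The guided search prunes any branch whose product state cannot reach the accepting state, while the unguided search explores paths in program order.

```python
"""Toy model of regular-property-guided path exploration.

Added example: the CFG, the DFA and the guidance heuristic are all
constructed for illustration and are not the paper's own code or data.
"""
from collections import deque

EXIT = "exit"
ENTRY = "n0"

# Constructed CFG. node -> ("event", label, next)
#                  or   ("branch", input_var, next_if_true, next_if_false)
CFG = {
    "n0": ("event", "open", "n1"),
    "n1": ("branch", "a", "n2", "n3"),
    "n2": ("event", "read", "n3"),
    "n3": ("branch", "b", "n5", "n4"),   # b=True skips the close
    "n4": ("event", "close", "n5"),
    "n5": ("branch", "c", "n6", "n7"),
    "n6": ("event", "read", "n7"),
    "n7": ("branch", "d", "n8", EXIT),
    "n8": ("event", "close", EXIT),
}

# Constructed regular property "read after close"; state 3 is accepting.
DFA_INIT, DFA_ACCEPT = 0, 3
DFA = {
    (0, "open"): 1,
    (1, "read"): 1, (1, "close"): 2, (1, "open"): 1,
    (2, "read"): 3, (2, "close"): 2, (2, "open"): 1,
}


def step_dfa(state, event):
    """Advance the property automaton; the accepting state is absorbing
    and events with no transition self-loop."""
    if state == DFA_ACCEPT:
        return state
    return DFA.get((state, event), state)


def successors(node, state):
    """Product-graph successors of (cfg node, dfa state), ignoring path
    feasibility. This is the static view of the program."""
    if node == EXIT:
        return []
    kind = CFG[node]
    if kind[0] == "event":
        return [(kind[2], step_dfa(state, kind[1]))]
    return [(kind[2], state), (kind[3], state)]


def static_reachable_to_target():
    """Static analysis: product states from which (EXIT, accepting) is reachable."""
    seen = {(ENTRY, DFA_INIT)}
    work = deque(seen)
    rev = {}
    while work:                      # forward pass builds reverse edges
        pn = work.popleft()
        for s in successors(*pn):
            rev.setdefault(s, []).append(pn)
            if s not in seen:
                seen.add(s)
                work.append(s)
    target = (EXIT, DFA_ACCEPT)
    good = {target} if target in seen else set()
    work = deque(good)
    while work:                      # backward pass from the target
        pn = work.popleft()
        for p in rev.get(pn, []):
            if p not in good:
                good.add(p)
                work.append(p)
    return good


def explore(guided):
    """DFS over symbolic paths (path condition = dict of fixed inputs).
    Returns (event trace of the first target path, number of complete paths run)."""
    good = static_reachable_to_target() if guided else None
    stack = [(ENTRY, DFA_INIT, {}, [])]
    paths = 0
    while stack:
        node, state, pc, trace = stack.pop()
        if node == EXIT:
            paths += 1
            if state == DFA_ACCEPT:
                return trace, paths
            continue
        kind = CFG[node]
        if kind[0] == "event":
            stack.append((kind[2], step_dfa(state, kind[1]), pc, trace + [kind[1]]))
            continue
        var, t_succ, f_succ = kind[1], kind[2], kind[3]
        if var in pc:                # branch already decided by the path condition
            choices = [(pc[var], t_succ if pc[var] else f_succ)]
        else:
            choices = [(True, t_succ), (False, f_succ)]
        if guided:                   # prune branches that can never reach the target
            choices = [c for c in choices if (c[1], state) in good]
        for value, succ in reversed(choices):   # keep "true first" order on the stack
            new_pc = dict(pc)
            new_pc[var] = value
            stack.append((succ, state, new_pc, trace))
    return None, paths


if __name__ == "__main__":
    for mode in (False, True):
        trace, n = explore(mode)
        print("guided" if mode else "unguided", "->", n, "paths, trace", trace)
```

On this model the unguided search runs five complete paths before it reaches the first one accepted by the property, whereas the guided search runs exactly one, because the product reachability set tells it at `n3` that skipping the close can never lead to a "read after close" and at `n5` that skipping the read cannot either. Replacing the boolean path conditions with a real solver and the hand-built CFG with one extracted from bytecode is where the paper's JPF and WALA components come in.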
