Symbolic execution formally explained

In this paper, we provide a formal explanation of symbolic execution in terms of a symbolic transition system and prove its correctness and completeness with respect to an operational semantics which models the execution on concrete values. We first introduce a formal model for a basic programming language with a statically fixed number of programming variables. This model is extended to a programming language with recursive procedures which are called by a call-by-value parameter mechanism. Finally, we present a more general formal framework for proving the soundness and completeness of the symbolic execution of a basic object-oriented language which features dynamically allocated variables.
