Symbolic execution for software testing: three decades later

The challenges, and great promise, of modern symbolic execution techniques, and the tools to help implement them.

[1] Karl N. Levitt, et al. SELECT—a formal system for testing and debugging programs by symbolic execution, 1975.

[2] James C. King, et al. Symbolic execution and program testing, 1976, CACM.

[3] Lori A. Clarke, et al. A program testing system, 1976, ACM '76.

[4] William E. Howden, et al. Symbolic Testing and the DISSECT Symbolic Evaluation System, 1977, IEEE Transactions on Software Engineering.

[5] Robert O. Hastings, et al. Fast detection of memory leaks and access errors, 1991.

[6] Michelle L. Crane, et al. Runtime Conformance Checking of Objects Using Alloy, 2003, RV@CAV.

[7] Nicholas Nethercote, et al. Valgrind: A Program Supervision Framework, 2003, RV@CAV.

[8] Vikram S. Adve, et al. LLVM: a compilation framework for lifelong program analysis & transformation, 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004.

[9] Koushik Sen, et al. CUTE: a concolic unit testing engine for C, 2005, ESEC/FSE-13.

[10] Dawson R. Engler, et al. Execution Generated Test Cases: How to Make Systems Code Crash Itself, 2005, SPIN.

[11] Koushik Sen, et al. DART: directed automated random testing, 2005, PLDI '05.

[12] Koushik Sen, et al. Automated Systematic Testing of Open Distributed Programs, 2006, FASE.

[13] Koushik Sen, et al. CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking Tools, 2006, CAV.

[14] Koushik Sen, et al. A Race-Detection and Flipping Algorithm for Automated Testing of Multi-threaded Programs, 2006, Haifa Verification Conference.

[15] Gul Agha, et al. Scalable Automated Methods for Dynamic Program Analysis, 2006.

[16] Junfeng Yang, et al. Automatically generating malicious disks using symbolic execution, 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[17] Patrice Godefroid, et al. Compositional dynamic test generation, 2007, POPL '07.

[18] Rupak Majumdar, et al. LATEST: Lazy Dynamic Test Input Generation, 2007.

[19] David L. Dill, et al. A Decision Procedure for Bit-Vectors and Arrays, 2007, CAV.

[20] Corina S. Pasareanu, et al. JPF-SE: A Symbolic Execution Extension to Java PathFinder, 2007, TACAS.

[21] Rupak Majumdar, et al. Hybrid Concolic Testing, 2007, 29th International Conference on Software Engineering (ICSE'07).

[22] Frank Tip, et al. Finding bugs in dynamic web applications, 2008, ISSTA '08.

[23] Dawson R. Engler, et al. EXE: automatically generating inputs of death, 2006, CCS '06.

[24] Nikolaj Bjørner, et al. Z3: An Efficient SMT Solver, 2008, TACAS.

[25] Klaus Wehrle, et al. KleeNet: automatic bug hunting in sensor network applications, 2008, SenSys '08.

[26] Nikolai Tillmann, et al. Pex-White Box Test Generation for .NET, 2008, TAP.

[27] Patrice Godefroid, et al. Automated Whitebox Fuzz Testing, 2008, NDSS.

[28] Michael K. Reiter, et al. Server-side verification of client behavior in online games, 2011, TSEC.

[29] Tao Xie, et al. Improving Structural Testing of Object-Oriented Programs via Integrating Evolutionary Testing and Symbolic Execution, 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[30] Koushik Sen, et al. Heuristics for Scalable Dynamic Test Generation, 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[31] Dawson R. Engler, et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, 2008, OSDI.

[32] Nikolai Tillmann, et al. Automating Software Testing Using Program Analysis, 2008, IEEE Software.

[33] Dawson R. Engler, et al. RWset: Attacking Path Explosion in Constraint-Based Test Generation, 2008, TACAS.

[34] Nikolai Tillmann, et al. Fitness-guided path exploration in dynamic symbolic execution, 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[35] Patrice Godefroid, et al. Precise pointer reasoning for dynamic test generation, 2009, ISSTA.

[36] Rupak Majumdar, et al. Reducing Test Inputs Using Information Partitions, 2009, CAV.

[37] Corina S. Pasareanu, et al. A survey of new trends in symbolic execution for software testing and analysis, 2009, International Journal on Software Tools for Technology Transfer.

[38] Moonzoo Kim, et al. Scalable Distributed Concolic Testing: A Case Study on a Flash Storage Platform, 2010, ICTAC.

[39] George Candea, et al. Execution synthesis: a technique for automated software debugging, 2010, EuroSys '10.

[40] Samik Basu, et al. Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs, 2010, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet.

[41] Myra B. Cohen, et al. Directed test suite augmentation: techniques and tradeoffs, 2010, FSE '10.

[42] Giovanni Denaro, et al. Structural coverage of feasible code, 2010, AST '10.

[43] Mark Harman, et al. An empirical investigation into branch coverage for C programs using CUTE and AUSTIN, 2010.

[44] Junfeng Yang, et al. Stable Deterministic Multithreading through Schedule Memoization, 2010, OSDI.

[45] George Candea, et al. Reverse engineering of binary device drivers with RevNIC, 2010, EuroSys '10.

[46] David Brumley, et al. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask), 2010, 2010 IEEE Symposium on Security and Privacy.

[47] David Brumley, et al. AEG: Automatic Exploit Generation, 2011, NDSS.

[48] Guodong Li, et al. KLOVER: A Symbolic Execution and Automatic Test Generation Tool for C++ Programs, 2011, CAV.

[49] Peter R. Pietzuch, et al. Rule-Based Verification of Network Protocol Implementations Using Symbolic Execution, 2011, 2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN).

[50] Sarfraz Khurshid, et al. Symbolic execution for software testing in practice: preliminary assessment, 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[51] Paolo Tonella, et al. Symbolic search-based testing, 2011, 2011 26th IEEE/ACM International Conference on Automated Software Engineering (ASE 2011).

[52] Patrice Godefroid. Higher-order test generation, 2011, PLDI '11.

[53] Mark Harman, et al. An Analysis and Survey of the Development of Mutation Testing, 2011, IEEE Transactions on Software Engineering.

[54] George Candea, et al. Parallel symbolic execution for automated real-world software testing, 2011, EuroSys '11.

[55] Paul H. J. Kelly, et al. Symbolic crosschecking of floating-point and SIMD code, 2011, EuroSys '11.

[56] Peng Li, et al. GKLEE: concolic verification and test generation for GPUs, 2012, PPoPP '12.