Dynamic symbolic execution for polymorphism

Symbolic execution is an important program analysis technique that provides auxiliary execution semantics to execute programs with symbolic rather than concrete values. There has been much recent interest in symbolic execution for automatic test case generation and security vulnerability detection, resulting in various tools being deployed in academia and industry. Nevertheless, (subtype or dynamic) polymorphism of object-oriented programs has been neglected: existing symbolic execution techniques can explore different targets of conditional branches but not different targets of method invocations. We address the problem of how this polymorphism can be expressed in a symbolic execution framework. We propose the notion of symbolic types, which make object types symbolic. With symbolic types, various targets of a method invocation can be explored systematically by mutating the type of the receiver object of the method during automatic test case generation. To the best of our knowledge, this is the first attempt to address polymorphism in symbolic execution. Mutation of method invocation targets is critical for effectively testing object-oriented programs, especially libraries. Our experimental results show that symbolic types are significantly more effective than existing symbolic execution techniques in achieving test coverage and finding bugs and security vulnerabilities in OpenJDK.
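The receiver-type mutation the abstract describes, modelled in Python as an added illustration rather than the paper's own tool (which targets Java bytecode and OpenJDK). The `Codec` hierarchy, `method_under_test`, the latent defect in `LegacyHexCodec` and the byte inputs are all constructed for this example. The class hierarchy stands in for the subtype relation a Java engine would obtain from the declared type of the receiver; `concrete_subtypes` enumerates the domain of the symbolic type, `dispatch_target` names the method a virtual call actually resolves to, and the two drivers contrast a harness that fixes the receiver (only branches on `data` vary) with one that mutates the receiver's type so every override becomes a reachable target.

```python
from abc import ABC, abstractmethod
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed class hierarchy (hypothetical; stands in for a library API whose
# declared parameter type has several concrete subtypes).
class Codec(ABC):
    @abstractmethod
    def decode(self, data: bytes) -> str: ...

class Utf8Codec(Codec):
    def decode(self, data: bytes) -> str:
        return data.decode("utf-8")

class HexCodec(Codec):
    def decode(self, data: bytes) -> str:
        return bytes.fromhex(data.decode("ascii")).decode("utf-8")

class LegacyHexCodec(HexCodec):
    # Overrides decode() with a length guard that rejects inputs of 8+ bytes.
    # This is the (constructed) latent defect: it is reachable only when the
    # receiver's dynamic type is LegacyHexCodec, never through branches on data.
    def decode(self, data: bytes) -> str:
        if len(data) >= 8:
            raise ValueError("legacy codec: input too long")
        return super().decode(data)

class NullCodec(HexCodec):
    pass  # no override: a call on a NullCodec dispatches to HexCodec.decode

def method_under_test(codec: Codec, data: bytes) -> str:
    """Code under test: one conditional branch plus one polymorphic call site.
    Exploring paths over `data` alone never changes which decode() runs."""
    if not data:
        return ""
    return codec.decode(data).strip()

Outcome = Tuple[str, str]  # ("ok", return value) or ("error", exception type name)

def concrete_subtypes(cls: type) -> Iterator[type]:
    """Depth-first enumeration of the instantiable subtypes of `cls` (cls itself
    included when concrete). This set is the domain of the symbolic type."""
    if not getattr(cls, "__abstractmethods__", frozenset()):
        yield cls
    for sub in cls.__subclasses__():
        yield from concrete_subtypes(sub)

def dispatch_target(cls: type, name: str) -> str:
    """Qualified name of the method that receiver.<name>() resolves to for a
    receiver of dynamic type `cls` (follows the MRO, so inherited methods count)."""
    return getattr(cls, name).__qualname__

def explore(receiver_types: Iterable[type], inputs: Iterable[bytes]) -> Dict[str, Set[Outcome]]:
    """Run method_under_test for every (receiver type, input) pair and record,
    per dispatch target reached, the set of outcomes observed."""
    inputs = list(inputs)
    covered: Dict[str, Set[Outcome]] = {}
    for cls in receiver_types:
        target = dispatch_target(cls, "decode")
        for data in inputs:
            try:
                outcome: Outcome = ("ok", method_under_test(cls(), data))
            except Exception as exc:  # record any failure rather than hide it
                outcome = ("error", type(exc).__name__)
            covered.setdefault(target, set()).add(outcome)
    return covered

def explore_symbolic_types(declared: type, inputs: Iterable[bytes]) -> Dict[str, Set[Outcome]]:
    """Symbolic-type exploration: the receiver's type is mutated over every
    concrete subtype of its declared type, so every override becomes a target."""
    return explore(list(concrete_subtypes(declared)), inputs)

def explore_fixed_receiver(cls: type, inputs: Iterable[bytes]) -> Dict[str, Set[Outcome]]:
    """Baseline: a harness that picks one concrete receiver and only varies data."""
    return explore([cls], inputs)

# Constructed inputs: empty (takes the early-return branch), 4 hex chars, 12 hex chars.
INPUTS: List[bytes] = [b"", b"4869", b"48656c6c6f21"]

if __name__ == "__main__":
    for label, result in (("fixed receiver (Utf8Codec)", explore_fixed_receiver(Utf8Codec, INPUTS)),
                          ("symbolic type over Codec", explore_symbolic_types(Codec, INPUTS))):
        print(label)
        for target, outcomes in result.items():
            print(f"  {target}: {sorted(outcomes)}")
```

With the fixed receiver only `Utf8Codec.decode` is ever covered; with the symbolic type the same three inputs reach `Utf8Codec.decode`, `HexCodec.decode` (through both `HexCodec` and `NullCodec`, which the target-based bookkeeping correctly merges) and `LegacyHexCodec.decode`, and the `ValueError` in the legacy override shows up only in the latter run. A real engine would additionally keep the type as a constraint on the path condition and let the solver pick it; enumerating the hierarchy is the simplest correct instance of that idea.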
