A Comparative Study of Incremental Constraint Solving Approaches in Symbolic Execution

Liu, Tianhai; Araújo, M.ª L. Diniz; d’Amorim, Marcelo; Taghdiri, Mana

doi:10.1007/978-3-319-13338-6_21

Cited by 20 publications

(8 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Symbolic execution engines issue a huge number of queries to the constraint solver that are often large and complex when analyzing real-world programs. As a result, constraint solving dominates runtime for the majority of non-trivial programs [30,33]. Recent research has tackled the challenge by proposing several constraint solving optimizations that can help reduce constraint solving cost [5, 12, 21, 27, 33-35, 41, 45].…”

mentioning

confidence: 99%

Chopped symbolic execution

Trabish

Mattavelli

Rinetzky

et al. 2018

Proceedings of the 40th International Conference on Software Engineering

View full text Add to dashboard Cite

Symbolic execution is a powerful program analysis technique that systematically explores multiple program paths. However, despite important technical advances, symbolic execution often struggles to reach deep parts of the code due to the well-known path explosion problem and constraint solving limitations. In this paper, we propose chopped symbolic execution, a novel form of symbolic execution that allows users to specify uninteresting parts of the code to exclude during the analysis, thus only targeting the exploration to paths of importance. However, the excluded parts are not summarily ignored, as this may lead to both false positives and false negatives. Instead, they are executed lazily, when their effect may be observable by code under analysis. Chopped symbolic execution leverages various on-demand static analyses at runtime to automatically exclude code fragments while resolving their side effects, thus avoiding expensive manual annotations and imprecision. Our preliminary results show that the approach can effectively improve the effectiveness of symbolic execution in several different scenarios, including failure reproduction and test suite augmentation.

show abstract

mentioning

confidence: 99%

Chopped symbolic execution

Trabish

Mattavelli

Rinetzky

et al. 2018

Proceedings of the 40th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…KLEE has to make more feasibility checks (up to 2 per node of the FEP tree) than the concolic method and uses a constraint cache to limit solver calls. It does not benefit from incremental constraint solving or backtracking and this may make it less efficient [15] but breadth-first generation strategies are easily implemented. To do that in PathCrawler, while keeping the efficiency of backtracking, we used multi-threading.…”

Section: Related Workmentioning

confidence: 99%

Towards exhaustive branch coverage with PathCrawler

Williams

2021

2021 IEEE/ACM International Conference on Automation of Software Test (AST)

View full text Add to dashboard Cite

Branch coverage of source code is a very widely used test criterion. Moreover, branch coverage is a similar problem to line coverage, MC/DC and the coverage of assertion violations, certain runtime errors and various other types of test objective. Indeed, establishing that a large number of test objectives are unreachable, or conversely, providing the test inputs which reach them, is at the heart of many verification tasks. However, automatic test generation for exhaustive branch coverage remains an elusive goal: many modern tools obtain high coverage scores without being able to provide an explanation for why some branches are not covered, such as a demonstration that they are unreachable. Concolic test generation offers the promise of exhaustive coverage but covers paths more efficiently than branches. In this paper, I explain why, and propose different strategies to improve its performance on exhaustive branch coverage. A comparison of these strategies on examples of real code shows promising results.

show abstract

“…State-of-the-art SMT solvers can efficiently handle huge expressions in some relevant logic theories, namely Booleans, Integers, Reals, the Mixed Theory of Integers and Reals, Strings, Fixed Size Bit-vectors, Arrays, Uninterpreted Functions and Uninterpreted Sorts [8], [9], [14], [15], [17], [19], and largely contribute to the industrial applicability of symbolic program analysis [5]. Despite the maturity of theories and tools, SMT solvers still represent a main bottleneck to the scalability of symbolic program analysis [24], [26], [28].…”

Section: Introductionmentioning

confidence: 99%

Reusing Solutions Modulo Theories

Aquino

Denaro

Pezzè

2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

In this paper we propose an approach for reusing formula solutions to reduce the impact of Satisfiability Modulo Theories (SMT) solvers on the scalability of symbolic program analysis. SMT solvers can efficiently handle huge expressions in relevant logic theories, but they still represent a main bottleneck to the scalability of symbolic analyses, like symbolic execution and symbolic model checking. Reusing proofs of formulas solved during former analysis sessions can reduce the amount of invocations of SMT solvers, thus mitigating the impact of SMT solvers on symbolic program analysis. Early approaches to reuse formula solutions exploit equivalence and inclusion relations among structurally similar formulas, and are strongly tighten to the specific target logics. In this paper, we present an original approach that reuses both satisfiability and unsatisfiability proofs shared among many formulas beyond only equivalent or related-by-implication formulas. Our approach straightforwardly generalises across multiple logics. It is based on the original concept of distance between formulas, which heuristically approximates the likelihood of formulas to share either satisfiability or unsatisfiability proofs. We show the efficiency and the generalisability of our approach, by instantiating the underlying distance function for formulas that belong to most popular logic theories handled by current SMT solvers, and confirm the effectiveness of the approach, by reporting experimental results on over nine millions formulas from five logic theories.

show abstract

A Comparative Study of Incremental Constraint Solving Approaches in Symbolic Execution

Cited by 20 publications

References 22 publications

Chopped symbolic execution

Chopped symbolic execution

Towards exhaustive branch coverage with PathCrawler

Reusing Solutions Modulo Theories

Contact Info

Product

Resources

About