Automatic testing of symbolic execution engines via program generation and differential testing

Kapus, Timotej; Cadar, Cristian

doi:10.1109/ase.2017.8115669

Cited by 33 publications

(20 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The idea of randomly generating or mutating programs to induce errors in production compilers and interpreters has a long history, with grammar-or mutationbased fuzzers having been designed to test implementations of languages such as COBOL [Sauder 1962], PL/I [Hanford 1970], FORTRAN [Burgess and Saidi 1996], Ada and Pascal [Wichmann 1998], and more recently C [Le et al 2014[Le et al , 2015aNagai et al 2014;Nakamura and Ishiura 2016;Sun et al 2016a;Yang et al 2011;Yarpgen 2018], JavaScript and PHP [Holler et al 2012], Java byte-code [Chen et al 2016], OpenCL [Lidbury et al 2015], GLSL [Donaldson et al 2017;Donaldson and Lascu 2016] and C++ [Sun et al 2016b] (see also two surveys on the topic [Boujarwah and Saleh 1997;Kossatchev and Posypkin 2005]). Related approaches have been used to test other programming language processors, such as static analysers , refactoring engines [Daniel et al 2007], and symbolic executors [Kapus and Cadar 2017]. Many of these approaches are either geared towards inducing crashes, for which the test oracle problem is easy.…”

Section: Related Workmentioning

confidence: 99%

Compiler fuzzing: how much does it matter?

Marcozzi

Tang

Donaldson

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

Despite much recent interest in randomised testing (fuzzing) of compilers, the practical impact of fuzzer-found compiler bugs on real-world applications has barely been assessed. We present the first quantitative and qualitative study of the tangible impact of miscompilation bugs in a mature compiler. We follow a rigorous methodology where the bug impact over the compiled application is evaluated based on (1) whether the bug appears to trigger during compilation; (2) the extent to which generated assembly code changes syntactically due to triggering of the bug; and (3) whether such changes cause regression test suite failures, or whether we can manually find application inputs that trigger execution divergence due to such changes. The study is conducted with respect to the compilation of more than 10 million lines of C/C++ code from 309 Debian packages, using 12% of the historical and now fixed miscompilation bugs found by four state-of-the-art fuzzers in the Clang/LLVM compiler, as well as 18 bugs found by human users compiling real code or as a by-product of formal verification efforts. The results show that almost half of the fuzzer-found bugs propagate to the generated binaries for at least one package, in which case only a very small part of the binary is typically affected, yet causing two failures when running the test suites of all the impacted packages. User-reported and formal verification bugs do not exhibit a higher impact, with a lower rate of triggered bugs and one test failure. The manual analysis of a selection of the syntactic changes caused by some of our bugs (fuzzer-found and non fuzzer-found) in package assembly code, shows that either these changes have no semantic impact or that they would require very specific runtime circumstances to trigger execution divergence. CCS Concepts: • Software and its engineering → Compilers; Software verification and validation.

show abstract

Section: Related Workmentioning

confidence: 99%

Compiler fuzzing: how much does it matter?

Marcozzi

Tang

Donaldson

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Testing symbolic execution engines. Kapus and Cadar use random program generation in combination with differential testing to find bugs in symbolic execution engines [9], by for instance comparing crashes, output differences, and code coverage. Unlike our approach, this work specifically targets symbolic execution engines and compares the tested engines on randomly generated programs.…”

Section: Related Workmentioning

confidence: 99%

Differentially testing soundness and precision of program analyzers

Klinger

Christakis

Wüstholz³

2019

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

In the last decades, numerous program analyzers have been developed both by academia and industry. Despite their abundance however, there is currently no systematic way of comparing the effectiveness of different analyzers on arbitrary code. In this paper, we present the first automated technique for differentially testing soundness and precision of program analyzers. We used our technique to compare six mature, state-ofthe art analyzers on tens of thousands of automatically generated benchmarks. Our technique detected soundness and precision issues in most analyzers, and we evaluated the implications of these issues to both designers and users of program analyzers.

show abstract

“…General evaluation of program analysis techniques. While related works mainly evaluate the existing program analysis tools by focusing on the final goal for which these tools are being used, the research community has started to invest effort into ensuring the preciseness and reliability of program analysis tools, regardless of the problem they are trying to solve [11], [28].…”

Section: Related Workmentioning

confidence: 99%

“…As an example, Kapus et al [28] adopted compiler testing techniques to automatically find errors in symbolic execution engines. They managed to find 20 major bugs in three widelyused symbolic execution engines.…”

Section: Related Workmentioning

confidence: 99%

Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools

Machiry¹,

Redini²,

Gustafson³

et al. 2019

Proceedings 2019 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Binary static analysis has seen a recent surge in interest, due to a rise in analysis targets for which no other method is appropriate, such as, embedded firmware. This has led to the proposal of a number of binary static analysis tools and techniques, handling various kinds of programs, and answering different research questions. While static analyis tools that focus on binaries inherit the undecidability of static analysis, they bring with them other challenges, particularly in dealing with the aliasing of code and data pointers. These tools may tackle these challenges in different ways, but unfortunately, there is currently no concrete means of comparing their effectiveness at solving these central, problem-independent aspects of static analysis.

show abstract

Automatic testing of symbolic execution engines via program generation and differential testing

Cited by 33 publications

References 33 publications

Compiler fuzzing: how much does it matter?

Compiler fuzzing: how much does it matter?

Differentially testing soundness and precision of program analyzers

Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools

Contact Info

Product

Resources

About