research-article

Multiplex symbolic execution: exploring multiple paths by solving once

Authors:

Ji WangAuthors Info & Claims

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

Pages 846 - 857

https://doi.org/10.1145/3324884.3416645

Published: 27 January 2021 Publication History

Abstract

Path explosion and constraint solving are two challenges to symbolic execution's scalability. Symbolic execution explores the program's path space with a searching strategy and invokes the underlying constraint solver in a black-box manner to check the feasibility of a path. Inside the constraint solver, another searching procedure is employed to prove or disprove the feasibility. Hence, there exists the problem of double searchings in symbolic execution. In this paper, we propose to unify the double searching procedures to improve the scalability of symbolic execution. We propose Multiplex Symbolic Execution (MuSE) that utilizes the intermediate assignments during the constraint solving procedure to generate new program inputs. MuSE maps the constraint solving procedure to the path exploration in symbolic execution and explores multiple paths in one time of solving. We have implemented MuSE on two symbolic execution tools (based on KLEE and JPF) and three commonly used constraint solving algorithms. The results of the extensive experiments on real-world benchmarks indicate that MuSE has orders of magnitude speedup to achieve the same coverage.

References

[1]

2020. LibFuzzer. http://llvm.org/docs/LibFuzzer.html.

[2]

Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. 2014. Enhancing Symbolic Execution with Veritesting. In Proceedings of the 36th International Conference on Software Engineering (Hyderabad, India) (ICSE 2014). Association for Computing Machinery, New York, NY, USA, 1083--1094.

Digital Library

[3]

Berkeley. 2020. SoftFloat 2b. http://www.jhauser.us/arithmetic/SoftFloat.html.

[4]

J. Burnim and K. Sen. 2008. Heuristics for Scalable Dynamic Test Generation. In 2008 23rd IEEE/ACM International Conference on Automated Software Engineering. 443--446.

[5]

Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (San Diego, California) (OSDI'08). USENIX Association, USA, 209--224.

Digital Library

[6]

Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2008. EXE: Automatically Generating Inputs of Death. ACM Trans. Inf. Syst. Secur. 12, 2, Article 10 (Dec. 2008), 38 pages.

Digital Library

[7]

Sooyoung Cha, Seongjoon Hong, Junhee Lee, and Hakjoo Oh. 2018. Automatically Generating Search Heuristics for Concolic Testing. In Proceedings of the 40th International Conference on Software Engineering (Gothenburg, Sweden) (ICSE '18). Association for Computing Machinery, New York, NY, USA, 1244--1254.

Digital Library

[8]

S. Cha, S. Lee, and H. Oh. 2018. Template-Guided Concolic Testing via Online Learning. In 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE). 408--418.

[9]

Sooyoung Cha and Hakjoo Oh. 2019. Concolic Testing with Adaptively Changing Search Heuristics. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Tallinn, Estonia) (ESEC/FSE 2019). Association for Computing Machinery, New York, NY, USA, 235--245.

Digital Library

[10]

Brett Daniel, Tihomir Gvero, and Darko Marinov. 2010. On Test Repair Using Symbolic Execution. In Proceedings of the 19th International Symposium on Software Testing and Analysis (Trento, Italy) (ISSTA '10). Association for Computing Machinery, New York, NY, USA, 207--218.

Digital Library

[11]

Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, C. R. Ramakrishnan and Jakob Rehof (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 337--340.

Digital Library

[12]

Isil Dillig, Thomas Dillig, and Alex Aiken. 2009. Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers. In Computer Aided Verification, Ahmed Bouajjani and Oded Maler (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 233--247.

[13]

Bruno Dutertre and Leonardo de Moura. 2006. A Fast Linear-Arithmetic Solver for DPLL(T). In Computer Aided Verification, Thomas Ball and Robert B. Jones (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 81--94.

[14]

The Free Software Foundation. 2020. GNU Scientific Library. https://www.gnu.org/software/gsl/.

[15]

Zhoulai Fu and Zhendong Su. 2016. XSat: A Fast Floating-Point Satisfiability Solver. In Proceedings of the 28th International Conference on Computer Aided Verification. 187--209.

[16]

Vijay Ganesh and David L. Dill. 2007. A Decision Procedure for Bit-Vectors and Arrays. In Proceedings of the 19th International Conference on Computer Aided Verification (Berlin, Germany) (CAV'07). Springer-Verlag, Berlin, Heidelberg, 519--531.

[17]

Patrice Godefroid, Adam Kiezun, and Michael Y. Levin. 2008. Grammar-Based Whitebox Fuzzing. SIGPLAN Not. 43, 6 (June 2008), 206--215.

Digital Library

[18]

Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: Directed Automated Random Testing. SIGPLAN Not. 40, 6 (June 2005), 213--223.

Digital Library

[19]

Patrice Godefroid, Michael Y. Levin, and David Molnar. 2012. SAGE: Whitebox Fuzzing for Security Testing. Queue 10, 1 (Jan. 2012), 20--27.

Digital Library

[20]

Xiangyang Jia, Carlo Ghezzi, and Shi Ying. 2015. Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (Baltimore, MD, USA) (ISSTA 2015). Association for Computing Machinery, New York, NY, USA, 177--187.

Digital Library

[21]

James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM 19, 7 (July 1976), 385--394.

Digital Library

[22]

S Kirkpatrick, C D Gelatt, and M P Vecchi. 1983. Optimization by Simulated Annealing. Science 220, 4598 (1983), 671--680.

[23]

Daniel Kroening and Ofer Strichman. 2008. Decision Procedures: An Algorithmic Point of View.

[24]

Volodymyr Kuznetsov, Johannes Kinder, Stefan Bucur, and George Candea. 2012. Efficient State Merging in Symbolic Execution. SIGPLAN Not. 47, 6 (June 2012), 193--204.

Digital Library

[25]

Leon S Lasdon, Richard L Fox, and Margery W Ratner. 1963. Linear Programming and Extensions. Princeton University.

[26]

Eva K Lee and John E Mitchell. 2009. Integer programming: branch and bound methodsInteger Programming: Branch and Bound Methods. Springer US, Boston, MA, 1634--1643.

[27]

You Li, Zhendong Su, Linzhang Wang, and Xuandong Li. 2013. Steering Symbolic Execution to Less Traveled Paths. SIGPLAN Not. 48, 10 (Oct. 2013), 19--32.

Digital Library

[28]

Daniel Liew, Cristian Cadar, Alastair F. Donaldson, and J. Ryan Stinnett. 2019. Just Fuzz It: Solving Floating-Point Constraints Using Coverage-Guided Fuzzing. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Tallinn, Estonia) (ESEC/FSE 2019). Association for Computing Machinery, New York, NY, USA, 521--532.

Digital Library

[29]

Kin-Keung Ma, Khoo Yit Phang, Jeffrey S Foster, and Michael Hicks. 2011. Directed Symbolic Execution. In Static Analysis, Eran Yahav (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 95--111.

[30]

Phil McMinn. 2004. Search-Based Software Test Data Generation: A Survey: Research Articles. Softw. Test. Verif. Reliab. 14, 2 (June 2004), 105--156.

Digital Library

[31]

Aina Niemetz, Mathias Preiner, and Armin Biere. 2014 (published 2015). Boolector 2.0 system description. Journal on Satisfiability, Boolean Modeling and Computation 9 (2014 (published 2015)), 53--58.

[32]

Brian Olson, Irina Hashmi, Kevin Molloy, and Amarda Shehu. 2012. Basin Hopping as a General and Versatile Optimization Framework for the Characterization of Biological Macromolecules. Adv. in Artif. Intell. 2012, Article 3 (Jan. 2012), 1 pages.

Digital Library

[33]

Corina S. Păsăreanu and Neha Rungta. 2010. Symbolic PathFinder: Symbolic Execution of Java Bytecode. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (Antwerp, Belgium) (ASE '10). Association for Computing Machinery, New York, NY, USA, 179--180.

Digital Library

[34]

Minghui Quan. 2016. Hotspot symbolic execution of floating-point programs. In Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2016, Seattle, WA, USA, November 13--18, 2016, Thomas Zimmermann, Jane Cleland-Huang, and Zhendong Su (Eds.). ACM, 1112--1114.

Digital Library

[35]

David A. Ramos and Dawson Engler. 2015. Under-Constrained Symbolic Execution: Correctness Checking for Real Code. In Proceedings of the 24th USENIX Conference on Security Symposium (Washington, D.C.) (SEC'15). USENIX Association, USA, 49--64.

[36]

Anthony Romano. 2014. Practical Floating-Point Tests with Integer Code. In Verification, Model Checking, and Abstract Interpretation - 15th International Conference, VMCAI 2014, San Diego, CA, USA, January 19--21, 2014, Proceedings (Lecture Notes in Computer Science), Kenneth L. McMillan and Xavier Rival (Eds.), Vol. 8318. Springer, 337--356.

Digital Library

[37]

Koushik Sen. 2006. Scalable Automated Methods for Dynamic Program Analysis. Ph.D. Dissertation. USA. Advisor(s) Agha, Gul. AAI3242987.

Digital Library

[38]

Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A Concolic Unit Testing Engine for C. SIGSOFT Softw. Eng. Notes 30, 5 (Sept. 2005), 263--272.

Digital Library

[39]

Jiří Slab, Jan Strejček, and Marek Trtík. 2012. Checking Properties Described by State Machines: On Synergy of Instrumentation, Slicing, and Symbolic Execution, Vol. 7437.

[40]

Matheus Souza, Mateus Borges, Marcelo d'Amorim, and Corina S. Pasareanu. 2011. CORAL: Solving Complex Constraints for Symbolic PathFinder. In NASA Formal Methods.

[41]

Nikolai Tillmann and Jonathan de Halleux. 2008. Pex-White Box Test Generation for .NET. In Tests and Proofs, Bernhard Beckert and Reiner Hähnle (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 134--153.

[42]

Willem Visser, Jaco Geldenhuys, and Matthew B. Dwyer. 2012. Green: Reducing, Reusing and Recycling Constraints in Program Analysis. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering (Cary, North Carolina) (FSE '12). Association for Computing Machinery, New York, NY, USA, Article 58, 11 pages.

Digital Library

[43]

Chao Wang, Zijiang Yang, Vineet Kahlon, and Aarti Gupta. 2008. Peephole Partial Order Reduction. In Tools and Algorithms for the Construction and Analysis of Systems, C R Ramakrishnan and Jakob Rehof (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 382--396.

[44]

Xinyu Wang, Jun Sun, Zhenbang Chen, Peixin Zhang, Jingyi Wang, and Yun Lin. 2018. Towards optimal concolic testing. In Proceedings of the 40th International Conference on Software Engineering, ICSE 2018, Gothenburg, Sweden, May 27 - June 03, 2018, Michel Chaudron, Ivica Crnkovic, Marsha Chechik, and Mark Harman (Eds.). ACM, 291--302.

Digital Library

[45]

Joachim Wegener, Andre Baresel, and Harmen Sthamer. 2001. Evolutionary test environment for automatic structural testing. Information and Software Technology 43, 14 (2001), 841--854.

[46]

Hengbiao Yu, Zhenbang Chen, Xianjin Fu, Ji Wang, Zhendong Su, Jun Sun, Chun Huang, and Wei Dong. 2020. Symbolic Verification of Message Passing Interface Programs. In Proceedings of The 42nd International Conference on Software Engineering (Seoul, South Korea) (ICSE 2020). New York, NY, USA.

Digital Library

[47]

Hengbiao Yu, Zhenbang Chen, Ji Wang, Zhendong Su, and Wei Dong. 2018. Symbolic Verification of Regular Properties. In Proceedings of the 40th International Conference on Software Engineering (Gothenburg, Sweden) (ICSE '18). Association for Computing Machinery, New York, NY, USA, 871--881.

Digital Library

[48]

Hengbiao Yu, Zhenbang Chen, Yufeng Zhang, Ji Wang, and Wei Dong. 2017. RGSE: A Regular Property Guided Symbolic Executor for Java. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (Paderborn, Germany) (ESEC/FSE 2017). Association for Computing Machinery, New York, NY, USA, 954--958.

Digital Library

[49]

Y. Zhang, Z. Chen, and J. Wang. 2012. Speculative Symbolic Execution. In 2012 IEEE 23rd International Symposium on Software Reliability Engineering. 101--110.

[50]

Yufeng Zhang, Zhenbang Chen, Ji Wang, Wei Dong, and Zhiming Liu. 2015. Regular Property Guided Dynamic Symbolic Execution. In Proceedings of the 37th International Conference on Software Engineering - Volume 1 (Florence, Italy) (ICSE '15). IEEE Press, 643--653.

Digital Library

Cited By

Shuai ZChen ZMa KLiu KZhang YSun JWang J(2024)Partial Solution Based Constraint Solving Cache in Symbolic ExecutionProceedings of the ACM on Software Engineering10.1145/36608171:FSE(2493-2514)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660817
Zheng PSu BLuo XChen TZhang NZheng ZChristakis MPradel M(2024)LENT-SSE: Leveraging Executed and Near Transactions for Speculative Symbolic Execution of Smart ContractsProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680303(566-577)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680303
Wu ZLiu YQin ZSun XWang W(2023)JDart-Hea: Hybrid Evolutionary Algorithm in Dynamic Symbolic Execution2023 8th International Conference on Signal and Image Processing (ICSIP)10.1109/ICSIP57908.2023.10270914(1009-1014)Online publication date: 8-Jul-2023
https://doi.org/10.1109/ICSIP57908.2023.10270914
Show More Cited By

Index Terms

Multiplex symbolic execution: exploring multiple paths by solving once
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation

Recommendations

Type and interval aware array constraint solving for symbolic execution
ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

Array constraints are prevalent in analyzing a program with symbolic execution. Solving array constraints is challenging due to the complexity of the precise encoding for arrays. In this work, we propose to synergize symbolic execution and array ...
User-defined backtracking criteria for symbolic execution

Symbolic execution is a path-sensitive program analysis technique that aids users with program verification. To avoid exploring infeasible paths, symbolic execution checks the prefix of a current path for feasibility by adding a branch constraint to the ...
Symbolic Execution with Interval Solving and Meta-heuristic Search
ICST '12: Proceedings of the 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation

A challenging problem in symbolic execution is to solve complex mathematical constraints such as constraints that include floating-point variables and transcendental functions. The inability to solve such constraints limit the application scope of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

December 2020

1449 pages

ISBN:9781450367684

DOI:10.1145/3324884

General Chair:
John Grundy,
Program Chairs:
Claire Le Goues,
David Lo

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 January 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Key R&D Program of China
NSFC

Conference

ASE '20

Sponsor:

ASE '20: 35th IEEE/ACM International Conference on Automated Software Engineering

December 21 - 25, 2020

Virtual Event, Australia

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
203
Total Downloads

Downloads (Last 12 months)55
Downloads (Last 6 weeks)6

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Shuai ZChen ZMa KLiu KZhang YSun JWang J(2024)Partial Solution Based Constraint Solving Cache in Symbolic ExecutionProceedings of the ACM on Software Engineering10.1145/36608171:FSE(2493-2514)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660817
Zheng PSu BLuo XChen TZhang NZheng ZChristakis MPradel M(2024)LENT-SSE: Leveraging Executed and Near Transactions for Speculative Symbolic Execution of Smart ContractsProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680303(566-577)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680303
Wu ZLiu YQin ZSun XWang W(2023)JDart-Hea: Hybrid Evolutionary Algorithm in Dynamic Symbolic Execution2023 8th International Conference on Signal and Image Processing (ICSIP)10.1109/ICSIP57908.2023.10270914(1009-1014)Online publication date: 8-Jul-2023
https://doi.org/10.1109/ICSIP57908.2023.10270914
Chen ZZhang GChen ZShuai ZPan WZhang YWang J(2023)Adaptive solving strategy synthesis for symbolic executionJournal of Software: Evolution and Process10.1002/smr.2568Online publication date: 11-May-2023
https://doi.org/10.1002/smr.2568
Liu MShuai ZLiu LMa KMa K(2022)Optimal Refinement-based Array Constraint Solving for Symbolic Execution2022 29th Asia-Pacific Software Engineering Conference (APSEC)10.1109/APSEC57359.2022.00042(299-308)Online publication date: Dec-2022
https://doi.org/10.1109/APSEC57359.2022.00042
Zhang GChen ZShuai Z(2022)Symbolic Execution of Floating-point Programs: How far are we?2022 29th Asia-Pacific Software Engineering Conference (APSEC)10.1109/APSEC57359.2022.00030(179-188)Online publication date: Dec-2022
https://doi.org/10.1109/APSEC57359.2022.00030
Shuai ZChen ZZhang YSun JWang JCadar CZhang X(2021)Type and interval aware array constraint solving for symbolic executionProceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3460319.3464826(361-373)Online publication date: 11-Jul-2021
https://dl.acm.org/doi/10.1145/3460319.3464826
Chen ZChen ZShuai ZZhang GPan WZhang YWang JCadar CZhang X(2021)Synthesize solving strategy for symbolic executionProceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3460319.3464815(348-360)Online publication date: 11-Jul-2021
https://dl.acm.org/doi/10.1145/3460319.3464815
He JSivanrupan GTsankov PVechev MKim YKim JVigna GShi E(2021)Learning to Explore Paths for Symbolic ExecutionProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484813(2526-2540)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484813
Zhang TZhang YChen ZShuai ZWang JGrundy JLe Goues CLo D(2020)Efficient multiplex symbolic execution with adaptive search strategyProceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3418902(1255-1256)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3418902

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents