Symbolic execution and program testing
Communications of the ACM
Separation Logic: A Logic for Shared Mutable Data Structures
LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
Test input generation with java PathFinder
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
A Test Data Generation Tool for Unit Testing of C Programs
QSIC '06 Proceedings of the Sixth International Conference on Quality Software
Unifying type checking and property checking for low-level code
Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A reachability predicate for analyzing low-level software
TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Pex: white box test generation for .NET
TAP'08 Proceedings of the 2nd international conference on Tests and proofs
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Execution generated test cases: how to make systems code crash itself
SPIN'05 Proceedings of the 12th international conference on Model Checking Software
Partial replay of long-running applications
Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering
Hi-index | 0.01 |
Software testing is an essential process to improve software quality in practice. Researchers have proposed several techniques to automate parts of this process. In particular, symbolic execution can be used to automatically generate a set of test inputs that achieves high code coverage. However, most state-of-the-art symbolic execution approaches cannot directly handle programs whose inputs are pointers, as is often the case for C programs. Automatically generating test inputs for pointer manipulating code such as a linked list or balanced tree implementation remains a challenge. Eagerly enumerating all possible heap shapes forfeits the advantages of symbolic execution. Alternatively, for a tester, writing assumptions to express the disjointness of memory regions addressed by input pointers is a tedious and labor-intensive task. This paper proposes a novel solution for this problem: by exploiting type information, disjointness constraints that characterize permissible configurations of typed pointers in byte-addressable memory can be automatically generated. As a result, the constraint solver can automatically generate relevant heap shapes for the program under test. We report on our experience with an implementation of this approach in Pex, a dynamic symbolic execution framework for .NET. We examine two different symbolic representations for typed memory, and we discuss the impact of various optimizations.