Pointer-induced aliasing: a problem classification
POPL '91 Proceedings of the 18th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Program analysis via graph reachability
ILPS '97 Proceedings of the 1997 international symposium on Logic programming
Scalable context-sensitive flow analysis using instantiation constraints
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Type-base flow analysis: from polymorphic subtyping to CFL-reachability
POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Symbolic execution and program testing
Communications of the ACM
Model checking Java programs using structural heuristics
ISSTA '02 Proceedings of the 2002 ACM SIGSOFT international symposium on Software testing and analysis
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
Proving Pointer Programs in Hoare Logic
MPC '00 Proceedings of the 5th International Conference on Mathematics of Program Construction
Program testing techniques using simulated execution
ANSS '76 Proceedings of the 4th symposium on Simulation of computer systems
SELECT—a formal system for testing and debugging programs by symbolic execution
Proceedings of the international conference on Reliable software
LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation
Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization
The set constraint/CFL reachability connection in practice
Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
Directed explicit-state model checking in the validation of communication protocols
International Journal on Software Tools for Technology Transfer (STTT)
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
ICSE '07 Proceedings of the 29th international conference on Software Engineering
Symbolic Testing and the DISSECT Symbolic Evaluation System
IEEE Transactions on Software Engineering
EMSOFT '08 Proceedings of the 8th ACM international conference on Embedded software
Heuristics for Scalable Dynamic Test Generation
ASE '08 Proceedings of the 2008 23rd IEEE/ACM International Conference on Automated Software Engineering
Execution synthesis: a technique for automated software debugging
Proceedings of the 5th European conference on Computer systems
A decision procedure for bit-vectors and arrays
CAV'07 Proceedings of the 19th international conference on Computer aided verification
Mixing type checking and symbolic execution
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Using symbolic evaluation to understand behavior in configurable software systems
Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Adapting an AI planning heuristic for directed model checking
SPIN'06 Proceedings of the 13th international conference on Model Checking Software
Probabilistic symbolic execution
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Diagnosing abstraction failure for separation logic-based analyses
CAV'12 Proceedings of the 24th international conference on Computer Aided Verification
Alternate and learn: finding witnesses without looking all over
CAV'12 Proceedings of the 24th international conference on Computer Aided Verification
Verifying systems rules using rule-directed symbolic execution
Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Automated testing with targeted event sequence generation
Proceedings of the 2013 International Symposium on Software Testing and Analysis
Regression tests to expose change interaction errors
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
KATCH: high-coverage testing of software patches
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
An orchestrated survey of methodologies for automated software test case generation
Journal of Systems and Software
AppIntent: analyzing sensitive data transmission in android for privacy leakage detection
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Path exploration based on symbolic output
ACM Transactions on Software Engineering and Methodology (TOSEM) - Testing, debugging, and error handling, formal methods, lifecycle concerns, evolution and maintenance
| Hi-index | 0.00 |
In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortest-distance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and call-chain-backward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, Mix-CCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU Coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, Mix-CCBSE performed best on average, combining to good effect the features of its constituent components.