Symbolic execution is a path-sensitive program analysis technique that aids users with program verification. To avoid exploring infeasible paths, symbolic execution checks the prefix of the current path for feasibility by adding a branch constraint to the path prefix and passing the formula to an off-the-shelf SMT solver for evaluation. If the solver returns SAT or UNSAT, the prefix is marked as feasible or infeasible, respectively. However, the solver can also return an UNKNOWN result, which means it cannot evaluate the formula. In addition, an operation occurring before a constraint can cause over-approximation that propagates to the solver's result. Moreover, symbolic execution might time out the solver if it takes too long to run. A symbolic execution tool might handle these uncertainties by backtracking or by continuing its exploration of the prefix. This paper examines the behavior of path constraints beyond uncertain backtracking points. String and integer constraints are collected from concrete program execution via dynamic symbolic execution. These constraints are used to analyze how over-approximation in a path prefix affects the completeness of its extensions. We also examine variations in the time required to decide a path constraint. Our findings suggest that a custom backtracking criterion defined by the user does improve the completeness of symbolic execution.
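The prefix feasibility check and the two ways of handling an UNKNOWN result can be seen in a small sketch. This is an added example, not code from the paper: `solve` is a toy stand-in for an SMT solver, and the program under test, the `budget` parameter and all names are assumptions made for illustration.

```python
SAT, UNSAT, UNKNOWN = "SAT", "UNSAT", "UNKNOWN"
DOMAIN = (0, 999)  # constructed input domain for the single symbolic int x

def solve(constraints, budget):
    """Toy stand-in for an SMT solver. Range constraints are decided exactly;
    opaque predicates are brute-forced only if the remaining interval holds at
    most `budget` values, otherwise the solver gives up (UNKNOWN / timeout)."""
    lo, hi = DOMAIN
    preds = []
    for kind, a, b in constraints:
        if kind == "range":
            lo, hi = max(lo, a), min(hi, b)
        else:
            preds.append(a)
    if lo > hi:
        return UNSAT
    if not preds:
        return SAT
    if hi - lo + 1 > budget:
        return UNKNOWN
    ok = any(all(p(x) for p in preds) for x in range(lo, hi + 1))
    return SAT if ok else UNSAT

def lt(k):  # branch "x < k" as (taken, not-taken) constraints
    return ("range", DOMAIN[0], k - 1), ("range", k, DOMAIN[1])

def opaque(p):  # branch the toy solver cannot reason about symbolically
    return ("pred", p, None), ("pred", lambda x: not p(x), None)

# Constructed program: if (x*x % 7 == 2) ..; if (x < 10) ..; if (x < 4) ..
BRANCHES = [opaque(lambda x: x * x % 7 == 2), lt(10), lt(4)]

def explore(branches, budget, continue_on_unknown):
    """DFS over branch outcomes. Returns the full paths whose final constraint
    was decided SAT. On UNKNOWN the prefix is either dropped or extended."""
    confirmed = []
    def dfs(prefix, taken):
        if len(taken) == len(branches):
            return
        for outcome, c in zip((True, False), branches[len(taken)]):
            path, pc = taken + (outcome,), prefix + [c]
            verdict = solve(pc, budget)
            if verdict == SAT and len(path) == len(branches):
                confirmed.append(path)
            if verdict == SAT or (verdict == UNKNOWN and continue_on_unknown):
                dfs(pc, path)
    dfs([], ())
    return confirmed
```

With a budget of 100, backtracking on UNKNOWN confirms none of the six feasible paths, while continuing past the uncertain prefix confirms four, because the later range constraints shrink the search space enough for the opaque predicate to be decided.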