Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

Published byColeen Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos."— Presentation transcript:

1 Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos

2 About the Paper Article found on ACM Digital Library Title: Symbolic Execution with Mixed Concrete-Symbolic Solving Published in: ISSTA '11 Proceedings of the 2011 International Symposium on Software Testing and Analysis ISSTA '11 Authors: – Corina S. Pӑsӑreanu – Neha Rungta – Willem Visser

3 What is Symbolic Execution? A method of analyzing a program to determine what inputs cause each part of a program to execute Used extensively in program testing void test(int y) { if (y == 2) S1; else S2; }

4 Symbolic Execution Testing void test(int y) { if (y == 2) S1; else S2; } When [y == 2] we get to S1 When [y != 2] we get to S2 These rules are known as Path Conditions

5 Symbolic Execution in practice Many testing tools make use of symbolic execution Microsoft uses Pex, SAGE, YOGI, and PREfix IBM uses Apollo NASA and Fujitsu use Symbolic (Java) PathFinder Others: – UIUC’s CUTE and jCUTE – Stanford’s KLEE – UC Berkeley’s CREST – BitBlaze

6 Symbolic Execution Testing void test(int x, int y) { if (y == hash(x)) S1; else S2; } There is no code available for hash(x) – Therefore we cannot have any definitive path conditions or constraints Therefore Symbolic Execution is not possible

7 Directed Automated Random Testing (DART) Also known as Concolic Execution Combination of concrete and symbolic execution – Executes programs concretely – Collects the path condition – Runs and executes again with newly found solutuions Conquers the incompleteness of symbolic execution

8 DART Testing Aim: n/a void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } test(1, 0) [X > 0] [X > 0 & Y != 10] [X > 0 & Y != 10 & X <= 3] Reached: S1 and S4

9 DART Testing (cont..) Aim: to reach S3; void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } TEST: [X > 0 & Y != 10 & X > 3] test(4, 0) [X > 0] [X > 0 & Y != 40] [X > 0 & Y != 40 & X > 3 & Y <= 10] Reached: S1 and S4

10 DART Testing (cont..) Aim: to reach S3; void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } TEST: [X > 0 & Y > 10 & Y != 10 & X > 3] test(4, 11) [X > 0] [X > 0 & Y != 40] [X > 0 & Y != 40 & X > 3 & Y > 10] Reached: S1 and S3

11 DART Testing (cont..) Aim: to reach S0; void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } TEST: [X > 0 & Y = 40 & Y != 10 & X > 3] test(4, 40) [X > 0] [X > 0 & Y = 40] [X > 0 & Y = 40 & X > 3 & Y > 10] Reached: S0 and S3

12 DART Testing (cont..) Aim: to reach S0 and S4 void test(int x, int y) { if (x > 0){ if (y == [40]hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } TEST: [X > 0 & Y = 40 & Y != 10 & X <= 3] test(1, 40) [X > 0] [X > 0 & Y != 10] [X > 0 & Y != 10 & X 10] Reached: S1 and S4 DIVERGENCE! Cannot ever finish

13 Flaws of Execution Strategies Symbolic Execution – Sound method, but incomplete functionality – Cannot solve problems when: there is no access to code The decision procedures do not work DART Execution – Complete method, but unsound performance – Can fail when: functions are unpredictable

14 Symbolic Execution with Mixed Concrete-Symbolic Solving (DART) Concolic = Concrete + Symbolic – Concrete execution that produces symbolic path conditions SymCrete = Symbolic + Concrete – Symbolic execution that falls back to concrete execution as it is needed

15 SymCrete Execution Methodology 1.Split the Path Condition into two parts: – EASY: Part you can solve symbolically – HARD: Part you cannot solve symbolically 2.Solve the easy part symbolically and evaluate the hard part with concrete execution 3.Replace the hard part with the evaluated results and check if results are SAT SAT – Satisfies the given boolean formula – or Satisfiable

16 SymCrete Execution void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } native int hash(x) { if (0<=x<=10) return x*10; else return 0; } [X > 0] [X > 0 & Y = hash(X) ] S0 Easyhard 1. X > 0 Y = hash(X) 2. X = 1 Y = hash(1) = 10 3. [X > 0 & Y = 10] is SAT [X > 0 & Y != hash(X) ] S1 [X>0 & Y != 10] is SAT

17 SymCrete Execution void test(int x, int y) { if (x > 0){ if (y == hash(x)) S0; else S1; if (x > 3 && y > 10) S3; else S4; } } native int hash(x) { if (0<=x<=10) return x*10; else return 0; } [X > 0] [X > 0 & Y = hash(X) ] S0 [X > 3 & Y = hash(X) & Y > 10]S0 and S3 1. X > 3 & Y > 10 Y = hash(X) 2. X = 4 & Y = 11 Y = hash(4) = 40 3. [X > 3 & Y = 40 & Y > 10] is SAT [X > 0 & Y = hash(X) & X <= 3]S0 and S4 1. X > 0 & X <= 3 Y = hash(X) 2. X = 1 Y = hash(1) 3. [X > 0 & Y = 10 & X <= 3] is SAT

18 Why SimCrete > DART SimCrete avoids the problem of being unsound – Checks if boolean path condition is SAT – If not SAT, SimCrete will not continue with that path condition DART would continue with the found path condition and diverge SimCrete’s Benefits: – uses the simplicity of symbolic execution – Adds the additional features of DART (concrete execution)

19 Implementation of SymCrete ex. Symbolic Execution extension for Java’s PathFinder called jpf-symbc Model Checker for Java Open Source http://babelfish.arc.nasa. gov/trac/jpf Symbolic PathFinder SPF -Willem Visser’s PowerPoint

20 Works Cited 1.P ă s ă reanu, Corina S., Neha Rungta, and Willem Visser. "Symbolic Execution with Mixed Concrete-symbolic Solving." ISSTA '11 Proceedings of the 2011 International Symposium on Software Testing and Analysis Table of Contents (2011): 34-44. ACM Digital Library. ACM, 17 July 2011. Web. 1 Mar. 2015. 2.Powerpoint from one of the authors (Willem Visser)

Download ppt "Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos."

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
A Survey of Approaches for Automated Unit Testing

A Survey of Approaches for Automated Unit Testing
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.

Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.

Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.

Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.

1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.

Similar presentations

Ads by Google