ABSTRACT
Symbolic execution is an effective program analysis technique whose scalability largely depends on the ability to quickly solve large numbers of first-order logic queries. We propose an effective general technique for speeding up the solving of queries in the theory of arrays and bit-vectors with a specific structure, while otherwise falling back to a complete solver.
The technique has two stages: a learning stage that determines the solution sets of each symbolic variable, and a decision stage that uses this information to quickly determine the satisfiability of certain types of queries. The main challenges involve deciding which operators to support and precisely dealing with integer type casts and arithmetic underflow and overflow.
We implemented this technique in an incomplete solver called PARTI ("PARtial Theory solver for Intervals"), directly integrating it into the popular KLEE symbolic execution engine. We applied KLEE with PARTI and a state-of-the-art SMT solver to synthetic and real-world benchmarks. We found that PARTI practically never hurts performance and often achieves order-of-magnitude speedups.
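As an added illustration (not the paper's code, and not KLEE's), here is a minimal multi-interval partial solver with the two stages the abstract describes: a learning stage that narrows each variable's solution set, and a decision stage that answers single-variable queries from those sets or returns None to fall back to a complete solver. The unsigned W-bit representation, the `(lhs, op, k)` constraint encoding and the `(name, c)` shorthand for `name + c` are assumptions of this sketch; the `_sub_wrap` helper is where wrap-around from arithmetic underflow/overflow is handled.

```python
# Added illustration in the spirit of PARTI, not the paper's code. Assumes unsigned
# W-bit variables and constraints (lhs, op, k) with lhs a name or (name, c) for name + c.
W = 8
TOP = 2**W - 1

def _from_cmp(op, k):
    # Interval set of W-bit values v with (v op k); empty intervals are dropped.
    table = {'<': [(0, k - 1)], '<=': [(0, k)], '>': [(k + 1, TOP)], '>=': [(k, TOP)],
             '==': [(k, k)], '!=': [(0, k - 1), (k + 1, TOP)]}
    return [(lo, hi) for lo, hi in table[op] if lo <= hi]

def _intersect(a, b):
    # Pairwise intersection of two sorted lists of disjoint intervals.
    out = [(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b]
    return sorted((lo, hi) for lo, hi in out if lo <= hi)

def _sub_wrap(ivs, c):
    # v -> (v - c) mod 2**W; an interval crossing 0 after subtraction wraps and splits in two.
    out = []
    for lo, hi in ivs:
        lo, hi = lo - c, hi - c
        if hi < 0:
            out.append((lo + 2**W, hi + 2**W))
        elif lo < 0:
            out += [(0, hi), (lo + 2**W, TOP)]
        else:
            out.append((lo, hi))
    return sorted(out)

def learn(constraints):
    # Learning stage: solution set per variable; None when a constraint is unsupported.
    sets = {}
    for lhs, op, k in constraints:
        if op not in ('<', '<=', '>', '>=', '==', '!='):
            return None
        ivs = _from_cmp(op, k % 2**W)
        if isinstance(lhs, tuple):          # constraint on (var + c): undo the add
            lhs, c = lhs
            ivs = _sub_wrap(ivs, c % 2**W)
        sets[lhs] = _intersect(sets.get(lhs, [(0, TOP)]), ivs)
    return sets

def decide(sets, query):
    # Decision stage: True/False for a single-variable query over the learned sets, or
    # None to fall back to a complete solver; an empty learned set means the path is infeasible.
    learned = learn([query])
    if sets is None or learned is None:
        return None
    return all(sets.values()) and all(
        _intersect(sets.get(v, [(0, TOP)]), ivs) for v, ivs in learned.items())
```

With 8-bit `x` and the path constraint `x + 10 <= 20`, the learned set is `[(0, 10), (246, 255)]`, so the query `x == 250` is correctly decided satisfiable, which a solver ignoring overflow would get wrong.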
PARTI: A Multi-interval Theory Solver for Symbolic Execution. ASE '18, September 3–7, 2018, Montpellier, France.