3 research outputs found
Enhancing dynamic symbolic execution via loop summarisation, segmented memory and pending constraints
Software has become ubiquitous and its impact is still increasing. The more software is
created, the more bugs get introduced into it. With software’s increasing omnipresence,
these bugs have a high probability of negative impact on everyday life. There are many
efforts aimed at improving software correctness, among which symbolic execution, a program
analysis technique that aims to systematically explore all program paths. In this thesis we
present three techniques for enhancing symbolic execution.
We first present a counterexample-guided inductive synthesis approach to summarise a
class of loops, called memoryless loops using standard library functions. Our approach can
summarize two thirds of memoryless loops we gathered on a set of open-source programs.
These loop summaries can be used to: 1) enhance symbolic execution, 2) optimise native
code and 3) refactor code.
We then propose a technique that avoids expensive forking by using a segmented memory
model. In this model, we split memory into segments using pointer alias analysis, so that each
symbolic pointer refers to objects in a single segment. This results in a memory model where
forking due to symbolic pointer dereferences is reduced. We evaluate our segmented memory
model on benchmarks such as SQLite, m4 and make and observe significant decreases in
execution time and memory usage.
Finally, we present pending constraints, which can enhance scalability of symbolic
execution by aggressively prioritising execution paths that are already known to be feasible
either via cached solver solutions or seeds. The execution of other paths is deferred until
no paths are known to be feasible without using the constraint solver. We evaluate our
technique on nine applications, including SQLite3, make and tcpdump, and show it can
achieve higher coverage for both seeded and non-seeded exploration.Open Acces
Pending constraints in symbolic execution for better exploration and seeding
Symbolic execution is a well established technique for software testing and analysis. However, scalability continues to be a challenge, both in terms of constraint solving cost and path explosion.In this work, we present a novel approach for symbolic execution, which can enhance its scalability by aggressively prioritising execution paths that are already known to be feasible, and deferring all other paths. We evaluate our technique on nine applications, in-cludingSQLite3, make and tcpdump and show it can achieve higher coverage for both seeded and non-seeded exploration