Exploiting undefined behaviors for efficient symbolic execution

Sharma, Asankhaya

doi:10.1145/2591062.2594450

Cited by 6 publications

(2 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Overify [Wagner et al 2013] proposes a set of compiler optimisations to speed symex. Sharma et al [Sharma 2014] exploit these results and introduce undefined behaviour to trigger various compiler optimisations that speed up symex [Cadar 2015]. Under-Constrained Symex [Ramos and Engler 2015] operates on each function in a program individually.…”

Section: The State Of the Art In Symbolic Executionmentioning

confidence: 99%

Indexing Operators to Extend the Reach of Symbolic Execution

Barr,

Clark,

Harman

et al. 2018

Preprint

View full text Add to dashboard Cite

Traditional program analysis analyses a program language, that is, all programs that can be written in the language. There is a difference, however, between all possible programs that can be written and the corpus of actual programs written in a language. We seek to exploit this difference: for a given program, we apply a bespoke program transformation (indexify) to convert expressions that current SMT solvers do not, in general, handle, such as constraints on strings, into equisatisfiable expressions that they do handle.To this end, indexify replaces operators in hard-to-handle expressions with homomorphic versions that behave the same on a finite subset of the domain of the original operator, and return ⊥ denoting unknown outside of that subset. By focusing on what literals and expressions are most useful for analysing a given program, indexify constructs a small, finite theory that extends the power of a solver on the expressions a target program builds.Indexify's bespoke nature necessarily means that its evaluation must be experimental, resting on a demonstration of its effectiveness in practice. We have developed indexify, a tool for indexify and released it publicly. We demonstrate its utility and effectiveness by applying it to two real world benchmarks -string expressions in coreutils and floats in fdlibm53. indexify reduces time-to-completion on coreutils from Klee's 49.5m on average to 6.0m. It increases branch coverage on coreutils from 30.10% for Klee and 14.79% for Zesti to 66.83%. When indexifying floats in fdlibm53, Indexify increases branch coverage from 34.45% to 71.56% over Klee. For a restricted class of inputs, indexify permits the symbolic execution of program paths unreachable with previous techniques: it covers more than twice as many branches in coreutils as Klee.

show abstract

Section: The State Of the Art In Symbolic Executionmentioning

confidence: 99%

Indexing Operators to Extend the Reach of Symbolic Execution

Barr,

Clark,

Harman

et al. 2018

Preprint

View full text Add to dashboard Cite

show abstract

“…Recently, symbolic execution and concolic execution [14][15][16] technique and tools have been widely explored. Tools such as KLEE [17], SAGE [18], JPF-SE [19], S2E [20], jCUTE [21], BitBlaze [22], Pex [23] and Pathgrind [24] are just some of the symbolic execution engines currently used successfully in academia and in industry. These tools have demonstrated great advantages in software testing and security verification [25,26].…”

Section: B Symbolic Execution On Hardware Domainmentioning

confidence: 99%

Automatic generation of high-coverage tests for RTL designs using software techniques and tools

Feng

Huang

2016

2016 IEEE 11th Conference on Industrial Electronics and Applications (ICIEA)

View full text Add to dashboard Cite

Abstract-Register Transfer Level (RTL) design validation is a crucial stage in the hardware design process. We present a new approach to enhancing RTL design validation using available software techniques and tools. Our approach converts the source code of a RTL design into a C++ software program. Then a powerful symbolic execution engine is employed to execute the converted C++ program symbolically to generate test cases. To better generate efficient test cases, we limit the number of cycles to guide symbolic execution. Moreover, we add bit-level symbolic variable support into the symbolic execution engine. Generated test cases are further evaluated by simulating the RTL design to get accurate coverage. We have evaluated the approach on a floating point unit (FPU) design. The preliminary results show that our approach can deliver highquality tests to achieve high coverage.

show abstract

Evaluating Initial Inputs for Concolic Testing

Wei-Guang

Zeng

2015

2015 International Symposium on Theoretical Aspects of Software Engineering

View full text Add to dashboard Cite

Exploiting undefined behaviors for efficient symbolic execution

Cited by 6 publications

References 24 publications

Indexing Operators to Extend the Reach of Symbolic Execution

Indexing Operators to Extend the Reach of Symbolic Execution

Automatic generation of high-coverage tests for RTL designs using software techniques and tools

Evaluating Initial Inputs for Concolic Testing

Contact Info

Product

Resources

About