Dynamic Symbolic Execution (DSE) is an important method for the testing of programs. An important system on DSE is KLEE which inputs a C/C++ program annotated with symbolic variables, compiles it into LLVM, and then emulates the execution paths of LLVM using a specified backtracking strategy. The major challenge in symbolic execution is path explosion. The method of abstraction learning has been used to address this. The key step here is the computation of an interpolant to represent the learnt abstraction. In this paper, we present a new interpolation algorithm and implement it on top of the KLEE system. The main objective is to address the path explosion problem in pursuit of code penetration: to prove that a target program point is either reachable or unreachable. That is, our focus is verification. We show that despite the overhead of computing interpolants, the pruning of the symbolic execution tree that interpolants provide often brings significant overall benefits. We then performed a comprehensive experimental evaluation against KLEE, as well as against one well-known system that is based on Static Symbolic Execution, CBMC. Our primary experiment shows code penetration success at a new level, particularly so when the target is hard to determine. A secondary experiment shows that our implementation is competitive for testing.
翻译:动态符号执行( DSE) 是测试程序的一个重要方法 。 DSE 的一个重要系统是 KLEE, 它将C/ C++ 程序输入带有符号变量的C/ C+ 程序, 将其编译为LLVM, 然后使用指定的回溯跟踪策略复制LLLVM的执行路径。 象征性执行的主要挑战是路径爆炸。 抽象学习方法已被用于解决这个问题。 这里的关键步骤是计算一个内插来代表所学的抽象。 在此文件中, 我们提出了一个新的内插算法, 并在 KLEE 系统上方实施。 主要目标是解决路径爆炸问题, 以追求代码渗透: 证明一个目标程序点要么可以达到, 要么无法达到。 也就是说, 我们的焦点是核查。 我们显示, 尽管计算机内部的顶端, 但内插者提供的符号执行树的剪切方法往往带来巨大的整体效益。 我们随后对 KLEE 进行了全面的实验评估, 并且对基于 Static 执行的已知系统进行了实验。 CBMC 在 二级测试中, 我们的竞争性的测试显示, 我们的高级测试显示, 成功 。
相关内容
微信扫码咨询专知VIP会员