Symbolic Executionloris/cs703/cs703material/SE.pdfSubhajit Roy (IIT Kanpur) Symbolic Execution...

Symbolic Execution

Subhajit Roy

Indian Institute of Technology Kanpur

November 8, 2019

Introduction

Outline

1 Introduction

Subhajit Roy (IIT Kanpur) Symbolic Execution November 8, 2019 2 / 36

Introduction

Correctness of Software

Program Verification (sound, incomplete, infinite inputs)

Program Testing1 (unsound, complete, finite inputs)

Symbolic Execution (sound, incomplete, infinite inputs)

1The testing community often uses different definitions of soundness and completenessSubhajit Roy (IIT Kanpur) Symbolic Execution November 8, 2019 3 / 36

Introduction

Symbolic Execution

Analyse this

What inputs cause this program to violate the assertion?

1 i n t main ( ) {

3 i n p u t ( a , b , c , d ) ;i f ( a <= b ){

5 c++;}

7 e l s e {d++;

9 i f ( c == 2∗d )a s s e r t ( a > d )

Introduction

Symbolic Execution

Analyze this

OK, let’s answer this!

A customer buys 5 hot dogs and 5 bags of potato chips for $12.50. Anothercustomer buys 3 hot dogs and 4 bags of potato chips for $8.25. Find the costof each item.a

== Use symbols to represent unknowns! ==

ahttps://www.wyzant.com/resources/answers/107505/fond the cost of each item

Introduction

Symbolic Execution

Analyze this

Introduction

Symbolic Execution

Analyze this

Introduction

Symbolic Execution

Simple idea

Execute a program with symbolic inputs!

i n t main ( ) {2

i n p u t ( a , b , c , d ) ;4 i f ( a <= b ){

c++;6 }

e l s e {8 d++;

i f ( c == 2∗d )10 a s s e r t ( a > d )

VariableName SymbolicNamea α0b α1c α2d α3

Analyze the Path Condition

Introduction

Symbolic Execution

Simple idea

i n t main ( ) {2

i n p u t ( a , b , c , d ) ;4 i f ( a <= b ){

c++;6 }

e l s e {8 d++;

i f ( c == 2∗d )10 a s s e r t ( a > d )

Introduction

Symbolic Execution

Simple idea

i n t main ( ) {2

i n p u t ( a , b , c , d ) ;4 i f ( a <= b ){

c++;6 }

e l s e {8 d++;

i f ( c == 2∗d )10 a s s e r t ( a > d )

Introduction

Symbolic Execution

Simple idea

i n t main ( ) {2

i n p u t ( a , b , c , d ) ;4 i f ( a <= b ){

c++;6 }

e l s e {8 d++;

i f ( c == 2∗d )10 a s s e r t ( a > d )

Introduction

Bounded Model Checking v/s Symbolic Execution

φk = STEP (X0, X1) ∧ STEP (X1, X2) · · · ∧ STEP (Xk−1, Xk)

... but on a single path!

SE can be seen as performing BMC on each path in isolation.

Introduction

Gaining Coverage

How to explore multiple (potentially, all) paths:

Concolic execution Concrete execution on random input, collectconstraints, edit constraints, solve for new path

EGT (Execution generated testing) Symbolically execute, fork at branches

Introduction

Gaining Coverage

How to explore multiple (potentially, all) paths:

Concolic execution Concrete execution on random input, collectconstraints, edit constraints, solve for new path

EGT (Execution generated testing) Symbolically execute, fork at branches

Introduction

i n t main ( ) {2

i n p u t ( a , b , c , d ) ;4 s y m b o l i c ( a , b , c , d ) ;

i f ( a <= b ){6 c++;

i f ( c <= d )8 p r i n t f ( ” Hi\n” ) ;

}10 e l s e {

d++;12 i f ( c∗c == d )

p r i n t f ( ”Bye\n” ) ;14 }}

Introduction

1 i n t main ( ) {

3 i n p u t ( a , b , c , d ) ;s y m b o l i c ( a , b , c , d ) ;

5 i f ( a <= b ){c++;

7 i f ( c <= d )p r i n t f ( ” Hi\n” ) ;

9 }e l s e {

11 d++;i f ( c∗c == d )

13 p r i n t f ( ”Bye\n” ) ;}

Introduction

Covering behaviors

Fork at each branch if both sides are feasible (use an SMT solver)

1 i n t main ( ) {

5 −→ i f ( a <= b){c++;

7 i f ( c <= d )p r i n t f ( ” Hi\n” ) ;

9 }e l s e {

11 d++;i f ( c∗c == d )

13 p r i n t f ( ”Bye\n” ) ;}

Introduction

Covering behaviors

Fork at each branch if both sides are feasible (use an SMT solver)

1 i n t main ( ) {

5 i f ( a <= b ){c++;

7 −→ i f ( c <= d)p r i n t f ( ” Hi\n” ) ;

9 }e l s e {

11 d++;−→ i f ( c*c == d)

13 p r i n t f ( ”Bye\n” ) ;}

Introduction

Generating test

Solve the path condition (PC) to synthesize testcases

1 i n t main ( ) {i n t main ( ) {

i f ( a <= b ){7 c++;

i f ( c <= d )9 p r i n t f ( ” Hi\n” ) ;

}11 e l s e {

d++;13 i f ( c∗c == d )

p r i n t f ( ”Bye\n” ) ;15 }−→}

Path PC Assignment

1 (α0 <= α1) ∧ (α2 + 1 <= α3) (0,1,2,3)

2 (α0 <= α1) ∧ (α2 + 1 > α3) (0,1,4,3)

3 (α0 > α1) ∧ (α2 ∗ α2 == α3 + 1) (1,0,2,3)

4 (α0 > α1) ∧ (α2 ∗ α2 6= α3 + 1) (1,0,0,0)

Introduction

Generating test

Solve the path condition (PC) to synthesize testcases

18 i n t main ( ) {i n t main ( ) {

i f ( a <= b ){24 c++;

i f ( c <= d )26 p r i n t f ( ” Hi\n” ) ;

}28 e l s e {

d++;30 i f ( c∗c == d )

p r i n t f ( ”Bye\n” ) ;32 }−→}

Path PC Assignment

1 (α0 <= α1) ∧ (α2 + 1 <= α3) (0,1,2,3)

2 (α0 <= α1) ∧ (α2 + 1 > α3) (0,1,4,3)

3 (α0 > α1) ∧ (α2 ∗ α2 == α3 + 1) (1,0,2,3)

4 (α0 > α1) ∧ (α2 ∗ α2 6= α3 + 1) (1,0,0,0)Subhajit Roy (IIT Kanpur) Symbolic Execution November 8, 2019 12 / 36

Introduction

Concolic Testing

1 Run program on a random input

2 Collect the path condition as the program executes

3 Modify the path condition when program terminates

4 Solve modified path condition to generate new input for the next run of theprogram

Introduction

Handling real-world programs

external function calls

vector instructions

system calls

floating-point instructions

non-linear arithmetic ...

== Concretization and Virtualization ==

Introduction

Handling real-world programs

external function calls

vector instructions

system calls

floating-point instructions

non-linear arithmetic ...

== Concretization and Virtualization ==

Introduction

Concretization

i n t main ( ) {36 r e a d ( x ) ;

i f ( x > 0) {38 y = foo ( x );

i f ( y > 150)40 p r i n t ( ” l e s s ” ) ;

i f ( y > 250)42 a s s e r t ( 0 ) ;

i f ( y != a )44 a s s e r t ( 0 ) ;

i f ( y < 0)46 a s s e r t ( 0 ) ;

Possible solutions

Overapproxy ← ∗

Underapprox (concretization)y ← 0

Introduction

Concretization

50 i n t main ( ) {r e a d ( x ) ;

52 i f ( x > 0) {y = foo ( x );

54 i f ( y > 150)p r i n t ( ” l e s s ” ) ;

56 i f ( y > 250)a s s e r t ( 0 ) ;

58 i f ( y != a )a s s e r t ( 0 ) ;

60 i f ( y < 0)a s s e r t ( 0 ) ;

Possible solutions

Overapproxy ← ∗

Introduction

Concretization

i n t main ( ) {66 r e a d ( x ) ;

i f ( x > 0) {68 y = foo ( x );

i f ( y > 150)70 p r i n t ( ” l e s s ” ) ;

i f ( y > 250)72 a s s e r t ( 0 ) ;

i f ( y != a )74 a s s e r t ( 0 ) ;

i f ( y < 0)76 a s s e r t ( 0 ) ;

Possible solutions

Overapproxy ← ∗

Introduction

Concretization

80 i n t main ( ) {r e a d ( x ) ;

82 i f ( x > 0) {y = foo ( x );

84 i f ( y > 150)p r i n t ( ” l e s s ” ) ;

86 i f ( y > 250)a s s e r t ( 0 ) ;

88 i f ( y != a )a s s e r t ( 0 ) ;

90 i f ( y < 0)a s s e r t ( 0 ) ;

Possible solutions

Overapproxy ← ∗

Introduction

Problems with concretization

i n t main ( ) {96 r e a d ( x ) ;

i f ( x > 0){98 y = foo(x);

i f ( y > 150)100 p r i n t ( ” l e s s ” ) ;

i f ( y > 250)102 a s s e r t ( 0 ) ;

i f ( y != x )104 a s s e r t ( 0 ) ;

i f ( y < 0)106 a s s e r t ( 0 ) ;

}108 }

Loss in coverage! (unsound)

Introduction

110 i n t main ( ) {r e a d ( x ) ;

112 i f ( x > 0){y = foo(x);

114 i f ( y > 150)p r i n t ( ” l e s s ” ) ;

116 i f ( y > 250)a s s e r t ( 0 ) ;

118 i f ( y != x )a s s e r t ( 0 ) ;

120 i f ( y < 0)a s s e r t ( 0 ) ;

122 }}

Introduction

i n t main ( ) {126 r e a d ( x ) ;

i f ( x > 0){128 y = foo(x);

i f ( y > 150)130 p r i n t ( ” l e s s ” ) ;

i f ( y > 250)132 a s s e r t ( 0 ) ;

i f ( y != x )134 a s s e r t ( 0 ) ;

i f ( y < 0)136 a s s e r t ( 0 ) ;

}138 }

Introduction

140 i n t main ( ) {r e a d ( x ) ;

142 i f ( x >= 0) {→ y = abs(x);

144 i f ( x > 100)i f ( y != x )

146 a s s e r t ( 0 ) ;}

False positive! (incompleteness—in a testing tool?)Is it a bug? (no, a conscious design decision)

Introduction

150 i n t main ( ) {r e a d ( x ) ;

152 i f ( x >= 0) {→ y = abs(x);

154 i f ( x > 100)i f ( y != x )

156 a s s e r t ( 0 ) ;}

Introduction

160 i n t main ( ) {r e a d ( x ) ;

162 i f ( x >= 0) {→ y = abs(x);

164 i f ( x > 100)i f ( y != x )

166 a s s e r t ( 0 ) ;}

False positive! (incompleteness—in a testing tool?)

Is it a bug? (no, a conscious design decision)

Introduction

170 i n t main ( ) {r e a d ( x ) ;

172 i f ( x >= 0) {→ y = abs(x);

174 i f ( x > 100)i f ( y != x )

176 a s s e r t ( 0 ) ;}

Introduction

180 i n t main ( ) {r e a d ( x ) ;

182 i f ( x >= 0){→ y = abs ( x ) ;

184 i f ( x > 100)i f ( y != x )

186 a s s e r t ( 0 ) ;}

Reproducibility (of tests)?

Introduction

190 i n t main ( ) {r e a d ( x ) ;

192 i f ( x >= 0){→ y = abs ( x ) ;

194 i f ( x > 100)i f ( y != x )

196 a s s e r t ( 0 ) ;}

Reproducibility (of tests)?

Introduction

Question

Can we regain soundness, completeness and reproducibility lost due toconcretizations?

Pandey, Kotcharlakota and Roy. Deferred concretization in symbolic execution via

fuzzing. ISSTA 2019.

Introduction

Question

Can we regain soundness, completeness and reproducibility lost due toconcretizations?

Pandey, Kotcharlakota and Roy. Deferred concretization in symbolic execution via

fuzzing. ISSTA 2019.

Introduction

Modeling heap memory

1 i n t main ( ) {r e a d ( x ) ;

3 a = m a l l o c ( 1 0 0 ) ;c l e a r ( a ) ;

5 a [ x ] = 5a s s e r t ( a [ x ] != a [2∗ x − 2 ] ) ;

1 i n t main ( ) {r e a d ( x ) ;

3 a = Ha ;f o r ( i n t i =0; i <100; i ++) w r i t e (Ha , i , 0) ;

5 w r i t e (Ha , x , 5) ;a s s e r t ( r e a d (Ha , x ) != r e a d (Ha , 2∗x − 2) ) ;

== Use the array theory to model H ==

Introduction

i n t main ( ) {10 r e a d ( x ) ;

a = m a l l o c ( 1 0 0 ) ;12 c l e a r ( a ) ;

a [ x ] = 514 a s s e r t ( a [ x ] != a [2∗ x − 2 ] ) ;}

i n t main ( ) {10 r e a d ( x ) ;

a = Ha ;12 f o r ( i n t i =0; i <100; i ++) w r i t e (Ha , i , 0) ;

w r i t e (Ha , x , 5) ;14 a s s e r t ( r e a d (Ha , x ) != r e a d (Ha , 2∗x − 2) ) ;}

Introduction

i n t main ( ) {18 r e a d ( x ) ;

a = m a l l o c ( 1 0 0 ) ;20 c l e a r ( a ) ;

a [ x ] = 522 a s s e r t ( a [ x ] != a [2∗ x − 2 ] ) ;}

i n t main ( ) {18 r e a d ( x ) ;

a = Ha ;20 f o r ( i n t i =0; i <100; i ++) w r i t e (Ha , i , 0) ;

w r i t e (Ha , x , 5) ;22 a s s e r t ( r e a d (Ha , x ) != r e a d (Ha , 2∗x − 2) ) ;}

Introduction

Array theory

Axioms

∀a ∀i ∀v (read(write(a, i, v), i) = v)

∀a ∀i ∀j ∀v (i 6= j → read(write(a, i, v), j) = read(a, j))

∀a ∀b ((∀i (read(a, i) = read(b, i)))→ a = b

Introduction

Virtualization

S2E2 enables symbolic execution for binaries running in a virtualized environment(QEMU), enabling whole system verification.

2https://s2e.systemsSubhajit Roy (IIT Kanpur) Symbolic Execution November 8, 2019 22 / 36

Introduction

Applications of Symbolic Execution

Test-case generation (path coverage)

Program debugging [Chandra et al., ICSE 2011]

Program repair [Nguyen et al., ICSE 2013; Mechtaev et al. ICSE 2016]

Bucketing tests [Pham et al., FASE 2017]

Introduction

Angelic Degugging [Chandra et al. ICSE ’11]

Objective

Given a informal specification as a set of tests, can we identify which expressionsare ikely to be buggy?

Introduction

200 i n t main ( ) {r e a d ( x , y , z ) ;

202 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

204 t3 = ( z >= x ) ;

206 i f ( t3 && t2 ) max = z ;i f ( t1 && ! t3 ) max = x ;

208 i f ( t2 && ! t1 ) max = y ;

210 output ( max ) ;}

What is the bug?

How to fix the bug?

Introduction

i n t main ( ) {214 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;216 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;218

i f ( t3 && t2 ) max = z ;220 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;222

output ( max ) ;224 }

What is the bug?

How to fix the bug?

Introduction

226 i n t main ( ) {r e a d ( x , y , z ) ;

228 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

230 t3 = ( z >= x ) ;

232 i f ( t3 && t2 ) max = z ;i f ( t1 && ! t3 ) max = x ;

234 i f ( t2 && ! t1 ) max = y ;

What is the bug?

How to fix the bug?

Introduction

i n t main ( ) {240 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;242 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;244

i f ( t3 && t2 ) max = z ; // bug246 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;248

Test Input Output StatusI1 8, 2, 4 8 PassI2 1, 2, 4 0 FailI3 7, 5, 4 7 PassI4 2, 5, 1 5 Pass

Introduction

252 i n t main ( ) {r e a d ( x , y , z ) ;

254 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

256 t3 = ( z >= x ) ;

258 i f ( t3 && t2 ) max = z ; // bugi f ( t1 && ! t3 ) max = x ;

260 i f ( t2 && ! t1 ) max = y ;

Test Input Output StatusI1 8, 2, 4 8 PassI2 1, 2, 4 0 FailI3 7, 5, 4 7 PassI4 2, 5, 1 5 Pass

Introduction

Approach

Define scope of debugging

E = All expressions (and subexpressions) within a user-specified scope.Expressions at distinct program locations are different expressions.

Test for angelic values on failing tests

∀e ∈ E : AngelicTest(P, I, e) = ∃α.Test(P [α/e], I)

Check for regressions on passing tests

∀e ∈ E : FlexTest(P, I, e) = ∃α.(Test(P [α/e], I) ∧ α 6= Eval(P, I, e)

Collect suspicious expressions

{e | e ∈ E ∧AngelicTest(P, If , e) ∧ ∀i ∈ [i..k].F lexTest(P, Ipi , e)}

Introduction

Approach

Introduction

Approach

Introduction

Approach

Introduction

Angelic non-determinism

i n t main ( ) {266 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;268 t2 = ( y >= z ) ;

t3 = ( z >= x )270

i f (∗ ) max = z ; // a n g e l i c272 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;274

Say, E = {t1, t2, t3, !t1, !t2,!t3, t1 && !t3, t2 && !t1, t3&& t2}For e = (t3 && t2), value 1passes test

There exist alternate valuesfor e (i.e. for (t3 && t2)),different than the originalvalues, that still passes allpassing tests

So, e = (t3 && t2) is identifiedas a suspicious expression

Introduction

Angelic non-determinism

278 i n t main ( ) {r e a d ( x , y , z ) ;

280 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

282 t3 = ( z >= x )

284 i f (∗ ) max = z ; // a n g e l i ci f ( t1 && ! t3 ) max = x ;

286 i f ( t2 && ! t1 ) max = y ;

Say, E = {t1, t2, t3, !t1, !t2,!t3, t1 && !t3, t2 && !t1, t3&& t2}For e = (t3 && t2), value 1passes test

There exist alternate valuesfor e (i.e. for (t3 && t2)),different than the originalvalues, that still passes allpassing tests

So, e = (t3 && t2) is identifiedas a suspicious expression

Introduction

Understanding FlexTest

Ideal check

Given a suspicious expression e and a test I, does Test(P[e’/e], I) hold for analternate expression e’?

Requires us to know the repaired expression e’ !

Approximate check

Given a suspicious expression e and a test I, does Test(P[w’/e], I), hold for analternate value w’, w 6= w′, where w is the value for the expression e when P isrun on I?

Do we lose anything?

Introduction

Ideal check

Approximate check

Introduction

Ideal check

Approximate check

Introduction

Ideal check

Approximate check

Introduction

Approximate Check

i n t main ( ) {292 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;294 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;296

i f ( t1 && ! t3 ) max = x ;298 i f ( t2 && ! t1 ) max = y ;

i f ( t3 && t2 ) max = z ; // bug300

A non-zero value of expression (t3 && t2) breaks other passing tests,violating FlexText!

So, we may lose on some suspicious expressions.

But in this case, there is another repair expression, t2 at the lastconditiona, that passes FlexTest

arecall that all expressions at distinct lines are different

Introduction

Approximate Check

304 i n t main ( ) {r e a d ( x , y , z ) ;

306 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

308 t3 = ( z >= x ) ;

310 i f ( t1 && ! t3 ) max = x ;i f ( t2 && ! t1 ) max = y ;

312 i f ( t3 && t2 ) max = z ; // bug

Introduction

Approximate Check

i n t main ( ) {318 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;320 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;322

i f ( t1 && ! t3 ) max = x ;324 i f ( t2 && ! t1 ) max = y ;

i f ( t3 && t2 ) max = z ; // bug326

Introduction

Approximate Check

330 i n t main ( ) {r e a d ( x , y , z ) ;

332 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

334 t3 = ( z >= x ) ;

336 i f ( t1 && ! t3 ) max = x ;i f ( t2 && ! t1 ) max = y ;

338 i f ( t3 && t2 ) max = z ; // bug

Introduction

How to realize angelic non-determinism using SymbolicExecution: AngelicTest and FlexTest

i n t main ( ) {344 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;346 t2 = ( y >= z ) ;

t3 = ( z >= x )348

i f ( a = s y m b o l i c ( ) ) // ( t3 && t2 )350 max = z ;

assume ( a != ( t3 && t2 ) )352 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;354

output ( max ) ;356 assume ( max == expected max ) ;

AngelicTest: Run program onconcrete inputs, fresh symbolicvariable for candidate expression,output assumed to be expectedoutput.

FlexTest: Run program on concreteinputs, fresh symbolic variable forcandidates, assume that thesymbolic variable takes a differentvalue than actual expression, outputassumed to be expected output.

Introduction

How to realize angelic non-determinism using SymbolicExecution: AngelicTest and FlexTest

i n t main ( ) {360 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;362 t2 = ( y >= z ) ;

t3 = ( z >= x )364

i f ( a = s y m b o l i c ( ) ) // ( t3 && t2 )366 max = z ;

i f ( t2 && ! t1 ) max = y ;370

output ( max ) ;372 assume ( max == expected max ) ;

AngelicTest: Run program onconcrete inputs, fresh symbolicvariable for candidate expression,output assumed to be expectedoutput.

FlexTest: Run program on concreteinputs, fresh symbolic variable forcandidates, assume that thesymbolic variable takes a differentvalue than actual expression, outputassumed to be expected output.

Introduction

Discussion

Only works on 1-fixable programs

Evaluated on JTOPAS, an open-source Java library for parsing arbitrary text,with 10 seeded faults; could identify 4 of them.

Introduction

What about repair? (SemFix, ICSE 2013)

i n t main ( ) {376 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;378 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;380

// ( t3 && t2 )382 i f f ( x , y , z , t1 , t2 , t2 )

max = z ;384 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;386

Instead of non-determinism, maintain an uninterpreted function to“capture” the semantics of the correct expression;

Run the program on all inputs to collect “enough” examples for thesemantics of the correct expression;

Synthesize the correct expression according to the semantics.

Introduction

390 i n t main ( ) {r e a d ( x , y , z ) ;

392 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

394 t3 = ( z >= x ) ;

396 // ( t3 && t2 )i f f ( x , y , z , t1 , t2 , t2 )

398 max = z ;i f ( t1 && ! t3 ) max = x ;

400 i f ( t2 && ! t1 ) max = y ;

Introduction

i n t main ( ) {406 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;408 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;410

// ( t3 && t2 )412 i f f ( x , y , z , t1 , t2 , t2 )

max = z ;414 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;416

Introduction

420 i n t main ( ) {r e a d ( x , y , z ) ;

422 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

424 t3 = ( z >= x ) ;

426 // ( t3 && t2 )i f f ( x , y , z , t1 , t2 , t2 )

428 max = z ;i f ( t1 && ! t3 ) max = x ;

430 i f ( t2 && ! t1 ) max = y ;

Introduction

i n t main ( ) {436 r e a d ( x , y , z ) ;

t1 = ( x >= y ) ;438 t2 = ( y >= z ) ;

t3 = ( z >= x ) ;440

// ( t3 && t2 )442 i f f ( x , y , z , t1 , t2 , t2 )

max = z ;444 i f ( t1 && ! t3 ) max = x ;

i f ( t2 && ! t1 ) max = y ;446

Introduction

SemFix

450 i n t main ( ) {r e a d ( x , y , z ) ;

452 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

454 t3 = ( z >= x ) ;

456 i f ( a = s y m b o l i c ( ) ) max = z ; //bug

i f ( t2 && ! t1 ) max = y ;460

Test f(x,y,z,t1,t2,t3)I1 f(8,2,4,1,0,0) = 0I2 f(1,2,4,0,0,1) = 1I3 f(7,5,4,1,1,0) = 0I4 f(2,5,1,0,1,0) = 0

(t3 && !t2) synthesized!

Introduction

SemFix

464 i n t main ( ) {r e a d ( x , y , z ) ;

466 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

468 t3 = ( z >= x ) ;

i f ( t2 && ! t1 ) max = y ;474

Introduction

SemFix

478 i n t main ( ) {r e a d ( x , y , z ) ;

480 t1 = ( x >= y ) ;t2 = ( y >= z ) ;

482 t3 = ( z >= x ) ;

i f ( t2 && ! t1 ) max = y ;488

Introduction

Angelix [ICSE ’16]

What about multi-line repairs?

Challenge: The value from one repaired expression may be required to feedinto the repair of another expression:

The dependencies of which repairs feed into which, can be represented as aforest — angelic forest;The synthesis of repair expressions is done on this angelic forest;The angelic forest is independent of the size of the program, and only dependson the domain of candidate repair expressions.

The synthesis procedure can be seen as synthesizing higher-order functions(symbolic execution and the angelic forest, however, allow you to skip thiscomplexity and allows synthesis with values only)

Introduction

The dependencies of which repairs feed into which, can be represented as aforest — angelic forest;

The synthesis of repair expressions is done on this angelic forest;The angelic forest is independent of the size of the program, and only dependson the domain of candidate repair expressions.

Introduction

The dependencies of which repairs feed into which, can be represented as aforest — angelic forest;The synthesis of repair expressions is done on this angelic forest;

The angelic forest is independent of the size of the program, and only dependson the domain of candidate repair expressions.

Introduction

Concluding Remarks

In terms of industrial adoption, symbolic execution is perhaps one of themost successful outcomes from PL and SE research.

Engines like SAGE and KLEE are quite mature, and are being used routinelyin industry and academia.

Acknowledgements: Some of the slides are from the ISSTA 2019 talk of mystudent, Awanish Pandey.

Symbolic Executionloris/cs703/cs703material/SE.pdfSubhajit Roy (IIT Kanpur) Symbolic Execution...

Documents

Transcript of Symbolic Executionloris/cs703/cs703material/SE.pdfSubhajit Roy (IIT Kanpur) Symbolic Execution...

Andrii Vozniuk - Symbolic Reasoning and Concrete Execution

UNDER-CONSTRAINED SYMBOLIC EXECUTION: CORRECTNESS CHECKING ...gc034dd8484/submit-augmented.pdf · under-constrained symbolic execution: correctness checking for real code a dissertation

Symbolic Execution & Constraint Solving

A Survey of Symbolic Execution Techniques

Neuro-Symbolic Execution: Augmenting Symbolic Execution ......Problem Inputs: 1. Source code 2. Symbolic Variables (e.g., filename& file) 3. Candidate Vulnerability Points (CVPs)-Divide

Symbolic Execution as DPLL Modulo Theories

Coupling Distributed and Symbolic Execution for …Coupling Distributed and Symbolic Execution for Natural Language Queries by deﬁning a set of symbolic operators (e.g., argmax,

Relational Symbolic Execution

JaVerT 2.0: Compositional Symbolic Execution for JavaScript

Neuro-Symbolic Execution: The Feasibility of an Inductive ... · Neuro-Symbolic Execution: The Feasibility of an Inductive Approach to Symbolic Execution Shiqi Shen Soundarya Ramesh

Killing Stubborn Mutants with Symbolic Execution

Visualizing Symbolic Execution with Bokeh

DySy: Dynamic Symbolic Execution for Invariant Inference

Symbolic Execution and Program Testingmadhu.cs.illinois.edu/cs598-fall10/king76symbolicexecution.pdf · Symbolic Execution and Program Testing James C. King ... suppose that each

Symbolic Execution - USENIX

Oblique: Accelerating Page Loads Using Symbolic Execution

Using Dynamic Symbolic Execution to Improve Deductive ...€¦ · Using Dynamic Symbolic Execution to Improve Deductive Veriﬁcation Dries Vanoverberghe,Nikolaj Bjørner, Jonathan

Symbolic Execution And KLEE

Linear Obfuscation to Combat Symbolic Execution

Symbolic Execution - Iowa State Universityweb.cs.iastate.edu/~weile/cs513x/6.SymbolicExecution.pdf · Intuitive Understanding of Symbolic Execution I ’Execute’ programs with symbols: