Symbolic Execution with Mixed Concrete-Symbolic Solving
(SymCrete Execution)
Jonathan Manos
About the Paper
• Article found on ACM Digital Library
• Title: Symbolic Execution with Mixed Concrete-Symbolic Solving
• Published in: ISSTA '11 Proceedings of the 2011 International Symposium on Software Testing and Analysis
• Authors:
  – Corina S. Păsăreanu
  – Neha Rungta
  – Willem Visser
What is Symbolic Execution?
• A method of analyzing a program to determine what inputs cause each part of a program to execute
• Used extensively in program testing
void test(int y) {
    if (y == 2)
        S1;
    else
        S2;
}
Symbolic Execution Testing
void test(int y) {
    if (y == 2)
        S1;
    else
        S2;
}
• When [y == 2] we get to S1
• When [y != 2] we get to S2
• These rules are known as Path Conditions
Symbolic Execution in practice
• Many testing tools make use of symbolic execution
• Microsoft uses Pex, SAGE, YOGI, and PREfix
• IBM uses Apollo
• NASA and Fujitsu use Symbolic (Java) PathFinder
• Others:
  – UIUC's CUTE and jCUTE
  – Stanford's KLEE
  – UC Berkeley's CREST
  – BitBlaze
Symbolic Execution Testing
void test(int x, int y) {
    if (y == hash(x))
        S1;
    else
        S2;
}
• There is no code available for hash(x)
  – Therefore we cannot have any definitive path conditions or constraints
• Therefore Symbolic Execution is not possible
Directed Automated Random Testing (DART)
• Also known as Concolic Execution
• Combination of concrete and symbolic execution
  – Executes programs concretely
  – Collects the path condition
  – Runs and executes again with newly found solutions
• Conquers the incompleteness of symbolic execution
DART Testing
Aim: n/a
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}
test(1, 0)
[X > 0]
[X > 0 & Y != 10]
[X > 0 & Y != 10 & X <= 3]
Reached: S1 and S4
DART Testing (cont..)
Aim: to reach S3
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}
TEST: [X > 0 & Y != 10 & X > 3]
test(4, 0)
[X > 0]
[X > 0 & Y != 40]
[X > 0 & Y != 40 & X > 3 & Y <= 10]
Reached: S1 and S4
DART Testing (cont..)
Aim: to reach S3
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}
TEST: [X > 0 & Y > 10 & Y != 10 & X > 3]
test(4, 11)
[X > 0]
[X > 0 & Y != 40]
[X > 0 & Y != 40 & X > 3 & Y > 10]
Reached: S1 and S3
DART Testing (cont..)
Aim: to reach S0
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}
TEST: [X > 0 & Y = 40 & Y != 10 & X > 3]
test(4, 40)
[X > 0]
[X > 0 & Y = 40]
[X > 0 & Y = 40 & X > 3 & Y > 10]
Reached: S0 and S3
DART Testing (cont..)
Aim: to reach S0 and S4
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))        [hash(x) = 40]
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}
TEST: [X > 0 & Y = 40 & Y != 10 & X <= 3]
test(1, 40)
[X > 0]
[X > 0 & Y != 10]
[X > 0 & Y != 10 & X <= 3 & Y > 10]
Reached: S1 and S4
DIVERGENCE! Cannot ever finish
Flaws of Execution Strategies
• Symbolic Execution
  – Sound method, but incomplete functionality
  – Cannot solve problems when:
    • there is no access to code
    • the decision procedures do not work
• DART Execution
  – Complete method, but unsound performance
  – Can fail when:
    • functions are unpredictable
Symbolic Execution with Mixed Concrete-Symbolic Solving
• (DART) Concolic = Concrete + Symbolic
  – Concrete execution that produces symbolic path conditions
• SymCrete = Symbolic + Concrete
  – Symbolic execution that falls back to concrete execution as it is needed
SymCrete Execution Methodology
1. Split the Path Condition into two parts:
   – EASY: the part you can solve symbolically
   – HARD: the part you cannot solve symbolically
2. Solve the easy part symbolically and evaluate the hard part with concrete execution
3. Replace the hard part with the evaluated results and check if the result is SAT
• SAT – satisfies the given boolean formula (satisfiable)
SymCrete Execution
void test(int x, int y) {
    if (x > 0) {
        if (y == hash(x))
            S0;
        else
            S1;
        if (x > 3 && y > 10)
            S3;
        else
            S4;
    }
}

// native: the symbolic executor has no model of hash(x); the body is shown
// only so the concrete values below can be checked
native int hash(int x) {
    if (0 <= x && x <= 10) return x * 10;
    else return 0;
}

[X > 0]
[X > 0 & Y = hash(X)]  reaches S0
    1. Split:  easy part X > 0        hard part Y = hash(X)
    2. Solve easy: X = 1;  evaluate hard concretely: Y = hash(1) = 10
    3. [X > 0 & Y = 10] is SAT
[X > 0 & Y != hash(X)]  reaches S1
    [X > 0 & Y != 10] is SAT
SymCrete Execution
(same test(x, y) and native hash(x) as on the previous slide)

[X > 0]
[X > 0 & Y = hash(X)]  reaches S0
[X > 3 & Y = hash(X) & Y > 10]  reaches S0 and S3
    1. Split:  easy part X > 3 & Y > 10        hard part Y = hash(X)
    2. Solve easy: X = 4 & Y = 11;  evaluate hard concretely: Y = hash(4) = 40
    3. [X > 3 & Y = 40 & Y > 10] is SAT
[X > 0 & Y = hash(X) & X <= 3]  reaches S0 and S4
    1. Split:  easy part X > 0 & X <= 3        hard part Y = hash(X)
    2. Solve easy: X = 1;  evaluate hard concretely: Y = hash(1) = 10
    3. [X > 0 & Y = 10 & X <= 3] is SAT
Why SymCrete > DART
• SymCrete avoids the problem of being unsound
  – Checks if the boolean path condition is SAT
  – If not SAT, SymCrete will not continue with that path condition
• DART would continue with the found path condition and diverge
• SymCrete's Benefits:
  – uses the simplicity of symbolic execution
  – Adds the additional features of DART (concrete execution)
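The three SymCrete steps and the DART divergence from the slides, as an added example (not code from the paper or from Symbolic PathFinder). A brute-force enumeration over a small integer domain stands in for the symbolic decision procedure; `hash_native` is the slides' hash(x), and the example pins X to the value used for the concrete call so the substituted hash value stays valid:

```python
from itertools import product

def hash_native(x):
    """The slides' native hash(x): usable only by running it, never symbolically."""
    return x * 10 if 0 <= x <= 10 else 0

def run_test(x, y):
    """Concrete run of the slides' test(x, y); returns the statement labels reached."""
    reached = set()
    if x > 0:
        reached.add("S0" if y == hash_native(x) else "S1")
        reached.add("S3" if x > 3 and y > 10 else "S4")
    return reached

def solve_easy(easy, domain=range(-5, 60)):
    """Toy decision procedure for the easy part: enumeration stands in for a real
    SMT solver (assumption of this example). Returns a satisfying (x, y) or None."""
    for x, y in product(domain, domain):
        if all(c(x, y) for c in easy):
            return (x, y)
    return None

def symcrete(easy, hard_is_equal=True):
    """Steps 1-3 from the slides for a path condition easy & hard, where hard is
    Y == hash(X) (hard_is_equal=True) or Y != hash(X). Returns a solution or None."""
    sol = solve_easy(easy)                          # 2. solve the easy part symbolically
    if sol is None:
        return None
    x0, _ = sol
    h = hash_native(x0)                             # 2. evaluate the hard part concretely
    # 3. replace hash(X) by its concrete result; X is pinned to x0 so the value stays valid
    concrete = [lambda x, y: x == x0,
                (lambda x, y: y == h) if hard_is_equal else (lambda x, y: y != h)]
    return solve_easy(easy + concrete)              # None means not SAT: path is dropped

def dart_reuses_stale_value(easy, stale_h):
    """DART's move on the last DART slide: keep hash's value from a previous run (40)
    and solve the easy part with Y == 40 bolted on, without re-running hash."""
    return solve_easy(easy + [lambda x, y: y == stale_h])

# Aim: reach S0 and S4, i.e. path condition X > 0 & X <= 3 & Y == hash(X)
EASY_S0_S4 = [lambda x, y: x > 0, lambda x, y: x <= 3]

if __name__ == "__main__":
    sc = symcrete(EASY_S0_S4)                       # (1, 10): hash(1) re-evaluated
    print("SymCrete input", sc, "reaches", run_test(*sc))
    dart = dart_reuses_stale_value(EASY_S0_S4, 40)  # (1, 40): stale hash value
    print("DART input", dart, "reaches", run_test(*dart), "-> S0 missed, divergence")
```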
Implementation of SymCrete Execution
• Symbolic Execution extension for Java's PathFinder called jpf-symbc
• Model Checker for Java, Open Source: http://babelfish.arc.nasa.gov/trac/jpf
Symbolic PathFinder (SPF)
– Willem Visser's PowerPoint
Works Cited
1. Păsăreanu, Corina S., Neha Rungta, and Willem Visser. "Symbolic Execution with Mixed Concrete-Symbolic Solving." ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis (2011): 34-44. ACM Digital Library. ACM, 17 July 2011. Web. 1 Mar. 2015.
2. PowerPoint slides from one of the authors (Willem Visser).