What does a symbolic state consist of?
The symbolic state consists of:
A preficx of a path in the CFG
A symbolic map, which maps each variable of the program to an expression over the symbolic variables
A path condition (a constraint over the symbolic variables), which holds if and only if the execution takes the current path
What does a search strategy define?
A search strategy defines how the next path is chosen
How does a search strategy work?
The first path is chosen randomly
The next path is determined by negating a conjunct of the path condition
The foreach statement determines which conjunct to negate
What’s the difference between the Long-first and the Short-first search strategy?
Long first:
The foreach statement considers longer prefixes first
Short first:
The foreach statement considers shorter prefixes first
What happens with Assumptions during symbolic execution?
Branching and assume statements append both append and element to the sequence
-> treated identically except assumptions are never negated to explore new paths
What happens when Symbolic execution encounters loops?
Might not terminate
-> we cannot enumerate all paths for loops in general
Every additional recursion just tests one more loop iteration
-> by adding the negation of the loop condition
Some branches might not be covered
-> because SE gets stuck exploring a loop
How does one improve the procedure to handle loops?
Bound the number of loop iterations or use a time-out
What issues does performing an interprocedural symbolic execution have for method calls?
Issues:
Scalability
Modularity
What limitations does constraint solving have?
Non-linear constraint over reals is difficult to solve
Without solution no test data will be provided
( - neither for the other branches)
What type of testing is dynamic symbolic execution?
Concolic testing or whitebox testing
How does the algorithm for DSE work?
Exactly like symbolic execution, but we may use concrete values when constraint solving fails
What happens for dynamic symbolic execution when a constraint solver cannot symbollically reason about the function Hash(y)?
DSE:
Randomly picks values for x,y
Observes the concrete value c of Hash(y)
Changes the calue of x to c in the next run
What happens to method calls in path conditions?
The results of method calls may be used as conditions
-> In DSE expressions that cannot be encoded are replaced by their concrete values
How does DSE replace expressions by their values?
Expressions that cannot be encoded as constraints are replaced by their concrete values by…
by adapting the defintion of procedure ExecuteSymbolic
by fixing method arguments with assumptions
How does replacing by concrete values by “Adapting the definition of the prodedure ExecuteSymbolic” work?
How does replacing by concrete values by “By fixing method arguments with assumptions” work?
What problem could appear from replacing calls by concrete values?
When method results are constrained by values other than symbolic values, the resulting contraints do not provide useful conditions
What happens with the procedure when the solver returns unknown?
When the solver returns “unknown”, simplify constraint by replacing a symbolic value and retry solving
What are the pros of simplifying constraints?
Pros:
Replacing a variable with a concrete value:
Might reduce the complexity
(e.g. replacing A in AxB > 0)
Reduces the size
(number of free variables)
What are the cons of simplifying constraints?
Cons:
Strategy does not necessarily succeed
New Constraint might be unsatisfiable
Solver might still yield “unknown
When may all paths be enumerated with DSE?
When:
There are finitely many paths
And all feasable branches are explored
Last changed19 days ago
