Seminar on Programming Languages and Program Analysis
Symbolic Execution Tools for Software Testing
In this seminar we will discuss classic and state-of-the-art papers regarding symbolic execution.
Symbolic Execution (description taken from "Symbolic execution for software testing: three decades later ©ACM by Cristian Cadar and Koushik Sen, CACM 2013):
Symbolic execution has garnered a lot of attention in recent years as an effective technique for generating high-coverage test suites and for finding deep errors in complex software applications.
While the key idea behind symbolic execution was introduced more than three decades ago, it has only recently been made practical, as a result of signi cant advances in constraint satis ability, and of more scalable dynamic approaches that combine concrete and symbolic execution.
Symbolic execution is typically used in software testing to explore as many different program paths as possible in a given amount of time, and for each path to generate a set of concrete input values exercising it, and check for the presence of various kinds of errors including assertion violations, uncaught exceptions, security vulnerabilities, and memory corruption. The ability to generate concrete test inputs is one of the major strengths of symbolic execution: from a test generation perspective, it allows the creation of high-coverage test suites, while from a bug-finding perspective, it provides developers with a concrete input that triggers the bug, which can be used to con rm the error independently of the symbolic execution tool that generated it.
Furthermore, note that in terms of finding errors on a given program path, symbolic execution is much more powerful than traditional dynamic execution techniques such as those implemented by popular tools like Valgrind or Purify, because it has the ability to find a bug if there are any buggy inputs on that path, rather than depending on having a concrete input that triggers the bug. Finally, unlike other program analysis techniques, symbolic execution is not limited to finding generic errors such as buffer overflows, but can reason about higher-level program properties, such as complex program assertions.
Requirements
- Give a 70-80 minutes talk about his or hers assigned topic (one or two research papers).
- Answer students questions during the talk.
- Lead a summary discussion.
- Say something original (i.e., not written in the paper) about the topic.
For example:
- Download and execute two implementations of the described algorithm and evaluate them.
- Extend the discussion regarding a particularly close related work.
- Make an interesting connection to a topic discussed in a previous talk.
- Describe a personal expereicne with using the discussed technique (or a simialr one) at work.
- Write a short (1 page) summary about the discussed topic, the original contribution, and the main points that came out during the discussion.
- Actively participate in the discussions led by other students.
Admin
- The slides and the summary should be written in English. (The talk can be given in Hebrew.)
- You are expected to be present in every lesson, unless coordinated beforehand with the lecturer.
- Name your presentation and summary using the seminar's naming conventions, e.g.,
- seminar1718a-lec-Num-presentation-firstname-secondname.pptx
- seminar1718a-lec-Num-summary-firstname-secondname.docx
- Meet the lecturer one week before the lesson.
- Send your presentation and summary to the lecturer up to one week after your lecture.
- Mathematical fonts for Powerpoint and Word can be found here.
Announcements
- Reception Hour: Sunday 15:00–16:00 (Schreiber 123A)
- There is no meeting on Sunday 9/Dec/2017 (Hanukkah vacation).
Schedule
- Topic: Overview
- Date: 14.Oct.2018
- Presenter: Noam Rinetzky
- Papers: Symbolic execution for software testing: three decades later ©ACM
- Presentation: PPTX PDF
- Topic: Classic symbolic execution
- Date: 21.Oct.2018
- Presenter: Tal Rosner
- Papers: [23], [6], [12]
- Topic: SAT and SMT
- Date: 28.Oct.2018
- Presenter: Ron Tavivian
- Papers:
- Topic: Execution-generated testing (EGT)
- Date: 4.Nov.2018
- Presenter: Oz Anani
- Papers: [8], [9], [10]
- Topic: NO LESSON
- Date: 11.Nov.2017
- Topic: Tools
- Topic: Concrete testing tools + BMC
- Date: 25.Nov.2018
- Presenter: Ben Solomon
- Paper: [21], [28], Bounded Model Checking
- Topic: NO LESSON
- Date: 2.Dec.2018
- Topic: NO LESSON
- Date: 9.Dec.2018
- Topic: Search heuristics
- Date: 16.Dec.2018
- Presenter: Guy Mozes
- Papers: [7], [26] ,[27], [13]
- Topic: Scaling symbolic execution
- Date: 23.Dec.2018
- Presenter I : Ran Toledo
- Paper I: Efficient state merging in symbolic execution
- Presenter II : Noam Zukerman
- Paper II: MultiSE: Multi-Path Symbolic Execution using Value Summaries
- Topic: Targeted symbolic execution
- Date: 30.Dec.2018
- Presenter I: Daniel / Yehonatan Fridman
- Papers I : KATCH: High-Coverage Testing of Software Patches, Demand-Driven Compositional Symbolic Execution
- Presenter II: Daniel / Yehonatan Fridman
- Paper II: Chopped symbolic execution
- Topic: Applications: Verification of multithreaded code + Exploit Generation
- Date: 6.Jan.2019
- Presenter I: Omer Bracha
- Papers I: [14], Symbolic Execution of Multithreaded Programs from Arbitrary Program Contexts
- Presenter II: Gilad Ilsar
- Papers II: [2]
- Topic: Applications: Online Gaming + Verification of GPUs
- Date: 13.Jan.2019
- Presenter I: Roi Koren
- Paper I: [4]
- Presenter II: Ohad Rubin
- Paper II: [25]
[N] is the citation number in Symbolic execution for software testing: three decades later