Symbolic execution for software testing: three decades later
Citations
532 citations
Cites background from "Symbolic execution for software tes..."
...However, fuzzers like AFL are designed to target arbitrarily large programs and, in spite of several advancements, the application of symbolic/concolic techniques to such programs remains a challenge [10]....
[...]
392 citations
375 citations
362 citations
Additional excerpts
...Fault-based testing uses symbolic evaluation [132], [133] and constraint solving [133] techniques to prove the absence of certain types of faults in...
[...]
271 citations
References
6,859 citations
4,841 citations
2,941 citations
"Symbolic execution for software tes..." refers to background in this paper
...While the key idea behind symbolic execution was introduced more than three decades ago [5, 12, 22, 25], it has only recently been made practical, as a result of significant advances in constraint satisfiability [14], and of more scalable dynamic approaches which combine concrete and symbolic execution [9, 20]....
[...]
...The key idea behind symbolic execution [12, 25] is to use symbolic values, instead of concrete data values as input and to represent the values of program variables as symbolic expressions over the symbolic input values....
[...]
2,896 citations
2,346 citations
"Symbolic execution for software tes..." refers to background or methods in this paper
...DART [20] is the first concolic testing tool that combines dynamic test generation with random testing and model checking techniques with the goal of systematically executing all (or as many as possible) execution paths of a program, while checking each execution for various types of errors....
[...]
...CUTE (A Concolic Unit Testing Engine) and jCUTE (CUTE for Java) [31, 33, 35] extend DART to handle multithreaded programs that manipulate dynamic data structures using pointer operations....
[...]
...DART, CUTE, and CREST....
[...]
...DART [19] is the first concolic testing tool that combines dynamic test generation with random testing and model checking techniques with the goal of systematically executing all (or as many as possible) feasible paths of a program, while checking each execution for various types of errors....
[...]
...On the one end of the spectrum is a system like DART that only reasons about concrete pointers, or systems like CUTE and CREST that support only equality and inequality constraints for pointers, which can be efficiently solved [35]. At the other end are systems like EXE, and more recently KLEE and SAGE [10, 17, 35] that model pointers using the theory of arrays with selections and updates implemented by solvers like STP or Z3....
[...]