Abstract
Symbolic execution is being successfully used to automatically test statically compiled code. However, increasingly more systems and applications are written in dynamic interpreted languages like Python. Building a new symbolic execution engine is a monumental effort, and so is keeping it up-to-date as the target language evolves. Furthermore, ambiguous language specifications lead to their implementation in a symbolic execution engine potentially differing from the production interpreter in subtle ways.
We address these challenges by flipping the problem and using the interpreter itself as a specification of the language semantics. We present a recipe and tool (called Chef) for turning a vanilla interpreter into a sound and complete symbolic execution engine. Chef symbolically executes the target program by symbolically executing the interpreter's binary while exploiting inferred knowledge about the program's high-level structure.
Using Chef, we developed a symbolic execution engine for Python in 5 person-days and one for Lua in 3 person-days. They offer complete and faithful coverage of language features in a way that keeps up with future language versions at near-zero cost. Chef-produced engines are up to 1000 times more performant than if directly executing the interpreter symbolically without Chef.
Prototyping symbolic execution engines for interpreted languages. In ASPLOS '14: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems.