Abstract
We describe an algorithm to perform symbolic execution of a multithreaded program starting from an arbitrary program context. We argue that this can enable more efficient symbolic exploration of deep code paths in multithreaded programs by allowing the symbolic engine to jump directly to program contexts of interest.
The key challenge is modeling the initial context with reasonable precision - an overly approximate model leads to exploration of many infeasible paths during symbolic execution, while a very precise model would be so expensive to compute that computing it would defeat the purpose of jumping directly to the initial context in the first place. We propose a context-specific dataflow analysis that approximates the initial context cheaply, but precisely enough to avoid some common causes of infeasible-path explosion. This model is necessarily approximate - it may leave portions of the memory state unconstrained, leaving our symbolic execution unable to answer simple questions such as "which thread holds lock A?". For such cases, we describe a novel algorithm for evaluating symbolic synchronization during symbolic execution. Our symbolic execution semantics are sound and complete up to the limits of the underlying SMT solver. We describe initial experiments on an implementation in Cloud 9.
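The question the abstract poses, "which thread holds lock A?", can be made concrete with a small model, written here as an added illustration rather than the paper's or Cloud 9's own code: when the initial-context model leaves a lock's holder unconstrained, the engine forks one path per feasible holder and records that assumption in the path condition, so no single guess is baked in. Thread ids, lock names, the `State` shape and the non-reentrant mutex semantics are constructed for the example.

```python
import copy
from dataclasses import dataclass, field

# Constructed example: thread ids are small ints, locks are strings.
# UNKNOWN marks a holder the initial-context model left unconstrained;
# None means the lock is free.
UNKNOWN = "?"

@dataclass
class State:
    owner: dict                                 # lock -> thread id, None or UNKNOWN
    pc: list = field(default_factory=list)      # path condition: (lock, "owner", value)
    blocked: set = field(default_factory=set)   # threads waiting on some lock
    deadlocked: bool = False

def _assume(state, lock, value):
    """Fork a copy of `state` in which the holder of `lock` is fixed to `value`."""
    s = copy.deepcopy(state)
    s.owner[lock] = value
    s.pc.append((lock, "owner", value))         # record the assumption this path makes
    return s

def sym_lock(state, thread, lock, threads):
    """Return the successor states when `thread` calls lock(`lock`)."""
    owner = state.owner.get(lock, UNKNOWN)
    if owner == UNKNOWN:
        # Holder unknown: fork one path per feasible answer to "who holds the lock?"
        # (free, or each thread); the concrete branch below then handles each fork.
        return [s for v in [None, *threads]
                for s in sym_lock(_assume(state, lock, v), thread, lock, threads)]
    s = copy.deepcopy(state)
    if owner is None:
        s.owner[lock] = thread                  # free: acquire it
    else:
        s.blocked.add(thread)                   # held by someone: caller waits
        # Non-reentrant mutex: the caller already holding it is a self-deadlock;
        # every thread waiting is a global deadlock.
        if owner == thread or s.blocked >= set(threads):
            s.deadlocked = True
    return [s]

def sym_unlock(state, thread, lock):
    """Release `lock`; blocked threads become runnable and must retry lock()."""
    if state.owner.get(lock) != thread:
        raise ValueError("unlock by a thread that does not hold the lock")
    s = copy.deepcopy(state)
    s.owner[lock] = None
    s.blocked.clear()
    return s
```

Each fork's `pc` is the constraint an SMT solver would be asked to check together with the rest of the path condition, which is how an unconstrained memory region becomes a finite set of explored cases rather than a single approximation.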
Symbolic execution of multithreaded programs from arbitrary program contexts. Published in OOPSLA '14: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications.