PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation

Zhang Jun-Xian; Li Zhou-Jun; Zheng Xian-Chen

doi:10.1007/978-3-319-25942-0_15

PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation

Zhang Jun-Xian^*
, Li Zhou-Jun
, Zheng Xian-Chen

^*Corresponding author for this work

School of Computer Science and Engineering

Beihang University
University of Jinan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Dynamic symbolic execution (or concolic execution) is a powerful method for program analysis and software testing by attaching symbolic execution to the concrete running of a program. This paper proposes an approach to handle aggregate types (e.g., pointers, arrays, structures) and their complex combinations for the dynamic symbolic execution of C programs. The main idea of the approach is splitting a complex type program variable into a series of primitive type variables. During the concrete execution of a program, a con- colic execution engine is provided to observe the operations on every program variable at the level of primitive types, and then the symbolic state of the program is updated. The path constraints which must be satisfied to drive the program running along the current execution path are collected to generate new test data for other paths. Our approach guarantees that only primitive type variables can appear in the symbolic states and path constraints. Based on LLVM byte code instrumentation, we present a new tool, called PathWalker, which implements this approach. Experimental results reveal that PathWalker is effective to deal with complex types in C codes.

Original language	English
Title of host publication	Dependable Software Engineering
Subtitle of host publication	Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings
Editors	Zhiming Liu, Wang Yi, Xuandong Li
Publisher	Springer Verlag
Pages	227-242
Number of pages	16
ISBN (Print)	9783319259413
DOIs	https://doi.org/10.1007/978-3-319-25942-0_15
State	Published - 2015
Event	1st International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015 - Nanjing, China Duration: 4 Nov 2015 → 6 Nov 2015

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9409
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	1st International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015
Country/Territory	China
City	Nanjing
Period	4/11/15 → 6/11/15

Keywords

Dynamic symbolic execution
LLVM aggregate type
Program instrumentation

Access to Document

10.1007/978-3-319-25942-0_15

Cite this

Jun-Xian, Z., Zhou-Jun, L., & Xian-Chen, Z. (2015). PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation. In Z. Liu, W. Yi, & X. Li (Eds.), Dependable Software Engineering: Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings (pp. 227-242). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9409). Springer Verlag. https://doi.org/10.1007/978-3-319-25942-0_15

Jun-Xian, Zhang ; Zhou-Jun, Li ; Xian-Chen, Zheng. / PathWalker : A dynamic symbolic execution tool based on LLVM byte code instrumentation. Dependable Software Engineering: Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings. editor / Zhiming Liu ; Wang Yi ; Xuandong Li. Springer Verlag, 2015. pp. 227-242 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{e134c2e7b9234eb2966245d63b8133dc,

title = "PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation",

abstract = "Dynamic symbolic execution (or concolic execution) is a powerful method for program analysis and software testing by attaching symbolic execution to the concrete running of a program. This paper proposes an approach to handle aggregate types (e.g., pointers, arrays, structures) and their complex combinations for the dynamic symbolic execution of C programs. The main idea of the approach is splitting a complex type program variable into a series of primitive type variables. During the concrete execution of a program, a con- colic execution engine is provided to observe the operations on every program variable at the level of primitive types, and then the symbolic state of the program is updated. The path constraints which must be satisfied to drive the program running along the current execution path are collected to generate new test data for other paths. Our approach guarantees that only primitive type variables can appear in the symbolic states and path constraints. Based on LLVM byte code instrumentation, we present a new tool, called PathWalker, which implements this approach. Experimental results reveal that PathWalker is effective to deal with complex types in C codes.",

keywords = "Dynamic symbolic execution, LLVM aggregate type, Program instrumentation",

author = "Zhang Jun-Xian and Li Zhou-Jun and Zheng Xian-Chen",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 1st International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015 ; Conference date: 04-11-2015 Through 06-11-2015",

year = "2015",

doi = "10.1007/978-3-319-25942-0\_15",

language = "英语",

isbn = "9783319259413",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "227--242",

editor = "Zhiming Liu and Wang Yi and Xuandong Li",

booktitle = "Dependable Software Engineering",

address = "德国",

}

Jun-Xian, Z, Zhou-Jun, L & Xian-Chen, Z 2015, PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation. in Z Liu, W Yi & X Li (eds), Dependable Software Engineering: Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9409, Springer Verlag, pp. 227-242, 1st International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015, Nanjing, China, 4/11/15. https://doi.org/10.1007/978-3-319-25942-0_15

PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation. / Jun-Xian, Zhang; Zhou-Jun, Li; Xian-Chen, Zheng.
Dependable Software Engineering: Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings. ed. / Zhiming Liu; Wang Yi; Xuandong Li. Springer Verlag, 2015. p. 227-242 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9409).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PathWalker

T2 - 1st International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015

AU - Jun-Xian, Zhang

AU - Zhou-Jun, Li

AU - Xian-Chen, Zheng

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2015.

PY - 2015

Y1 - 2015

N2 - Dynamic symbolic execution (or concolic execution) is a powerful method for program analysis and software testing by attaching symbolic execution to the concrete running of a program. This paper proposes an approach to handle aggregate types (e.g., pointers, arrays, structures) and their complex combinations for the dynamic symbolic execution of C programs. The main idea of the approach is splitting a complex type program variable into a series of primitive type variables. During the concrete execution of a program, a con- colic execution engine is provided to observe the operations on every program variable at the level of primitive types, and then the symbolic state of the program is updated. The path constraints which must be satisfied to drive the program running along the current execution path are collected to generate new test data for other paths. Our approach guarantees that only primitive type variables can appear in the symbolic states and path constraints. Based on LLVM byte code instrumentation, we present a new tool, called PathWalker, which implements this approach. Experimental results reveal that PathWalker is effective to deal with complex types in C codes.

AB - Dynamic symbolic execution (or concolic execution) is a powerful method for program analysis and software testing by attaching symbolic execution to the concrete running of a program. This paper proposes an approach to handle aggregate types (e.g., pointers, arrays, structures) and their complex combinations for the dynamic symbolic execution of C programs. The main idea of the approach is splitting a complex type program variable into a series of primitive type variables. During the concrete execution of a program, a con- colic execution engine is provided to observe the operations on every program variable at the level of primitive types, and then the symbolic state of the program is updated. The path constraints which must be satisfied to drive the program running along the current execution path are collected to generate new test data for other paths. Our approach guarantees that only primitive type variables can appear in the symbolic states and path constraints. Based on LLVM byte code instrumentation, we present a new tool, called PathWalker, which implements this approach. Experimental results reveal that PathWalker is effective to deal with complex types in C codes.

KW - Dynamic symbolic execution

KW - LLVM aggregate type

KW - Program instrumentation

UR - https://www.scopus.com/pages/publications/84951130833

U2 - 10.1007/978-3-319-25942-0_15

DO - 10.1007/978-3-319-25942-0_15

M3 - 会议稿件

AN - SCOPUS:84951130833

SN - 9783319259413

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 227

EP - 242

BT - Dependable Software Engineering

A2 - Liu, Zhiming

A2 - Yi, Wang

A2 - Li, Xuandong

PB - Springer Verlag

Y2 - 4 November 2015 through 6 November 2015

ER -

Jun-Xian Z, Zhou-Jun L, Xian-Chen Z. PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation. In Liu Z, Yi W, Li X, editors, Dependable Software Engineering: Theories, Tools, and Applications - 1st International Symposium, SETTA 2015, Proceedings. Springer Verlag. 2015. p. 227-242. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-25942-0_15

PathWalker: A dynamic symbolic execution tool based on LLVM byte code instrumentation

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this