Awesome
Concrete Constraint Guided Symbolic Execution
CGS (concrete-constraint guided searcher) is a dapendency-based path prioritization method for classical symbolic execution. It is motivated by an important observation that concrete branching conditions encompass a significant majority and a large portion of them are only partially covered. Therefore, there is a great potential to improve overall code coverage by guiding symbolic execution towards covering more concrete branches.
The folder IDA and KLEE contains the codes to implement our methods in Section 3 in our paper in ICSE '24.
The artifacts of motivation and experiment be found on zenodo.
Installation
Install LLVM 11.1.0 first and build:
1.Branch dependency analysis: Installation
2.KLEE (using STP solver): Building KLEE
Usage
First, set the following environment variables:
export SANDBOX_DIR=/tmp
export SOURCE_DIR=/path-to/cgs
export OUTPUT_DIR=/path-to/results
Then, build program in benchmark folder.
Next, generate new llvm bitcode (new_benchmark
and stat
folders are created):
python3 run.py [program] gen
Last, use our klee to test:
python3 run.py [program] run [searcher]
Moreover, we provide an option COV_STATS
in run.py
. If it is set to True
before running klee, we can collect the statistics about symbolic and concrete branching conditions and use our modified klee-stats
to show the results:
------------------------------------------------------------------------------------------------------------
| Path | Instrs| Time(s)| ICov(%)| BCov(%)| ICount| PCB| FCB| TC| SC| CC| FCSC| FCCC|
------------------------------------------------------------------------------------------------------------
|random-path/grep/|31573693| 3792.19| 27.68| 17.60| 93708| 0| 0|1404| 120|1372| 85| 385|
------------------------------------------------------------------------------------------------------------
PCB=Partially Covered Branches
FCB=Fully Covered Branches
TC=Total (Branching) Conditions
SC=Symbolic (Branching) Conditions
CC=Concrete (Branching) Conditions
FCSC=Fully Covered Symbolic (Branching) Conditions
FCCC=Fully Covered Concrete (Branching) Conditions
PCB and FCB are non-zero only if we set COV_STATS
to False
.
Cite our paper
@inproceedings{XXX,
author = {Yue Sun, Guowei Yang, Shichao Lv, Zhi Li, Limin Sun},
title = {Concrete Constraint Guided Symbolic Execution},
year = {2024},
address = {Lisbon, Portugal},
url = {https://doi.org/10.1145/3597503.3639078},
numpages = {13},
series = {ICSE '24}
}