Abstract: symbolic execution is an effective way of systematically exploring the search space of a program, and is often used for automatic software testing and bug finding. The program to be analyzed is usually compiled into a binary or an intermediate representation, on which symbolic execution is carried out. During this process, compiler optimizations influence the effectiveness and efficiency of symbolic execution. However, to the best of our knowledge, there exists no work on compiler optimization recommendation for symbolic execution with respect to (w.r.t.) modified condition/decision coverage (MC/DC), which is an important testing coverage criterion widely used for mission-critical software. This study describes our use of a state-of-the-art symbolic execution tool to carry out extensive experiments to study the impact of compiler optimizations on symbolic execution w.r.t. MC/DC. The results indicate that instruction combining (IC) optimization is the important and dominant optimization for symbolic execution w.r.t MC/DC. We designed and implemented a support vector machine based optimization recommendation method w.r.t. IC (denoted as auto). The experiments on two standard benchmarks (Coreutils and NECLA) showed that auto achieves the best MC/DC on 67.47% of Coreutils programs and 78.26% of NECLA programs.

面向MC/DC的符号执行编译优化

[1]Agakov F, Bonilla E, Cavazos J, et al., 2006. Using machine learning to focus iterative optimization. Proc Int Symp on Code Generation and Optimization, p.295-305.

[2]Aho AV, Sethi R, Ullman JD, 1986. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Heidelberg, Berlin, Germany.

[3]Ammann P, Offutt J, 2016. Introduction to Software Testing. Cambridge University Press, Cambridge, UK.

[4]Barr ET, Clark D, Harman M, et al., 2018. Indexing operators to extend the reach of symbolic execution. https://arxiv.org/abs/1806.10235

[5]Beizer B, 2003. Software Testing Techniques. Dreamtech Press, New Delhi, India.

[6]Bucur S, Ureche V, Zamfir C, et al., 2011. Parallel symbolic execution for automated real-world software testing. Proc 6^th Conf on Computer Systems, p.183-198.

[7]Cadar C, 2015. Targeted program transformations for symbolic execution. Proc 10^th Joint Meeting on Foundations of Software Engineering, p.906-909.

[8]Cadar C, Dunbar D, Engler D, 2008. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. Proc 8^th USENIX Symp on Operating Systems Design and Implementation, p.209-224.

[9]Chang CC, Lin CJ, 2011. LIBSVM: a library for support vector machines. ACM Trans Intell Syst Technol, 2(3):27.

[10]Chawla NV, 2005. Data mining for imbalanced datasets: an overview. In: Maimon O, Rokach L (Eds.), Data Mining and Knowledge Discovery. Springer, Boston, USA, p.853-867.

[11]Chen JJ, Hu WX, Zhang LM, et al., 2018. Learning to accelerate symbolic execution via code transformation. Proc 32^nd European Conf on Object-Oriented Programming, Article 6.

[12]Chen S, Cowan CFN, Grant PM, 1991. Orthogonal least squares learning algorithm for radial basis function networks. IEEE Trans Neur Netw, 2(2):302-309.

[13]Chen TY, Cheung SC, Yiu SM, 1998. Metamorphic Testing: a New Approach for Generating Next Test Cases. Technical Report HKUST-CS98-01, Department of Computer Science, Hong Kong University of Science and Technology, Hong Kong, China.

[14]Christakis M, Müller P, Wüstholz V, 2016. Guiding dynamic symbolic execution toward unverified program executions. Proc 38^th Int Conf on Software Engineering, p.144-155.

[15]Converse H, Olivo O, Khurshid S, 2017. Non-semantics-preserving transformations for higher-coverage test generation using symbolic execution. Proc IEEE Int Conf on Software Testing, Verification and Validation, p.241-252.

[16]Cortes C, Vapnik V, 1995. Support-vector networks. Mach Learn, 20(3):273-297.

[17]Cui HM, Hu G, Wu JY, et al., 2013. Verifying systems rules using rule-directed symbolic execution. Proc 18^th Int Conf on Architectural Support for Programming Languages and Operating Systems, p.329-342.

[18]de Moura L, Bjorner N, 2008. Z3: an efficient SMT solver. Proc 14^th Int Conf on Tools and Algorithms for the Construction and Analysis of Systems, p.337-340.

[19]de Moura L, Bjorner N, 2011. Satisfiability modulo theories: introduction and applications. Commun ACM, 54(9):69-77.

[20]Dong S, Olivo O, Zhang L, et al., 2015. Studying the influence of standard compiler optimizations on symbolic execution. Proc 26^th Int Symp on Software Reliability Engineering, p.205-215.

[21]Dupuy A, Leveson N, 2000. An empirical evaluation of the MC/DC coverage criterion on the HETE-2 satellite software. Proc 19^th Digital Avionics Systems Conf, Article 1.B.6.

[22]Duran JW, Ntafos SC, 1984. An evaluation of random testing. IEEE Trans Softw Eng, SE-10(4):438-444.

[23]EUROCAE (European Organisation for Civil Aviation Equipment), 1998. Software Considerations in Airborne Systems and Equipment Certification, RTCA DO-178B. EUROCAE, Paris, France.

[24]Fan WQ, Liang HL, Yang YX, et al., 2009. A novel symbolic execution framework for multi-procedure program analysis. Proc 2^nd IEEE Int Conf on Broadband Network & Multimedia Technology, p.858-863.

[25]Fehnker A, Huuck R, Jayet P, et al., 2006. Goanna—a static model checker. Proc Int Workshop on Parallel and Distributed Methods in Verification, p.297-300.

[26]Fewster M, Graham D, 2000. Software Test Automation: Effective Use of Test Execution Tools. Emerald Group Publishing, Bingley, UK.

[27]Godefroid P, Klarlund N, Sen K, 2005. DART: directed automated random testing. Proc ACM SIGPLAN Conf on Programming Language Design and Implementation, p.213-223.

[28]Godefroid P, Levin MY, Molnar D, et al., 2008. Automated whitebox fuzz testing. Proc Network and Distributed System Security Symp, p.151-166.

[29]Hariri F, Shi A, Converse H, et al., 2016. Evaluating the effects of compiler optimizations on mutation testing at the compiler IR level. Proc 27^th Int Symp on Software Reliability Engineering, p.105-115.

[30]Hayhurst KJ, Veerhusen DS, 2001. A practical tutorial on modified condition/decision coverage. Proc 20^th Digital Avionics Systems Conf, Article 1.B.2.

[31]Jia Y, Harman M, 2011. An analysis and survey of the development of mutation testing. IEEE Trans Softw Eng, 37(5):649-678.

[32]Jia XY, Ghezzi C, Ying S, 2015. Enhancing reuse of constraint solutions to improve symbolic execution. Proc Int Symp on Software Testing and Analysis, p.177-187.

[33]Joshi HP, Dhanasekaran A, Dutta R, 2015. Impact of software obfuscation on susceptibility to return-oriented programming attacks. Proc 36^th Sarnoff Symp, p.161-166.

[34]Khurshid S, Päsäreanu CS, Visser W, 2003. Generalized symbolic execution for model checking and testing. Proc Int Conf Tools and Algorithms for the Construction and Analysis of Systems, p.553-568.

[35]King JC, 1976. Symbolic execution and program testing. Commun ACM, 19(7):385-394.

[36]Kuznetsov V, Kinder J, Bucur S, et al., 2012. Efficient state merging in symbolic execution. 33^rd ACM SIGPLAN Conf on Programming Language Design and Implementation, p.193-204.

[37]Lattner C, Adve VS, 2004. LLVM: a compilation framework for lifelong program analysis & transformation. Proc Int Symp on Code Generation and Optimization, p.75-88.

[38]Li Y, Su Z, Wang L, et al., 2013. Steering symbolic execution to less traveled paths. ACM SIGPLAN Not, 48(10):19-32.

[39]Lopes NP, Menendez D, Nagarakatte S, et al., 2015. Provably correct peephole optimizations with alive. ACM SIGPLAN Not, 50(6):22-32.

[40]Ma KK, Phang KY, Foster JS, et al., 2011. Directed symbolic execution. Proc Int Static Analysis Symp, p.95-111.

[41]McKeeman WM, 1998. Differential testing for software. Dig Techn J, 10(1):100-107.

[42]Pan ZL, Eigenmann R, 2006. Fast and effective orchestration of compiler optimizations for automatic performance tuning. Proc Int Symp on Code Generation and Optimization, p.319-332.

[43]Perry DM, Mattavelli A, Zhang X, et al., 2017. Accelerating array constraints in symbolic execution. Proc 26^th ACM SIGSOFT Int Symp on Software Testing and Analysis, p.68-78.

[44]Sen K, Marinov D, Agha G, 2005. CUTE: a concolic unit testing engine for C. Proc 10^th European Software Engineering Conf held jointly with 13^th ACM SIGSOFT Int Symp on Foundations of Software Engineering, p.263-272.

[45]Sen K, Necula G, Gong L, et al., 2015. MultiSE: multi-path symbolic execution using value summaries. Proc 10^th Joint Meeting on Foundations of Software Engineering, p.842-853.

[46]Seo H, Kim S, 2014. How we get there: a context-guided search strategy in concolic testing. Proc 22^nd ACM SIGSOFT Int Symp on Foundations of Software Engineering, p.413-424.

[47]Staats M, Päsäreanu C, 2010. Parallel symbolic execution for structural test generation. Proc 19^th Int Symp on Software Testing and Analysis, p.183-194.

[48]Su T, Ke W, Miao W, et al., 2017. A survey on data-flow testing. ACM Comput Surv, 50(1):5.

[49]Tillmann N, de Halleux J, 2008. Pex—white box test generation for .NET. Proc Int Conf on Tests and Proofs, p.134-153.

[50]Tiwari A, Chen C, Chame J, et al., 2009. A scalable auto-tuning framework for compiler optimization. Proc IEEE Int Symp on Parallel & Distributed Processing, p.1-12.

[51]Wagner J, Kuznetsov V, Candea G, 2013. -OVERIFY: optimizing programs for fast verification. 14^th USENIX Conf on Hot Topics in Operating Systems, p.1-6.

[52]Wang X, Sun J, Chen Z, et al., 2018. Towards optimal concolic testing. Proc 40^th Int Conf on Software Engineering, p.291-302.

[53]Wong E, Zhang L, Wang S, et al., 2015. DASE: document-assisted symbolic execution for improving automated software testing. Proc 37^th IEEE Int Conf on Software Engineering, p.620-631.

[54]Wong WE, 2001. Mutation Testing for the New Century. Springer, Boston, USA.

[55]Yu H, Chen Z, Wang J, et al., 2018. Symbolic verification of regular properties. Proc 40^th Int Conf on Software Engineering, p.871-881.

[56]Zhang Y, Chen Z, Wang J, et al., 2015. Regular property guided dynamic symbolic execution. Proc 37^th IEEE Int Conf on Software Engineering, p.643-653.

[57]Zhu H, Hall PA, May JH, 1997. Software unit test coverage and adequacy. ACM Comput Surv, 29(4):366-427.