点击次数：

论文类型：期刊论文

发表时间：2017-01-01

发表刊物：IEEE ACCESS

收录刊物：SCIE、EI

卷号：5

页面范围：8752-8762

ISSN号：2169-3536

关键字：Dynamic symbolic execution; branch history; test case generation; heuristic search; cyber-physical system

摘要：Heuristic search is an important part of modern dynamic symbolic execution (DSE) tools, as heuristic search can be used to effectively explore the large program input space. Searching task remains one of several research challenges due to the fact that the input space grows exponentially with the increase of program size, and different programs may have very different structures. The challenge is compounded in a cyber-physical system or cloud-based Internet of Things environment. In this paper, we propose a novel heuristic search algorithm, which analyzes the program execution history and uses the refined history information to inform the search. This paper is based on the observation that the branch and input history generated during dynamic symbolic execution can help memorize the explored input space, and infer the partial structure of the program. With a summarized branch history, the proposed heuristic search makes informed (and better) decisions about which input area to search next for better efficiency. To evaluate the search algorithm, we implement the core DSE engine, integrated with modules to perform execution history collection and analysis. To make our method practical, we incorporate taint analysis and constraint solving statistics to guide the search algorithm. Experimental results demonstrate that with the rich history information, the newsearch algorithm can explore the input space more effectively, thus resulting in detecting software defects faster.