Abstract
In this paper, we provide a formal explanation of symbolic execution in terms of a symbolic transition system and prove its correctness and completeness with respect to an operational semantics which models the execution on concrete values. We first introduce a formal model for a basic programming language with a statically fixed number of programming variables. This model is extended to a programming language with recursive procedures which are called by a call-by-value parameter mechanism. Finally, we present a more general formal framework for proving the soundness and completeness of the symbolic execution of a basic object-oriented language which features dynamically allocated variables.
Highlights
Symbolic execution [Kin76] plays a crucial role in modern testing techniques, debugging, and automated program analysis
In this paper, following [dBB19], we first formalize the standard approach to symbolic execution which consists of generating a path condition on-the-fly by maintaining during the symbolic execution a symbolic representation of the concrete program state, i.e., the assignment of values to program variables
A major difference with our approach is that in [LRA17] symbolic execution is defined in terms of a general logic for the description of transition systems which abstracts from the specific characteristics of the programming language
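The standard approach described in the highlights, as an added example that is not the paper's own code: a symbolic executor for a tiny language with a statically fixed set of variables, which builds the path condition on the fly from a symbolic state, together with a check of the correspondence with concrete execution (one input enables exactly one path, and that path's symbolic state instantiated with the input equals the concrete final state). The expression and statement encodings and the sample program are assumptions constructed for this example.

```python
# Added example (not the paper's code): symbolic executor for a tiny language with
# a fixed set of variables, checked against concrete execution on a constructed program.
# Expr: ('var', n) | ('const', k) | ('add', a, b) | ('lt', a, b) | ('not', a)
# Stmt: ('assign', n, expr) | ('if', cond, then_stmts, else_stmts)
OPS = {'add': lambda a, b: a + b, 'lt': lambda a, b: a < b, 'not': lambda a: not a}

def subst(expr, sigma):
    """Replace every variable in expr by its symbolic value in sigma."""
    if expr[0] in ('var', 'const'):
        return sigma[expr[1]] if expr[0] == 'var' else expr
    return (expr[0],) + tuple(subst(e, sigma) for e in expr[1:])

def evaluate(expr, env):
    """Concrete evaluation of expr under env (variable -> int)."""
    if expr[0] in ('var', 'const'):
        return env[expr[1]] if expr[0] == 'var' else expr[1]
    return OPS[expr[0]](*(evaluate(e, env) for e in expr[1:]))

def run_concrete(stmts, env):  # operational semantics on concrete values
    env = dict(env)
    for s in stmts:
        if s[0] == 'assign':
            env[s[1]] = evaluate(s[2], env)
        else:  # branch on the concrete truth value of the test
            env = run_concrete(s[2] if evaluate(s[1], env) else s[3], env)
    return env

def run_symbolic(stmts, sigma, pc=()):
    """Yield (symbolic state, path condition) for every path; the path
    condition grows on the fly by substituting sigma into each branch test."""
    if not stmts:
        yield sigma, pc
    elif stmts[0][0] == 'assign':
        s = stmts[0]
        yield from run_symbolic(stmts[1:], {**sigma, s[1]: subst(s[2], sigma)}, pc)
    else:
        s, c = stmts[0], subst(stmts[0][1], sigma)
        yield from run_symbolic(s[2] + stmts[1:], sigma, pc + (c,))
        yield from run_symbolic(s[3] + stmts[1:], sigma, pc + (('not', c),))

def check_correspondence(stmts, env):
    """Exactly one path is enabled by env, and its symbolic state, evaluated
    under env, equals the concrete final state (soundness + completeness)."""
    sigma0 = {v: ('var', v) for v in env}  # initial symbolic state maps x to x
    paths = [(sg, pc) for sg, pc in run_symbolic(stmts, sigma0)
             if all(evaluate(c, env) for c in pc)]
    return len(paths) == 1 and run_concrete(stmts, env) == {
        v: evaluate(e, env) for v, e in paths[0][0].items()}

X, Y, ONE = ('var', 'x'), ('var', 'y'), ('const', 1)  # constructed program below:
# if x < y then x := x + y else y := y + 1; x := x + 1
PROG = [('if', ('lt', X, Y), [('assign', 'x', ('add', X, Y))], [('assign', 'y', ('add', Y, ONE))]),
        ('assign', 'x', ('add', X, ONE))]
```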
Summary
Symbolic execution [Kin76] plays a crucial role in modern testing techniques, debugging, and automated program analysis. It is used for generating test cases [AAGR14, BCD+18]. There exists a plethora of different techniques for one of the major problems in symbolic execution, namely the presence of dynamically allocated program variables, e.g., describing arrays and (object-oriented) pointer structures (“heaps”). Powerful symbolic execution tools [CDE08, CGP+08, EGL09] handling arrays exploit various code pre-processing techniques, though formal correctness of the theory behind these tools is acknowledged as a potential problem that might limit the validity of the internal engine, and is validated only experimentally by testing [PMZC17]. In all of the above work no explicit formal account of the underlying model of the symbolic execution, and its correctness, is presented.