Symbolic Execution with Value-Range Analysis for Floating-Point Exception Detection

Abstract

Symbolic execution is a classic program analysis technique which uses symbolic inputs to explore feasible program paths. It has been widely used in bug detection and test case generation. However, there is only limited success in applying this technique to detect errors in floating-point programs. The ubiquitous, yet complicated to solve, floating-point constraints make it challenging to apply symbolic execution to floating-point exception detection. This paper proposes to accelerate symbolic execution for floating-point exception detection, using value-range analysis. Our insight is that floating-point exceptions rarely happen in real-world programs, and plenty of floating-point constraints can be effectively solved by a much more efficient value-range analysis. The value-range analysis maintains an over-approximated value range for each program variable, which can efficiently filter out those constraints for checking the operations that are guaranteed to be safe. Hence, we perform value-range analysis together with classic symbolic execution for fast floating-point exception detection. Moreover, the value ranges can be used for mathematical function modeling, and further eliminate false positives. Our experimental results show that 15% of constraints can be solved by our value-range analysis. We can also find more bugs and report fewer false positives than the classic symbolic execution technique.