Fitness-Guided Path Exploration in Dynamic Symbolic Execution

Tao Xie, Nikolai Tillmann, Peli de Halleux, and Wolfram Schulte

Abstract

Dynamic symbolic execution is a structural testing technique that systematically explores feasible paths of the program under test by running the program with different test inputs to improve code coverage. To address the space-explosion issue in path exploration, we propose a novel approach called Fitnex, a search strategy that uses state-dependent fitness values (computed through a fitness function) to guide path exploration. The fitness function measures how close an already discovered feasible path is to a particular test target (e.g., covering a not-yet-covered branch). Our new fitness-guided search strategy is integrated with other strategies that are effective for exploration problems where the fitness heuristic fails. We implemented the new approach in Pex, an automated structural testing tool developed at Microsoft Research. We evaluated our new approach by comparing it with existing search strategies. The empirical results show that our approach is effective since it consistently achieves high code coverage faster than existing search strategies.

Details

Publication type: Inproceedings
Published in: Proc. the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2009)
Publisher: IEEE

Previous versions

Tao Xie, Nikolai Tillmann, Peli de Halleux, and Wolfram Schulte. Fitness-Guided Path Exploration in Dynamic Symbolic Execution, Microsoft Research, September 2008.
