Path-optimal symbolic execution of heap-manipulating programs

TL;DR

This paper introduces POSE, a novel symbolic execution algorithm that achieves path optimality for heap-manipulating programs, reducing path explosion and improving analysis precision.

Contribution

The paper formalizes and demonstrates POSE, the first symbolic execution method that maintains path optimality for heap-manipulating programs, addressing a key limitation of existing approaches.

Findings

POSE achieves path optimality in heap-manipulating programs

Experimental results show POSE outperforms existing symbolic execution methods

POSE reduces path explosion effects significantly

Abstract

Symbolic execution is at the core of many techniques for program analysis and test generation. Traditional symbolic execution of programs with numeric inputs enjoys the property of forking as many analysis traces as the number of analyzed program paths, a property that in this paper we refer to as path optimality. On the contrary, current approaches for symbolic execution of heap-manipulating programs fail to satisfy this property, thereby incurring crucial path explosion effects. This paper introduces POSE, path-optimal symbolic execution, a symbolic execution algorithm that originally achieves path optimality against heap-manipulating programs. We formalize the POSE algorithm and experiment it against a benchmark of programs that take data structures as inputs, supporting the potential of POSE for improving on the state of the art of symbolic execution of heap-manipulating programs.