ParSym: Parallel Symbolic Execution(20IO 2nd International Coriference on Software Technology and Engineering(ICSTE))
本文提出了一种符号并行执行的算法:ParSym,它支持符号执行和具体值执行的结合。
算法由三部分组成:
首先,Symbolic Execution Engine
它具体执行程序,构建路径约束并求解约束,基于符号执行和具体值执行相结合。
Parallel Symbolic Execution:
function PARS YM( workItem )
(depth, pos, inputs) <- workItem
(constraints) <- EXECANDOBSERvE(testProgram)
while depth>O 1\ POS<SIzE(constraints) do
NEGATE(constraints[posJ)
(success, inputs) <- SOLvE(constraints[O ... posJ)
if success then
depth <- depth-l
newWork <- (depth, pos+1, inputs)
NEWWORKITEM(newWork)
end if
NEGATE( constraints[pos J)
pos <- pos+l
end while
end function
其次, Symbolic Execution Monitor
它把要执行的“测试”通过各个机器运行的代理分布到各个节点,通过Symbolic Execution Engine执行相应的测试工作。他拥有一个符号执行的工作队列作为所有节点符号执行的输入,所有其他具有Symbolic Execution Engine的节点都要与他通信以获得符号执行的初始输入,并把产生的项送给Symbolic Execution Monitor让他重新排列队列。
Algorithm for symbolic execution monitor
function MONITOR(agentCount, initialWorkItem)
workQ <- CREATEQUEUE( )
agentQ <- CREATEQUEUE( )
exitQ <- CREATEQUEUE( )
QUEuE(workQ, initialWorkItem)
while SIzE(agentQ) #agentCount
1\ SIzE(exitQ) # agentCount do
(agent, cmd, workItem) <- REcv(any)
if cmd = QUEUE then
if EMPTY(agentQ) then
QUEUE(workQ, workItem)
else
agent' <- DEQuEuE(agentQ)
SEND(agent', WORK, workItem)
end if
else if cmd = DEQUEUE then
REMovE(exitQ, agent)
if EMPTY(workQ) then
QUEuE(agentQ, agent)
else
workItem <- DEQUEuE(workQ)
SEND(agent, WORK, workItem)
end if
else if cmd = EXIT then
QUEuE(exitQ, agent)
end if
end while
for all s <- agentQ do
SEND(S, EXIT)
end for
end function
这个monitor维持一个代理的列表(包括两种代理:agent Q——想要“工作”,exit Q——无工作可做),以及一个挂起的工作项的列表。它支持在客户端的双缓存。从代理到monitor有三种消息:
QUEUE: is used to ask the monitor to add new work items to the work queue.
• DEQUEUE: is used to ask the monitor for a new work item to process. If a work item is not readily available,the agent is remembered in agent queue. Wheneverwork items become available, they are sent to these free agents instead of being queued in work queue.
• EXIT: is used to tell the monitor that the agent has finished all work and is safe to exit. However this message does not mean that the agent will exit. In fact it may get more work from the monitor soon.
从monitor到代理有两种消息:
WORK: is used to give new work to the agent. It is sent in response to a DEQUEUE request so the agent should be ready and willing to receive it.
• EXIT: is used to ask the agent to exit. It is sent only when the agent has expressed will to exit by an EXIT message in the other direction. Therefore it should be able to safely exit immediately.、
最后,Symbolic Execution Agent
Symbolic Execution Agent负责为Symbolic Execution Engine提供工作项,两个缓冲器(workltem and workltemBack) 允许双缓冲。
Algorithm for agent processors
function AGENT( )
workItem <- CREATEBUFFER( )
workItemBack <- CREATEBuFFER( )
SEND(monitor, DEQUEUE)
SEND(monitor, EXIT)
(cmd, workItem) <- REcv(monitor)
while cmd = WORK do
SEND(monitor, DEQUEUE)
(cmd, workItemBack) <- RECVSTART(monitor)
PARSYM(workItem)
if not REcvFINISH( )then
SEND(monitor, EXIT)
WA ITFoRREcvFINISH( )
end if
workItem <- workItemBack
end while
end function
function NEWWORKITEM(workItem)
SEND(monitor, QUEUE, workItem)
end function
