Hybrid Concolic Testing (ICSE'07)
I. Main idea of the paper: it proposes hybrid concolic testing, which interleaves random tests and concolic tests in order to search the program's state space both deeply and broadly. Execution starts in random mode; when random testing saturates (it does not produce any new coverage points after running some predetermined number of steps), the algorithm automatically switches from the current program state to concolic execution, which performs an exhaustive, depth-bounded search for the uncovered points. As soon as a new defect is found, it returns to concrete mode. The algorithm is well suited to programs that periodically read input values from their running environment.
II. Concolic Testing
Concolic testing performs symbolic execution of the program together with its concrete execution. It maintains a symbolic memory map μ and a symbolic constraint ξ in addition to the concrete memory. Given a concolic program execution, concolic testing generates a new test in the following way. It selects a conditional ℓ : if(e) goto ℓ' along the path that was executed such that (1) the current execution took the "then" (respectively, "else") branch of the conditional, and (2) the "else" (respectively, "then") branch of this conditional is uncovered.
Let ξ_ℓ be the symbolic constraint just before executing this instruction and ξ_e be the constraint generated by the execution of this instruction. Using a decision procedure, concolic testing finds a satisfying assignment for the constraint ξ_ℓ ∧ ¬ξ_e.
The property of such a satisfying assignment is that if these inputs are provided at each input statement, then the new execution will follow the old execution up to the location of this conditional, but then take the conditional branch opposite to the one taken by the old execution, thus ensuring that the other branch gets covered.
III. Hybrid Concolic Testing: Algorithm
Algorithm 1 Algorithm HCT (nondeterministic)
Input: program P, set of coverage goals Goals.
while Goals ≠ ∅ do
    ℓ = 0, M = M0, IMap = Random
    while nondet do
        if stmt_at(ℓ) = halt then
            break
        if stmt_at(ℓ) = bug then
            return bug
        if nondet then
            (ℓ, M) = Concrete(ℓ, M, IMap)
            remove covered goals from Goals
        else
            snapshot(M)
            IMap = Concolic(ℓ, M)
            M = restore()
    endwhile
endwhile
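The following Python program is an added example, not code from the paper or from its CUTE-based implementation. It works through both section II (the constraint ξ_ℓ ∧ ¬ξ_e that flips one branch of an executed path) and Algorithm HCT above on a small constructed reactive program that reads one integer per step. Everything not in the paper is an assumption of this sketch: the program under test and its coverage points ("idle", "armed", "wait", "disarm", "bug"), the input domain -100..100, the brute-force `solve` that stands in for the decision procedure, the saturation threshold, the search depth of the concolic phase, and the realisation of snapshot/restore by re-executing a committed list of inputs (the "snapshot") rather than by copying memory.

```python
"""Toy hybrid concolic tester (added example; not the paper's implementation).
The snapshot is the committed list of inputs that re-executes the program
into the current state; restore() is simply "run the list again"."""
import operator
import random

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
NEG = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", "<=": ">", ">": "<="}
DOMAIN = range(-100, 101)        # constructed input domain of the program under test


class SymInt:
    """Concrete int paired with its symbolic term  input[var] + off  (the symbolic memory map)."""
    def __init__(self, val, var, off, tracer):
        self.val, self.var, self.off, self.tracer = val, var, off, tracer

    def __add__(self, k):
        return SymInt(self.val + k, self.var, self.off + k, self.tracer)

    def cmp(self, op, k):
        # Concrete outcome, plus the normalised constraint  input[var] op (k - off)  on the path.
        taken = OPS[op](self.val, k)
        self.tracer.path.append((self.var, op, k - self.off, taken))
        return taken

    __eq__ = lambda self, k: self.cmp("==", k)
    __lt__ = lambda self, k: self.cmp("<", k)
    __gt__ = lambda self, k: self.cmp(">", k)


class Tracer:
    """Feeds the input list to the program; records coverage points and the path constraint."""
    def __init__(self, inputs):
        self.inputs, self.n, self.path, self.covered = list(inputs), 0, [], {}

    def read(self):
        if self.n == len(self.inputs):
            return None                           # input stream exhausted: the program halts
        self.n += 1
        return SymInt(self.inputs[self.n - 1], self.n - 1, 0, self)

    def cover(self, point):
        self.covered.setdefault(point, self.n)    # inputs consumed when the point was first hit


def program(t):
    """Constructed reactive program: one input per step, two rarely satisfied guards."""
    state = 0
    while (x := t.read()) is not None:
        if state == 0:
            if x + 5 > 100:                       # arms only for x > 95 (5 of 201 random values)
                t.cover("armed"); state = 1
            else:
                t.cover("idle")
        elif x == 42:                             # exact value, reachable only while armed
            t.cover("bug"); return "bug"
        elif x < 0:
            t.cover("disarm"); state = 0
        else:
            t.cover("wait")
    return "halt"


def run(inputs):
    t = Tracer(inputs)
    program(t)
    return t


def solve(constraints):
    """Toy decision procedure: a conjunction of  input[var] op c  over the bounded domain."""
    by_var = {}
    for var, op, c, taken in constraints:
        by_var.setdefault(var, []).append((op if taken else NEG[op], c))
    model = {}
    for var, cs in by_var.items():
        sat = [v for v in DOMAIN if all(OPS[op](v, c) for op, c in cs)]
        if not sat:
            return None
        model[var] = sat[0]
    return model


def concolic(snapshot, rng, depth, covered):
    """Concolic(l, M): bounded DFS over the paths of the next `depth` inputs from the snapshot;
    returns the Tracer of the first run that reaches a new coverage point, else None."""
    base = len(snapshot)
    stack, seen = [run(snapshot + [rng.choice(DOMAIN) for _ in range(depth)])], set()
    while stack:
        t = stack.pop()
        if set(t.covered) - covered:
            return t
        suffix = [c for c in t.path if c[0] >= base]  # constraints on inputs after the snapshot
        for k, (var, op, c, taken) in enumerate(suffix):
            target = tuple(suffix[:k]) + ((var, op, c, not taken),)   # xi_l and not xi_e
            if target in seen:
                continue
            seen.add(target)
            model = solve(list(target))
            if model is not None:                 # new inputs: same prefix, opposite branch at k
                inputs = list(t.inputs)
                for i, val in model.items():
                    inputs[i] = val
                stack.append(run(inputs))
    return None


def hybrid(goals, seed=0, saturation=15, depth=2, budget=600):
    """Algorithm HCT: random inputs until coverage saturates, then concolic search from the
    current state; on a new coverage point switch back to random mode. Returns (covered, switches)."""
    rng, covered, snapshot, stale, switches = random.Random(seed), set(), [], 0, 0
    while "bug" not in covered and not goals <= covered and len(snapshot) < budget:
        snapshot.append(rng.choice(DOMAIN))       # concrete mode: one more random input
        t = run(snapshot)
        stale = 0 if set(t.covered) - covered else stale + 1
        covered |= set(t.covered)
        if stale >= saturation:                   # saturated: snapshot(M), then Concolic(l, M)
            switches, stale = switches + 1, 0
            t = concolic(snapshot, rng, depth, covered)
            if t is not None:                     # resume random mode at the new coverage point
                new = set(t.covered) - covered
                snapshot = t.inputs[:min(t.covered[p] for p in new)]
                covered |= set(t.covered)
    return covered, switches
```

Random mode alone needs two consecutive rare inputs (x > 95, then x == 42) to reach "bug"; the concolic phase reaches it from any state within two inputs, because flipping the `x + 5 > 100` branch gives x = 96 and flipping `x == 42` on the next input gives 42. `hybrid(...)` returns the covered points and the number of random-to-concolic switches.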