Symbolic execution for Java/Android code #54
Comments
Any ongoing project to implement this enhancement?

Hi @scg03

Hi @ericbodden

Hi @scg03
Since this may sound a little bit confusing and is kind of hard to express in written text, I want to give you a short example:

Example

    aVar = 0;
    bVar = 42;
    aVar = aVar + bVar - 1;
    if (aVar == 42) anInteresstingStatement();

Assume we want to know whether anInteresstingStatement() can be reached or not: we start right there and go backwards.
Since we will only find a single path constraint [ ( a1 == 42 ) ], an SMT solver will easily solve:

I am converting my path constraints to SMT-LIB 2.0, which allows me to use a large number of SMT solvers. I hope you get the idea of my approach and can start to work with this.

Best regards,

Hello, When do you think the source code would be open to the public? Thanks,

@sbachala2 We are currently publishing the algorithms in the form of a paper. Afterwards, we can discuss how we can disclose the algorithms and/or the code.

Thank you for the information.

Hi, Thanks in advance,

Hi, is there any new message about this topic?

(copy-pasted from GSOC application)
Explanations:
Symbolic execution is a program analysis technique that has many applications, such as test-input generation and bug finding. The basic idea behind symbolic execution is as follows. The program is executed with symbolic values, instead of concrete values, as program inputs, and the values of program variables are represented as symbolic expressions of those inputs. At any point during symbolic execution, the state of a symbolically executed program includes the symbolic values of program variables at that point, a path constraint on the symbolic values to reach that point, and a program counter. The path constraint (PC) is a boolean formula over the symbolic inputs, which is an accumulation of the constraints that the inputs must satisfy for an execution to follow that path. At each branch point during symbolic execution, the PC is updated with constraints on the inputs such that (1) if the PC becomes unsatisfiable, the corresponding program path is infeasible, and symbolic execution does not continue further along that path, and (2) if the PC is satisfiable, any solution of the PC is a program input that executes the corresponding path. The program counter identifies the next statement to be executed.
In this project, the student is expected to extend the code base of ACTEve (http://code.google.com/p/acteve), which is a symbolic-execution tool for Android apps (available in Java .class format) and uses Soot.
Note: There are many interesting research problems related to symbolic execution. So this project can be equally suitable for students interested in research publication.
Expected Results:
A symbolic-execution tool for Java. Specifically, given a program input, the tool will (1) compute PC for the path that the program takes for that input, and (2) generate new inputs that drive the program along paths that are different than the path that the original input takes.
Knowledge prerequisite:
Good Java programming skills; knowledge of symbolic execution in particular and program analysis in general.
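
The path-constraint bookkeeping described in the explanation above, applied to the snippet from the comments, as an added example that is not part of the original issue and is not ACTEve or Soot code. It is a toy forward symbolic executor in Python, restricted (as an assumption, so that no SMT solver is needed) to linear expressions over one integer input `x`; it also renders each path constraint as an SMT-LIB 2 script. All function and variable names are hypothetical.

```python
# Added example (not ACTEve/Soot code). A symbolic value is a linear form
# (c0, c1) meaning c0 + c1*x, where x is the single symbolic integer input.
def lit(n):
    """SMT-LIB 2 writes negative integer literals as (- n)."""
    return str(n) if n >= 0 else f"(- {-n})"

def sym_eval(expr, env):
    """Evaluate an int, a variable name, or ('+'|'-', lhs, rhs) to (c0, c1)."""
    if isinstance(expr, int):
        return (expr, 0)
    if isinstance(expr, str):
        return env[expr]
    op, lhs, rhs = expr
    (a0, a1), (b0, b1) = sym_eval(lhs, env), sym_eval(rhs, env)
    sign = 1 if op == "+" else -1
    return (a0 + sign * b0, a1 + sign * b1)

def solve(c0, c1, k, equal):
    """Return an x with c0 + c1*x == k (or != k), or None if unsatisfiable."""
    if c1 == 0:                       # constraint is independent of x: any x or none
        return 0 if (c0 == k) == equal else None
    if equal:                         # needs an integer root
        return (k - c0) // c1 if (k - c0) % c1 == 0 else None
    return 0 if c0 != k else 1        # c1 != 0, so x=0 or x=1 avoids k

def explore(assigns, cond, k, env):
    """Run assignments symbolically, then fork at `if (cond == k)`.
    Returns {branch_taken: (smt_lib_script, model_or_None)}."""
    env = dict(env)
    for var, expr in assigns:
        env[var] = sym_eval(expr, env)
    c0, c1 = sym_eval(cond, env)
    term = lit(c0) if c1 == 0 else f"(+ (* {lit(c1)} x) {lit(c0)})"
    paths = {}
    for taken in (True, False):
        atom = f"(= {term} {lit(k)})"
        pc = atom if taken else f"(not {atom})"   # path constraint for this branch
        script = f"(declare-const x Int)\n(assert {pc})\n(check-sat)"
        paths[taken] = (script, solve(c0, c1, k, taken))
    return paths

# The snippet from the comments: bVar = 42; aVar = aVar + bVar - 1; if (aVar == 42)
ASSIGNS = [("bVar", 42), ("aVar", ("-", ("+", "aVar", "bVar"), 1))]
concrete = explore(ASSIGNS, "aVar", 42, {"aVar": (0, 0)})  # aVar = 0, as posted
symbolic = explore(ASSIGNS, "aVar", 42, {"aVar": (0, 1)})  # aVar = x (assumed input)

if __name__ == "__main__":
    for taken, (script, model) in symbolic.items():
        print(taken, "infeasible" if model is None else f"x = {model}", script, sep="\n")
```

A model of `None` marks a branch whose PC is unsatisfiable, so exploration would stop there; any other model is an input that drives execution down that branch.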