Distributed Symbolic Execution using Test-Depth Partitioning
This is an incremental improvement for researchers and practitioners in software verification, addressing a specific bottleneck in distributed symbolic execution.
The paper tackles the scalability challenge in distributed symbolic execution by introducing test-depth partitioning, which allows workers to use different search strategies while maintaining completeness, and preliminary results indicate it can efficiently speed up symbolic execution.
Symbolic execution is a classic technique for systematic bug finding, which has seen many applications in recent years but remains hard to scale. Recent work introduced ranged symbolic execution to distribute the symbolic execution task among different workers with minimal communication overhead using test inputs. However, each worker was restricted to perform only a depth-first search. This paper introduces a new approach to ranging, called test-depth partitioning, that allows the workers to employ different search strategies without compromising the completeness of the overall search. Experimental results show that the proposed approach provides a more flexible ranging solution for distributed symbolic execution. The core idea behind test-depth partitioning is to use a test-depth pair to define a region in the execution space. Such a pair represents a partial path or a prefix, and it obviates the need for complete tests to determine boundaries as was the case in the previous ranging scheme. Moreover, different workers have the freedom to select the search strategy of choice without affecting the functioning of the overall system. Test-depth partitioning is implemented using KLEE, a well-known symbolic execution tool. The preliminary results show that the proposed scheme can prove to be an efficient tool to speed up symbolic execution.