Symbolic execution for Java/Android code about soot HOT 9 OPEN

Hi @scg03
I am the guy @ericbodden was talking about. Instead of using a framework, I thought about how to create path constraints and solve them with a SMT solver. Since explaining my approach in detail would probably go beyond the scope of a single comment I try to wrap it up and give you a brief summary and explanation.
When you want to reason about a statement whether it can be reached or not, you have to find all possible paths to that statement and build for each path its corresponding constraints and solve them. To reduce the amount of computation time I start at the statement and go backwards in code. Whenever I encounter a new, unknown variable I introduce a new symbol which has no value itself and store the link between the variable and the symbol in a map. When you come across an assignment statement you have to indroduce yet again new symbols for each variable used in the right side of the assignment and update the symbol which belongs to the left side.

Put simply, you always introduce a new symbol when you do not know the value of a variable you stumble across. (note: not the concrete value but the symbolic one)

Since this may sound a little bit confusing and is kind of hard to express in written text I want to give you a short example:

Example

aVar = 0;
bVar = 42;
aVar = aVar + bVar - 1;
if (aVar == 42) anInteresstingStatement();

Assume we want to know whether anInteresstingStatement() can be reached or not, we start right there and go backwards.

Since we will only find a single path constraint [ ( a1 == 42 ) ] a SMT solver will easily solve:
( 0 + 42 - 1 == 42 ) is not satisfiable and thus the statement cannot be reached.

I am converting my path constraints to SMT Lib 2.0 which allows me to use a large amount of SMT Solver.
You also have to care about other language constructs such as intra- and inter procedural calls, fields, array, lists, maps, objects, loops and many more.

I hope you get the idea of my approach and can start to work with this.

Best regards,
Robert

from soot.

any on-going project to implement this enhancement?

from soot.

Hi @scg03
We currently have a student integrating symbolic execution into Soot. It's almost finished. What exactly are you looking to do?

from soot.

Hi @ericbodden
I'm looking for a symbolic execution framework for Jimple and Google leaded me to this post. Are you using some existing framework? My plan is to modify CPAChecker to support Jimple.

from soot.

Hello,

When do you think the source code would be open to public?

Thanks,
Shakthi

from soot.

@sbachala2 We are currently publishing the algorithms in the form of a paper. Afterwards, we can discuss how we can disclose the algorithms and/or the code.

from soot.

Thank you for the information.

from soot.

Hi,
I'm interested how look like time plan for this pr.
@StevenArzt could you update status of yours publication and whether code will be disclosed ?

Thanks in advance,
Grzesiek

from soot.

hi, is there any new message about this topic?

from soot.