TY - GEN
T1 - Address-Aware Query Caching for Symbolic Execution
AU - Trabish, David
AU - Itzhaky, Shachar
AU - Rinetzky, Noam
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021/4
Y1 - 2021/4
N2 - Symbolic execution (SE) is a popular program analysis technique. SE heavily relies on satisfiability queries during path exploration, often resulting in the majority of the time being spent on solving these queries. Hence, it is not surprising that one of the most vital optimizations SE engines use is query caching. To increase the cache hit rate, queries are transformed into a normal form, which is used as a key for updating the cache. An obstacle to caching queries involving pointers is the presence of numerical address values, which are assigned by the engine according to its memory allocation scheme and are hard to canonicalize across different paths. In this paper, we propose a novel query caching technique that allows efficient handling of queries containing expressions that depend on address values. The key insight is that the result of such queries is in fact agnostic to the concrete address values occurring in them, subject to some basic memory safety constraints. This observation can be used to coalesce more queries during cache lookup, thus further increasing cache utilization. Our extensive evaluation shows that our technique achieves significant performance gains when the analysis encounters queries containing symbolic pointers, while incurring only a modest performance overhead in other cases.
AB - Symbolic execution (SE) is a popular program analysis technique. SE heavily relies on satisfiability queries during path exploration, often resulting in the majority of the time being spent on solving these queries. Hence, it is not surprising that one of the most vital optimizations SE engines use is query caching. To increase the cache hit rate, queries are transformed into a normal form, which is used as a key for updating the cache. An obstacle to caching queries involving pointers is the presence of numerical address values, which are assigned by the engine according to its memory allocation scheme and are hard to canonicalize across different paths. In this paper, we propose a novel query caching technique that allows efficient handling of queries containing expressions that depend on address values. The key insight is that the result of such queries is in fact agnostic to the concrete address values occurring in them, subject to some basic memory safety constraints. This observation can be used to coalesce more queries during cache lookup, thus further increasing cache utilization. Our extensive evaluation shows that our technique achieves significant performance gains when the analysis encounters queries containing symbolic pointers, while incurring only a modest performance overhead in other cases.
KW - Query caching
KW - Symbolic execution
UR - http://www.scopus.com/inward/record.url?scp=85107907187&partnerID=8YFLogxK
U2 - 10.1109/ICST49551.2021.00023
DO - 10.1109/ICST49551.2021.00023
M3 - Conference contribution
AN - SCOPUS:85107907187
T3 - Proceedings - 2021 IEEE 14th International Conference on Software Testing, Verification and Validation, ICST 2021
SP - 116
EP - 126
BT - Proceedings - 2021 IEEE 14th International Conference on Software Testing, Verification and Validation, ICST 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 14th IEEE International Conference on Software Testing, Verification and Validation, ICST 2021
Y2 - 12 April 2021 through 16 April 2021
ER -