An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing

Recent efforts in practical symbolic execution have successfully mitigated the path-explosion problem to some extent with search-based heuristics and compositional approaches. Similarly, due to an increase in the performance of cheap multi-core commodity computers, fuzzing as a viable method of random mutation-based testing has also seen promise. However, the possibility of combining symbolic execution and fuzzing, thereby providing an opportunity to mitigate drawbacks in each other, has not been sufficiently explored. Fuzzing could, for example, expedite path-exploration in symbolic execution, and symbolic execution could make seed input generation in fuzzing more efficient. There have only been, in our view, very few hybrid solution proposals with symbolic execution and fuzzing at their centre. By analyzing 77 relevant and systematically selected papers, we (1) present an overview of hybrid solution proposals of symbolic execution and fuzzing, (2) perform a gap analysis in research of hybrid techniques to improve both, plain symbolic execution and fuzzing, (3) propose new ideas for hybrid test-case generation techniques.