Enhancing Symbolic Execution of Heap-based Programs with Separation Logic for Test Input Generation

Symbolic execution is a well established method for test input generation. By taking inputs as symbolic values and solving constraints encoding path conditions, it helps achieve a better test coverage. Despite of having achieved tremendous success over numeric domains, existing symbolic execution techniques for heap-based programs (e.g., linked lists and trees) are limited due to the lack of a succinct and precise description for symbolic values over unbounded heaps. In this work, we present a new symbolic execution method for heap-based programs using separation logic. The essence of our proposal is the use of existential quantifiers to precisely represent symbolic heaps. Furthermore, we propose a context-sensitive lazy initialization, a novel approach for efficient test input generation. We show that by reasoning about the heap in an existential manner, the proposed lazy initialization is sound and complete. We have implemented our proposal into a prototype tool, called Java StarFinder, and evaluated it on a set of programs with complex heap inputs. The results show that our approach significantly reduces the number of invalid test inputs and improves the test coverage. ACM Reference Format: Long H. Pham, Quang Loc Le, Quoc-Sang Phan, Jun Sun, and Shengchao Qin. 2017. Enhancing Symbolic Execution of Heap-based Programs with Separation Logic for Test Input Generation. In Proceedings of ACM Conference, Washington, DC, USA, July 2017 (Conference’17), 11 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn