Oasis: Concolic Execution Driven by Test Suites and Code Modifications

Testing remains an important aspect of checking software correctness. Manually constructed test suites are one option: they typically complete quickly, but they require human involvement in producing test cases, and their coverage may be limited. Recently, symbolic execution and concolic execution have been investigated as alternatives to test suites. These approaches require little manual intervention, and coverage can in theory be complete. However, their running times may be prohibitive for programs with complex control flow and large inputs. The system we present in this report, called Oasis, is a research prototype that attempts to combine the advantages of test suites (speed) and concolic execution (coverage). Oasis leverages any valid inputs to the program, from test suites or past execution logs, to quickly explore the paths covered by these inputs and reach deep program paths. It then uses concolic execution to automatically explore alternative paths. This exploration starts with those paths that derive directly from the executions with valid inputs. When used for regression testing, Oasis prioritizes the exploration of paths and constraints resulting from new or modified code. We study our techniques using two real applications, the wget Web client and the uServer Web server. Our experiments demonstrate that Oasis can quickly reach “deep” program paths (in both old and new code), and that it effectively tests the new code more extensively during regression testing. Using bug injection, we demonstrate that Oasis is able to uncover bugs that regular symbolic or concolic engines may not be able to reach within a given time budget.