Symbolic execution starts from the program entry and keeps updating variable expressions and path predicates to systematically explore feasible paths. In this way the executor can reveal code reachability, find bugs or generate test inputs. Descriptions of a general work-flow of classical symbolic execution techniques are given in many works [ 14 ], [ 15 ]. We refer to these works and present a general algorithm in Algorithm 1. To be concise but without loss of generality, we consider a language made up of three kinds of statements, i.e. assignments, conditional branches and exit statements with exit code to indicate normal termination or failed assertion/error. By unwinding loops and inlining function calls we can transform a program to this form. In the paper, all programs used to describe our method are in such form if not explained particularly.

In symbolic execution, a state of the program is usually encoded as a triple (l; P; M ) where l refers to the current program location, P to path predicate corresponding to the path from the entry to l, and M to symbolic store mapping from variables to their current expressions. The algorithm keeps taking out a state from W orklist, extending the state and pushing newly found ones back to W orklist. Call to selectState at line 3 determines which state is chosen to be visited next, and thus implies the searching strategies of path exploration. The chosen state is then updated according to the next statement just after its location (line 5-21). Call to eval and checkCond in this procedure symbolically calculates expressions and checks satisfiability.

Code at line 22-30 of Algorithm 1 is designed for merging states. For a newly found state s, if there is another state s0 in W orklist sharing the same program location, s could be merged with s0 rather than directly added to W orklist. Definition of shouldM erge makes decisions on whether to merge and thus realizes strategies of state merging.

By defining selectState and shouldM erge differently, the classical symbolic execution algorithm presented in Section II-A acts as two extremes in regard to design space of state merging. Dynamic symbolic execution (DSE, adopted in [ 3 ], [ 22 ]–[ 24 ] etc.) skips merging and every execution state encodes a unique path from the entry to its corresponding location. Static symbolic execution (SSE) ensures all paths joining at each junction node in the control flow structure Algorithm 1 Classical symbolic execution are merged completely, which is common in symbolic model checking and verification condition generation [ 25 ], [ 26 ].

SSE systematically explores all feasible control paths with all possible input values taken into consideration [ 20 ]. It visits states in topological order to ensure that all corresponding states are merged at every junction node in control flow of the program. However, its major trade-offs are great difficulties in calculating path predicates and strict restrictions on searching strategies. DSE techniques are then proposed to interleave concrete and symbolic execution and focus on exploring possible execution paths one by one. A statement can be executed concretely rather than symbolically if all involving variables are concrete. For an assignment, the result is calculated directly if possible. For a conditional branch if cond goto l0, concrete execution is performed if cond can be determined concretely. As a result, interpreting the statement does not need to split the current path. DSE techniques such as [ 3 ], [ 23 ], [ 24 ] introduce concrete inputs to make analysis benefit from concrete execution.

Taking both SSE and DSE into consideration, it requires a compromise of the two extremes to use state merging to deal with path explosion in real code. While dynamic techniques remain to keep symbolic execution benefiting from concrete execution and heuristic search order, states are selectively merged to eliminate duplicated efforts exploring paths joining at a certain location. The work of [ 14 ] tries to introduce state merging in DSE and switch between different searching strategies. The executor keeps discovering merging opportunities with positive effects on performance and prioritizes visit of involving states. Veritesting [ 27 ] proposes combination of SSE and DSE by changing execution mode in process. SSE makes code analyzed one-pass instead of visiting all feasible paths separately in DSE. In this way the executor is able to benefit from solvers and boost path exploration.

Our proposition tries to mix SSE and DSE on the foundation of [ 14 ]. In this article, Kuznetsov et al. have constructed a framework to estimate whether it is worth driving path exploration towards a potential merging action. They present a static bottom-up analysis to find variables which may be frequently used later and suggest merging actions with no impact on values of these variables. Path exploration is then under control of an SSE-like module temporally instead of a normal DSE process. We take a more complicated case into consideration where evaluation on a merging action varies across the code. A static decision - either merging or not - improves efficiency for some pieces of code but burdens performance for others. Actually, an optimal solution usually consists of multiple parts which are drawn in different pieces of code locally and combined together dynamically.

As is discussed in last chapter, influence of a certain merging action varies throughout different pieces of code. We use some example code in Fig.2 to explain the issue in detail and present effect of active state forking. To be concise, some function calls are not inlined.

In function f 1 state merging dismisses the opportunity of concrete execution. There are two if-blocks in f 1, namely line 3 and line 4-5. State forks and path splits when reaching the first if-block (this is passive state forking caused by nonconcrete if-condition), and then two sub-paths join after it. Expression of f lag gets different along two sub-paths, and is instantly used in if-condition at line 4. Expression of f lag is 1 along true case of the first if-block, 0 along false case, and IT E(a == b; 1; 0) if states are merged before line 4. It can be seen that both the two separate states lead concrete execution on the second if-block since its condition can be decided concretely, but the merged one erases concrete value of f lag and results in passive state forking. Therefore, the void f1(int a, int b) { int flag = 0; if (a == b) flag = 1; if (flag) g1(); else g2(); exit(0); merging action after the first if-block just makes expressions and path predicate more complex while number of paths to explore is not changed.

In function f 2, exit(0) at line 6 in f 1 is replaced with another function call g3(a; b). While things go the same as for f 1, it is required to reason about call to g3 on each path. If paths are merged before line 14, call to g3 will be analyzed only once rather than once along each path. Hence, it is expected that states forked in the first if-block should be merged at the exit of the second if-block.

For function f 3, call to g3 goes before the second ifblock. As is discussed for f 1 and f 2, we can make a similar conclusion that states forked in the first if-block should be merged immediately to avoid repeated efforts reasoning about call to g3, but later ”restored” to two separate paths with concrete value for f lag along each. Common methods try to compare advantages and disadvantages to reveal a static decision on state merging, and our approach, in another way, makes it possible to fork a merged state as if a historical merging action were not taken. In f 3, paths are made to join after line 19 and fork actively before line 21 with f lag restored to concrete along each forked path. In this way, the benefit of state merging is maximized while its negative impact on concrete execution is avoid as far as possible.

The motivating examples figure out that an optimal merging strategy may promote contrast decisions for different pieces of code. Active state forking together with state merging makes it possible to change how paths are combined during exploration. To maintain information of historical merging actions and support forking states, we make extensions to the formalism in classical symbolic execution.

A DSE method as shown in Algorithm 1 conducts path exploration by visiting execution states and creating new ones. This process can be efficiently represented as a graph in which nodes are execution states and edges indicate transitions between them. Since DSE does not merge states, such a graph would be a tree, which is so called symbolic execution tree. Definitions of execution state and symbolic execution tree are given in Definition 1 and 2.

Definition 1: An execution state is defined as a tuple es = (l; P; M ) where - l 2 L is the current program location.

- P 2 F ( ; Const) is the path predicate, which is a formula over symbolic inputs and constants Const encoding all decisions of branches along the path from entry to l.

- M : V ! F ( ; Const) is the symbolic store, which maps a program variable to the formula corresponding to its expression.

Definition 2: A symbolic execution tree is a tree T = (ES; T ) where - ES is the set of execution states.

- T ES ES is the set of transitions between execution states.

Symbolic execution tree records every explored state and path, and is widely used to characterize the process of symbolic execution [ 25 ]. Our extended formalism is built on top of it. While state merging is performed, an execution state could encode multiple nodes in the corresponding symbolic execution tree. Such relations naturally extract information of merging actions, and thus, we introduce virtual states to hold the similar structure. Definition 3 presents how virtual states are defined.

Definition 3: A virtual state is defined as a tuple vs = (es; CV ) where - es 2 ES is the corresponding execution state.

- CV V Const is the set of variables with concrete values together with their values.

When two execution states are merged to be one, we create virtual state for each sub-state respectively and map them to the produced state. Every virtual state tracks its exclusive concrete variables. Our formalism then constructs transitions between execution states and virtual states, resulting in a directed acyclic graph. An execution state contains data of path predicate and symbolic store, and is used to actually execute statement. It appears as a node in the graph only if it never experiences merging or we are not concerned with its historical merging actions anymore. Otherwise, its corresponding virtual states are used instead to make up the graph. Definition 4 describes our extended execution graph formally.

Definition 4: An extended execution graph is a directed acyclic graph G = (S; T; ; ) where - S ES [ V S is the set of states. - T S S denotes transitions between states. - : ES ! 2V S maps a execution state to the set of its corresponding virtual states.

- : V S ! F ( ; Const) maps a virtual state to its newly added conditions compared to its predecessor’s path predicate.

While execution states hold essential data and drive execution to explore paths, virtual states simulate the structure of symbolic execution tree and preserve merging history. If there is no further operation on virtual state, our extended execution graph would degenerate into a tree. However, virtual states are merged and swapped for execution states when updates on variables efface complexity introduced by merging. In the remaining part of this section, we explain in detail how to perform state merging and forking with our extended execution graph.

Merging. When trying to merge es1 = (l; P1; M1) and es2 = (l; P2; M2) into es3 = (l; P1 _ P2; M ) where M (v) = I T E(P1; M1(v); M2(v)) for each v 2 V , we first create virtual states and then update the graph G = (S; T ; ; ).

If es1 appears as a node in G (in other word es1 2 S and (es1) = ;), we create a virtual state directly to represent its corresponding sub-state encoded by es3: vs = (es3; CV ). CV denotes exclusive concrete variables of this sub-state, so it is made up of variables concrete in es1 but not in es2. That is, CV = (M1) n (M2) where (M ) = f(v; M (v)jM (v) 2 F (Const)g.

If es1 encodes multiple sub-states so that es1 = S or 2 (es1) 6= ;, we create a virtual state for every sub-state in (es1) and add up CV of sub-state and exclusive concrete variables of es1 to assign to newly created one.

Creating virtual states for es2 is in the same way, except that exclusive concrete variables of es2 is calculated as (M2) n (M1).

All these generated virtual states are then added to G, together with corresponding transitions. (es3) is set to be all these new states. of them can be simply set to empty since there is no change between their and their predecessors’ path predicates.

Update of Assignment. Updating an execution state es in G can be done immediately. However, if es 2= S, set of concrete variables of each virtual state vs = (es; CV ) 2 (es) requires update. Those not concrete or not exclusively concrete anymore should be removed from concrete variables, while those becoming exclusively concrete should be added to concrete variables.

E.g. for assignment v := e, (v; cv ) 2 CV is removed if e is not concrete, or it is but calculation does not involve any concrete variables in CV . Otherwise v and its value is added to CV if there is no (v; cv ) 2 CV , and e is concrete and depends on certain variables and values in CV .

When updating virtual states, ones might point to the same execution state and possess equal concrete variables and values. These states can be merged in the graph since distinguishing such sub-states makes no sense to merging and forking. If all virtual states of an execution state are merged, we can swap the production for the execution state itself, which means that all its historical merging actions do not influence any concrete variable and hence, will never invoke active forking.

Forking. For an execution state es in G, passive forking by conditional branch is the same as in traditional DSE. Otherwise, forking action is applied to every sub-state vs 2 (es) and is updated with branch decision accordingly for forked productions.

In the case of active forking aimed at eliminating historical merging actions, the work flow gets more complicated: it is required to partitioning sub-states, constructing path predicates and updating expressions.

The execution state es to be forked encodes multiple substates which are represented by virtual states in (es). Active forking is invoked because some variables are turned from concrete to symbolic by merging actions. Thus, the first step is to identify concerned variables. Every virtual state vs 2 (es) where these variables are concrete is separated to be a forked state. For sake of efficiency, states with same concrete values for these variables can be joined. In this way, all substates of es are partitioned into several groups and each group corresponds to a potential forked state.

For each sub-state vs, its path predicate can be calculated by backtracking to its ancestor execution state and combining with newly added conditions denoted by along the path. The results are used to construct path predicate for each potential forked state and decide I T E selections of variables expressions. The original state es is then forked into several execution states as if some historical merging actions were eliminated. Besides, it is remarkable in real case that optimization of expressions and constraints based on data structure, constant propagation, query cache and other practical techniques is adopted to cut down efforts and boost speed of calculation in state forking.

State merging avoids repeated efforts in analysis but may burden underlying solvers as trade-off. Considering examples in Fig.2, the ideal solution would be that we can selectively merge states so that 1) variables turned symbolic are used to calculate future if-conditions as little as possible; 2) merging actions with no influence on future if-conditions are as many as possible. The former prevents state merging from being obstacle to concrete execution while the latter indicates greater benefit from merging.

A bottom-up estimation identifying variables frequently used is presented in [ 14 ]. The basic idea is tracking variables used in if-conditions along use-def chain. Our method also pays attention to use in if-condition, but works in top-down order instead because analysis will be break down in different pieces of code. A list of variables with concrete values is maintained and updated when executing. Thus, we can identify possible concrete values and in turn, find out chances of concrete execution.

Active state forking makes it possible to redraw decisions on merging actions, so we can cut a program into pieces and analyze code piece by piece. The division is randomly made under these rules: difference in scale between pieces is limited within a proper bound; cut points are located at exit of if-blocks, end of inlined functions, or terminators of sequential blocks. And a piece is divided further if it contains greatly different parts, e.g. variables used in one part are totally disjoint with ones in another. Nevertheless, too detailed division achieves little increase in performance while goes time-consuming, so we limit the times of further division.

After code is divided into pieces, we can make decision for states whether they should be merged or not in a piece. There are still situations where different parts of code have opposite votes for a merging action in the same piece. To resolve the issue, we propose another two types of decision: merge until a location and merge after a location. The former performs merging temporally and invokes analysis again later, while the latter make a delay to merging. Because of these choices of merging decision, analysis of how to combine paths is invoked at junction node in control flow structure, at the beginning of each piece, and at locations specified by ”merge until” and ”merge after” decisions.

Hence, our merge-fork analysis determines locally how to handle each merging opportunities within a piece of code. For the simplified language used in our discussion, this process can be implemented by counting occurrences of if-condition and in turn estimating number of queries needed. Besides, unresolved function call and code block difficult to reason can also be counted to influence strategy of merging and forking. When decided to merge two states, path exploration is temporally taken over from searching heuristics and involving states are prioritized to visit.

To evaluate the effect of our merge-fork framework, we implement active state forking and dynamic merge-fork analysis in a prototype on the foundation of the famous symbolic execution engine KLEE. It takes LLVM bitcode compiled from source code as input. The original executor of KLEE performs 100 10 path exploration with no approximation, and path feasibility is checked at every conditional branch. State forking is invoked for each non-determined branch, and states at the same control location are never merged. KLEE guides exploration with a number of optional search strategies including random search, traditional breadth/depth first search, strategy prioritizing visiting previously unexplored code, and combination of various strategies.

KLEE has built in models of execution state and symbolic execution tree. We extend them to implement our active state forking method. Thanks to implementation of expressions and optimization of constraints in KLEE, it is easy to track updates of path predicates and we could perform state forking by directly imposing conditions of dismissed merging action on path predicates and symbolic store. To support dynamic merge-fork analysis, we make a call in state selection (selectState) to an LLVM Pass constructing concrete dependence graph and estimating merging effects locally. If merging is suggested, search strategy is temporally fixed to continuously extending paths to target merging location. Otherwise, states are explored according to original search strategies of KLEE.

The original work of KLEE presents an experiment on GNU Coreutils programs which are widely used UNIX commandline utilities. There are 101 files in total adding up to over 70,000 lines of code. We test these programs using our prototype and collect information from output files.

Our merge-fork framework is aimed at identifying valuable merging opportunities and conducting state merging, so we are first concerned with the influence of our method on number of explored paths.

A direct comparison is measuring number of explored paths with different time spent. However, the number is hard to figure out since there are paths explored partially if exhaustive exploration is not completed. We therefore choose to calculate the number of paths at a specific location instead of with some time spent during the execution. The size of symbolic inputs is properly set to make it possible for exhaustive exploration, so the accurate number of feasible paths of the program is known. Then we run our prototype and count paths at given control locations. In this way we can reveal how state merging

50 500 Completion time of plain KLEE (s) 3600

Files

Fig. 7: Decrease in queries comparing with [ 14 ]. efficiently joins branches and decrease paths. It is remarkable that paths getting through a certain location might enclose a large gap in time.

Fig.3 shows the growth of path exploration ratio corresponding to program locations for 3 representative files. The final ratio is obtained at the exit of code. It can be seen that the effect in decreasing paths varies among the programs. While a large part of paths are merged in echo, state merging makes little influence on seq. The trend of growth indicates structure of control flow and involvement of active state forking. Since merging and forking work simultaneously, change in path numbers appear smooth.

The target of decreasing paths is to free underlying solvers’ burden and achieve faster execution by omitting duplicated analysis efforts. Hence, we run Coreutils under symbolic inputs with growing size and compare completion time of plain KLEE and our prototype. In order to compare with [ 14 ] easily, we draw a similar graph Fig.4 showing the result within 1 hour time limit. The black dots correspond to experiment instances and the gray disks indicate the relative size of the symbolic inputs used in each instance. The result presents that in the majority of cases, our prototype achieves positive speedup over KLEE. The rightmost dots represent those exceed time limit in KLEE but can be solved completely in our framework.

We now look into the situation where tasks can not be finished completely. We choose a proper size of symbolic inputs to keep the engine busy and measure statement coverage in limited time. Plain KLEE uses coverage-oriented search strategy to guide path exploration towards uncovered locations. Our merge-fork framework would interrupt the process and temporally drive exploration towards merging states. Fig.5 shows its influence on statement coverage. While state merging saves analysis efforts, there are more paths can be visited in some cases, which leads to increase in coverage. However, other cases suffer from change in search order and in turn coverage is decreased. Data in Fig.5 confirms that estimation of merging opportunities and fast-forwarding some states do not cause any obvious troubles to the original exploration goal of searching heuristics.

While our proposition is on the foundation of the previous work of Kuznetsov et al. [ 14 ], we make some comparison with their experiment results. All the data is obtained from their official website http://cloud9.epfl.ch. Since experimental environment and KLEE version may vary, all the data used in our comparison is increase/decrease over our respective KLEE baseline.

First we compare the completion time under the same size of symbolic inputs. Fig.6 illustrates the result. We use completion time of plain KLEE to normalize data of both tools and then calculate the effect of speedup. Over 80% of the tasks get faster with our merge-fork method and average speedup is around 10%. Most instances with negative speedup are finished in a rather short time (101 magnitude in seconds).

We also collect queries generated during the execution. Fig.7 shows the comparison. The number of queries is also normalized against data from plain KLEE. It confirms the effect of active state forking since some queries are omitted on separate paths by concrete execution. The improvement in performance is achieved through decreasing paths via state merging and invoking concrete execution by restoring merged paths when needed.