Affiliation:
1. École Polytechnique, France
2. ETH Zurich, Switzerland
3. East China Normal University, China
Abstract
We propose Generative Type-Aware Mutation, an effective approach for testing SMT solvers. The key idea is to realize generation through the mutation of expressions rooted with parametric operators from the SMT-LIB specification. Generative Type-Aware Mutation is a hybrid of mutation-based and grammar-based fuzzing and features an infinite mutation space—overcoming a major limitation of OpFuzz, the state-of-the-art fuzzer for SMT solvers. We have realized Generative Type-Aware Mutation in a practical SMT solver bug hunting tool, TypeFuzz. During our testing period with TypeFuzz, we reported over 237 bugs in the state-of-the-art SMT solvers Z3 and CVC4. Among these, 189 bugs were confirmed and 176 bugs were fixed. Most notably, we found 18 soundness bugs in CVC4's default mode alone. Several of them (7 of the 18) had been latent for two years. CVC4 has proved to be a very stable SMT solver and has resisted several fuzzing campaigns.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality, Software
Cited by
18 articles.
1. Fuzz4All: Universal Fuzzing with Large Language Models;Proceedings of the IEEE/ACM 46th International Conference on Software Engineering;2024-04-12
2. CaDiCaL 2.0;Lecture Notes in Computer Science;2024
3. Arithmetic Solving in Z3;Lecture Notes in Computer Science;2024
4. SMT Solver Validation Empowered by Large Pre-Trained Language Models;2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE);2023-09-11
5. Large Language Models Are Zero-Shot Fuzzers: Fuzzing Deep-Learning Libraries via Large Language Models;Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis;2023-07-12