Using Symbolic Execution to Guide Test Generation

Document Type

Journal Article


John Wiley & Sons, Ltd.


Faculty of Computing, Health and Science


School of Computer and Security Science




This article was originally published as: Lee, G., Morris, J., Parker, K., Bundell, G. A., & Lam, C. P. (2005). Using symbolic execution to guide test generation. Software Testing, Verification and Reliability, 15(1), 41-61. Original article available here


Although a number of weaknesses of symbolic execution, when used for software testing, have been highlighted in the literature, the recent resurgence of strongly-typed languages has created opportunities for re-examining symbolic execution to determine whether these shortfalls can be overcome. This paper discusses symbolic execution in general and makes two contributions: (a) overcoming one of the key problems, analysing programs with indexed arrays; and (b) describing the incorporation of a symbolic execution module for test case generation into an integrated testing tool. For methods which index arrays, a new approach determines all the possible values of each array index, allowing the generation of equivalence classes for every possible combination of array element aliases. An incremental simplification approach, which converts path expressions to canonical forms in order to identify infeasible paths at the earliest opportunity and thus reduce the analysis time, is also described. Symbolic execution is most effective when included in an integrated test and analysis environment: a component test bench was built with a symbolic execution module integrated into it, providing a toolbox of software component test and code analysis methods aimed at programmers at all levels.




Link to publisher version (DOI)