Generating Test Cases
this is an interesting paper, and it seems like the fuzzing mailing list helped out a tad bit.
abstract. we propose an approach that combines symbolic execution and run-time type inference from a sample program run to generate test cases, and we apply our approach to signed/unsigned conversion errors in programs. a signed/unsigned conversion error occurs when a program makes control how decisions about a value based on treating it as a signed integer, but then later converts the value to an unsigned integer in a way that breaks the program’s implicit assumptions. our tool follows the approach of larson and austin in using an example input to pick a program path for analysis , and we use symbolic execution to attempt synthesis of a program input exhibiting an error [19, 17, 8, 34]. we describe a proof of concept implementation that uses the valgrind binary analysis framework and the stp decision procedure, and we report on preliminary experiences. our implementation is available at http://www.sf.net/projects/catchconv. keywords: software security, symbolic execution, test generation, decision procedure, dynamic binary analysis