SymCrash is a capture and replay tool, which can perform selective recording of functions and reproduce crashes through dynamic symbolic execution.

  • Description
  • Contributors
  • Publication
  • Tool Download
  • Tool Manual

Software often crashes despite tremendous effort on improving the quality of software. Once developers receive a crash report, they need to reproduce the crash in order to understand the problem and locate the fault. However, limited information from crash reports often makes crash reproduction difficult. Recently, many “capture-and-replay” techniques have been proposed to automatically capture program execution data from the failing code, and help developers replay the crash scenarios based on the captured data. However, such techniques often suffer from heavy overhead and introduce privacy concerns. Recently, methods such as BugRedux were proposed to generate test input that leads to crash through symbolic execution. However, such methods have inherent limitations because they rely on conventional symbolic execution.

In this work, we propose a dynamic symbolic execution method called SymCon, which addresses the limitation of conventional symbolic execution by selecting functions that are hard to be resolved by a constraint solver and use their concrete runtime values to replace the symbols. We then propose SymCrash, a selective recording approach that only instruments and monitors the hard-to-solve functions. SymCrash can then generate test input for crashes through SymCon. We have applied our approach to successfully reproduce 13 failures of 6 real-world programs. Our results confirm that the proposed approach can achieve equivalent accuracy, lower overhead, and better privacy, when compared with the related methods.

Yu Cao:
Hongyu Zhang:

  • A paper titled "Selective Recording for Reproducing Crashes" has been submitted to the 29th IEEE/ACM International Conference on Automated Software Engineering (ASE 2014).

Tool Download:
  • please go to the "DOWNLOADS" page to download the binary release

Tool Manual:
We have implemented SymCrashJ, a Java version of SymCrash. This section shows how to use SymCrashJ with a walk-through example.
  1. Install SPF:
  2. Ensure that JDK (6 or 7) and Apache log4j have been properly installed.
  3. Download SymCrashJ ( "DOWNLOADS" page)
  4. Unzip this SymCrashJ package and there are four files inside:
    • a test case
    • instrumenter.jar : the program for generating an instrumented test case
    • jpf-symbc.jar: our extended SPF module
    • WU-FTPD.jpf: a sample configuration file to run SPF
  5. Suppose your ( is introduced by the documents in step 1) of JPF contains: jpf-symbc = ${user.home}/projects/jpf/jpf-symbc, please overwrite the jar file ${user.home}/projects/jpf/jpf-symbc/jpf-symbc.jar with the SymCrash's version.
  6. Create a normal Eclipse Java project, titled "SymCrashTestCase", and import into it.
  7. Create a folder titled "logs" under the root path of "SymCrashTestCase"
  8. Copy the Instrumenter.jar to the root path of "SymCrashTestCase"
  9. Under the root path of "SymCrashTestCase", use command-line to execute: java -jar instrumenter.jar -instrument bin\ logs\ , noted that "bin" is the folder stroing those .class files, "logs" is the folder storing an instrumented version of WU-FTPD.
  10. Modify the WU-FTPD.jpf:
    • Point "target" to the package name of
    • Point "sourcepath" to the source folder of "SymCrashTestCase"
    • Point "classpath" to the "logs" folder of "SymCrashTestCase".
  11. Use standard SPF command jpf.bat WU-FTPD.jpf to re-run that instrumented version
  12. SPF will generate a set of test cases that cause WU-FTPD crash. And therefore, with these test cases, we are able to reproduce the crash.

Last edited Apr 26, 2014 at 1:48 AM by xyz031702, version 35