
Symbolic Execution and Program Testing
James C. King
IBM Thomas J. Watson Research Center

Charngki Hong @ PSWLAB

Table of Contents
- Introduction
- Symbolic Execution
  - Examples
- Symbolic Execution Tree
  - Examples
- An Interactive Symbolic Executor – EFFIGY
- Symbolic Execution and Program Testing
- Conclusion

Introduction
- Testing vs. formal analysis
  - Testing
    - A programmer can be assured that sample test runs work correctly by checking the results
    - But the correct execution for inputs not in the sample is still in doubt
  - Formal analysis
    - Proving the correctness of programs by formal analysis shows great promise
    - Fundamental problems in reducing the theory to practice are not likely to be solved in the immediate future
- So let's take a practical approach between these two extremes: symbolic execution!

Symbolic Execution (1/8)
- What is symbolic execution?
  - Instead of supplying the normal inputs to a program, symbolic execution supplies symbols representing arbitrary values
    - ex) int f(1, 2) → int f(α1, α2)
  - The execution proceeds as in a normal execution except that values may be symbolic formulae over the input symbols
  - A program is symbolically executed for a set of classes of inputs, so each symbolic execution result may be equivalent to a large number of normal test cases

Symbolic Execution (2/8)
- Simple example: function ADD

    1: int ADD(int a, int b, int c) {
    2:     int x = a + b;
    3:     int y = b + c;
    4:     int z = x + y - b;
    5:     return z;
    6: }

Normal execution result of ADD(1, 3, 5)

| statement | x | y | z | a | b | c |
|-----------|---|---|---|---|---|---|
| 1         | - | - | - | 1 | 3 | 5 |
| 2         | 4 | - | - | 1 | 3 | 5 |
| 3         | 4 | 8 | - | 1 | 3 | 5 |
| 4         | 4 | 8 | 9 | 1 | 3 | 5 |
| 5         | 4 | 8 | 9 | 1 | 3 | 5 |

Symbolic execution result of ADD(α1, α2, α3)

| statement | x     | y     | z        | a  | b  | c  |
|-----------|-------|-------|----------|----|----|----|
| 1         | -     | -     | -        | α1 | α2 | α3 |
| 2         | α1+α2 | -     | -        | α1 | α2 | α3 |
| 3         | α1+α2 | α2+α3 | -        | α1 | α2 | α3 |
| 4         | α1+α2 | α2+α3 | α1+α2+α3 | α1 | α2 | α3 |
| 5         | α1+α2 | α2+α3 | α1+α2+α3 | α1 | α2 | α3 |

Symbolic Execution (3/8)
- Language syntax and the individual programs written in the language need not be changed
- The only opportunity to introduce symbolic data is as input to the program
- Assignment and branch statements must be extended to handle symbolic values
  - Assignment statement
    - The right-hand side of the statement may be a polynomial
  - Branch statement
    - Symbolic execution of the IF statement requires a path condition (pc)
    - pc is a boolean expression over the symbolic input

Symbolic Execution (4/8)
- IF statement (1/2)
  - The symbolic execution of an IF statement begins in a fashion similar to its normal execution
  - Since the values of variables are polynomials, the condition is an expression of the form R ≥ 0, where R is a polynomial
  - Path condition
    - The initial value of pc is true
    - Using the current path condition (pc), we have the following two expressions
      (a) pc ⊃ q   (q is the condition expression)
      (b) pc ⊃ ~q

Symbolic Execution (5/8)
- IF statement (2/2)
  - Nonforking execution (either expression is true)
    - If (a) is true, pass control to the THEN part
    - If (b) is true, pass control to the ELSE part
  - Forking execution (neither expression is true)
    - Since each alternative is possible in this case, the only complete approach is to explore both control paths
    - In choosing the THEN alternative, the inputs are assumed to satisfy q; this information is recorded in pc by the assignment pc := pc ∧ q
    - Similarly, choosing the ELSE alternative leads to pc := pc ∧ ~q

Symbolic Execution (6/8)
- Example: function POWER(x, y)

     1: int POWER(int x, int y)
     2: {
     3:     int z = 1;
     4:     int j = 1;
     5:     while (y >= j)
     6:     {
     7:         z = z * x;
     8:         j++;
     9:     }
    10:     return z;
    11: }

| statement | j | x  | y  | z | pc   |
|-----------|---|----|----|---|------|
| 1         | - | α1 | α2 | - | true |
| 3         | - | α1 | α2 | 1 |      |
| 4         | 1 | α1 | α2 | 1 |      |

Statement 5, execution in detail:
  (a) evaluate y ≥ j, getting α2 ≥ 1
  (b) use pc and check:
      (i)  true ⊃ α2 ≥ 1
      (ii) true ⊃ ~(α2 ≥ 1)
  (c) neither is true, so fork

Case ~(α2 ≥ 1):

| statement | j | x  | y  | z | pc        |
|-----------|---|----|----|---|-----------|
| 5         | 1 | α1 | α2 | 1 | ~(α2 ≥ 1) |
| 10        | 1 | α1 | α2 | 1 | ~(α2 ≥ 1) |

Case α2 ≥ 1:

| statement | j | x  | y  | z  | pc     |
|-----------|---|----|----|----|--------|
| 5         | 1 | α1 | α2 | 1  | α2 ≥ 1 |
| 7         | 1 | α1 | α2 | α1 | α2 ≥ 1 |
| 8         | 2 | α1 | α2 | α1 | α2 ≥ 1 |

Symbolic Execution (7/8)
- Example: function POWER(x, y)

     1: int POWER(int x, int y)
     2: {
     3:     int z = 1;
     4:     int j = 1;
     5:     while (y >= j)
     6:     {
     7:         z = z * x;
     8:         j++;
     9:     }
    10:     return z;
    11: }

Statement 5, execution in detail:
  (a) evaluate y ≥ j, getting α2 ≥ 2
  (b) use pc and check:
      (i)  α2 ≥ 1 ⊃ α2 ≥ 2
      (ii) α2 ≥ 1 ⊃ ~(α2 ≥ 2)
  (c) neither is true, so fork

Case ~(α2 ≥ 2):

| statement | j | x  | y  | z  | pc     |
|-----------|---|----|----|----|--------|
| 5         | 2 | α1 | α2 | α1 | α2 = 1 |
| 10        | 2 | α1 | α2 | α1 | α2 = 1 |

Case α2 ≥ 2:

| statement | j | x  | y  | z       | pc     |
|-----------|---|----|----|---------|--------|
| 5         | 2 | α1 | α2 | α1      | α2 ≥ 2 |
| 7         | 2 | α1 | α2 | α1 * α1 | α2 ≥ 2 |
| 8         | 3 | α1 | α2 | α1 * α1 | α2 ≥ 2 |

Symbolic Execution (8/8)
- Commutativity
  - The result computed by normal execution with specific integer inputs is the same as the result of executing the program symbolically and then instantiating the symbolic result
  - ex)
    - Normal execution → ADD(3, 5) = 8
    - Symbolic execution → ADD(α1, α2) = α1 + α2
    - Instantiate the symbolic result → α1 = 3, α2 = 5 → 3 + 5 = 8

Symbolic Execution Tree (1/3)
- We can generate a symbolic execution tree characterizing the execution paths followed during the symbolic execution
  - Associate a node with each statement executed
  - Associate a directed arc connecting the associated nodes with each transition between statements
  - For IF statement execution, the associated node has two arcs leaving the node, labeled "T" and "F" for the true and false part, respectively
  - Associate the complete current execution state, i.e. variable values, statement counter, and pc, with each node

Symbolic Execution Tree (2/3)
- Example: function POWER(x, y)

     1: int POWER(int x, int y)
     2: {
     3:     int z = 1;
     4:     int j = 1;
     5:     while (y >= j)
     6:     {
     7:         z = z * x;
     8:         j++;
     9:     }
    10:     return z;
    11: }

[Figure: symbolic execution tree for POWER. Nodes carry statement numbers; the arcs leaving each execution of statement 5 are labeled T and F.]
- Case pc is (α2 < 1): return 1
- Case pc is (α2 = 1): return α1

Symbolic Execution Tree (3/3)
- Properties
  - For each terminal leaf in the symbolic execution tree there exists a particular nonsymbolic input to the program
  - The pc's associated with any two terminal leaves are distinct
  - ex)

    1: if (x > 5)
    2:     return 1
    3: else
    4:     return 0

[Figure: execution tree with nodes 1 to 4; the arcs leaving node 1 are labeled T and F.]
- T leaf: pc is α1 > 5, return 1
- F leaf: pc is ~(α1 > 5), return 0

An Interactive Symbolic Executor – EFFIGY (1/2)
- EFFIGY
  - Debugger for symbolic program execution
    - Basic debugging and testing facilities are provided for symbolic program execution
    - EFFIGY treats normal execution as a special case
  - Interactive debugging facilities are available, including:
    - Tracing
      - The user can request to see the statement number and the computational results
    - Breakpoints
      - The user can insert breakpoints before or after any statement
    - State saving
      - SAVE, RESTORE

An Interactive Symbolic Executor – EFFIGY (2/2)
- EFFIGY
  - Testing facilities
    - Test manager
      - The test manager is available for exploring the alternatives presented in the symbolic execution tree
    - Program verifier
      - Checks whether the program is running correctly
      - ASSUME(P) → pc := pc ∧ P
      - PROVE(P) → check whether pc ⊃ P is true

Symbolic Execution and Program Testing (1/2)
- To prove the correctness of a program, the programmer supplies an input predicate and an output predicate with the program
- The program is correct if, for all inputs which satisfy the input predicate, the results produced by the program satisfy the output predicate

Symbolic Execution and Program Testing (2/2)
- We can prove the correctness of each path by executing it symbolically as follows:
  1. Place ASSUME at the beginning of the path and PROVE at the end of the path
  2. Execute the path symbolically
  3. If the PROVE at the end of the path displays true, the path is correct; otherwise it is not
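
Added example (not part of the original slides): a small symbolic executor for POWER that applies the IF-statement rule from slides 4/8 to 7/8 (check pc ⊃ q and pc ⊃ ~q, fork when neither holds) and then the ASSUME/PROVE path check described above. Assumptions: because every branch condition in POWER has the form α2 ≥ constant, pc is modelled as an interval on α2 in place of a general theorem prover; the function names, the max_iters cut-off, the input predicate α2 ≥ 0 and the output predicate z = α1**α2 are chosen here for illustration.

```python
# Added example (not from the slides): symbolic execution of POWER(x, y).
# x = α1, y = α2. j is always concrete and z is always α1**e, so only e is
# stored. pc is an interval (lo, hi) meaning lo <= α2 <= hi; None = unbounded.
TRUE = (None, None)

def implies_ge(pc, k):           # does pc ⊃ (α2 >= k) hold?
    return pc[0] is not None and pc[0] >= k

def implies_lt(pc, k):           # does pc ⊃ ~(α2 >= k) hold?
    return pc[1] is not None and pc[1] < k

def and_ge(pc, k):               # pc := pc ∧ (α2 >= k)
    return (k if pc[0] is None else max(pc[0], k), pc[1])

def and_lt(pc, k):               # pc := pc ∧ ~(α2 >= k)
    return (pc[0], k - 1 if pc[1] is None else min(pc[1], k - 1))

def explore(pc=TRUE, max_iters=3):
    """Return the terminal leaves [(pc, e)], each meaning 'return α1**e'.
    A THEN branch is dropped once the loop body has run max_iters times."""
    leaves, work = [], [(1, 0, pc)]          # (j, e, pc) on reaching statement 5
    while work:
        j, e, pc = work.pop()
        if implies_ge(pc, j):                # nonforking: THEN part only
            arcs = [("T", pc)]
        elif implies_lt(pc, j):              # nonforking: ELSE part only
            arcs = [("F", pc)]
        else:                                # forking: explore both paths
            arcs = [("F", and_lt(pc, j)), ("T", and_ge(pc, j))]
        for label, new_pc in arcs:
            if label == "F":
                leaves.append((new_pc, e))   # statement 10: return z
            elif e < max_iters:
                work.append((j + 1, e + 1, new_pc))   # statements 7 and 8
    return leaves

def prove_power(pc, e):          # PROVE(z = α1**α2): holds iff pc pins α2 to e
    return pc[0] is not None and pc[0] == pc[1] == e

def verify(assume, max_iters=3): # ASSUME at entry, PROVE at every explored exit
    return [prove_power(pc, e) for pc, e in explore(assume, max_iters)]

if __name__ == "__main__":
    for (lo, hi), e in explore():
        print(f"pc: {lo} <= α2 <= {hi}  ->  return α1**{e}")
    print(verify(TRUE), verify((0, None)))
```

With pc initially true, the first leaf (α2 < 1, return 1) fails the PROVE because negative exponents reach it; starting from ASSUME(α2 ≥ 0) every explored path is proved.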

Conclusion
- Symbolic execution offers the advantage that one symbolic execution may represent a large class of normal executions
- The EFFIGY system embodies symbolic execution in a general-purpose interactive debugging system
- The test manager and program verifier are powerful for program testing

Discussion

