CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Slides:



Advertisements
Similar presentations
A Survey of Approaches for Automated Unit Testing
Advertisements

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
1 “White box” or “glass box” tests “White Box” (or “Glass Box”) Tests.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Analysis of Complex Data Structures with PEX Vadim Mutilin Evgeniy Gerlits Vladimir Fedotov Mentor: Patrice Godefroid.
Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Path Testing + Coverage Chapter 9 Assigned reading from Binder.
CSEP504: Advanced topics in software systems Tonight: 2 nd of three lectures on software tools and environments – a few tools in some more depth February.
CSE403 Software Engineering Autumn 2001 More Testing Gary Kimura Lecture #10 October 22, 2001.
Testing Testing Techniques to Design Tests. Testing:Example Problem: Find a mode and its frequency given an ordered list (array) of with one or more integer.
Wishnu Prasetya WLP for Automated Testing.
White-box Testing.
1 Program Testing (Lecture 14) Prof. R. Mall Dept. of CSE, IIT, Kharagpur.
Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
A Test Case + Mock Class Generator for Coding Against Interfaces Mainul Islam, Christoph Csallner Software Engineering Research Center (SERC) Computer.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.
White-Box Testing Statement coverage Branch coverage Path coverage
CS223: Software Engineering Lecture 26: Software Testing.
White Box Testing. Agenda White-box vs Black-box Program Flow Controls White-box Test Methods Exercises Complexity Q&A.
Wishnu Prasetya Software Testing URL:
Software TestIng White box testing.
White-Box Testing Pfleeger, S. Software Engineering Theory and Practice 2nd Edition. Prentice Hall, Ghezzi, C. et al., Fundamentals of Software Engineering.
Software Testing.
Control Flow Testing Handouts
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Symbolic Execution Suman Jana
CompSci 230 Software Construction
Outline of the Chapter Basic Idea Outline of Control Flow Testing
A Test Case + Mock Class Generator for Coding Against Interfaces
Structural testing, Path Testing
White-Box Testing.
DART and CUTE: Concolic Testing
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim.
Dataflow Testing G. Rothermel.
Stack Memory 1 (also called Call Stack)
White-Box Testing Techniques III
Software Testing (Lecture 11-a)
Dynamic Symbolic Execution
“White box” or “glass box” tests
White-Box Testing.
Elided to examples only
Automatic Test Generation SymCrete
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim.
Example (C code) int double(int x) { return 2 * x; }
CUTE: A Concolic Unit Testing Engine for C
Whitebox Testing.
Software Testing.
Presentation transcript:

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011

Testing if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert(false) } CSE 331 Autumn 2011 Visser, Pasareanu & Mehlitz Simple program – what do we want to know about it? Not a new question for us – let’s consider it with white- box testing

Control flow graph (CFG) x >? y x = x + y y = x – y x = x – y x >? y assert(false)end Can this statement ever be executed?

Edge coverage x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [x=0;y=1] [x=1;y=0] E dge ever taken? [x=1;y=1] [x=1;y=0] [x=0;y=1]

Symbolic execution [x=  ;y=  ] x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [  <=  ] [x=  +  ;y=  ] [x=  +  ;y=  ] [x=  ;y=  ]  >  ever here?

Symbolic execution x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [  <=  ] [x=  +  ;y=  ] [x=  +  ;y=  ] [x=  ;y=  ] [  >  ]  <  here

if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert(false) } What’s really going on?  Create a symbolic execution tree  Explicitly track path conditions  Solve path conditions – “how do you get to this point in the execution tree?” – to define test inputs  Goal: define test inputs that reach all reachable statements CSE 331 Autumn [true] x = ,y =  [true]  >?  [  >  ] x =  +  [  >  ] x=  ;y=  [  >  ]  >?  [  >  &  >  ] “false” [  >  &  <=  ] end [  <=  ] end

int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} Another example (Sen and Agha) 8 [true] x = ,y =  [true] z = 2 *  [true] 2 *  ==?  [2 *  =  ]  >?  + 10 [2 *  =  &  >  + 10] error [2 *  =  &  <=  + 10] end [2 *  !=  ] end

Error: possible by solving equations [2 *  =  &  >  + 10]  [2 *  >  + 10]  [  > 10]  [  > 10 & 2 *  =  ] CSE 331 Autumn

Way cool – we’re done!  First example can’t reach assert(false), and it’s easy to reach end via both possible paths  Second example: can reach error and end via both possible paths  Well, what if we can’t solve the path conditions?  Some arithmetic, some recursion, some loops, some pointer expressions, etc.  We’ll see an example  What if we want specific test cases? CSE 331 Autumn

Concolic testing: Sen et al.  Basically, combine concrete and symbolic execution  More precisely…  Generate a random concrete input  Execute the program on that input both concretely and symbolically simultaneously  Follow the concrete execution and maintain the path conditions along with the corresponding symbolic execution  Use the path conditions collected by this guided process to constrain the generation of inputs for the next iteration  Repeat until test inputs are produced to exercise all feasible paths CSE 331 Autumn

int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example redux 1 st iteration x=22, y=7 12 [true] x =  = 22, y = 7 =  [true] z = 14 = 2 *  [true] 2 *  ==?  14 ==? 22 [2 *  =  ] … [2 *  !=  ] end  Now solve 2 *  =  to force the other branch  x = 1; y = 2 is one solution

int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example 2 nd iteration x=1, y=2 13 [true] x =  = 1,y =  = 2 [true] z = 2 *  = 4 [true] 2 *  ==?  2 ==? 2 [2 *  =  ]  >?  >? [2 *  =  &  >  + 10] [2 *  =  &  <=  + 10] [2 *  !=  ] …  Now solve 2 *  =  &  <=  + 10 to force the other branch  x = 30; y = 15 is one solution

int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example 3 nd iteration x=30, y=15 14 [true] x =  = 30,y =  = 15 [true] z = 2 *  = 30 [true] [2 *  =  ]  >?  >? [2 *  =  &  >  + 10] [30 = 30 & 30 > 25] error [2 *  =  &  <=  + 10] [2 *  !=  ] …  Now solve 2 *  =  &  <=  + 10 to force the other branch  x = 30; y = 15 is one solution

Three concrete test cases xy 227Takes first else 21Takes first then and second else 3015Takes first and second then 15 int double (int v){ return 2*v;} void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }

Concolic testing example P. Sa ğ lam  Random seed  x = -3; y = 7  Concrete  z = 9  Symbolic  z = x 3 +3x 2 +9  Take then branch with constraint x 3 +3x 2 +9 != y void test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }  Take else branch with constraint x 3 +3x 2 +9 = y

Concolic testing example P. Sa ğ lam CSE 331 Autumn void test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }  Solving is hard for x 3 +3x 2 +9 = y  So use z ’s concrete value, which is currently 9, and continue concretely  9 != 7 so then is good  Symbolically solve 9 = y for else clause Execute next run with x = -3; y = 9 so else is bad When symbolic expression becomes unmanageable (e.g., non-linear) replace it by concrete value

Concolic testing example P. Sa ğ lam  Random memory graph reachable from p  Random value for x  Probability of reaching abort( ) is extremely low CSE 331 Autumn 2011 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; }

Let’s try it ConcreteSymbolicConstraints 19 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=NULL; x=236

Let’s try it ConcreteSymbolicConstraints 20 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=[634,NULL]; x=236

Let’s try it ConcreteSymbolicConstraints 21 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=[3,p]; x=1

Let’s try it ConcreteSymbolicConstraints 22 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; }

Concolic: status  The jury is still out on concolic testing – but it surely has potential  There are many papers on the general topic  Here’s one that is somewhat high-level Microsoft- oriented  Godefroid et al. Automating Software Testing Using Program Analysis IEEE Software (Sep/Oct 2008)Automating Software Testing Using Program Analysis  They tend to call the approach DART – Dynamic Automated Random Testing CSE 331 Autumn

Next steps CSE 331 Autumn  Worksheets

CSE 331 Autumn

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.