Elided to examples only

Slides:



Advertisements
Similar presentations
Symbolic Execution with Mixed Concrete-Symbolic Solving
Advertisements

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic execution © Marcelo d’Amorim 2010.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
CS 312 Spring 2002 Lecture 16 The Environment Model.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
Refining Abstract Locations Tachio Terauchi Jeff Foster Alex Aiken.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Pointers: Part I. Why pointers? - low-level, but efficient manipulation of memory - dynamic objects  Objects whose memory is allocated during program.
Introduction to C Programming CE Lecture 19 Linear Linked Lists.
The modulus function The modulus of x, written  x  and is defined by  x  = x if x  0  x  = -x if x < 0. Sketch of y =  x  y x y =  x  y = x.
3.2 – Solving Linear Equations by Graphing. Ex.1 Solve the equation by graphing. x – y = 1.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
CSEP504: Advanced topics in software systems Tonight: 2 nd of three lectures on software tools and environments – a few tools in some more depth February.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
Section 6-2: Polynomials and Linear Factors
What does a computer program look like: a general overview.
CS162 - Topic #11 Lecture: Recursion –Problem solving with recursion –Work through examples to get used to the recursive process Programming Project –Any.
Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.
Solve x 2 +3x – 5 = 11 xx2x2 +3x-5X 2 +3x-5High/ Low L.
FACTOR to SOLVE 1. X 2 – 4x X 2 – 17x + 52 (x-10)(x + 6) x = 10, -6 (x-4)(x - 13) x = 4,13.
Working with means and variances…. Expected Values… How does an insurance company determine its premiums? Weighs probability of “pay-out” against total.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
Int fact (int n) { If (n == 0) return 1; else return n * fact (n – 1); } 5 void main () { Int Sum; : Sum = fact (5); : } Factorial Program Using Recursion.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
1 Recursion Recursive function: a function that calls itself (directly or indirectly). Recursion is often a good alternative to iteration (loops). Its.
White-Box Testing Statement coverage Branch coverage Path coverage
(1-3) Basics of a Linked List I Instructor - Andrew S. O’Fallon CptS 122 (June 9, 2016) Washington State University.
Abstract Data Types and Stacks CSE 2320 – Algorithms and Data Structures Vassilis Athitsos University of Texas at Arlington Last updated: 2/17/
CS 163 Data Structures Chapter 10 Symbolic Differentiation
CSCE 3110 Data Structures & Algorithm Analysis
CSCE 3110 Data Structures & Algorithm Analysis
Dynamic Symbolic Execution
Using Intercepts.
Herbert G. Mayer, PSU CS status 7/29/2013
A Test Case + Mock Class Generator for Coding Against Interfaces
Yung-Hsiang Lu Purdue University
Semantic Analysis Chapter 6.
Linked Lists head One downside of arrays is that they have a fixed size. To solve this problem of fixed size, we’ll relax the constraint that the.
(2-1) Data Structures & The Basics of a Linked List I
DART and CUTE: Concolic Testing
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim.
(2-1) Data Structures & The Basics of a Linked List I
Stack Memory 1 (also called Call Stack)
Stack Memory 2 (also called Call Stack)
Dynamic Symbolic Execution
Recursion Data Structures.
Govt. Polytechnic,Dhangar
Basic Examples Function Examples Limitation Examples
CSE 326: Data Structures Extra Slides on Nested Lists
Automatic Test Generation SymCrete
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim.
Abstract Data Types and Stacks
Example (C code) int double(int x) { return 2 * x; }
ECE 103 Engineering Programming Chapter 64 Tree Implementation
Algorithms: Design and Analysis
CS 242 Types John Mitchell.
CS 242 Types John Mitchell Reading: Chapter 6.
CUTE: A Concolic Unit Testing Engine for C
General List.
Recursion.
Presentation transcript:

Elided to examples only CONCOLIC TESTING Pınar Sağlam Elided to examples only

Example Random Test Driver: random memory graph reachable from p typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; Random Test Driver: random memory graph reachable from p random value for x Probability of reaching abort( ) is extremely low

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0 p , x=236 NULL

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0 p , x=236 NULL

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0 p , x=236 NULL

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 !(p0!=NULL) p=p0, x=x0 p , x=236 NULL

solve: x0>0 and p0NULL CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL x0>0 p0=NULL p=p0, x=x0 p , x=236 NULL

solve: x0>0 and p0NULL CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL x0=236, p0 NULL 634 x0>0 p0=NULL p=p0, x=x0 p , x=236 NULL

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 x0=1, p0 NULL 3 x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 p0NULL

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 2x0+1=v0

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1=v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 n0p0

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; solve: x0>0 and p0NULL and 2x0+1=v0 and n0=p0 . x0>0 p0NULL 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

CUTE Approach typedef struct cell { int v; struct cell *next; } cell; Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 and n0=p0 x0=1, p0 x0>0 p0NULL 3 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3 2x0+1=v0

p=p0, x=x0, p->v =v0, p->next=n0 CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; Program Error x0>0 p0NULL 2x0+1=v0 n0=p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y

Simultaneous Symbolic & Concrete Execution Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y solve x*x*x+ 3*x*x+9 = y to take else branch Don’t know how to solve !! Stuck ? void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }

Simultaneous Symbolic & Concrete Execution Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y solve x*x*x+ 3*x*x+9 = y to take else branch Don’t know how to solve !! Stuck ? NO : CUTE handles this smartly void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y solve 9 = y to take else branch execute next run with x = -3 and y= 9 got error (reaches abort)

Simultaneous Symbolic & Concrete Execution void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y solve 9 = y to take else branch execute next run with x = -3 and y= 9 got error (reaches abort) Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (i.e. non-linear)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.