Shadow Symbolic Execution for Better Testing of Evolving Software Cristian Cadar and Hristina Palikareva Department of Computing Imperial College London.

Slides:

Advertisements

Similar presentations

1_Panel Production. 380 pannelli 45 giorni di produzione = 8.4 pannelli/day.

Advertisements

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Chapter 8 Software Prototyping.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. *See PowerPoint Lecture Outline for a complete, ready-made.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 116.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 107.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 40.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 28.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 44.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 101.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 58.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 112.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 75.

Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Continuous Improvement Update June 11, (Your School/Departments Mission Statement Here) (Your School/Departments SMART Goals Here)

Chapter 12 Analysing quantitative data

WARC 14/15 - S.S.O.R.T. / ByeBye / / KI. UM DIE WELT SEGELN ByeBye-Party Gstaad WARC 14/15 - S.S.O.R.T. / ByeBye / / KI.

Photo Slideshow Instructions (delete before presenting or this page will show when slideshow loops) 1.Set PowerPoint to work in Outline. View/Normal click.

Measuring Time. Learning Goals To measure time, we start counting units of time when the activity begins and stop counting when the activity ends. The.

Break Time Remaining 10:00.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Automatic Test Data Generation of Character String Zhao Ruilian.

Source: IEEE Pervasive Computing, Vol. 8, Issue.4, Oct.2009, pp. 14 – 23 Author: Satyanarayanan, M., Bahl, P., Caceres, R., Davies, N. Adviser: Chia-Nian.

California Roundup: Summary of DR Activity in California John Goodin Lead, Demand Response 2008 National Town Meeting on Demand Response June 3, 2008.

15. Oktober Oktober Oktober 2012.

Component-Based Software Engineering Main issues: assemble systems out of (reusable) components compatibility of components.

Solving Equations How to Solve Them

Differential Forms for Target Tracking and Aggregate Queries in Distributed Networks Rik Sarkar Jie Gao Stony Brook University 1.

MONDAY DART I can solve problems involving percent of change. DART I can solve problems involving percent of change.

We are learning how to read the 24 hour clock

Covrig: A Framework for the Analysis of Code, Test, and Coverage Evolution in Real Software Paul Marinescu, Petr Hosek, Cristian Cadar Imperial College.

Combining Dynamic Symbolic Execution (DSE) with Search-Based Software Testing (SBST) Cristian Cadar Department of Computing Imperial College London SBST.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software processes 2.

Prescriptive Process models

Weisburd, Lawton, Ready, Rudes, Cave, and Nelson Presented by Breanne Cave 1.

Visions of Australia – Regional Exhibition Touring Fund Applicant organisation Exhibition title Exhibition Sample Support Material Instructions 1) Please.

Clock will move after 1 minute

NI Executive Budget 2010 Pre-Consultation. Outline Background and Context UK Fiscal Position Implications for NI Budget Way Forward Key Questions.

Weekly Attendance by Class w/e 6 th September 2013.

1 Symbolic Execution Kevin Wallace, CSE

Highlights From the Survey on the Use of Funds Under Title II, Part A

Select a time to count down from the clock above

Murach’s OS/390 and z/OS JCLChapter 16, Slide 1 © 2002, Mike Murach & Associates, Inc.

Anupam Saxena Associate Professor Indian Institute of Technology KANPUR

From Model-based to Model-driven Design of User Interfaces.

L.C.Smith College of Engineering and Computer Science AppSealer : Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking.

Amal Khalil & Juergen Dingel

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

ASE’14, 18 th September 2014 This work is supported by Microsoft Research through its PhD Scholarship Programme Microsoft is a registered trademark of.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.

CS590 Z Software Defect Analysis Xiangyu Zhang. CS590F Software Reliability What is Software Defect Analysis  Given a software program, with or without.

Tao Xie North Carolina State University Supported by CACC/NSA Related projects supported in part by ARO, NSF, SOSI.

1 Towards Optimal Custom Instruction Processors Wayne Luk Kubilay Atasu, Rob Dimond and Oskar Mencer Department of Computing Imperial College London HOT.

Which Configuration Option Should I Change? Sai Zhang, Michael D. Ernst University of Washington Presented by: Kıvanç Muşlu.

Synchronization Transformations for Parallel Computing Pedro Diniz and Martin Rinard Department of Computer Science University of California, Santa Barbara.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Symbolic Execution.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 4 Slide 1 Software Processes.

Cruise Training Introduction of Continuous Integration.

Shadow Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina PalikarevaTomasz KuchtaCristian Cadar ICSE’16, 20 th May 2016 This.

Chapter 25 – Configuration Management 1Chapter 25 Configuration management.

RDE: Replay DEbugging for Diagnosing Production Site Failures

VUzzer: Application-aware Evolutionary Fuzzing

CSC-682 Advanced Computer Security

Presentation transcript:

Shadow Symbolic Execution for Better Testing of Evolving Software Cristian Cadar and Hristina Palikareva Department of Computing Imperial College London ICSE NIER June 2014, Hyderabad, India

Patches, patches, patches… Software evolves, with new versions and patches being released frequently Patches add new features, fix existing bugs, improve performance, usability, etc. But are usually poorly tested, and oftentimes introduce new bugs and vulnerabilities Crameri, O., Knezevic, N., Kostic, D., Bianchini, R., Zwaenepoel, W. Staged deployment in Mirage, an integrated software upgrade testing and distribution system. SOSP’07 70% of the sys admins interviewed refuse to upgrade 2/13

Dynamic Symbolic Execution Dynamic symbolic execution is a technique for automatically exploring paths through a program Determines the feasibility of each explored path using a constraint solver For each path, can generate a concrete input triggering the path 3/13

Dynamic Symbolic Execution Received significant interest in the last few years Most work on whole program testing/bug-finding Recent focus on evolving software –Person et al. FSE’08, PLDI’11 –Babic et al, ISSTA’11 –Bohme et al. ICSE’13, FSE’13 –Marinescu and Cadar, SPIN’12, FSE’13 –etc. 4/13 [CACM 2013]

1 1 test 4 SymEx for Testing Software Patches commit SymEx test 1 test klee/trunk/lib/Core/Executor.cpp2009/08/01 22:31: klee/trunk/lib/Core/Executor.cpp2009/08/02 23:09: , ,11 info << "none\n"; } else { const MemoryObject *mo = lower->first; + std::string alloc_info; + mo->getAllocInfo(alloc_info); info address - size << "\n"; + size << "\n" + << "\t\t" << alloc_info << "\n“; test 3 test 4 bug test 4 bug test 4 5/13

Generate Inputs to Cover Each Line in the Patch Our symex tool KATCH Tested several hundreds patches Significantly increased patch coverage Found (crash) bugs in the process Unreachable by standard symbolic execution given similar time budget [Marinescu and Cadar, SPIN’12, ESEC/FSE’13]

Is Line Coverage Enough? x = 6x = 7x = 8 x = 9 if (x % 2 == 0)... if (x % 3 == 0)... If I change a statement, what tests should I add? Old New 7/13

Is Line Coverage Enough? if (x % 2 == 0)... if (x % 3 == 0)... x = 6x = 7x = 8 Full branch coverage in the new version x = 9 If I change a statement, what tests should I add? Old New 8/13

Is Line Coverage Enough? if (x % 2 == 0)... if (x % 3 == 0)... x = 6x = 7x = 8 x = 9 However, totally useless for testing the patch! If I change a statement, what tests should I add? Old New 9/13

Is Line Coverage Enough? If I change a statement, what tests should I add? if (x % 2 == 0)... if (x % 3 == 0)... x = 6x = 7x = 8 x = 9 old  then new  else old  else new  then Old New

Shadow Symbolic Execution y = x + 2; z = x + 3; if (y + z > 10)... The novelty of shadow symbolic execution is to run the two versions together (in the same symbolic execution instance), with the old version shadowing the new Provides the ability to reason about specific values and prune large parts of the search space y = x + 2; z = x + 7; if (y + z > 10)... Old New y = x + 2; z = (x + 3, x+7); if (2x + 5, 2x+9) > 10)... Shadow SymEx 11/13

Shadow Symbolic Execution y = x + 2; z = (x + 3, x + 7); if (2x + 5, 2x + 9) > 10)... (2x+5 > 10) ∧ (2x+9 ≤ 10) old  then new  else old  else new  then (2x+5 ≤ 10) ∧ (2x+9 > 10) x = 1 No solutions1 ≤ x ≤ 2 No need to explore the else side of the branch, potentially pruning a huge # of paths. We only need to explore the then path under the constraint 1 ≤ x ≤ 2 *Assumes the current path constraints allow no arithmetic overflow, and no further uses of z

Shadow Symbolic Execution Opportunities (Potential impact) Prune large parts of the search space, for which the two versions behave identically Obtain simpler constraints Save memory by sharing large parts of the symbolic store (symbolic constraints) Find bugs in patches quicker, add relevant inputs to the regression test suite Challenges Map statements from one version to another (static+dynamic analysis) Deal with changes in multiple parts of the program (when can we still prune?) 13/13

Shadow Symbolic Execution for Better Testing of Evolving Software Cristian Cadar and Hristina Palikareva Department of Computing Imperial College London ICSE NIER June 2014, Hyderabad, India