A Survey of Approaches for Automated Unit Testing

Slides:



Advertisements
Similar presentations
Chapter 4: Control Structures I (Selection)
Advertisements

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
1 Software Testing and Quality Assurance Lecture 5 - Software Testing Techniques.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
1/20 Symbolic Execution and Program Testing Charngki PSWLAB Symbolic Execution and Program Testing James C.King IBM Thomas J.Watson Research Center.
White-Box Testing Eshcar Hillel Michael Beder. White Box Testing 2 Tutorial Outline What is White Box Testing? Flow Graph and Coverage Types Symbolic.
Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.
Overview of Software Testing 07/12/2013 WISTPC 2013 Peter Clarke.
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Starting Out with Programming Logic & Design First Edition by Tony Gaddis.
Agenda Introduction Overview of White-box testing Basis path testing
PAGES:51-59 SECTION: CONTROL1 : DECISIONS Decisions.
Copyright © 2009 Pearson Education, Inc. Publishing as Pearson Addison-Wesley STARTING OUT WITH Python Python First Edition by Tony Gaddis Chapter 4 Decision.
Parameterized Unit Tests By Nikolai Tillmann and Wolfram Schulte Proc. of ESEC/FSE 2005 Presented by Yunho Kim Provable Software Lab, KAIST TexPoint fonts.
Testing Testing Techniques to Design Tests. Testing:Example Problem: Find a mode and its frequency given an ordered list (array) of with one or more integer.
Model Counting A Quest for Nails 2 Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
jFuzz – Java based Whitebox Fuzzing
Tarsia puzzle in groups of 3-4. Confidence intervals To calculate confidence intervals. To understand what a confidence interval is.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Condition Testing. Condition testing is a test case design method that exercises the logical conditions contained in a program module. A simple condition.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
HW7: Due Dec 5th 23:59 1.Describe test cases to reach full path coverage of the triangle program by completing the path condition table below. Also, draw.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
Digitaalsüsteemide verifitseerimise kursus1 Exercises Binary decision diagrams ROBDD generation. Shannon expansion Finding an optimal ordering Dynamic.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
24 September 2002© Willem Visser Program Model Checking Enabling Technology Abstraction void add(Object o) { buffer[head] = o; head = (head+1)%size;
Model Counting for Test Coverage, CodeHunt & Mutations Willem Visser Stellenbosch University.
Software Testing.
Software Engineering (CSI 321)
Chapter 4: Decision Structures and Boolean Logic
CONTROL FLOW TESTING.
Structural testing, Path Testing
Moonzoo Kim CS Dept. KAIST
Microsoft Visual Basic 2005 BASICS
UNIT-4 BLACKBOX AND WHITEBOX TESTING
Example: Finding the Mode
Lecture Notes – Week 3 Lecture-2
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Chapter 4: Decision Structures and Boolean Logic
Algorithms Take a look at the worksheet. What do we already know, and what will we have to learn in this term?
Automatic Test Generation SymCrete
Mathematical Reasoning
Lecture 5 Binary Operation Boolean Logic. Binary Operations Addition Subtraction Multiplication Division.
CS2011 Introduction to Programming I Selections (I)
CUTE: A Concolic Unit Testing Engine for C
The Zoo of Software Security Techniques
Whitebox Testing.
Chapter 4: Decision Structures and Boolean Logic
UNIT-4 BLACKBOX AND WHITEBOX TESTING
Presentation transcript:

A Survey of Approaches for Automated Unit Testing Peter Carr Ron Kneusel

Outline Introduction/Motivation Concolic Testing Random Testing Evolutionary Testing Random/Evolutionary Experiment and Results Comparison of the Different Approaches Future Work

Introduction – Why Automate Unit Testing? Motivation: We’d like to write quality code but doing this requires testing it with inputs to see its behavior Must have a good path coverage to ensure reliability, but coming up with inputs to exercise all paths is hard Bugs tend to occur in boundary cases, but we don’t think of these cases, hence we don’t test them!

Concolic Testing – A (Very) Brief Overview Concolic is a modified form of symbolic execution (sym-ex) utilizing concrete inputs and path enumeration Example: 1: if(x>y) { 2: x = x + y; 3: y = x - y; 4: x = x - y; 5: if (x - y > 0) 6: assert(false); } (From S. Khurshid, C.S. Pasareanu, and W. Visser. Generalized Symbolic Execution for Model Checking and Testing. In Proc. 9th Int. Conf. on TACAS, pages 553-568, 2003.)

Concolic Example (1) Sym-ex represents x and y as variables x0 and y0, whereas x and y get concrete int values in concolic Path condition (pc) a boolean formula representing the path currently taken, initialized to true At each branch, a logic formula is conjoined to pc representing the possible inputs At 1), x0 <y0 or x0 >=y0 can hold so this represents a fork in the path: ie. pc = x0 <y0 and pc’ = x0 >= y0 6) cannot be executed because pc = x0 > y0 & (y0 – x0 > 0) is false

Concolic Example (2) For concolic, a concrete input causes a certain branch to be taken, and that is recorded to the pc If x = 3 and y = 4 then AND x <= y to the pc At next execution negate the conjunct to generate inputs that force a different path Constraint solver is required to generate inputs (concolic) or to see if pc has become false (symbolic)

Concolic vs. Symbolic Execution Sym-ex is computationally infeasible for many programs Tries to find every execution path, which is exponential in the number of branches Concolic tries to reduce the number of paths and also address problem with constraint solver If constraint can’t be solved in concolic, default to random values

Random Testing Conceptually simple- To test function, f(a,b), randomly select arguments, a and b, and apply them to f. If there is an error, a bug has been found. Depending upon the dimensionality and domain of f, one might wait a very long time before getting a representative set of inputs to f. Something this simple is just begging to be expanded upon...

Random Testing ART – Adaptive Random Testing Quasi-Random Testing Still random, but consciously select new “random” inputs to f() that are “well away” from any previous input – attempt to cover the input space of f() in a more intelligent manner. Adaptive Random Testing, T.Y. Chen, et al., ASIAN 2004, pp. 320-329, 2004 Quasi-Random Testing RT, but use a shuffled quasi-random generator – this is also “space filling” Quasi-random Testing, T. Chen, R. Merkel, Proc 20th IEEE/ACM Intl Conf Automated Soft Eng, 2005 Plus many more... see the paper!

Evolutionary Testing Use an evolutionary (genetic) algorithm to evolve a set of inputs to f(). Part of “dynamic test data generation” Instrument the code to report information about the function as it is executed. Use this information to decide on the “fitness” of the inputs. Evolve a new set of inputs based on previous fitness scores. Generating Software Test Data by Evolution, C. Michael, et al, IEEE Trans on Soft Eng, Vol 27, No 12, December 2001.

The Experiment Motivation Most RT/EA testing designed to uncover bugs – to work until a specific target piece of code has been reached In some cases branch coverage is more desirable goal. ie, to prove all code paths have been executed by the test suite. For example, this is of high interest to the FDA when certifying a new medical device.

The Setup Tested 100 randomly generated IDL functions A series of nested If-Else statements instrumented to track when a branch has been taken 2 to 5 input parameters Constrained to scalar 32-bit integer inputs Cyclomatic complexity: Mean 16.2 +/- 4.6, min 7, max 29 Goal: a set of inputs that maximizes branch coverage

Randomized Testing Approach RT Pick some inputs, evaluate f(), if this adds a new branch to the existing set of covered branches, keep this set of inputs Repeat ad nauseam So simple my six year old gets it! Quasi-RT RT but use a quasi-random generator

Quasi-Random Numbers Quasi-random Pseudo-random

RT results Coverage Min Max Mean Median Stddev p-value RT 0.10 1.0 0.76 0.79 0.19 0.10 Quasi 0.10 1.0 0.81 0.86 0.20 #inputs Min Max Mean Median Stddev p-value RT 1 8 3.1 2 1.5 <10-6 Quasi 1 11 4.5 3 2.3 Surprisingly, no statistically significant difference between plain RT and Quasi-RT, contrary to other papers. Possible causes: - “Irrational” auto-generated code - Excessive number of tests – space filling regardless of generation type (mean tests ~2,000,000) ???

How EA Works from Ch 2, A.E. Eiben and J.E. Smith

EA Results EA- - 100 organisms (a collection of inputs)‏ Coverage Min Max Mean Median Stddev p-value EA 0.10 0.87 0.59 0.59 0.15 RT 0.10 1.0 0.76 0.79 0.19 <10-6 Quasi 0.10 1.0 0.81 0.86 0.20 <10-6 EA- - 100 organisms (a collection of inputs)‏ - 100 cells per organism (an input)‏ - run until no change for 30 generations - keep the best organism found so far (apart from the population)‏ Probabilities- - of mating, 70% - otherwise mutate or replicate, (split 50/50)‏

EA Results Poor performance compared to RT Why? Simple coverage metric as objective function inadequate to force a true search of the input space A targeted branch approach is (probably) necessary

So Which Technique to Use? OOP testing requires good inputs and good method call sequences to get objects into desirable states Concolic is good at generating inputs to cover code with complex logic and structure Evolutionary techniques can be used to find desirable method call sequences Combine the two! (recent work in this area)

Future Work Explore EVACON framework which combines aspects of concolic and evolutionary testing for OOP Select a better objective function Target branches Evolve a set of inputs towards specific branches Switch from EA to PSO Demonstrated more powerful than EA in many cases Recall that IDL is an array-processing language How to select inputs when the space of inputs consists of multi-dimensional arrays?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.