1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

Slides:



Advertisements
Similar presentations
Chapter 22 Implementing lists: linked implementations.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Korat Automated Testing Based on Java Predicates Chandrasekhar Boyapati, Sarfraz Khurshid, Darko Marinov MIT ISSTA 2002 Rome, Italy.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
A Survey of Approaches for Automated Unit Testing
Symbolic Execution with Mixed Concrete-Symbolic Solving
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Symbolic execution © Marcelo d’Amorim 2010.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Static and Dynamic Contract Verifiers For Java Hongming Liu.
1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
Efficient Software Model Checking of Soundness of Type Systems Michael Roberson, Melanie Harries, Paul T. Darga, Chandrasekhar Boyapati University of Michigan.
Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.
Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
1/23/2003University of Virginia1 Korat: Automated Testing Based on Java Predicates CS751 Presentation by Radu Stoleru C.Boyapaty, S.Khurshid, D.Marinov.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 8: Semi-automated test generation via UDITA.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
Feed Back Directed Random Test Generation Carlos Pacheco1, Shuvendu K. Lahiri2, Michael D. Ernst1, and Thomas Ball2 1MIT CSAIL, 2Microsoft Research Presented.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
Automatic Assumption Generation for Compositional Verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.
Java Pathfinder JPF Tutorial - Test Input Generation With Java Pathfinder.
Yang Liu, Jun Sun and Jin Song Dong School of Computing National University of Singapore.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Finding Feasible Counter-examples when Model Checking Abstracted Java Programs Corina S. Pasareanu, Matthew B. Dwyer (Kansas State University) and Willem.
Model Counting A Quest for Nails 2 Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Model Checking Java Programs using Structural Heuristics
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Proving Non-Termination Gupta, Henzinger, Majumdar, Rybalchenko, Ru-Gang Xu presentation by erkan.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
Symbolic Execution and Model Checking for Testing Corina Păsăreanu and Willem Visser Perot Systems/NASA Ames Research Center and SEVEN Networks.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.
Tool-supported Program Abstraction for Finite-state Verification Matthew Dwyer 1, John Hatcliff 1, Corina Pasareanu 1, Robby 1, Roby Joehanes 1, Shawn.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Concrete Model Checking with Abstract Matching and Refinement Corina Păsăreanu QSS, NASA Ames Research Center Radek Pelánek Masaryk University, Brno, Czech.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Dynamic White-Box Testing What is code coverage? What are the different types of code coverage? How to derive test cases from control flows?
Over-Approximating Boolean Programs with Unbounded Thread Creation
Willem Visser Corina Pasareanu and Radek Pelanek
Automatic Test Generation SymCrete
Symbolic Execution and Test-input Generation
CUTE: A Concolic Unit Testing Engine for C
Predicate Abstraction
Presentation transcript:

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

2 Paper Khurshid, S., Pasareanu, C.S., and Vissser, W., “Generalized Symbolic Execution for Model Checking and Testing”, in Proc. of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2003). April 2003, Warsaw, Poland.

3 Motivation void Executive:: startExecutive(){ runThreads(); …} void Executive:: executePlan(…) { while(!empty) executeCurrentPlanNode(); } … Rover Executive Future mission software: - concurrent - complex, dynamically allocated data structures (e.g., lists or trees) - highly interactive: - with complex inputs - large environment - should be extremely reliable Input plan complex input structure concurrency, dynamic data (lists, trees) execute action environment/ rover status Current practice in checking complex software: large environment data Mars Rover Testing: - requires manual input - typically done for a few nominal input cases - not good at finding concurrency bugs - not good at dealing with complex data structures Model checking: - automatic, good at finding concurrency bugs - not good at dealing with complex data structures - feasible only with a small environment - and a small set of input values

4 Our symbolic execution framework Extends model checking to programs that have complex inputs with unbounded (very large) data Automates test input generation Provides: A novel symbolic execution algorithm Handles dynamic data (e.g., lists and trees), concurrency Uses lazy initialization: –Initializes the components of the program’s inputs on an ``as-needed'' basis –No a priori bound on input sizes –Uses preconditions to initialize inputs only with valid values A source to source translation to instrument a program Enables standard model checkers to perform symbolic execution of the program Uses “off-the-shelf” decision procedures

5 Symbolic Execution Code: (PC=“path condition”) - “Simulate” the code using symbolic values instead of program numeric data Symbolic execution tree: x:X,y:Y PC: true x:X,y:Y PC: X>Y x:X,y:Y PC: X<=Y true false x:X+Y,y:Y PC: X>Y x:X+Y,y:X PC: X>Y x:Y,y:X PC: X>Y x:Y,y:X PC: X>Y  Y-X>0 x:Y,y:X PC:X>Y  Y-X<=0 true false FALSE! Not reachable int x, y; if (x > y) { x = x + y; y = x - y; x = x - y; if (x – y > 0) assert (false); }

6 Algorithm: Lazy Initialization To symbolically execute method m of class C: create a new object, o, of class C set all its fields to uninitialized values invoke o.m() when m accesses field f if (f is uninitialized) { if (f is reference field of type T) { non-deterministically initialize f to –null –a new object of class T (with un-initialized field values) –a previously initialized object of class T } if (f is numeric (string) field) initialize f to a new symbolic value }

7 Generalized Symbolic Execution E0 next E1 next t E2 next... Code: ( = “unknown yet”) E0 next E1 next t E0 next E1 next t E2 next PC: E0-E1>0PC: E0-E1<=0 truefalse... -“Simulate” the code using symbolic values instead of program numeric data. -Enumerate input structures lazily. Symbolic execution tree: E0 next PC: true Precondition: acyclic list! E0 next null E0 next E1 next E0 next... E0 next E1 next t null E0 next E1 next t E2 next E0 next E1 tnext E0 next E1 next t... class Node { int elem; Node next; Node swapNode() { if (next != null) if (elem – next.elem > 0) { Node t = next; next = t.next; t.next = this; return t; } return this; } }

8 class Node { int elem; Node next; Node swapNode() { if (next != null) if (elem – next.elem > 0) { Node t = next; next = t.next; t.next = this; return t; } return this; } } Code: Results of Analysis E0 next null E0 next E1 next E0 next E0 next E1 next null E0 next E1 next E2 next E0 next E1 next E0 next E1 next Input list +ConstraintOutput list E0>E1 none E0≤E1 none E0>E1 E1 next E0 next E2 next E1 next E0 next E1 next E0 next E1 next E0 next null E0 next E1 next E0 next E0 next null Null pointer exception!

9 Framework Model checking Program instrumentation Decision procedures Instrumented program Correctness specification continue/ backtrack Counterexample(s)/ test suite [heap+constraint+thread scheduling] Source program Path condition (data) Heap configuration Thread scheduling State:

10 Implementation for Java Uses Korat (MIT) for program instrumentation Uses Java PathFinder model checker toolset Uses Omega library as a decision procedure –for integer linear constraints Framework: Can be used as a symbolic execution tool with backtracking –Handles multithreaded programs No state matching –Un-decidable in general Good for finding counter-examples to safety properties –Programs with loops can have infinite execution trees –Uses breadth first search or depth first search with limited depth Used to –check for null pointer exceptions, rich properties in multithreaded programs –generate test inputs for code coverage of an Altitude Switch used in flight control software (~ 2000 Java lines)

11 Code Instrumentation Code: class Expression { static PathCondition _pc; Expression_minus(Expression e) { … } } class PathCondition { … Constraints c; boolean _updateGT (Expression e1, Expression e2) { boolean result = choose_boolean(); if (result) c.add_constraintGT(e1,e2)); else c.add_constraintLE(e1,e2)); if (! c.is_satisfiable()) backtrack(); return result; } class Node { Expression elem; boolean _elem_is_initialized; Node next; boolean _next_is_initialized; Node swapNode() { if (_get_next() != null) if (Expression._pc._updateGT(_get_elem()._minus(_get_next(). _get_elem() ), new IntegerConstant(0) ) { Node t = _get_next() ; _set_next (t._get_next() ); t._set_next (this); return t; } return this; } } class Node { int elem; Node next; Node swapNode() { if (next != null) if (elem – next.elem > 0) { Node t = next; next = t.next; t.next = this; return t; } return this; } }

12 Related work Symbolic execution and program testing –EFFIGY [King’76] Static analysis –ESC [Detlefs et al’98] –TVLA [Sagiv et al’98] Software model checking –VeriSoft [Godefroid’97] –JPF [Visser et al’00] –Bandera (KSU), SLAM (Microsoft) Specification-based testing –Korat [ISSTA ’02]...

13 Conclusions Framework for symbolic execution –Handles dynamic data and concurrency –Program instrumentation enables any model checker to perform symbolic execution –Used for checking rich properties of multithreaded programs with complex inputs and for test input generation Future work: –Investigate Widening and abstraction techniques to help termination Different decision procedures and constraint solvers (to handle non-linear constraints and floats) –Case studies

14 Demo class List { Node header; static class Node { int elem; Node next; } void swap2() { // swaps the first two nodes if (header == null) return; if (header.next == null) return; Node t = header; header = header.next; t.next = t.next.next; header.next = t; }

15 Problem: convergence Symbolic execution tree: void test(int n) { int x = 0; while(x < n) x = x + 1; } Code: n:S PC:true n:S,x:0 PC:true n:S,x:1 PC:0<S n:S,x:0 PC:0<S n:S,x:0 PC:0>=S n:S,x:1 PC:0 =S n:S,x:1 PC:0<S & 1<S....

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.