Symbolic Execution and Program Testing
James C. King, IBM Thomas J. Watson Research Center
(Slides: Charngki, PSWLAB)

Presentation transcript:

2/20 Table of Contents
- Introduction
- Symbolic Execution
  - Examples
- Symbolic Execution Tree
  - Examples
- An Interactive Symbolic Executor – EFFIGY
- Symbolic Execution and Program Testing
- Conclusion

3/20 Introduction
- Testing vs. formal analysis
  - Testing
    - A programmer can be assured that sample test runs work correctly by checking the results
    - But the correct execution for inputs not in the sample is still in doubt
  - Formal analysis
    - Proving the correctness of programs by formal analysis shows great promise
    - Fundamental problems in reducing the theory to practice are not likely to be solved in the immediate future
- So let's take a practical approach between these two extremes: symbolic execution!

4/20 Symbolic Execution (1/8)
- What is symbolic execution?
  - Instead of supplying the normal inputs to a program, symbolic execution supplies symbols representing arbitrary values
    - ex) int f(1, 2) → int f(α1, α2)
  - The execution proceeds as in a normal execution except that values may be symbolic formulae over the input symbols
  - A program is symbolically executed for a set of classes of inputs, so each symbolic execution result may be equivalent to a large number of normal test cases

5/20 Symbolic Execution (2/8)
- Simple example: function ADD

    1: int ADD(int a, int b, int c) {
    2:     int x = a + b;
    3:     int y = b + c;
    4:     int z = x + y - b;
    5:     return z;
    6: }

[Table: normal execution result of ADD(1,3,5); columns x, y, z, a, b, c]

Symbolic execution result of ADD(α1, α2, α3):

    statement  x      y      z         a   b   c
    1          -      -      -         α1  α2  α3
    2          α1+α2  -      -         α1  α2  α3
    3          α1+α2  α2+α3  -         α1  α2  α3
    4          α1+α2  α2+α3  α1+α2+α3  α1  α2  α3
    5          α1+α2  α2+α3  α1+α2+α3  α1  α2  α3

6/20 Symbolic Execution (3/8)
- Language syntax and the individual programs written in the language need not be changed
  - The only opportunity to introduce symbolic data is as input to the program
- Assignment and branch statements must be extended to handle symbolic values
  - Assignment statement
    - The right-hand side of the statement may be a polynomial
  - Branch statement
    - Symbolic execution of the IF statement requires a path condition (pc)
    - pc is a boolean expression over the symbolic input

7/20 Symbolic Execution (4/8)
- IF statement (1/2)
  - The symbolic execution of an IF statement begins in a fashion similar to its normal execution
  - Since the values of variables are polynomials, the condition is an expression of the form R ≥ 0, where R is a polynomial
- Path condition
  - The initial value of pc is true
  - Using the current path condition (pc), we have the following two expressions:
    (a) pc ⇒ q (q is a condition expression)
    (b) pc ⇒ ~q

8/20 Symbolic Execution (5/8)
- IF statement (2/2)
  - Nonforking execution (either expression is true)
    - If (a) is true, pass control to the THEN part
    - If (b) is true, pass control to the ELSE part
  - Forking execution (neither expression is true)
    - Since each alternative is possible in this case, the only complete approach is to explore both control paths
    - In choosing the THEN alternative, the inputs are assumed to satisfy q; this information is recorded in pc by the assignment pc := pc ∧ q
    - Similarly, choosing the ELSE alternative leads to pc := pc ∧ ~q

9/20 Symbolic Execution (6/8)
- Example: function POWER(x, y)

     1: int POWER(int x, int y)
     2: {
     3:     int z = 1;
     4:     int j = 1;
     5:     while (y >= j)
     6:     {
     7:         z = z * x;
     8:         j++;
     9:     }
    10:     return z;
    11: }

    statement  j  x   y   z   pc
    1          -  α1  α2  -   true
    3          -  α1  α2  1   true
    4          1  α1  α2  1   true
    5          execution in detail:
               (a) evaluate y ≥ j, getting α2 ≥ 1
               (b) use pc and check:
                   (i)  true ⇒ α2 ≥ 1
                   (ii) true ⇒ ~(α2 ≥ 1)
               (c) neither true, so fork
    case ~(α2 ≥ 1):
    5          1  α1  α2  1   ~(α2 ≥ 1)
    10         1  α1  α2  1   ~(α2 ≥ 1)
    case α2 ≥ 1:
    5          1  α1  α2  1   α2 ≥ 1
    7          1  α1  α2  α1  α2 ≥ 1
    8          2  α1  α2  α1  α2 ≥ 1

10/20 Symbolic Execution (7/8)
- Example: function POWER(x, y) (same listing as on slide 9/20)

    statement  j  x   y   z      pc
    5          execution in detail:
               (a) evaluate y ≥ j, getting α2 ≥ 2
               (b) use pc and check:
                   (i)  α2 ≥ 1 ⇒ α2 ≥ 2
                   (ii) α2 ≥ 1 ⇒ ~(α2 ≥ 2)
               (c) neither true, so fork
    case ~(α2 ≥ 2):
    5          2  α1  α2  α1     α2 = 1
    10         2  α1  α2  α1     α2 = 1
    case α2 ≥ 2:
    5          2  α1  α2  α1     α2 ≥ 2
    7          2  α1  α2  α1*α1  α2 ≥ 2
    8          3  α1  α2  α1*α1  α2 ≥ 2

11/20 Symbolic Execution (8/8)
- Commutativity
  - The result computed by normal execution with specific integer inputs is the same as the result of executing the program symbolically and then instantiating the symbolic result
  - ex)
    - Normal execution: ADD(3, 5) = 8
    - Symbolic execution: ADD(α1, α2) = α1 + α2
    - Instantiate the symbolic result: α1 = 3, α2 = 5 → 8
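Commutativity checked on the three-argument ADD from slide 5/20, as an added example that is not part of the slides. The same function body runs on plain integers and on symbolic values; the `Lin` class (linear forms over the input symbols), `sym` and `add_trace` are names invented for this sketch.

```python
class Lin:
    """Linear symbolic value: const + sum(coeff * symbol)."""
    def __init__(self, coeffs=None, const=0):
        self.coeffs = {s: c for s, c in (coeffs or {}).items() if c}
        self.const = const

    def _combine(self, other, sign):
        if not isinstance(other, Lin):          # lift a plain int
            other = Lin(const=other)
        merged = dict(self.coeffs)
        for s, c in other.coeffs.items():
            merged[s] = merged.get(s, 0) + sign * c
        return Lin(merged, self.const + sign * other.const)

    def __add__(self, other):
        return self._combine(other, +1)

    def __sub__(self, other):
        return self._combine(other, -1)

    def instantiate(self, env):
        """Replace every symbol by its concrete value from env."""
        return self.const + sum(c * env[s] for s, c in self.coeffs.items())

    def __str__(self):
        terms = [s if c == 1 else f"{c}*{s}" for s, c in sorted(self.coeffs.items())]
        return " + ".join(terms + ([str(self.const)] if self.const or not terms else []))


def sym(name):
    return Lin({name: 1})


def add_trace(a, b, c):
    """ADD statement by statement; rows are (statement, x, y, z)."""
    x = a + b
    row2 = (2, x, None, None)
    y = b + c
    row3 = (3, x, y, None)
    z = x + y - b
    return [row2, row3, (4, x, y, z)]


if __name__ == "__main__":
    symbolic = add_trace(sym("α1"), sym("α2"), sym("α3"))
    for stmt, x, y, z in symbolic:
        print(stmt, x, y, z, sep=" | ")
    z = symbolic[-1][3]
    # Instantiating the symbolic result must equal the normal execution.
    print(z.instantiate({"α1": 1, "α2": 3, "α3": 5}), add_trace(1, 3, 5)[-1][3])
```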

12/20 Symbolic Execution Tree (1/3)
- We can generate a symbolic execution tree characterizing the execution paths followed during the symbolic execution
  - Associate a node with each statement executed
  - Associate a directed arc, connecting the associated nodes, with each transition between statements
  - For an IF statement execution, the associated node has two arcs leaving it, labeled "T" and "F" for the true and false part, respectively
  - Associate the complete current execution state, i.e. variable values, statement counter, and pc, with each node

13/20 Symbolic Execution Tree (2/3)
- Example: function POWER(x, y) (same listing as on slide 9/20)

[Figure: symbolic execution tree for POWER, branch arcs labeled T and F]
- Case pc is (α2 < 1): return 1
- Case pc is (α2 = 1): return α1

14/20 Symbolic Execution Tree (3/3)
- Properties
  - For each terminal leaf in the symbolic execution tree there exists a particular nonsymbolic input to the program
  - The pc's associated with any two terminal leaves are distinct
  - ex)

        1: if (x > 5)
        2:     return 1
        3: else
        4:     return 0

    [Figure: execution tree with arcs labeled F and T]
    - F: pc is ~(α1 > 5), return 0
    - T: pc is α1 > 5, return 1

15/20 An Interactive Symbolic Executor – EFFIGY (1/2)
- Debugger for symbolic program execution
  - Basic debugging and testing facilities are provided for symbolic program execution
  - EFFIGY treats normal execution as a special case
- Interactive debugging facilities are available, including:
  - Tracing: the user can request to see the statement number and the computational results
  - Breakpoints: the user can insert breakpoints before or after any statement
  - State saving: SAVE, RESTORE

16/20 An Interactive Symbolic Executor – EFFIGY (2/2)
- Testing facilities
  - Test manager
    - A test manager is available for exploring the alternatives presented in the symbolic execution tree
  - Program verifier
    - Checks whether the program is running correctly
    - ASSUME(P): pc := pc ∧ P
    - PROVE(P): check whether pc ⇒ P is true

17/20 Symbolic Execution and Program Testing (1/2)
- To prove the correctness of a program, the programmer supplies an input predicate and an output predicate with the program
- The program is correct if, for all inputs which satisfy the input predicate, the results produced by the program satisfy the output predicate

18/20 Symbolic Execution and Program Testing (2/2)
- We can prove the correctness of each path by executing it symbolically as follows:
  1. Place ASSUME at the beginning of the path and PROVE at the end of the path
  2. Execute the path symbolically
  3. If the PROVE at the end of the path displays true, the path is correct; otherwise it is not
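The IF forking rule from slides 7/20 and 8/20 and the ASSUME/PROVE procedure above, applied to the slides' POWER function as an added example (not from the slides and not EFFIGY code). Assumptions made here: pc is kept as an integer interval on α2, z is tracked as the exponent k of α1, unrolling is bounded by a hypothetical `max_unroll`, and the output predicate z = x**y is chosen for illustration; all function names are invented.

```python
INF = float("inf")

def power_leaves(pc=(-INF, INF), max_unroll=3):
    """Symbolically execute POWER(α1, α2).

    pc is an integer interval (lo, hi) on α2; j stays concrete; z is kept as
    the exponent k, meaning z = α1**k. Returns the terminal leaves as
    [(pc, k)]; paths needing more than max_unroll iterations are cut off.
    """
    leaves = []
    work = [(pc, 1, 0)]                       # state after statements 3 and 4
    while work:
        (lo, hi), j, k = work.pop()
        if k > max_unroll:
            continue                          # the full tree is infinite
        then_forced = lo >= j                 # pc ⇒ q,  with q: α2 >= j
        else_forced = hi < j                  # pc ⇒ ~q
        if not then_forced:                   # ELSE: pc := pc ∧ ~q, statement 10
            leaves.append(((lo, min(hi, j - 1)), k))
        if not else_forced:                   # THEN: pc := pc ∧ q, statements 7-8
            work.append(((max(lo, j), hi), j + 1, k + 1))
    return leaves

def assume(pc, pred):
    """ASSUME(P): pc := pc ∧ P, with P given as an interval on α2."""
    return (max(pc[0], pred[0]), min(pc[1], pred[1]))

def prove_is_power(pc, k):
    """PROVE(z = x**y): with z = α1**k this holds iff pc ⇒ (α2 = k)."""
    return pc[0] == pc[1] == k

def verify_paths(input_pred, max_unroll=3):
    """ASSUME at the start of every path, PROVE at its end."""
    start = assume((-INF, INF), input_pred)
    return [(pc, k, prove_is_power(pc, k)) for pc, k in power_leaves(start, max_unroll)]

if __name__ == "__main__":
    for pc, k, ok in verify_paths((-INF, INF)):   # no input predicate
        print("pc:", pc, " z = α1**%d" % k, " PROVE:", ok)
    for pc, k, ok in verify_paths((0, INF)):      # ASSUME(α2 >= 0)
        print("pc:", pc, " z = α1**%d" % k, " PROVE:", ok)
```

Without an input predicate the leaf with pc α2 < 1 fails PROVE, because it returns 1 for negative exponents too; with ASSUME(α2 ≥ 0) that leaf's pc narrows to α2 = 0 and every explored path is proved.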

19/20 Conclusion
- Symbolic execution offers the advantage that one symbolic execution may represent a large class of normal executions
- The EFFIGY system embodies symbolic execution in a general-purpose interactive debugging system
- The test manager and program verifier are powerful for program testing

20/20 Discussion