Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Software Testing Using Program Analysis -Patrice Godefroid, Peli de Halleux, Aditya V. Nori, Sriram K. Rajamani,Wolfram Schulte, and Nikolai.

Published byJoanna Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "Automating Software Testing Using Program Analysis -Patrice Godefroid, Peli de Halleux, Aditya V. Nori, Sriram K. Rajamani,Wolfram Schulte, and Nikolai."— Presentation transcript:

1 Automating Software Testing Using Program Analysis -Patrice Godefroid, Peli de Halleux, Aditya V. Nori, Sriram K. Rajamani,Wolfram Schulte, and Nikolai Tillmann, Microsoft Research Michael Y. Levin, Microsoft Center for Software Excellence Publisher :IEEE Software, Vol. 25, No. 5, pp 30–37, September/October 2008.

2 INTRODUCTION Code inspection for standard programming errors has largely been automated with static code analysis during the last decade Software development organizations routinely use commercial static program analysis tool for finding software bugs. The 3 main ingredients of these tools are that they are Automatic Scalable Check many properties

3 GOAL Software testing is an expensive part of software development process. Our long term goal is to automate it. Automating test generation is achieved by Leveraging recent advances in program analysis Automated constraint solving, and Modern computers’ increasing computational power.

4 STATIC VERSUS DYNAMIC TEST GENERATION Automatic code-driven test generation can roughly be partitioned into two groups:  Static  Dynamic

5 STATIC TEST GENERATION Static test generation consists of Analyzing a program P statically by  reading the program code  using symbolic execution techniques  to simulate abstract program executions Compute inputs to drive P along specific execution paths without ever executing the program. For each control path p, symbolic execution constructs a path constraint. It characterizes the input assignments for which the program executes along p. A path constraint is a conjunction of constraints on input values. If a path constraint is satisfiable, then the corresponding control path is feasible.

6 Disadvantages of static test generation This approach doesn’t work whenever the program contains statements involving constraints outside the constraint solvers scope of reasoning. Static test generation is doomed to perform poorly whenever perfect symbolic execution is impossible.

7 DYNAMIC TEST GENERATION Dynamic test generation, consists of  Executing the program P, starting with some given or random inputs;  Gathering symbolic constraints on inputs at conditional statements along the execution; and  Using a constraint solver to infer variants of the previous inputs to steer the program’s next execution toward an alternative program branch. This process is repeated until a specific program statement is reached DART is a recent variant of dynamic test generation

8 DART Directed Automated Random Testing (DART) It blends dynamic test generation with model- checking techniques to systematically execute a program’s feasible program paths. In a DART directed search, each new input vector tries to force the program’s execution through some new path. By repeating this process, such a directed search attempts to force the program to sweep through all its feasible execution paths. It can alleviate imprecision in symbolic execution by using concrete values and randomization.

9 To exercise Automated Software Testing The Authors discuss about tools that are generated using  static program analysis (symbolic execution)  dynamic analysis (testing and runtime instrumentation)  model checking (systematic state-space exploration)  automated constraint solving The tools discussed here are  SAGE (White box fuzz testing for security),  Pex (Automating unit testing for.NET)  Yogi (Combining testing and static analysis).

10 SAGE:WHITE BOX FUZZ TESTING FOR SECURITY SECURITY VULNERABILITIES Security vulnerabilities (like buffer overflows) are a class of dangerous software defects. Causes unintended behavior in a software component by sending it particularly crafted inputs. Fixing security vulnerabilities after a product release is expensive.

11 FUZZ TESTING Fuzz testing is a black-box testing technique. It is a quick and cost effective method for uncovering security bugs. This approach involves randomly mutating well- formed inputs and testing the program on the resulting data. Fuzz-testing tools are inherently limited. White-box fuzz testing extends systematic dynamic test generation. SAGE (scalable, automated, guided execution), implements this approach using instruction level tracing for Windows applications.

12 SAGE ARCHITECTURE SAGE repeatedly performs four main tasks. 1. The tester executes the test program on a given input under a runtime checker looking for various kinds of runtime exceptions, such as hangs and memory access violations. 2. The coverage collector collects instruction addresses executed during the run. 3. The tracer records a complete instruction-level trace of the run using the iDNA framework. 4. Lastly, the symbolic executor  replays the recorded execution,  collects input-related constraints, and  generates new inputs using the constraint solver ‘Disolver’.

13 The symbolic executor is implemented on top of the trace replay infrastructure TruScan.  TruScan consumes the trace files generated by iDNA and virtually re-executes the recorded runs The constraint generation approach in SAGE adopts a machine-code-based-approach.  Sage deviates from previous approaches by using offline trace-based constraint generation rather than online which is completely deterministic as it works with outcomes of all nondeterministic events within a recorded run.

14 GENERATIONAL PATH EXPLORATION SAGE targets large applications with multi source languages, where symbolic execution is its slowest component. Therefore, SAGE implements a novel directed search algorithm, called generational search. It maximizes the number of new input tests generated from each symbolic execution. Given a path constraint,  all the constraints in that path are systematically negated one by one  placed in a conjunction with the prefix of the path constraint leading to it, and  attempted to be solved by a constraint solver.

15 Example figure for all feasible program paths for the function top():

16 PEX: AUTOMATING UNIT TESTING FOR.NET Unit testing is a popular way to ensure early and frequent testing while developing software. Unit tests are written to  Document customer requirements at the API level  Reflect design decisions  Protect against observable changes of implementation details  Achieve certain code coverage  Exercise a single feature in isolation. Tools, such as JUnit and NUnit, support unit testing.

17 PUT- Parameterized Unit Test PUT is a new testing methodology that combines the advantages of automatic test generation with unit tests’ error- detecting capabilities. A PUT is simply a method that takes parameters. The purpose of a PUT is to express an API’s intended behavior. For example, the following PUT asserts that after adding an element to a non-null list, the element is indeed contained in the list: void TestAdd(ArrayList list,object element) { Assume.IsNotNull(list); list.Add (element); Assert.IsTrue(list.Contains(element)); }

18 Pex (Program Exploration) Pex is a tool that helps developers write PUTs in a.NET language. For each PUT, Pex uses dynamic test-generation techniques to compute a set of input values that exercise all the statements and assertions in the analyzed program. For example, for our sample PUT, Pex generates two test cases that cover all the reachable branches: contd.

19 void TestAdd_Generated1(){ TestAdd(new ArrayList(0),new object()); } void TestAdd_Generated 2(){ TestAdd(new ArrayList(1),new object()); }  The first test executes code in the array list that allocates more memory because the initial capacity 0 isn’t sufficient to hold the added element.  The second test initializes the array list with capacity 1, which is sufficient to add one element. When Pex generates a test that fails,it performs a root cause analysis and suggests a code change to the bug.

20 Glimpse of Pex in Visual Studio

21 YOGI:COMBINING TESTING AND STATIC ANALYSIS Testing and static analysis have complementary strengths. Testing executes a program concretely precludes false alarms might not achieve high coverage. Static analysis covers all program behaviors costs potential false alarms ignores several details about the program’s state

22 For combining testing and static analysis, the Yogi tool implements a novel algorithm, Dash. The Yogi tool verifies properties specified by finite-state machines representing invalid program behaviors. For example, we might want to check that along all paths in a program, for a mutex m, the calls acquire(m) and release(m) are called in strict alternation.

23 Program that follows this rule

24 Yogi can prove that acquire(m) and release(m) are correctly called along all paths by constructing a finite abstraction of the program that includes all its possible executions. Programs might have an infinite number of states, denoted by Σ. The states of the finite abstraction are called regions. They are equivalence classes of concrete program states from Σ. There is an abstract transition from region S to region S′ if there are two concrete states s є S and s′ є S′ such that there is a concrete transition from s to s′.

25 One of Yogi’s unique features is that it simultaneously searches for both a test to establish that the program violates the property and an abstraction to establish that the program satisfies the property. If the abstraction has a path that leads to the property’s violation, Yogi attempts to focus test case generation along that path. If such a test case can’t be generated, Yogi uses information from the unsatisfiable constraint from the test-case generator to refine the abstraction. Thus, the construction of test cases and abstraction proceed hand in hand, using error traces in the abstraction to guide test case generation and constraints from failed test case generation attempts to guide refinement of the abstraction.

26 Figure (b) shows a finite-state abstraction for the program in Figure (a) This abstraction is isomorphic to the program’s control-flow graph. By exploring all the abstraction’s states, Yogi establishes that the calls to acquire(m) and release(m) always occur in strict alternation.

27 CONCLUSION AND FUTURE SCENARIO The tools described here might give us a glimpse of what the future of software-defect detection could be. In a few years, mainstream bug-finding tools might be able to generate concrete input exhibiting each bug found an abstract execution trace Such tools would be automatic scalable efficient and would check many properties at once. They would also be integrated with other emerging techniques.

28 QUESTIONS?

Download ppt "Automating Software Testing Using Program Analysis -Patrice Godefroid, Peli de Halleux, Aditya V. Nori, Sriram K. Rajamani,Wolfram Schulte, and Nikolai."

Similar presentations

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 Testing the OPN Language: Rule Coverage and Fuzz Testing Wujie Zheng.

1 Testing the OPN Language: Rule Coverage and Fuzz Testing Wujie Zheng.
Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.

Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.
Software testing.

Software testing.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Pexxxx White Box Test Generation for

Pexxxx White Box Test Generation for
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Ch6: Software Verification. 1 Statement coverage criterion  Informally:  Formally:  Difficult to minimize the number of test cases and still ensure.

Ch6: Software Verification. 1 Statement coverage criterion  Informally:  Formally:  Difficult to minimize the number of test cases and still ensure.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.
High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.
1 Software Testing Techniques CIS 375 Bruce R. Maxim UM-Dearborn.

1 Software Testing Techniques CIS 375 Bruce R. Maxim UM-Dearborn.
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.

Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.

Similar presentations

Ads by Google