Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.

Slides:

Advertisements

Similar presentations

Korat Automated Testing Based on Java Predicates Chandrasekhar Boyapati, Sarfraz Khurshid, Darko Marinov MIT ISSTA 2002 Rome, Italy.

Advertisements

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

Symbolic execution © Marcelo d’Amorim 2010.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

1 of 24 Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Dept. of Computer Science & Engineering University of Washington,

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

Binary Trees Terminology A graph G = is a collection of nodes and edges. An edge (v 1,v 2 ) is a pair of vertices that are directly connected. A path,

1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.

Automatic Unit Testing Tools Advanced Software Engineering Seminar Benny Pasternak November 2006.

Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.

Automatic Unit Tests Generation Tools SEPL Seminar Benny Pasternak December 2007.

Chapter 9 contd. Binary Search Trees Anshuman Razdan Div of Computing Studies

Solving problems by searching

Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.

1/23/2003University of Virginia1 Korat: Automated Testing Based on Java Predicates CS751 Presentation by Radu Stoleru C.Boyapaty, S.Khurshid, D.Marinov.

Korat: Automated Testing Based on Java Predicates Chandrasekhar Boyapati 1, Sarfraz Khurshid 2, and Darko Marinov 3 1 University of Michigan Ann Arbor.

Feed Back Directed Random Test Generation Carlos Pacheco1, Shuvendu K. Lahiri2, Michael D. Ernst1, and Thomas Ball2 1MIT CSAIL, 2Microsoft Research Presented.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CSCE 3110 Data Structures & Algorithm Analysis Binary Search Trees Reading: Chap. 4 (4.3) Weiss.

Trees Chapter 8. 2 Tree Terminology A tree consists of a collection of elements or nodes, organized hierarchically. The node at the top of a tree is called.

Chapter Tow Search Trees BY HUSSEIN SALIM QASIM WESAM HRBI FADHEEL CS 6310 ADVANCE DATA STRUCTURE AND ALGORITHM DR. ELISE DE DONCKER 1.

Lecture Objectives  To learn how to use a tree to represent a hierarchical organization of information  To learn how to use recursion to process trees.

Korat: Automated Testing Based on Java Predicates

Tao Xie ( ) Advisor: David Notkin Department of Computer Science & Engineering, University of Washington, Seattle Syntactically.

1 Automatic Identification of Common and Special Object-Oriented Unit Tests Dept. of Computer Science & Engineering University of Washington, Seattle Oct.

Building Java Programs Binary Search Trees; TreeSet.

CS 61B Data Structures and Programming Methodology July 15, 2008 David Sun.

S EARCHING AND T REES COMP1927 Computing 15s1 Sedgewick Chapters 5, 12.

Java Pathfinder JPF Tutorial - Test Input Generation With Java Pathfinder.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 6: Exhaustive Bounded Testing and Feedback-Directed Random Testing.

BINARY SEARCH TREE. Binary Trees A binary tree is a tree in which no node can have more than two children. In this case we can keep direct links to the.

Binary Search Trees Binary Search Trees (BST)  the tree from the previous slide is a special kind of binary tree called a binary.

Test Input Generation for Java Containers using State Matching Willem Visser Corina Pasareanu and Radek Pelanek Automated Software Engineering Group NASA.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.

jFuzz – Java based Whitebox Fuzzing

Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.

A Test Case + Mock Class Generator for Coding Against Interfaces Mainul Islam, Christoph Csallner Software Engineering Research Center (SERC) Computer.

Testing Data Structures Tao Xie Visiting Professor, Peking University Associate Professor, North Carolina State University

Improving Structural Testing of Object-Oriented Programs via Integrating Evolutionary Testing and Symbolic Execution Kobi Inkumsah Tao Xie Dept. of Computer.

CS 261 – Fall 2009 Binary Search Trees. Can we do something useful? How can we make a collection using the idea of a binary tree? How about starting with.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.

Random Test Generation of Unit Tests: Randoop Experience

Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

CS261 Data Structures Binary Search Trees Concepts.

(c) University of Washington20c-1 CSC 143 Binary Search Trees.

BSTs, AVL Trees and Heaps Ezgi Shenqi Bran. What to know about Trees? Height of a tree Length of the longest path from root to a leaf Height of an empty.

Automated Object’s Statechart Generation and Testing from Class-Method Contracts Atul Gupta PhD Scholar, IIT Kapur, India.

Experimental evaluation of Navigation piles

A Test Case + Mock Class Generator for Coding Against Interfaces

White-Box Testing.

Marcelo d’Amorim (UIUC)

Tree data structure.

Map interface Empty() - return true if the map is empty; else return false Size() - return the number of elements in the map Find(key) - if there is an.

Tree data structure.

White-Box Testing.

Willem Visser Corina Pasareanu and Radek Pelanek

Automatic Test Generation SymCrete

BST Insert To insert an element, we essentially do a find( ). When we reach a NULL pointer, we create a new node there. void BST::insert(const Comp &

Symbolic Execution and Test-input Generation

CUTE: A Concolic Unit Testing Engine for C

Building Java Programs

Presentation transcript:

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University of Washington University of Illinois at Urbana-Champaign Microsoft Research

Motivations Object-oriented unit tests consist of sequences of method invocations. Behavior of an invocation depends on the method’s arguments and the state of the receiver at the beginning of the invocation. Automated test-input generation needs to produce: Method sequences building relevant receiver object states Relevant method arguments

Motivations Object-oriented unit tests consist of sequences of method invocations. Behavior of an invocation depends on the method’s arguments and the state of the receiver at the beginning of the invocation. Automated test-input generation needs to produce: Method sequences building relevant receiver object states Relevant method arguments Symstra achieves both tasks using symbolic execution of method sequences with symbolic arguments

Outline Motivations Example Test generation by exploring concrete states Symstra: exploring symbolic states Evaluation Conclusion

Binary Search Tree Example public class BST implements Set { Node root; int size; static class Node { int value; Node left; Node right; } public void insert (int value) { … } public void remove (int value) { … } public bool contains (int value) { … } public int size () { … } }

Previous Test-Generation Approaches Straightforward approach: generate all (bounded) possible sequences of calls to the methods under test too many and many are redundant [Xie et al. 04] Concrete-state exploration approach [Willem et al. 04, Xie et al. 04] assume a given set of method call arguments explore new receiver-object states with method calls (in breadth-first manner) Test 1: BST t1 = new BST(); t1.size(); Test 2: BST t2 = new BST(); t2.size(); t2.size();

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3) new BST()

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3) new BST() insert(1) 2 insert(2) remove(2) remove(1) 3 insert(3) remove(3) 1 The first iteration

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3) new BST() insert(1) 2 insert(2) remove(2) remove(1) 3 insert(3) remove(3) insert(3) 1 3 The second iteration insert(2) insert(1) remove(3) remove(2) remove(1) …

Generating Tests from Exploration Collect method sequence along the shortest path (constructor-call edge  each method-call edge) new BST() insert(1) 2 insert(2) remove(2) remove(1) 3 insert(3) remove(3) insert(3) 1 3 insert(2) insert(1) remove(3) remove(2) remove(1) … BST t = new BST(); t.insert(1); t.insert(3);

Issues of Concrete-State Exploration State explosion (still) need at least N different insert arguments to reach a BST with size N run out of memory when N reaches 7 Relevant-argument determination assume a set of given relevant arguments e.g., insert(1), insert(2), insert(3), etc.

Exploring Concrete States new BST() insert(1) 2 insert(2) 3 insert(3) insert(2) 1 3 The second iteration …

State Abstraction: Symbolic States new BST() insert(1) 2 insert(2) 3 insert(3) x1 insert(x 1 ) 1 3 new BST() The second iteration … insert(3)insert(2)

State Abstraction: Symbolic States new BST() insert(1) 2 insert(2) 3 insert(3) insert(2) x1 x2 x 1 < x 2 insert(x 1 ) insert(x 2 ) 1 3 new BST() The second iteration …

Symbolic Execution Execute a method on symbolic input values inputs: insert(SymbolicInt x) Explore paths of the method Build a path condition for each path conjunct conditionals or their negations Produce symbolic states ( ) e.g., if (P)...; if (Q)...; PC: P PC: P && Q x1 x2 x 1 < x 2

Symbolic Execution Example public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; }

Exploring Symbolic States public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() S1S1 true

Exploring Symbolic States public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The first iteration true

Exploring Symbolic States public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The second iteration true x1x1 x 1 < x 2 x2x2 insert(x 2 ) S3S3

Exploring Symbolic States public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The second iteration true x1x1 x 1 < x 2 x2x2 S3S3 insert(x 2 ) x1x1 x 1 > x 2 x2x2 S4S4

Exploring Symbolic States public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The second iteration true x1x1 x 1 < x 2 x2x2 S3S3 insert(x 2 ) x1x1 x 1 > x 2 x2x2 S4S4 x1x1 x 1 = x 2 S5S5

Which States to Explore Next? public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The third iteration true x1x1 x 1 < x 2 x2x2 S3S3 insert(x 2 ) x1x1 x 1 > x 2 x2x2 S4S4 x1x1 x 1 = x 2 S5S5 ?

Symbolic State Subsumption Symbolic state S 2 : subsumes S 5 : Heaps H 2 and H 5 are isomorphic Path condition c 5  c 2 [CVC Lite, Omega] Concrete states represented by S 2 are a superset of concrete states represented by S 5 If S 2 has been explored, S 5 is pruned. Still guarantee path coverage within a method x1x1 true S5S5 x1x1 x 1 = x 2 S2S2 subsumes (x1 = x2)  true 123 … 23 … 1 superset of Symbolic states Concrete states

Pruning Symbolic State public void insert(SymbolicInt x) { if (root == null) { root = new Node(x); } else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... } else if (t.value > x) { //explore the left subtree... } else return; } size++; } new BST() x1x1 S2S2 insert(x 1 ) S1S1 The third iteration true x1x1 x 1 < x 2 x2x2 S3S3 insert(x 2 ) x1x1 x 1 > x 2 x2x2 S4S4 x1x1 x 1 = x 2 S5S5 Pruned!

new BST() x1x1 S2S2 insert(x 1 ) S1S1 true x1x1 x 1 < x 2 x2x2 S3S3 insert(x 2 ) x1x1 x 1 > x 2 x2x2 S4S4 x1x1 x 1 = x 2 S5S5 Collect method sequence along the shortest path (constructor-call edge  each method-call edge) Generate concrete arguments by using a constraint solver [POOC] BST t = new BST(); t.insert(x 1 ); t.insert(x 2 ); x 1 < x 2 BST t = new BST(); t.insert( ); t.insert( ); Generating Tests from Exploration

Evaluation Generate tests up to N (1..8) iterations Concrete-State vs. Symstra Focus on the key methods (e.g., add, remove ) of seven Java classes from various sources most are complex data structures Measure #states, time, and code coverage Pentium IV 2.8 GHz, Java 2 JVM with 512 MB Experimental results show Symstra effectively reduces the state space for exploration reduces the time for achieving code coverage

Statistics of Some Programs classN Concrete-StateSymstra Time (sec) #states%covTime (sec) #states%cov BinarySearchTree BinomialHeap LinkedList TreeMap Out of Memory

Code Coverage and (Seeded-)Bug Coverage with Iterations (Binary Search Tree)

Related Work Generating tests with concrete-state construction e.g., TestEra [Marinov&Khurshid 01] and Korat [Boyapati et al. 02] require specifications or repOK (class invariants) Generating tests with symbolic execution e.g. NASA Java Pathfinder [Khurshid et al. 03, Visser et al. 04] require repOK (class invariants) Directly construct new valid object states

Conclusion Automated test-input generation needs to produce: method sequences building relevant receiver object states relevant method arguments Symstra exhaustively explores method sequences with symbolic arguments prune exploration based on state subsumption generate concrete arguments using a constraint solver The experimental results show Symstra ’ s effectiveness over the existing concrete-state exploration approaches

Questions?