PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

Slides:



Advertisements
Similar presentations
Amal Khalil & Juergen Dingel
Advertisements

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic execution © Marcelo d’Amorim 2010.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
FIT Objectives By the end of this lecture, students should: understand how parameters are passed to and from methods understand what the differences.
Chapter 6. 2 Objectives You should be able to describe: Function and Parameter Declarations Returning a Single Value Pass by Reference Variable Scope.
ISBN Chapter 10 Implementing Subprograms –Semantics of Calls and Returns –Implementing “Simple” Subprograms –Implementing Subprograms with.
1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Methods Chapter 6. 2 Program Modules in Java What we call "functions" in C++ are called "methods" in Java Purpose Reuse code Modularize the program This.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
A First Book of C++: From Here To There, Third Edition2 Objectives You should be able to describe: Function and Parameter Declarations Returning a Single.
1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.
Instructor: Alexander Stoytchev CprE 185: Intro to Problem Solving (using C)
Parameter Passing Mechanisms Reference Parameters Read § §
Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.
Parameter Passing Mechanisms Reference Parameters § §
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Symbolic Execution.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Review TEST 2 Chapters 4,5,7. QUESTION For which type of operands does the == operator always work correctly: (a) int, (b) double, or (c) String?
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
A Test Case + Mock Class Generator for Coding Against Interfaces Mainul Islam, Christoph Csallner Software Engineering Research Center (SERC) Computer.
LECTURE 20: RECURSION CSC 212 – Data Structures. Humorous Asides.
Solving Linear Systems by Substitution
Recursion A recursive definition is one which uses the word or concept being defined in the definition itself Example: “A computer is a machine.
Unit Testing Part 2: Drivers and Stubs
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
AP Java Ch. 4 Review Question 1  Java methods can return only primitive types (int, double, boolean, etc).
Chapter 2 – The Little Crab Program:. Little Crab Scenario Inheritance: The Arrows Denote Hierarchy Crab is an Animal Animal is an Actor Therefore, It.
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
Methods What is a method? Main Method the main method is where a stand alone Java program normally begins execution common compile error, trying.
Int fact (int n) { If (n == 0) return 1; else return n * fact (n – 1); } 5 void main () { Int Sum; : Sum = fact (5); : } Factorial Program Using Recursion.
Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
1 A Case Study: Percolation Percolation. Pour liquid on top of some porous material. Will liquid reach the bottom? Applications. [ chemistry, materials.
Testing It is much better to have a plan when testing your programs than it is to just randomly try values in a haphazard fashion. Testing Strategies:
Recursion ITFN The Stack. A data structure maintained by each program at runtime. Push Pop.
Model Counting for Test Coverage, CodeHunt & Mutations Willem Visser Stellenbosch University.
Recursion Recursion is a fundamental programming technique that can provide an elegant solution certain kinds of problems © 2004 Pearson Addison-Wesley.
1-5 Equations Goals: Solve equations with one variable
A Test Case + Mock Class Generator for Coding Against Interfaces
Factoring if/else code
Recursive Thinking Chapter 9 introduces the technique of recursive programming. As you have seen, recursive programming involves spotting smaller occurrences.
Using local variable without initialization is an error.
CSC 253 Lecture 8.
CSC 253 Lecture 8.
Solve a system of linear equation in two variables
Stack Memory 2 (also called Call Stack)
Basic Examples Function Examples Limitation Examples
Elided to examples only
Recursion (part 1) October 24, 2007 ComS 207: Programming I (in Java)
Automatic Test Generation SymCrete
Unit 3 Test: Friday.
Basic Examples Function Examples Limitation Examples
Example (C code) int double(int x) { return 2 * x; }
When a function is called...
Basic Examples Function Examples Limitation Examples
CUTE: A Concolic Unit Testing Engine for C
Building Java Programs
Building Java Programs
Factoring if/else code
Presentation transcript:

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } (1) Interface extraction: parameters of toplevel function external variables return values of external functions main(){ int tmp1 = randomInt(); int tmp2 = randomInt(); test_me(tmp1,tmp2); } (2) Generation of test driver for random testing: Closed (self-executable) program that can be run Problem: probability of reaching abort() is extremely low!

PLDI’2005Page 2June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint x = 36, y = 99 create symbolic variables x, y

PLDI’2005Page 3June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99, z = 72 z = 2 * x

PLDI’2005Page 4June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99, z = 72 z = 2 * x 2 * x != y Solve: 2 * x == y Solution: x = 1, y = 2

PLDI’2005Page 5June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint x = 1, y = 2 create symbolic variables x, y

PLDI’2005Page 6June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2, z = 2 z = 2 * x

PLDI’2005Page 7June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2, z = 2 z = 2 * x 2 * x == y

PLDI’2005Page 8June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y x = 1, y = 2, z = 2 z = 2 * x y != x + 10 Solve: (2 * x == y) and (y == x +10) Solution: x = 10, y = 20

PLDI’2005Page 9June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y != x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint x = 10, y = 20 create symbolic variables x, y

PLDI’2005Page 10June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20, z = 20 z = 2 * x

PLDI’2005Page 11June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20, z = 20 z = 2 * x 2 * x == y

PLDI’2005Page 12June 2005 DART Step (3): Directed Search main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ } Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y y == x +10 z = 2 * x x = 10, y = 20, z = 20 Program Error

PLDI’2005Page 13June 2005 Novelty: Simultaneous Concrete & Symbolic Executions void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x –Cannot handle symbolic value of z! –Stuck?

PLDI’2005Page 14June 2005 Novelty: Simultaneous Concrete & Symbolic Executions void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x –Cannot handle symbolic value of z! –Stuck? –NO! Use concrete value z = 27 and proceed… Take else branch with constraint 27 != y Solve 27 = y to take then branch Execute next run with x = 3 and y = 27 DART finds the error! Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (e.g. non-linear) NOTE: whenever symbolic execution is stuck, static analysis becomes imprecise!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.