A Theory of Predicate-complete Test Coverage and Generation Thomas Ball Testing, Verification and Measurement Microsoft Research FMCO Symposium November.

Control-flow Coverage Criteria
Statement/branch coverage widely used in industry
100% coverage ≠ a bug-free program!!
More stringent criteria
–modified-condition-decision, predicate, data-flow, mutation, path, …

Beyond Statement and Branch Coverage
void partition(int a[]) {
  assume(a.length>2);
  int pivot = a[0];
  int lo = 1;
  int hi = a.length-1;
  while (lo<=hi) {
    while (a[lo]<=pivot) lo++;   // bug: no lo<=hi guard, so lo can run past the end of a (array bounds violation)
    while (a[hi]>pivot) hi--;
    if (lo<hi) swap(a,lo,hi);
  }
}

Corrected Program
void partition(int a[]) {
  assume(a.length>2);
  int pivot = a[0];
  int lo = 1;
  int hi = a.length-1;
  while (lo<=hi) {
    while (lo<=hi && a[lo]<=pivot) lo++;   // corrected: the lo<=hi guard keeps a[lo] in bounds
    while (a[hi]>pivot) hi--;
    if (lo<hi) swap(a,lo,hi);
  }
}

Predicate-complete Testing
Program predicates
–relational expression such as (x<0)
–the expression (x 0) has two predicates
Program with m statements and n predicates
–m × 2^n possible observable states S
–finest partition of behavior based on programmer’s observations
Goal
–cover all reachable observable states R ⊆ S

Reachable Observable States
L1: if (x<0)
L2:   skip;
    else
L3:   x = -2;
L4: x = x + 1;
L5: if (x<0)
L6:   A;

Upper and Lower Bounds
m × 2^n possible states S
Upper bound U
Reachable states R
Lower bound L
Bound reachable observable states R
–predicate abstraction
–modal transition systems
–|L| / |U| defines “goodness” of abstraction
Test generation using L
Increase |L| / |U| ratio

Overview Upper and lower bounds Example Test case generation Refinement Discussion Conclusions

Predicate Abstraction of Infinite-state Systems
–Graf & Saïdi, CAV ’97
–Abstract Interpretation, Cousot & Cousot ’77
Idea
–Given set of predicates P = { P1, …, Pk }
  Formulas describing properties of system state
Abstract State Space
–Set of abstract Boolean variables B = { b1, …, bk }
  bi = true represents the set of states where Pi holds

Modal Transitions [Larsen]
(diagram: abstract transition a → a’ over the concrete relation MC and the abstract relation MA, in four variants)
may
total
total & onto
onto

Predicate Abstraction
if Q  SP(P,s) then (P,Q)  onto
if P  WP(s,Q) then (P,Q)  may
if P  WP(s,Q) then (P,Q)  total
(diagrams relating P, Q, SP(P,s) and WP(s,Q))

Example

Upper Bound: May-Reachability
(diagram: abstract states a, b, c connected by may transitions)

Lower Bound
(diagram: abstract states a, b, c, d connected by may, total and onto transitions)

Overview Upper and lower bounds Example Test case generation Refinement Discussion Conclusions

Example
void partition(int a[]) {
  assume(a.length>2);
  int pivot = a[0];
  int lo = 1;
  int hi = a.length-1;
  while (lo<=hi) {
    while (a[lo]<=pivot) lo++;   // bug: no lo<=hi guard, so lo can run past the end of a
    while (a[hi]>pivot) hi--;
    if (lo<hi) swap(a,lo,hi);
  }
}

Observation Vector [ lo<hi, lo<=hi, a[lo]<=pivot, a[hi]>pivot ]
lo<hi implies lo<=hi
when lo=hi, a[lo]<=pivot and a[hi]>pivot are negations of each other
Only 10/16 observations possible

13 labels × 10 observations = 130 observable states
But, program constrains reachable observable states greatly.
void partition(int a[]) {
  assume(a.length>2);
  int pivot = a[0];
  int lo = 1;
  int hi = a.length-1;
L0: while (lo<=hi) {
L1:   ;
L2:   while (a[lo]<=pivot) {
L3:     lo++;
L4:     ; }
L5:   while (a[hi]>pivot) {
L6:     hi--;
L7:     ; }
L8:   if (lo<hi) {
L9:     swap(a,lo,hi);
LA:     ; }
LB:   ; }
LC: ;
}

Overview Upper and lower bounds Example Test case generation Refinement Discussion Conclusions

Test Generation
DFS of lower bound generates covering set of paths
Symbolically execute paths to generate tests
Run program on tests to find errors and compute coverage of observable states

{ 0,-7,-8 }

Array bounds violations
Generated Inputs
(L0:TTTT,L4:FTFT)  { 0,-8,1 }
(L0:TTTT,L4:TTFT)  { 0,-8,2,1 }
(L0:TTTT,L4:TTTT)  { 0,-8,-8,1 }
(L0:TTTF,L4:TTFF)  { 1,-7,3,0 }
(L0:TTTF,L4:FTTF)  { 0,-7,-8 }
(L0:TTTF,L4:TTTF)  { 1,-7,-7,0 }
(L0:TTFT,L7:TTFF)  { 0,2,-8,1 }
(L0:TTFT,L7:FTFT)  { 0,1,2 }
(L0:TTFT,L7:TTFT)  { 0,3,1,2 }
(L0:TTFF,L0:TTTT)  { 1,2,-1,0 }
void partition(int a[]) {
  assume(a.length>2);
  int pivot = a[0];
  int lo = 1;
  int hi = a.length-1;
L0: while (lo<=hi) {
L1:   ;
L2:   while (a[lo]<=pivot) {
L3:     lo++;
L4:     ; }
L5:   while (a[hi]>pivot) {
L6:     hi--;
L7:     ; }
L8:   if (lo<hi) {
L9:     swap(a,lo,hi);
LA:     ; }
LB:   ; }
LC: ;
}
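
To make the generated-inputs table concrete, the following is an added example, not code from the slides or from Ball's work: a Python instrumentation of the partition function that records observable states (label, predicate vector) while the slide's ten inputs run, and reports which inputs trigger the array bounds violation in the buggy version and none in the corrected one. It assumes the observation vector [lo<hi, lo<=hi, a[lo]<=pivot, a[hi]>pivot] (the four conditions the program tests, consistent with the TTTF-style bits in the table) and records states only at a subset of the labels (L0, L4, L7, L8, LB, LC), so its state counts are not the U/L/Tested figures on the Results slide.

```python
# Added example (not part of Ball's slides): instrument the partition
# function, record observable states (label, predicate vector) while
# running the slide's generated inputs, and report which inputs trigger
# the array bounds violation.
# Assumed observation vector: [lo<hi, lo<=hi, a[lo]<=pivot, a[hi]>pivot].

PREDICATES = ("lo<hi", "lo<=hi", "a[lo]<=pivot", "a[hi]>pivot")


def observe(a, lo, hi, pivot):
    """Evaluate the predicate vector at a program point. A predicate that
    would index outside the array is reported as None instead of being
    read, so the instrumentation itself never hides or causes a bounds error."""
    in_lo = 0 <= lo < len(a)
    in_hi = 0 <= hi < len(a)
    return (lo < hi,
            lo <= hi,
            a[lo] <= pivot if in_lo else None,
            a[hi] > pivot if in_hi else None)


def partition(a, fixed=False, trace=None):
    """Partition from the slides. fixed=False keeps the buggy inner loop
    (no lo<=hi guard, so lo can run past the end of a); fixed=True adds
    the guard from the 'Corrected Program' slide. Observable states are
    added to `trace` at labels L0, L4, L7, L8, LB and LC (a subset)."""
    assert len(a) > 2                      # assume(a.length>2)
    pivot, lo, hi = a[0], 1, len(a) - 1

    def at(label):
        if trace is not None:
            trace.add((label, observe(a, lo, hi, pivot)))

    at("L0")
    while lo <= hi:
        # The buggy form reads a[lo] unconditionally; where C would read
        # past the buffer, Python raises IndexError, which we treat as the
        # bounds violation.
        while (fixed is False or lo <= hi) and a[lo] <= pivot:
            lo += 1
            at("L4")
        while a[hi] > pivot:               # a[0] == pivot keeps hi >= 0
            hi -= 1
            at("L7")
        at("L8")
        if lo < hi:
            a[lo], a[hi] = a[hi], a[lo]    # swap(a,lo,hi)
        at("LB")
    at("LC")
    return a


def run_tests(inputs, fixed=False):
    """Run each input; return (set of observable states reached, list of
    inputs that raised an out-of-bounds access, in input order)."""
    states, violations = set(), []
    for a in inputs:
        trace = set()
        try:
            partition(list(a), fixed=fixed, trace=trace)
        except IndexError:
            violations.append(tuple(a))
        states |= trace                    # keep states reached before a crash
    return states, violations


# Generated inputs copied from the slide's table.
SLIDE_INPUTS = [
    (0, -8, 1), (0, -8, 2, 1), (0, -8, -8, 1), (1, -7, 3, 0), (0, -7, -8),
    (1, -7, -7, 0), (0, 2, -8, 1), (0, 1, 2), (0, 3, 1, 2), (1, 2, -1, 0),
]

if __name__ == "__main__":
    for fixed in (False, True):
        states, violations = run_tests(SLIDE_INPUTS, fixed=fixed)
        print(f"fixed={fixed}: {len(states)} observable states reached, "
              f"bounds violations on {violations}")
```

Running it shows the point of the slide: the inputs { 0,-7,-8 } and { 1,-7,-7,0 } (every element after a[0] at or below the pivot) drive lo off the end of the array in the buggy version, while the guarded version finishes on all ten inputs and still reaches the L0 state TTTF that the table lists for { 0,-7,-8 }.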

Results
Buggy partition function
–U=49, L=43, Tested=42
Fixed partition function
–U=56, L=37, Tested=43
What about the remaining 13 states?

Overview Upper and lower bounds Example Test case generation Refinement Discussion Conclusions

Refinement

New Observation Vector
[ lo<hi, lo<=hi, lo=hi+1, a[lo] pivot, a[lo-1] pivot ]
Only 48/128 observations possible
For this set of predicates, L = U

Overview Upper and lower bounds Example Test case generation Refinement Discussion Conclusions

Discussion
Comparison to bisimulation
Completeness of abstractions
Related work

Bisimulation

Abstraction Completeness

Related Work
Predicate abstraction
Modal transition systems
Abstraction-guided test generation
Symbolic execution/constraint satisfaction
Test coverage criteria

PCT Coverage does not imply Path Coverage
L1: if (x<0)
L2:   skip;
    else
L3:   x = -2;
L4: x = x + 1;
L5: if (x<0)
L6:   A;

Path Coverage does not imply PCT Coverage
L1: if (p)
L2:   if (q)
L3:     x=0;
L4: y=p+q;
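
The two slides above state that PCT coverage and path coverage are incomparable; the following added example (not code from the slides) measures both criteria side by side on those two programs. It executes each program over a bounded input domain to enumerate reachable observable states and feasible paths, which is an assumption standing in for the abstraction-based bounds, and then runs a constructed test set: two inputs for the first program that cover every reachable observable state but only two of its three feasible paths, and three inputs for the second that cover every path but miss the observable states where p is false and q is true.

```python
# Added example (not part of Ball's slides): predicate-complete (observable
# state) coverage versus path coverage on the two small programs from the
# slides. Labels are the slides' L1..L6; the observed predicates are those
# the programs branch on.
from itertools import product


def prog_a(x, trace):
    """L1: if (x<0) L2: skip; else L3: x = -2; L4: x = x + 1; L5: if (x<0) L6: A;
    The single predicate x<0 is observed at every label; returns the path taken."""
    path = []

    def at(label):
        path.append(label)
        trace.add((label, x < 0))

    at("L1")
    if x < 0:
        at("L2")
    else:
        at("L3")
        x = -2
    at("L4")
    x = x + 1
    at("L5")
    if x < 0:
        at("L6")
    return tuple(path)


def prog_b(p, q, trace):
    """L1: if (p) L2: if (q) L3: x = 0; L4: y = p + q;
    Predicates p and q are observed at every label; returns the path taken."""
    path = []

    def at(label):
        path.append(label)
        trace.add((label, (p, q)))

    at("L1")
    if p:
        at("L2")
        if q:
            at("L3")
            x = 0
    at("L4")
    y = p + q
    return tuple(path)


def coverage(prog, domain, tests):
    """Return ((covered states, reachable states), (covered paths, feasible paths)).
    Reachable states and feasible paths come from exhaustive execution over
    the bounded domain (an approximation of the real reachable set)."""
    reachable, feasible = set(), set()
    for inp in domain:
        feasible.add(prog(*inp, reachable))
    covered_states, covered_paths = set(), set()
    for inp in tests:
        covered_paths.add(prog(*inp, covered_states))
    return (covered_states, reachable), (covered_paths, feasible)


def summarize(prog, domain, tests):
    """Counts as (covered, total) for PCT coverage and for path coverage."""
    (cs, rs), (cp, fp) = coverage(prog, domain, tests)
    assert cs <= rs and cp <= fp           # tests must lie inside the domain
    return {"pct": (len(cs), len(rs)), "path": (len(cp), len(fp))}


# Constructed domains and test sets.
DOMAIN_A = [(x,) for x in range(-5, 6)]
TESTS_A = [(-1,), (0,)]                     # misses the path x<=-2: L1,L2,L4,L5,L6
DOMAIN_B = list(product((False, True), repeat=2))
TESTS_B = [(True, True), (True, False), (False, False)]   # one input per feasible path

if __name__ == "__main__":
    print("prog_a:", summarize(prog_a, DOMAIN_A, TESTS_A))  # PCT 8/8, paths 2/3
    print("prog_b:", summarize(prog_b, DOMAIN_B, TESTS_B))  # PCT 9/11, paths 3/3
```

For the first program the predicate x<0 cannot distinguish x=-2 from x=-1 at L4 (both observe True), which is exactly why a state-based criterion can be complete while a feasible path stays untested; for the second, the path that skips L2 is feasible with q either true or false, so one test per path leaves the (p=false, q=true) observations at L1 and L4 uncovered.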

Conclusions
PCT coverage
–new form of state-based coverage
–similar to path coverage but finite
Upper and lower bounds
–computed using predicate abstraction and modal transitions
–use lower bound to guide test generation
–refine bounds