Applying Dynamic Analysis to Test Corner Cases First
Penka Vassileva Markova, Madanlal Musuvathi



Motivation
- Many systems can be modeled as state machines that interact with each other, e.g. networking protocols
- Subtle bugs in such systems involve sequences of rare corner cases:
  - A TCP implementation in the FIN-WAIT state, on receiving a retransmitted FIN packet, sends an ACK with a corrupted checksum.
  - AODV, on receiving a RERR packet out of order, just after a link failure, leads to a routing loop.
- Conventional testing misses these errors
- Such errors are difficult to detect using static analyses

Explicit State Enumeration
- Explicit state enumeration is a promising approach to test such systems.
  - It systematically explores the entire state space of the system.
  - Better than "brute force" testing, as it visits each system state only once
  - Usually runs out of resources before it terminates
  - The trick is to guide the search to interesting parts of the state space
- Our proposal:
  - Use dynamic analyses to detect corner cases
  - Search corner cases first

CMC – A C Model Checker
- CMC is an explicit state enumerator
- Runs C code directly
  - State consists of the variables in the program
    - The current implementation restricts state to global and heap variables.
  - State transitions are performed by transferring control to different points in the C code.
    - The current implementation requires each transition to be performed by a handler function in the code
- By executing code, CMC is able to handle implementation errors as well as protocol errors.
- It is sound: no false positives

An Example
[Figure: state-transition diagram. Each state is a (Client, Server, Network) triple, including (Closed, Listen, empty), (SynSent, Listen, SYN), (SynSent, Listen, empty) and (SynSent, SynRcv, SYN-ACK). Edges are labelled Client Connect, Pkt Loss, Pkt Recv and Retransmit.]
- State transitions are performed by the actual C code

Fundamental Problem
- Real systems have an infinite or large state space
- Memory (not time) is the key bottleneck
  - Need to maintain a queue of unexplored states
  - Each state can be as huge as 10K
- Partial solutions are available
- However, prioritizing the state search is essential
  - Visit interesting states before running out of resources
  - Can flush out low-priority states to the disk

Prioritizing the State Search
- Idea
  - Gather information from the runs that have been executed
  - Use this information to rank how interesting the states generated from the current run are
- Techniques:
  - Track values and simple invariants
  - Look for complex "invariants"
  - Path profiling

Values and simple invariants
- Tracking values and simple invariants:
  - Inspiration: DIDUCE
  - On-line detection
  - Look at simple invariants, relax after a counterexample
- One heuristic: at the exit point, track the variables that are in the state
  - Observation so far: get saturated very fast
- Use knowledge of the code or algorithm with heuristics to choose other expressions of interest
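The ranking described in "Prioritizing the State Search" and "Values and simple invariants", as an added example that is not code from the slides or from CMC. It enumerates a toy handshake modeled on the (Client, Server, Network) example, once in FIFO order and once with states ranked by how many DIDUCE-style value invariants they violate. The handler set, `MAX_RETX`, the `BAD` marker and the planted defect are all constructed assumptions.

```python
import heapq

MAX_RETX = 4                          # constructed retransmission limit
INIT = ("CLOSED", "LISTEN", "-", 0)   # (client, server, packet in flight, retransmits)

def successors(state):
    """Handlers of a toy handshake; the network holds one packet at a time."""
    c, s, net, retx = state
    out = []
    if c == "CLOSED":                                  # client connect
        out.append(("SYN_SENT", s, "SYN", retx))
    if net != "-":                                     # packet loss
        out.append((c, s, "-", retx))
    if c == "SYN_SENT" and retx < MAX_RETX:            # retransmit timer fires
        out.append((c, s, "SYN", retx + 1))
    if net == "SYN" and s in ("LISTEN", "SYN_RCVD"):   # server receives SYN
        # Planted defect: the last permitted retransmit reaches a fresh listener.
        bad = s == "LISTEN" and retx == MAX_RETX
        out.append((c, "BAD" if bad else "SYN_RCVD", "SYN-ACK", retx))
    if net == "SYN-ACK" and c == "SYN_SENT":           # client receives SYN-ACK
        out.append(("ESTAB", s, "ACK", retx))
    if net == "ACK" and s == "SYN_RCVD":               # server receives ACK
        out.append((c, "ESTAB", "-", retx))
    return out

def explore(guided):
    """Visit each state once; return how many were expanded before the defect."""
    seen_values = [{v} for v in INIT]   # per-variable invariant: value is in this set
    visited = {INIT}
    frontier = [(0, 0, INIT)]           # (priority, insertion order, state)
    expanded = tick = 0
    while frontier:
        _, _, state = heapq.heappop(frontier)
        expanded += 1
        for nxt in successors(state):
            if nxt in visited:
                continue
            visited.add(nxt)
            if nxt[1] == "BAD":
                return expanded
            # Rank by the number of invariants violated, then relax them.
            novelty = sum(v not in seen for v, seen in zip(nxt, seen_values))
            for v, seen in zip(nxt, seen_values):
                seen.add(v)
            tick += 1
            heapq.heappush(frontier, (-novelty if guided else 0, tick, nxt))
    return None

if __name__ == "__main__":
    print("FIFO order:", explore(guided=False), "states expanded")
    print("corner cases first:", explore(guided=True), "states expanded")
```

Once every value has been seen, all scores drop to zero and the ranked search degrades to FIFO order, which is the saturation the slide reports.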

Complex Invariants
- More complex relationships between variables
  - a>b may be more important for the output than the exact values of a or b.
- Inspiration: Daikon
- Overhead management
  - Analyze the collected information in intervals
    - Observation: the number of bugs found goes down with time, so after the first stages it is worth spending the time to analyze such information
  - Only look at some of the possible invariants at a time
    - Use static analysis or heuristics to suggest more interesting invariants to gather information on
    - After invalidating most of the current invariants, can add a new set to track and give it a lower confidence degree
- Side effect: can suggest real invariants
  - But should reflect intervals on confidence level

Profiling
- Path/edge profiling
  - Observation: code coverage matters
  - Keep track of which branches/paths of the program have been taken more often than others
  - Use existing profiling techniques

Challenges and Future Work
- Challenges
  - Memory management
  - Scaling
  - Picking the right heuristics
  - Evaluating which heuristics are more useful
- Future work
  - Look into more complicated protocols
  - Can we guide the generation of the test set?
    - Intuition: executing the code at least once is probably good
    - Unless it was the assert(false) case
    - Try to find a counterexample and a test case that gets to this code?

Related Work
- Diduce
- Daikon
- JavaPathfinder
  - Uses a thread-interleaving heuristic to model-check
- A lot of work on profiling
- A lot of model checking work