DySy: Dynamic Symbolic Execution for Invariant Inference

Authors Christoph Csallner Nikolai Tillmann Yannis Smaragdakis

Christoph Csallner College of Computing, Georgia Tech Research interest :Software engineering, especially in program analysis and automated testing Other papers: 1.Combining static and dynamic reasoning for bug detection(TAP 2007) 2.Combining over- and under-approximating program analyses for automatic software testing

C&Y ’ s papers Dynamically discovering likely interface invariants ICSE 2006 Check 'n' crash: combining static checking and testing ICSE 2005 Yannis Smaragdakis

Nikolai Tillmann Microsoft Research Leader of project Pex Papers: 1.Pex-White Box Test Generation for.NET(TAP 2008) 2. Unit Tests Reloaded: Parameterized Unit Testing with Symbolic Execution. IEEE Software(4): (2006)

Yannis Smaragdakis Associate Professor, Department of Computer Science, University of Massachusetts, Amherst Research:Applied programming languages and software engineering Papers: 1.C&Y ’ s papers 2. Exception Analysis and Points-To Analysis: Better Together(ISSTA'09)

Background Dynamic Invariant Inference: Daikon Sybolic execution Pex

Invariant a predicate is called an invariant to a sequence of operation if the predicate always evaluates at the end of the sequence to the same value than before starting the sequence Example:MU puzzleMU puzzle

The puzzle: 1.If a string ends with an I, a U may be appended (xI → xIU) 2.Any string after an M may be completely duplicated (Mx → Mxx) 3.Any three consecutive Is (III) may be replaced with a single U (xIIIy → xUy) 4.And two consecutive Us may be removed (xUUy → xy) Is it possible to convert MI into MU using these four transformation rules only? Invariant

Daikon The first and most mature dynamic invariant inference tool. Daikon tracks a program's variables during execution and generalizes the observed behavior to invariants by variant relation models. Relation model exmaples: Constant value (x= a, or x > 0), Linear relationships (y == a*x + b), Ordering (x <= y) and Membership

Symbolic execution Symbolic Execution and Program Testing 1975 by James King. the analysis of programs by tracking symbolic rather than actual values Path condition(pc): A precondition for a program path

Simple example 1.y = read() 2.y = 2 * y 3.if (y == 12) 4.fails() 5.print("OK")

Pex a dynamic analysis and test generation framework for.NET, developed by the Foundations of Software Engineering group at Microsoft Research shadow interpreter Relation between DySy and Pex.

Overview Basic idea Implementation details Abstraction for Loops

Basic idea 1.For one test suite. Take pc as precondition. Take the conduction rule from precondition to return value of a method as postcondition 2.Repeat 1 for all test suites. 3.Combine all precondition by disjunction, and all postcondition by conjunction.

example public Object top() { if(Empty) return null; return theArray[topOfStack]; } Two test suites: 1. Empty == true 2. Empty == false && topOfStack >= 0 && topOfStack < theArray.Length

Example(2) Conbined precondition: Empty == true ||(Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) Combined postcondition: Empty == true ==> (\result == null) and (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) ==> (\result == theArray[topOfStack])

Implementation details Usage of Pex Handling nested method calls Abstraction for Loops

Usage of Pex For the duration of each method call, DySy registers a separate interpreter with Pex's monitoring framework.

Nested calls DySy builds a set of quadruples (method, pathCondition, result, finalState) to represent methods as it monitors the program

Abstraction for Loops Traditional method : Record preconditions for every cycle. precise but useless, causing heavy overhead

Abstraction for Loops heuristic method : 1.Loop variants are treated as inputs(symbol) 2.Loop conditions are ignored, except that the loop body is not entered. 3.Only latest value of loop variants are recorded.

example public int linSearch(int ele, int[] arr) { if (arr == null) throw new ArgumentException(); for (int i = 0; i < arr.Length; i++) { if (ele == arr[i]) return i; } return -1; }

Program state arr != null && ($i = 0 || $i = 0 ) public int linSearch(int ele, int[] arr) { if (arr == null) throw new ArgumentException(); for (int i = 0; i < arr.Length; i++) { if (ele == arr[i]) return i; } return -1; }

Simplified program state !(ele == arr[$i]) ==> \result == -1 || ele == arr[$i] ==> \result == $i

evaluation Test code: StackAr: an example program originally by Weiss Overhead: DySy: 28seconds Daikon: 9seconds

Thank you!