Software Testing – Lecture #2 Thomas Ball with material from M. Young, A. Memon and MSR’s FSE group.

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Partial Order Reduction: Main Idea

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

Abstraction for Falsification Thomas Ball Orna Kupferman Greta Yorsh Microsoft Research, Redmond, US Hebrew University, Jerusalem, Israel Tel Aviv University,

ADT Stacks and Queues. Stack: Logical Level “An ordered group of homogeneous items or elements in which items are added and removed from only one end.”

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

Predicate Complete Testing * Thomas Ball * Thomas Ball, A Theory of Predicate-Complete Test Coverage and Generation, Technical Report MSR-TR ,

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.

A Theory of Predicate-complete Test Coverage and Generation Thomas Ball Testing, Verification and Measurement Microsoft Research FMCO Symposium November.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Synergy: A New Algorithm for Property Checking

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Penn ESE 535 Spring DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.

Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.

Probabilistic Verification of Discrete Event Systems Håkan L. S. Younes.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

April 20, 2006 Model Program Based Black-Box Testing, Lentedagen, Vught, The Netherlands 1 Model Program Based Black-Box Testing Margus Veanes Foundations.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

Fundamentals of Python: From First Programs Through Data Structures

Formal Techniques for Verification Using SystemC By Nasir Mahmood.

Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Software Systems Verification and Validation Laboratory Assignment 3

Fundamentals of Python: First Programs

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CMSC 345 Fall 2000 Unit Testing. The testing process.

Overview of Software Testing 07/12/2013 WISTPC 2013 Peter Clarke.

Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

Dynamic Analysis of Multithreaded Java Programs Dr. Abhik Roychoudhury National University of Singapore.

Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.

Microsoft Research, Foundations of Software EngineeringW. Grieskamp et. al: Behavioral Compositions in Symbolic Domains Behavioral Composition in Symbolic.

1 Generating FSMs from Abstract State Machines Wolfgang Grieskamp Yuri Gurevich Wolfram Schulte Margus Veanes Foundations of Software Engineering Microsoft.

CALTECH CS137 Spring DeHon CS137: Electronic Design Automation Day 9: May 6, 2002 FSM Equivalence Checking.

Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,

Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.

Java Basics Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.

Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)

1. Black Box Testing  Black box testing is also called functional testing  Black box testing ignores the internal mechanism of a system or component.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.

CS223: Software Engineering Lecture 26: Software Testing.

Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

A Review of Software Testing - P. David Coward

Software Testing.

Input Space Partition Testing CS 4501 / 6501 Software Testing

Simulation based verification: coverage

Graph Coverage for Specifications CS 4501 / 6501 Software Testing

UNIT-4 BLACKBOX AND WHITEBOX TESTING

Software Testing (Lecture 11-a)

Graph Coverage for Specifications CS 4501 / 6501 Software Testing

Predicate Abstraction

UNIT-4 BLACKBOX AND WHITEBOX TESTING

Presentation transcript:

Software Testing – Lecture #2 Thomas Ball with material from M. Young, A. Memon and MSR’s FSE group

Testing - The Story So Far

Two Threads Specification-based test generation –Foundations of Software Engineering Implementation-based test generation –Testing, Verification and Measurement Unifying Themes – create finite-state systems from infinite-state systems via predicates – use finite-state algorithms to guide test generation

Specification-based Testing What does this API do? –Executable spec prescribes potential behavior Where do concrete tests come from? –Explore behavior of spec, generate test strategies Does a test execution succeed or fail? –Use spec as oracle for runtime verification How do we know when we’re done testing? –Cover spec (and implementation) What do we know when we’re done testing? –Model and implementation agree!

4 Steps to Testing Heaven –Modeling define infinite transition system –Exploration reduce to finite test graph –Gaming generate test strategies –Monitoring verify conformance

Example: Alternating Bit Protocol This protocol works on the producer-consumer model. Producer wants to send messages in a reliable manner to a consumer through unreliable channel

1 st Step: Model the Infinite Transition System Describe (transition system in Spec# of) all possible runs of ABP Types –Msg, Ack State –Bitstatus, … Controllable action –Send Observable events: –Receive –Lose Msg –Lose Ack s0s0 s1s1 s0s0 s2s2 s3s3 s4s4 s5s5 s3s3 s2s2 s6s6 Send ?LoseMsg ?Receive ?LoseAck Send ?LoseMsg ?Receive ?Timeout Send

ABP: Data Structures class DataMsg {// Message readonly Data data; readonly bool bit; } class Ack {// Acknowledgement readonly bool bit; }

ABP: State bool SenderBit = true; int SenderRecordNr = 0; Ack SenderInbox = null; DataMsg ReceiverInbox = null; bool ReceiverBit = true; Seq ReceivedFile=Seq{}; Sends Message Returns Ack

ABP: Transitions void Send () { require AcknowledgmentArrived() || Timeout(); if(AcknowledgmentArrived()) { if(AcknowledgmentHasTheRightBit()) { ReceiverInbox = DataMsg(SenderRecordNr + 1, !SenderBit); SenderRecordNr += 1; SenderBit = !SenderBit; } SenderInbox = null; } else if(Timeout()) { ReceiverInbox = DataMsg(SenderRecordNr, SenderBit); }} Enabling Condition State change

ABP: Modeling Demo Show model in SpecExplorer Simulate as a console application

2 nd Step: Finitize the Model Generate “all” possible behaviors (test graph): –At each state, execute any enabled method with any allowed argument values –Nondeterministic choice from enabled method explores possible interleavings Control the search, using –Finite unfolding –Stochastic means –User provided predicate abstractions [ISSTA 2002] This generates a test graph

User provided predicate abstraction Tree can be pruned, if an equivalent state has already been visited Example: Generate an FSM from a stack specification. Observation property: stack.IsEmpty() [0,0] Push(0) true false Push(1) Push(0) Top() Pop() [] Push(0) [0] Pop() Top() Pop() Push(1) [1,0] Top()

Test graph A test graph G is a directed graph s.t. there are two kinds of vertices in G: –states –choice points (CP) every edge e has a prob. p(e) s.t. for every CP u ∑{p(e): source of e = u}=1, there is a non-negative cost function c defined on edges state vertex p=0.3 c=1 p=0.7 c=2 CP vertex c=1

ABP: Modeling Demo Explorer options

3 rd Step: Generate Test Strategies  Cover all edges of the test graph (edge coverage)  Reach certain goal states in the test graph (reachability game) [ISSTA 2004] 1.With maximal probability and minimal cost 2.With full certainty and minimal cost

Edge Coverage Strategy 1.Produce a tour of the edges in the graph (e.g. Chinese Postman tour) 2.Divide the tour into segments starting and ending at choice points 3.At a choice point IUT selects an edge e and TT chooses randomly any segment s starting from e and follows s until the end (s ends in a choice point).

Edge Coverage Example The tour is [e8,e2,e1,e5,e7, e9,e4,e3,e6,e7] The segments are: [e8,e2,e1,e5,e7] [e9,e4,e3,e6,e7] s1 e1 e2 e4 e3 e9 e8 e7 e5 e6

4 th Step: Execute Tests and Verify Results Define conformance notion: Probes Rewrite the IUT to insert call backs into model Specify upper bounds on number of repetitions

Probes Given an abstract domain X A probe P m is a function from model states to X A probe P i is a function from implementation states to X Model state A and impl state B conform wrt the pair of probes (P m, P i ) if P m (A) = P i (B) Different probes may be enabled at different states A1A1 A2A2 B1B1 B2B2 B4B4 B3B3 B5B5 A3A3 P1mP1m P1iP1i X P2mP2m P2iP2i

IUT Model Event Buffering During conformance testing all events are buffered in an unbounded queue All enabled probes are checked at every state e1 Events e2 a1 Action Calls s0 s4 s1 s2 s3 a1 e1e2 a2 t0 t2 t1 a1’ (P1m,P1i)(P1m,P1i) e1’ (P2m,P2i)(P2m,P2i)

ABP Demo Test sequence generation Conformance testing

Experience Modeling for Testing –Models are created by testers, not designers –Models are based on informal specs, not impl. –Models are not comprehensive, only issues Several projects –Web services, Passport, Mediaplayer, Distributed File replication system –Models up to 100 pages More than 50 people are using it on a daily basis, steep uptake

More Info Public release of Spec# this Summer Contact if you would like to know more or are interested in a summer internship in Consider submitting something for ICFEM M2004

MSIL Unit Test Tool a hybrid helper Goal capture developer knowledge ASAP via a strong set of unit tests to form a specification of the code’s behavior How –generate tests based on analysis of MSIL –symbolic execution + constraint satisfaction –runtime analysis to check complicated invariants Facets –complements specification-based test generation –positive feedback cycle with programmer

What criteria should guide unit test generation?

Predicate-complete Testing Predicates –relational expression such as (x<0) –the expression (x 0) has two predicates –predicates come from program and safe runtime semantics Consider a program with m statements and n predicates –predicates partition input domain –m x 2 n possible observable states S Goal of Predicate-complete Testing: –cover all reachable observable states R  S

PCT Coverage L2: if (A || B) S else T L3: if (C || D) U else V PCT requires covering all logical combinations over {A,B,C,D} at –L2 and L3 –S, T, U and V Some combinations may not be reachable

PCT Coverage does not imply Path Coverage L1: if (x<0) L2: skip; else L3: x = -2; L4: x = x + 1; L5: if (x<0) L6: A;

PCT Coverage does not imply Path Coverage L1: if (x<0) L2: skip; else L3: x = -2; L4: x = x + 1; L5: if (x<0) L6: A;

PCT Coverage does not imply Path Coverage L1: if (x<0) L2: skip; else L3: x = -2; L4: x = x + 1; L5: if (x<0) L6: A;

PCT Coverage does not imply Path Coverage L1: if (x<0) L2: skip; else L3: x = -2; L4: x = x + 1; L5: if (x<0) L6: A;

L1: if (p) L2: if (q) L3: x=0; L4: y=p+q; Path Coverage does not imply PCT Coverage

L1: if (p) L2: if (q) L3: x=0; L4: y=p+q; Path Coverage does not imply PCT Coverage

Denominator Problem Coverage metrics require a denominator –e.g. statements executed / total statements Easy to define for observable states –executed observable states / (m x 2 n ) But (m x 2 n ) is not a very good denominator! –most observable states will not be reachable –R <<< S

Upper and Lower Bounds m x 2 n possible states S Upper bound U Reachable states R Lower bound L Bound reachable observable states – modal transition systems and predicate abstraction – |L| / |U| defines “goodness” of abstraction Test generation using lower bound L Refinement to increase |L| / |U| ratio

a a’ may MCMC MAMA   a a’ total MCMC MAMA   a a’ total & onto   a a’ onto   Abstraction Construction

Upper Bound: May-Reachability a b c may a b c

Upper Bound: May-Reachability a b c may a b c

c d total a b onto Pessimistic Lower Bound may

c d a b Pessimistic Lower Bound may onto total

c d a b Pessimistic Lower Bound may onto total

void partition(int a[]) { assume(a.length()>2); int pivot = a[0]; int lo = 1; int hi = a.length()-1; while (lo<=hi) { while (a[lo]<=pivot) lo++; while (a[hi]>pivot) hi--; if (lo<hi) swap(a,lo,hi); } Example void partition(int a[]) { assume(a.length()>2); int pivot = a[0]; int lo = 1; int hi = a.length()-1; while (lo<=hi) { while (a[lo]<=pivot) lo++; while (a[hi]>pivot) hi--; if (lo<hi) swap(a,lo,hi); }

Observation Vector [ lo pivot ] lo<hi  lo<=hi  lo pivot)  (  a[lo] pivot) Only 10/16 observations possible

13 labels x 10 observations = 130 observable states But, program constrains reachable observable states greatly. void partition(int a[]) { assume(a.length()>2); int pivot = a[0]; int lo = 1; int hi = a.length()-1; L0: while (lo<=hi) { L1: ; L2: while (a[lo]<=pivot) { L3: lo++; L4: ;} L5: while (a[hi]>pivot) { L6: hi--; L7: ;} L8: if (lo<hi) { L9: swap(a,lo,hi); LA: ;} LB: ;} LC: ; }

void partition() { decl lt, le, al, ah; enforce ( (lt=>le) & ((!lt&le)=>(al&!ah)|(!al&ah)) ); lt,le,al,ah := T,T,*,*; L0: while (le) { L1: ; L2: while (al) { L3: lt,le,al := (!lt ? F:*), lt, *; L4: ;} L5: while (ah) { L6: lt,le,ah := (!lt ? F:*), lt, *; L7: ;} L8: if (lt) { L9: al,ah := !ah,!al; LA: ;} LB: ;} LC: ; } Boolean Program

State Space of Boolean Program Upper Bound = 49 states [ lo pivot ]

plaintext

Test Generation DFS of L p generates covering set of paths Symbolically execute paths to generate tests Run program on tests to find errors and compute coverage of observable states

Array bounds violations Generated Inputs (L0:TTTT,L4:FTFT) { 0,-8,1 } (L0:TTTT,L4:TTFT) { 0,-8,2,1 } (L0:TTTT,L4:TTTT) { 0,-8,-8,1 } (L0:TTTF,L4:TTFF) { 1,-7,3,0 } (L0:TTTF,L4:FTTF) { 0,-7,-8 } (L0:TTTF,L4:TTTF) { 1,-7,-7,0 } (L0:TTFT,L7:TTFF) { 0,2,-8,1 } (L0:TTFT,L7:FTFT) { 0,1,2 } (L0:TTFT,L7:TTFT){ 0,3,1,2 } (L0:TTFF,L0:TTTT) { 1,2,-1,0 } void partition(int a[]) { assume(a.length()>2); int pivot = a[0]; int lo = 1; int hi = a.length()-1; L0: while (lo<=hi) { L1: ; L2: while (a[lo]<=pivot) { L3: lo++; L4: ;} L5: while (a[hi]>pivot) { L6: hi--; L7: ;} L8: if (lo<hi) { L9: swap(a,lo,hi); LA: ;} LB: ;} LC: ; }

Results Buggy partition function –U=49, L=43, Tested=42 Fixed partition function –U=56, L=37, Tested=43 What about the remaining 13 states?

Refinement

New Observation Vector [ lo<hi, lo<=hi, lo=hi+1, a[lo] pivot, a[lo-1] pivot ] Only 48/128 observations possible For this set of predicates, L p = U

Conclusions PCT coverage –new form of state-based coverage –similar to path coverage but finite Upper and lower bounds –computed using predicate abstraction and modal transitions –use lower bound to guide test generation –refine bounds