Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707.

Published byPrimrose Hines Modified over 9 years ago

Similar presentations

Presentation on theme: "Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707."— Presentation transcript:

1 Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707

2 Overview Introduction to symbolic execution o Test generation using dynamic symbolic execution Path explosion problem o NP-complete problem o Greedy algorithm: fitness guided exploration String constraint solver o Hampi: Context free grammar Symbolic Grammar o Context free grammar

3 Symbolic Execution Symbolic execution is the analysis of programs by tracking symbolic rather than actual values. Symbolic execution is used to reason about all the inputs that take the same execution path through a program. int main(int y) { y = 2 * y; if (y == 4){ printf(“y == 4”); }else { printf(“y != 4”); } s 2 * s 2 * s == 4 Example:

4 4 void CoverMe(int[] a) { if (a == null) return; if (a.Length > 0) if (a[0] == 1234567890) throw new Exception("bug"); } a.Length>0 a[0]==123… T F T F F a==null T Constraints to solve a!=null a!=null && a.Length>0 a!=null && a.Length>0 && a[0]==123456890 Input null {} {0} {123…} Execute&Monitor Solve Choose next path Observed constraints a==null a!=null && !(a.Length>0) a==null && a.Length>0 && a[0]!=1234567890 a==null && a.Length>0 && a[0]==1234567890 Done: There is no path left. Slide from Pex group, Microsoft Research Dynamic Symbolic Execution (DSE) DSE is used to generate test inputs systematically

5 Path Explosion CFG (control flow graph) Each program under test could be modeled as CFG. To achieve 100% path coverage is in NPC.

6 Path Explosion Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; } TestLoop(0,{0})

7 Path Explosion Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; } TestLoop(90,{0})

8 Path Explosion Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; } TestLoop(90,{15})

9 Path Explosion Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; }

10 Path Explosion Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; }

11 Fitness Greedy algorithm: Fitness Guided Explosion Fitness Function: Measure the current state and the goal state. Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110)Fitness function: |110-x| return true; } return false; }

12 Fitness Public bool TestLoop(int x, int[] y){ if(x==90){ for(int i=0; i<y.length;i++) if(y[i]==15) x++; If(x==110) return true; } return false; }

13 String Constraint Solver Testing tools could be reduced to constraint generation phase and constraint solving phase. String constraint solvers are needed by testing string-manipulating programs o Web application Hampi

14 HAMPI

15 Input-Space Explosion Programs such as Parsers that accept string inputs Language of string inputs defined using context free grammars Generation of string inputs to achieve 100% branch coverage causes input-space explosion

16 Example The Grammar for SimpleCalc inputs is shown below:

17 SimpleCalc Example Boolean SimpleCalc (string str) { …. … }

18 Previous Approaches Exhaustive Enumeration Uses grammar and generates inputs exhaustively Number of valid strings for size six: 187,765,078 Dynamic Symbolic Execution Uses program source code and generates inputs Number of inputs generated: 248,523

19 Symbolic Grammar Uses both grammar and program source code (1) The Grammar for SimpleCalc inputs is shown below: (2) The Symbolic grammar for SimpleCalc inputs

20 Symbolic Grammar Use Exhaustive Enumeration on Symbolic Grammar and generate inputs Use dynamic symbolic execution for generating concrete values for symbolic values Number of inputs generated: 6,611

21

Download ppt "Symbolic Execution in Software Engineering By Xusheng Xiao Xi Ge Dayoung Lee Towards Partial fulfillment for Course 707."

Similar presentations

1 Automating the Generation of Mutation Tests Mike Papadakis and Nicos Malevris Department of Informatics Athens University of Economics and Business.

1 Automating the Generation of Mutation Tests Mike Papadakis and Nicos Malevris Department of Informatics Athens University of Economics and Business.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.

Automatic test case generation for programs that are coded against interfaces and annotations or use native code Mainul Islam Supervisor: Dr. Christoph.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.

Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.
Automation of Test Case Generation

Automation of Test Case Generation
Tao Xie University of Illinois at Urbana-Champaign Part of the research work described in this talk was done in collaboration with the Pex team (Nikolai.

Tao Xie University of Illinois at Urbana-Champaign Part of the research work described in this talk was done in collaboration with the Pex team (Nikolai.
Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.

Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Pexxxx White Box Test Generation for

Pexxxx White Box Test Generation for
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Data Dependence Based Testability Transformation in Automated Test Generation Presented by: Qi Zhang.

Data Dependence Based Testability Transformation in Automated Test Generation Presented by: Qi Zhang.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Crossword Puzzle Solver Michael Keefe. Solver structure.

Crossword Puzzle Solver Michael Keefe. Solver structure.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.

Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
Deep Dive into Pex How Pex works, implications for design of Code Hunt puzzles Nikolai Tillmann Principal Software Engineering Manager Microsoft, Redmond,

Deep Dive into Pex How Pex works, implications for design of Code Hunt puzzles Nikolai Tillmann Principal Software Engineering Manager Microsoft, Redmond,

Similar presentations

Ads by Google