Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Published byJemimah Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011."— Presentation transcript:

1 CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011

2 Testing if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert(false) } CSE 331 Autumn 2011 Visser, Pasareanu & Mehlitz Simple program – what do we want to know about it? Not a new question for us – let’s consider it with white- box testing

3 Control flow graph (CFG) x >? y x = x + y y = x – y x = x – y x >? y assert(false)end Can this statement ever be executed?

4 Edge coverage x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [x=0;y=1] [x=1;y=0] E dge ever taken? [x=1;y=1] [x=1;y=0] [x=0;y=1]

5 Symbolic execution [x=  ;y=  ] x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [  <=  ] [x=  +  ;y=  ] [x=  +  ;y=  ] [x=  ;y=  ]  >  ever here?

6 Symbolic execution x >? y x = x + y y = x – y x = x – y x >? y assert(false)end [  <=  ] [x=  +  ;y=  ] [x=  +  ;y=  ] [x=  ;y=  ] [  >  ]  <  here

7 if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert(false) } What’s really going on?  Create a symbolic execution tree  Explicitly track path conditions  Solve path conditions – “how do you get to this point in the execution tree?” – to define test inputs  Goal: define test inputs that reach all reachable statements CSE 331 Autumn 2011 7 [true] x = ,y =  [true]  >?  [  >  ] x =  +  [  >  ] x=  ;y=  [  >  ]  >?  [  >  &  >  ] “false” [  >  &  <=  ] end [  <=  ] end

8 int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} Another example (Sen and Agha) 8 [true] x = ,y =  [true] z = 2 *  [true] 2 *  ==?  [2 *  =  ]  >?  + 10 [2 *  =  &  >  + 10] error [2 *  =  &  <=  + 10] end [2 *  !=  ] end

9 Error: possible by solving equations [2 *  =  &  >  + 10]  [2 *  >  + 10]  [  > 10]  [  > 10 & 2 *  =  ] CSE 331 Autumn 2011 9

10 Way cool – we’re done!  First example can’t reach assert(false), and it’s easy to reach end via both possible paths  Second example: can reach error and end via both possible paths  Well, what if we can’t solve the path conditions?  Some arithmetic, some recursion, some loops, some pointer expressions, etc.  We’ll see an example  What if we want specific test cases? CSE 331 Autumn 2011 10

11 Concolic testing: Sen et al.  Basically, combine concrete and symbolic execution  More precisely…  Generate a random concrete input  Execute the program on that input both concretely and symbolically simultaneously  Follow the concrete execution and maintain the path conditions along with the corresponding symbolic execution  Use the path conditions collected by this guided process to constrain the generation of inputs for the next iteration  Repeat until test inputs are produced to exercise all feasible paths CSE 331 Autumn 2011 11

12 int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example redux 1 st iteration x=22, y=7 12 [true] x =  = 22, y = 7 =  [true] z = 14 = 2 *  [true] 2 *  ==?  14 ==? 22 [2 *  =  ] … [2 *  !=  ] end  Now solve 2 *  =  to force the other branch  x = 1; y = 2 is one solution

13 int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example 2 nd iteration x=1, y=2 13 [true] x =  = 1,y =  = 2 [true] z = 2 *  = 4 [true] 2 *  ==?  2 ==? 2 [2 *  =  ]  >?  + 10 1 >? 2 + 10 [2 *  =  &  >  + 10] [2 *  =  &  <=  + 10] [2 *  !=  ] …  Now solve 2 *  =  &  <=  + 10 to force the other branch  x = 30; y = 15 is one solution

14 int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }}} 2 nd example 3 nd iteration x=30, y=15 14 [true] x =  = 30,y =  = 15 [true] z = 2 *  = 30 [true] [2 *  =  ]  >?  + 10 30 >? 15 + 10 [2 *  =  &  >  + 10] [30 = 30 & 30 > 25] error [2 *  =  &  <=  + 10] [2 *  !=  ] …  Now solve 2 *  =  &  <=  + 10 to force the other branch  x = 30; y = 15 is one solution

15 Three concrete test cases xy 227Takes first else 21Takes first then and second else 3015Takes first and second then 15 int double (int v){ return 2*v;} void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; }

16 Concolic testing example P. Sa ğ lam  Random seed  x = -3; y = 7  Concrete  z = 9  Symbolic  z = x 3 +3x 2 +9  Take then branch with constraint x 3 +3x 2 +9 != y void test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }  Take else branch with constraint x 3 +3x 2 +9 = y

17 Concolic testing example P. Sa ğ lam CSE 331 Autumn 2011 17 void test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }  Solving is hard for x 3 +3x 2 +9 = y  So use z ’s concrete value, which is currently 9, and continue concretely  9 != 7 so then is good  Symbolically solve 9 = y for else clause Execute next run with x = -3; y = 9 so else is bad When symbolic expression becomes unmanageable (e.g., non-linear) replace it by concrete value

18 Concolic testing example P. Sa ğ lam  Random memory graph reachable from p  Random value for x  Probability of reaching abort( ) is extremely low CSE 331 Autumn 2011 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; }

19 Let’s try it ConcreteSymbolicConstraints 19 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=NULL; x=236

20 Let’s try it ConcreteSymbolicConstraints 20 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=[634,NULL]; x=236

21 Let’s try it ConcreteSymbolicConstraints 21 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; } p=[3,p]; x=1

22 Let’s try it ConcreteSymbolicConstraints 22 typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; }

23 Concolic: status  The jury is still out on concolic testing – but it surely has potential  There are many papers on the general topic  Here’s one that is somewhat high-level Microsoft- oriented  Godefroid et al. Automating Software Testing Using Program Analysis IEEE Software (Sep/Oct 2008)Automating Software Testing Using Program Analysis  They tend to call the approach DART – Dynamic Automated Random Testing CSE 331 Autumn 2011 23

24 Next steps CSE 331 Autumn 2011 24  Worksheets

25 CSE 331 Autumn 2011 25

Download ppt "CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011."

Similar presentations

A Survey of Approaches for Automated Unit Testing

A Survey of Approaches for Automated Unit Testing
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.

Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
1 “White box” or “glass box” tests “White Box” (or “Glass Box”) Tests.

1 “White box” or “glass box” tests “White Box” (or “Glass Box”) Tests.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.

PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Analysis of Complex Data Structures with PEX Vadim Mutilin Evgeniy Gerlits Vladimir Fedotov Mentor: Patrice Godefroid.

Analysis of Complex Data Structures with PEX Vadim Mutilin Evgeniy Gerlits Vladimir Fedotov Mentor: Patrice Godefroid.
Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.

DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Similar presentations

Ads by Google