Presentation is loading. Please wait.

Presentation is loading. Please wait.

Elided to examples only

Published byIda Halim Modified over 6 years ago

Similar presentations

Presentation on theme: "Elided to examples only"— Presentation transcript:

1 Elided to examples only
CONCOLIC TESTING Pınar Sağlam Elided to examples only

2 Example Random Test Driver: random memory graph reachable from p
typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; Random Test Driver: random memory graph reachable from p random value for x Probability of reaching abort( ) is extremely low

3 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0 p , x=236 NULL

4 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0 p , x=236 NULL

5 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0 p , x=236 NULL

6 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 !(p0!=NULL) p=p0, x=x0 p , x=236 NULL

7 solve: x0>0 and p0NULL
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL x0>0 p0=NULL p=p0, x=x0 p , x=236 NULL

8 solve: x0>0 and p0NULL
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL x0=236, p0 NULL 634 x0>0 p0=NULL p=p0, x=x0 p , x=236 NULL

9 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

10 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

11 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

12 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

13 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

14 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

15 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 x0=1, p0 NULL 3 x0>0 p0NULL 2x0+1v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=236 NULL 634

16 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

17 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

18 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 p0NULL

19 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 2x0+1=v0

20 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1=v0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3 n0p0

21 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

22 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; solve: x0>0 and p0NULL and 2x0+1=v0 and n0=p0 . x0>0 p0NULL 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

23 CUTE Approach typedef struct cell { int v; struct cell *next; } cell;
Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints solve: x0>0 and p0NULL and 2x0+1=v0 and n0=p0 x0=1, p0 x0>0 p0NULL 3 2x0+1=v0 n0p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 NULL 3

24 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

25 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

26 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

27 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; concrete state symbolic state constraints x0>0 p0NULL p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3 2x0+1=v0

28 p=p0, x=x0, p->v =v0, p->next=n0
CUTE Approach Concrete Execution Symbolic Execution concrete state symbolic state constraints typedef struct cell { int v; struct cell *next; } cell; int f(int v) { return 2*v + 1; } int testme(cell *p, int x) { if (x > 0) if (p != NULL) if (f(x) == p->v) if (p->next == p) abort(); return 0; Program Error x0>0 p0NULL 2x0+1=v0 n0=p0 p=p0, x=x0, p->v =v0, p->next=n0 p , x=1 3

29 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver

30 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y

31 Simultaneous Symbolic & Concrete Execution
Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y solve x*x*x+ 3*x*x+9 = y to take else branch Don’t know how to solve !! Stuck ? void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }

32 Simultaneous Symbolic & Concrete Execution
Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 take then branch with constraint x*x*x+ 3*x*x+9 != y solve x*x*x+ 3*x*x+9 = y to take else branch Don’t know how to solve !! Stuck ? NO : CUTE handles this smartly void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); }

33 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver

34 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z

35 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed

36 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y

37 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y solve 9 = y to take else branch execute next run with x = -3 and y= 9 got error (reaches abort)

38 Simultaneous Symbolic & Concrete Execution
void again_test_me(int x,int y){ z = x*x*x + 3*x*x + 9; if(z != y){ printf(“Good branch”); } else { printf(“Bad branch”); abort(); } Let initially x = -3 and y = 7 generated by random test-driver concrete z = 9 symbolic z = x*x*x + 3*x*x+9 cannot handle symbolic value of z make symbolic z = 9 and proceed take then branch with constraint 9 != y solve 9 = y to take else branch execute next run with x = -3 and y= 9 got error (reaches abort) Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (i.e. non-linear)

Download ppt "Elided to examples only"

Similar presentations

Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic execution © Marcelo d’Amorim 2010.

Symbolic execution © Marcelo d’Amorim 2010.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.

Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
CS 312 Spring 2002 Lecture 16 The Environment Model.

CS 312 Spring 2002 Lecture 16 The Environment Model.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.

PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
Refining Abstract Locations Tachio Terauchi Jeff Foster Alex Aiken.

Refining Abstract Locations Tachio Terauchi Jeff Foster Alex Aiken.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Pointers: Part I. Why pointers? - low-level, but efficient manipulation of memory - dynamic objects  Objects whose memory is allocated during program.

Pointers: Part I. Why pointers? - low-level, but efficient manipulation of memory - dynamic objects  Objects whose memory is allocated during program.
Introduction to C Programming CE00312-1 Lecture 19 Linear Linked Lists.

Introduction to C Programming CE Lecture 19 Linear Linked Lists.
The modulus function The modulus of x, written  x  and is defined by  x  = x if x  0  x  = -x if x < 0. Sketch of y =  x  y x y =  x  y = x.

The modulus function The modulus of x, written  x  and is defined by  x  = x if x  0  x  = -x if x < 0. Sketch of y =  x  y x y =  x  y = x.
3.2 – Solving Linear Equations by Graphing. Ex.1 Solve the equation by graphing. x – y = 1.

3.2 – Solving Linear Equations by Graphing. Ex.1 Solve the equation by graphing. x – y = 1.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.

DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
CSEP504: Advanced topics in software systems Tonight: 2 nd of three lectures on software tools and environments – a few tools in some more depth February.

CSEP504: Advanced topics in software systems Tonight: 2 nd of three lectures on software tools and environments – a few tools in some more depth February.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.

1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
Section 6-2: Polynomials and Linear Factors

Section 6-2: Polynomials and Linear Factors

Similar presentations

Ads by Google