Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example (C code) int double(int x) { return 2 * x; }

Published byNora Andrews Modified over 5 years ago

Similar presentations

Presentation on theme: "Example (C code) int double(int x) { return 2 * x; }"— Presentation transcript:

1 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ (1) Interface extraction: parameters of toplevel function external variables return values of external functions main(){ int tmp1 = randomInt(); int tmp2 = randomInt(); test_me(tmp1,tmp2); } (2) Generation of test driver for random testing: Closed (self-executable) program that can be run Problem: probability of reaching abort() is extremely low!

2 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99

3 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 36, y = 99, z = 72 z = 2 * x

4 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Solve: 2 * x == y Solution: x = 1, y = 2 create symbolic variables x, y 2 * x != y x = 36, y = 99, z = 72 z = 2 * x

5 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2

6 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 1, y = 2, z = 2 z = 2 * x

7 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y x = 1, y = 2, z = 2 z = 2 * x

8 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Solve: (2 * x == y) and (y == x +10) Solution: x = 10, y = 20 create symbolic variables x, y 2 * x == y y != x + 10 x = 1, y = 2, z = 2 z = 2 * x

9 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y != x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20

10 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y x = 10, y = 20, z = 20 z = 2 * x

11 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint create symbolic variables x, y 2 * x == y x = 10, y = 20, z = 20 z = 2 * x

12 DART Step (3): Directed Search
main(){ int t1 = randomInt(); int t2 = randomInt(); test_me(t1,t2); } int double(int x) {return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) abort(); /* error */ Concrete Execution Symbolic Execution Path Constraint Program Error create symbolic variables x, y 2 * x == y x = 10, y = 20, z = 20 z = 2 * x y == x +10

13 Novelty: Simultaneous Concrete & Symbolic Executions
void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck?

14 Novelty: Simultaneous Concrete & Symbolic Executions
void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { abort(); /* error */ } Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck? NO! Use concrete value z = 27 and proceed… Take else branch with constraint 27 != y Solve 27 = y to take then branch Execute next run with x = 3 and y = 27 DART finds the error! Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (e.g. non-linear) NOTE: whenever symbolic execution is stuck, static analysis becomes imprecise!

Download ppt "Example (C code) int double(int x) { return 2 * x; }"

Similar presentations

Amal Khalil & Juergen Dingel

Amal Khalil & Juergen Dingel
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic execution © Marcelo d’Amorim 2010.

Symbolic execution © Marcelo d’Amorim 2010.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.

Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.

PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
06/12/2007SE 652 - 2007_6_12_Design.ppt1 Design Phase Outputs: Completed & Inspected SDS & Integration Test Plan Completed & Inspected System Test Plan.

06/12/2007SE _6_12_Design.ppt1 Design Phase Outputs: Completed & Inspected SDS & Integration Test Plan Completed & Inspected System Test Plan.
ISBN 0-321-19362-8 Chapter 10 Implementing Subprograms –Semantics of Calls and Returns –Implementing “Simple” Subprograms –Implementing Subprograms with.

ISBN Chapter 10 Implementing Subprograms –Semantics of Calls and Returns –Implementing “Simple” Subprograms –Implementing Subprograms with.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.

DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Instructor: Alexander Stoytchev CprE 185: Intro to Problem Solving (using C)

Instructor: Alexander Stoytchev CprE 185: Intro to Problem Solving (using C)
Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.

Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

Similar presentations

Ads by Google