Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level."— Presentation transcript:

1 1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level of branch coverage Whitebox fuzz testing (SAGE) Start on debugging Quick start: Zeller’s delta-debugging algorithm and tools

2 2 SMART: Using Summaries in Testing Idea: complete coverage of all paths is too expensive Fix: limit the number of paths, but preserve the level of branch coverage achieved by trying al paths How? Use function boundaries – make the exploration compositional “Compositional Dynamic Test Generation” (Godefroid) paper is a good look at this kind of testing in general

3 3 The Compositional Approach int G = 0; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; } How many paths through this program? 2 4 8 16 32

4 4 The Compositional Approach int G = 0; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; } Traditional DART/CUTE will have to execute the program 32 times, and explore 32 paths. One idea: treat each function independently – don’t worry about paths that cross function boundaries – but still solve for all paths through each function. When we reach a return from a function, use the basic algorithm to find all paths through that function. Afterwards, “don’t care” what path we take through it

5 5 The Compositional Approach int G = 0; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; } Now how many paths? 2 4 4 2 4 4 2 2 Total = 4 + 4 + 2 = 10 (vs. 32)

6 6 The Compositional Approach int G = 0; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; } 2 4 4 2 4 4 2 2 Have we lost anything? Not branch coverage – assuming complete exploration is possible, and all constraints are linear, we preserve level of branch coverage. But we could miss bugs…

7 7 The Compositional Approach int G = 0; int a[4]; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; a[G] = 3; } 2 4 4 2 4 4 2 2 Could handle by adding explicit “branch” for array bounds check, however.

8 8 The Compositional Approach int G = 0; int a[4]; int foo (int x, int y) { if (x < y) G++; if (x == 10) G++; } int bar (int x, int y) { if (x 8) G++; } int main () { foo(x, y); bar(x, y); if (x + y == 40) G++; a[G] = 3; } 2 4 4 2 4 4 2 2 When solving the constraints, SMART makes use of “procedure summaries” to avoid re-analyzing functions in full detail – but these are a static analysis topic more than a testing topic.

9 9 Whitebox Fuzz Testing SAGE Now we’ll take a quick run through Godefroid’s invited talk at the 2007 Workshop on Random Testing

10 10 Debugging

11 11 Debugging, in the Trenches Rasala put his hands on his desk and buried his face in them. It was just another routine day down at debugging headquarters. In the back of Veres’s mind still lies a small suspicion that the problem might after all be noise. And now – much to Guyer’s delight, when he finds out later on – it is Veres himself who disconnects the I-cache. Then he runs the program past the point of failure, and everything works. He puts the I-cache back in and once again Gollum fails. This doesn’t prove the IP is to blame, but it does tend to eliminate noise as a suspect, once and for all... from THE CASE OF THE MISSING NAND GATE (Chapter 10 of Kidder’s The Soul of a New Machine)

12 12 (The Soul of a New Machine) Kidder’s book tells the story of the development of a micro- computer in the early 80s. The book’s a classic – won the American Book Award for non- fiction. Anyone who cares how computers are made (or how people work) should read it. Chapter 10 is a classic story of debugging a hardware problem. The ideas apply just as well to software, and this is the best description of heavy-duty debug I’ve ever seen.

13 13 Debugging Debugging is really hard -- even with a good failing test case in hand One of the most time-consuming tasks in software development [Ball, Eick] Locating the fault is the most time- consuming part of debugging [Vesey]

14 14 Debugging Takes as much as 50% of development time on some projects Arguably the most scientific part of “computer science” practice Even though it’s usually done in a totally ad hoc, haphazard way! “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.” - Brian Kernighan

15 15 Debugging and Testing What are test cases for, anyway? Often: so we can locate and fix a fault Or: so we can understand how serious the failure is, and triage / “flight rule” it away If we have many bugs, and some may not be important enough to merit resources Or if there is a reason we can’t change the code and have to work around the problem In either case, we have a “debugging” task at hand – must at least understand the failure, even if only to triage

16 16 Scientific Debugging Test cases (ones that fail and ones that succeed) can be the experiments we perform to verify our hypotheses The failing test case informs us that there is a phenomenon to explain (apple on the head) Generate (or examine) more test cases to find out more about what is going on in the program

17 17 Scientific Debugging

18 18 Testing for Debugging Several ways to use test cases in debugging: Test case minimization (today) Shrink the test case so we don’t have to look at lots of irrelevant or redundant operations Fault localization Give suggestions about where the fault may be (based on test case executions) Error explanation Give a “story” of causality (A causes B; B causes C; C causes failure) attempt to automate part of scientific debugging

Download ppt "1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level."

Similar presentations

Software Testing. Quality is Hard to Pin Down Concise, clear definition is elusive Not easily quantifiable Many things to many people You'll know it when.

Software Testing. Quality is Hard to Pin Down Concise, clear definition is elusive Not easily quantifiable Many things to many people You'll know it when.
xUnit Test Patterns (Some) xUnit Test Patterns (in practice) by Adam Czepil.

xUnit Test Patterns (Some) xUnit Test Patterns (in practice) by Adam Czepil.
Verification and Validation

Verification and Validation
Design Constraints By: Tuan Ha Cohort: MCIS 21 Class: MISS 470.

Design Constraints By: Tuan Ha Cohort: MCIS 21 Class: MISS 470.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.
Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.

Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
Building Reliable Software Requirements and Methods.

Building Reliable Software Requirements and Methods.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.

1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.
Chapter 16 Programming and Languages: Telling the Computer What to Do.

Chapter 16 Programming and Languages: Telling the Computer What to Do.
Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.

1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.
Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.

Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.

Similar presentations

Ads by Google