Presentation is loading. Please wait.

Presentation is loading. Please wait.

Generating Tests from Counterexamples Jinseong Jeon ARCS, KAIST.

Published byGabriel Cain Modified over 9 years ago

Similar presentations

Presentation on theme: "Generating Tests from Counterexamples Jinseong Jeon ARCS, KAIST."— Presentation transcript:

1 Generating Tests from Counterexamples Jinseong Jeon ARCS, KAIST

2 2006-11-14 CS750b, KAIST 2/16 Actual Anxiety Counterexample! What makes him panic? What makes C.E. happen makes him panic!

3 2006-11-14 CS750b, KAIST 3/16 Greater Goals Counterexample! How can it happen?  a test vector Any other cases?  a test suite

4 2006-11-14 CS750b, KAIST 4/16 The Greatest Goal Automated Debugger! Program Target Pred. Test Driver Generator Test Suite Generator Test Driver Test Suite Testing

5 2006-11-14 CS750b, KAIST 5/16 Contents Program Target Pred. Test Driver Generator Test Suite Generator Test Driver Test Suite Testing How to generate a test vector? How to generate a test suite? How to generate a test driver?

6 2006-11-14 CS750b, KAIST 6/16 from Trace to Test (1/2) Example() { if (y == x) y++; if (z <= x) y++; a = y – z; if (a < x) LOC: } [ Program ] assume (y = x) y = y + 1 assume !(z <= x) a = y – z assume (a < x) [ Trace ] = = + 1 :  z,0> · = - [ Trace formula ] p, ( pc  LOC )

7 2006-11-14 CS750b, KAIST 7/16 from Trace to Test (2/2) = = + 1 :  z,0> · = - [ Trace formula ]  0  y,1>  1  2  -1 [ Assignment ]  0  2 [ Test vector ] integer linear programming (ILP) solver

8 2006-11-14 CS750b, KAIST 8/16 Linear Programming object function –maximize c 1 x 1 + c 2 x 2 problem constraints –a 11 x 1 + a 12 x 2 · b 1 –a 12 x 1 + a 22 x 2 · b 2 Algorithms –Simplex, Branch and Bound, etc. feasible region

9 2006-11-14 CS750b, KAIST 9/16 An ILP Application Buffer Overrun Detection using Liner Programming and Static Analysis int main() { char header[2048], buf[1024], *cc1, *cc2, *ptr; int i; FILE *fp;... ptr = fgets(header, 2048, fp); cc1 = copy_buffer(header); for (i = 0; i < 10; i++) { ptr = fgets(buf, 1024, fp); cc2 = copy_buffer(buf); } header!alloc!max · 2048 header!alloc!min ¸ 0... header!used!max · 2048 header!used!min ¸ 1 cc1!used!max ¸ header!used!max cc1!used!min · header!used!min... i’!max ¸ i!max + 1 I’!min · i!min + 1...

10 2006-11-14 CS750b, KAIST 10/16 Test Suite Gen. worklist à all locations in decreasing order of d.f.numbering Reach. Tree à a single node, the root test suite à ; while (worklist  ; ) { q à pop(worklist) p-trace à MC(Reach. Tree, p, q) if Reach. Tree is complete then worklist à ; else test suite à test suite [ { test_vector(p-trace) } } return test suite

11 2006-11-14 CS750b, KAIST 11/16 Heuristics A test vector can cover several locations.  we can remove those locations from the worklist. MC’s unfolding (visiting) order  uncovered first, covered last Time-out option

12 2006-11-14 CS750b, KAIST 12/16 Test Driver Gen. Original code Lib. call User input Test suite Test-feeding func. Test Driver

13 2006-11-14 CS750b, KAIST 13/16 A Security Example (1/2) int saved_uid, saved_euid; work_and_drop_priv() { L5: FILE *fp = fopen(FILENAME,”w”); L6: if (!fp) { L7: return; } L8: // work L9: seteuid(saved_uid); } int get_root_privileges() { L1: if (saved_euid == 0) { L2: return -1; } L3: seteuid(0); L4: return 0; } int main(int argc, char *argv[]) { L10: saved_uid = getuid(); L11: saved_euid = geteuid(); L12: seteuid(saved_uid); L13: // work under normal mode L14: if (get_root_privileges() == 0 ) { L15: work_and_drop_priv(); } L16: execv(argv[1], argv+1); }

14 2006-11-14 CS750b, KAIST 14/16 A Security Example (2/2) L10: saved_uid = getuid(); L11: saved_euid = geteuid(); L12: seteuid(saved_uid); L14: tmp = get_root_privileges(); L1: if (saved_euid != 0) /* fails */ L3: seteuid(saved_euid); L4: return 0; L14: if (tmp == 0) /* succeeds */ L15: work_and_drop_priv(); L5: fp = fopen(FILENAME, “w”); L6: if (!fp) /* succeeds */ L7: return; L16: /* uid = 0 */ [ A trace generated by BLAST ]

15 2006-11-14 CS750b, KAIST 15/16 Experiments kbfiltr, floppy, cdaudio, parport, parclass  Microsoft Windows device drivers ping  an implementation of the ping utility ftpd  a Linux port of the ftp daemon

16 2006-11-14 CS750b, KAIST 16/16 Conclusions pros –generate a test suite using model-checker –generate an automated debugger dead code detection, safety verification cons –only integer variables –what is really affected by BLAST?

Download ppt "Generating Tests from Counterexamples Jinseong Jeon ARCS, KAIST."

Similar presentations

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.

P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SCIP Optimization Suite

SCIP Optimization Suite
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.

Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.

Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.
Symbolic execution © Marcelo d’Amorim 2010.

Symbolic execution © Marcelo d’Amorim 2010.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Counter Example Guided Refinement CEGAR Mooly Sagiv.

Counter Example Guided Refinement CEGAR Mooly Sagiv.
Recursion CS-240/CS341. What is recursion? a function calls itself –direct recursion a function calls its invoker –indirect recursion f f1 f2.

Recursion CS-240/CS341. What is recursion? a function calls itself –direct recursion a function calls its invoker –indirect recursion f f1 f2.
Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.

Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.
Branch and Bound Algorithm for Solving Integer Linear Programming

Branch and Bound Algorithm for Solving Integer Linear Programming
May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer

May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.

Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Similar presentations

Ads by Google