directed random testing
play

Directed Random Testing* Wolfram Schulte Microsoft Research Soqua - PowerPoint PPT Presentation

May 25, 2023 •519 likes •895 views

Directed Random Testing* Wolfram Schulte Microsoft Research Soqua 11/2006 Was formerly announced as: Challenge Problems in Testing 1 What my team does Static program verification & language design Verifying multi-threaded

  1. Directed Random Testing* Wolfram Schulte Microsoft Research Soqua 11/2006 Was formerly announced as: “Challenge Problems in Testing” 1

  2. What my team does • Static program verification & language design – Verifying multi-threaded OO programs (Spec#) – Verifying message passing contracts (Sing#) – Integration of data via structural types and monads (Xen,C ω ,C# V3) • Runtime systems – Task concurrency (Futures) – Memory resilience (DieHard) • Development systems – Build/version/deploy • Modeling and test – Model-based testing (Spec Explorer) – White-box testing (Mutt / Unit Meister/ PUT / PEX) 2

  3. Why testing is hard… void AddTest() { ArrayList a = new ArrayList(1); object o = new object(); a.Add(o); Assert.IsTrue(a[0] == o); } Writing a test involves • determining a meaningful sequence of method calls, • selecting exemplary argument values (the test input values), • stating assertions. A test states both the intended behavior, and achieves certain code coverage. 3

  4. Outline • Input generation • Mock object generation • Sequence generation • Compositional testing 4

  5. Test input generation 5

  6. Problem definition • Test Input Generation – Given a statement s in program P , compute input i , such that P ( i ) executes s • Test Suite Generation – Given a set of statements S in P , compute inputs I , such that forall s in S , exists i in I : P ( i ) executes s 6

  7. Existing test generation techniques void Obscure(int x, int y){ if (x==crypt(y)) error(); return 0; } • Static test case generation via symbolic execution often cannot solve constraints (assumes error) • Random testing via concrete execution often cannot find interesting value (misses errors) • Directed Random Testing/ Conc(rete & symb)olic execution finds error: take random y, solve for x 7

  8. Concolic execution Generate a test suite for program P. Algorithm for test suite generation: We use a dynamic predicate Q over the program input. 0. set Q := true 1. choose inputs i such that Q ( i ) holds 2. execute P ( i ) and build up path condition P( i ) 3. set Q := (Q and not P) 4. if Q <> false, goto (1.) Remark: The choice in (1.) is the cornerstone of concolic execution. It can be implemented in a variety of ways: as a random choice (e.g. for the initial inputs), or as a depths- first/iterative deepening/breadth first/… search over the logical structure of the constructed predicate Q, or using any existing constraint solver. 8

  9. Example: Concolic execution Concrete Symbolic values constraints (Assignments) (Predicates) 1. Choose arbitrary value for x, choose null for xs class List { x = 517; xs== null int head; xs = null; List tail; } 2. Negate predicate (xs== null)  choose new list with new arb. head static bool Find(List xs, int x){ xs!=null && x = 517; while (xs!=null) { xs.head != x && xs.head = -3; if (xs.head == x) xs.tail == null xs.tail = null; return true; xs = xs.tail; 3. Negate both predicates, equivalent to xs!=null && (xs.head == x || xs.tail != null) }  let‟s choose xs.head!= x, thus xs.tail== xs return false; } CRASH! x = 517;  xs.head =-3; Cyclic list xs.tail = xs; 9

  10. Why concolic execution is needed Calls to external world Unmanaged x86 code Unsafe managed .NET code (with pointers) Safe managed .NET code • Most .NET programs use unsafe/unmanaged code for legacy and performance reasons • Combining concrete execution and symbolic reasoning still works: all conditions that can be monitored will be systematically explored 10

  11. Code instrumentation for symbolic analysis ldtoken Point::X class Point { int x; int y; call __Monitor::LDFLD_REFERENCE public static int GetX(Point p) { ldfld Point::X if (p != null) return p.X; call __Monitor::AtDereferenceFallthrough else return -1; } } br L2 L1: ldtoken Point::GetX Prologue call __Monitor::AtBranchTarget call __Monitor::EnterMethod Record concrete values brfalse L0 call __Monitor::LDC_I4_M1 ldarg.0 to have all information ldc.i4.m1 call __Monitor::NextArgument<Point> L2: Calls to build L0: .try { when this method is called call __Monitor::RET .try { (The real C# compiler path condition with no proper context stloc.0 call __Monitor::LDARG_0 Calls will perform output is actually more ldarg.0 leave L4 call __Monitor::LDNULL } catch NullReferenceException { symbolic computation complicated.) ldnull „ call __Monitor::AtNullReferenceException call __Monitor::CEQ rethrow ceq call __Monitor::BRTRUE } Epilogue brtrueL1 L4: leave L5 call __Monitor::BranchFallthrough } finally { call __Monitor::LDARG_0 call __Monitor::LeaveMethod ldarg.0 Calls to build endfinally … path condition } L5: ldloc.0 ret 11

  12. Finding solutions of constraint systems Concolic execution solutions constraints Constraint solver Theory(CIL) Th(Maps) Th(Integers) Th(Floats) Th(Objects) Arrays Structs Int32 Int64 Objects Strings • linear arithmetic Object Types • non-linear • machine numbers User-provided value factories Random values Mock-objects SAT Boolean Search 12

  13. Closing the environment: Generating mock objects 13

  14. Testing with interfaces Example AppendFormat(null , “{0} {1}!”, “Hello”, “Microsoft”); BCL Implementation public StringBuilder AppendFormat( IFormatProvider provider, char[] chars, params object[] args) { if (chars == null || args == null) throw new ArgumentNullException( …); int pos = 0; int len = chars.Length; char ch = '\x0'; ICustomFormatter cf = null; if (provider != null) cf = (ICustomFormatter)provider.GetFormat( typeof(ICustomFormatter)); … 14

  15. Generating mock objects • Introduce a mock class implementing the interface. • Let an oracle provide the behavior of the mock methods. public class MFormatProvider : IFormatProvider { public object GetFormat(Type formatType) { … object o = call.ChooseResult<object>(); Assume.IsTrue(o is IFormatProvider ); return o; } } • During symbolic execution, pick a new symbol to represent unknowns • Collect constraints over symbols along each execution path • Solve the constraints to obtain concrete values for each execution path • During concrete execution, choose these concrete values 15

  16. DEMO Here is a simple test which catches all documented exceptions and uses a mock MFormatProvider

  17. Fully automatic test case generation!

  18. Generated tests exercise different paths of the implementation

  19. When run…

  20. …produces the error

  21. Method sequence generation 21

  22. Problem definition Given a class C with methods M . Test Sequence Generation – Given a statement s in a method of M , compute a sequence of method calls c , such that c executes s Test Sequence Suite Generation – Given a set of statements S occurring in M , compute a set of sequence of method calls C , such that forall s in S , exists c in C : c executes s 22

  23. Observation We can only reach a statement s in a method m if we have proper states and arguments available, so that the execution of m on that state and argument triggers the execution of s List l = new List(); object o = new object(); l.Append(o); object p = l[l.Count-1]; We create new states of objects by calling • constructors • methods, if they – modify this – modify any other formal parameter – return a new result 23

  24. Plans Plans are DAGs (They shows how to manufacture new objects, arrays, boxed values, and mock objects for interfaces and generics) • Its nodes are objects • Its edges are calls to constructors, methods, static fields, whenever they return a new o new new o l List l = new List(); object o = new object(); .Append( ) Append(o); object p = l[l.Count-1]; l‟ p [l‟.Count -1] 24

  25. Tests are concrete instances of plans Plans Call a method • With symbol for primitive Plans argument types • Using other plans for reference argument types to provide objects Plan Concolic Manager Execution Tests Call a method • With concrete values for primitive argument types Feedback • Using simpler tests to build objects to observe behavior Tests 25

  26. Observation During execution we monitor • what fields a method actually reads and write • what other methods a method actually calls • which arguments actually matter • which instructions are actually covered 26

  27. Method sequence suite generation (i) Phase: Learn dynamic behavior – touch all methods once – gives basic coverage (ii) Phase: Apply strategies – order plans so that • readers appear after writers • methods with coverage potential (transitively) are preferred – prune plans: Don‟t use • pure methods to extend plans, unless they return hidden objects • methods that throw exceptions to extend plans 27

  28. Evaluation • Between 30% and 85% branch coverage on all dlls studied so far • Found many errors: Nullreferences, IndexOutOfRange , InvalidCasts, Non termination • Easy to combine with other dynamic checkers: found many resource leaks, incorrect exception handlings (by using fault injection), to be continued… 28

  29. Compositional Testing 1) Via Parameterized Unit Tests 2) Via Synthesized Specs 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik

Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik

introduction algorithm examples Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik Sen presented by Michail Famelis December 4, 2008 RaceFuzzer is an algorithm for determining real races in

961 views • 28 slides
DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen 2 1 Bell Laboratories, Lucent Technologies 2 University of Illinois at Urbana-Champaign November 10, 2015 Presented by Markus 1/20 Introduction

1.58k views • 102 slides
Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

6/24/2019 CONSUMER CONSUMER CONSUMER CONSUMER- - - -DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING WHAT WHAT IT MEANS FOR MY PATIENT AND MY PRACTICE WHAT WHAT IT

659 views • 23 slides
Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia

Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia

Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia University molvera@ieor.columbia.edu Joint work with Ningyuan Chen July 23th, 2012 ECT, Trento, Italy Directed Random Graphs with Given Degree

421 views • 39 slides
Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in

Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in

Generalities on random walks Algebraic and probabilistic structures Directed lattices Sketch of proofs Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in memoriam Dimitri Petritis Joint work with

517 views • 32 slides
Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is

Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is

Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is included? s included? Students in grades 9 -12 who choose to participate in extracurricular activities offered. Academic/Vocational Events

709 views • 31 slides
Random intefaces, geodesics and the directed landscape B alint Vir ag, University of

Random intefaces, geodesics and the directed landscape B alint Vir ag, University of

Random intefaces, geodesics and the directed landscape B alint Vir ag, University of Toronto with Duncan Dauvergne, Janosch Ortmann and Mihai Nica Palac Bedlewo May 21, 2019 B alint Vir ag Directed landscape 5/21/2019 1 / 45

1.31k views • 114 slides
Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer

Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer

Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer Science Laboratory SRI International Menlo Park, CA August 21, 2006 Sam Owre AFM06 presentation: 1 Random Testing in

569 views • 10 slides
Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random

Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random

Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random testing to object oriented software? Cost-efficient in terms of implementation effort and execution time. Introduction (Cont.)

651 views • 24 slides
Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil

Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil

Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil JULY 23, 2019 Roberto Viveros Directed polymer in -stable Random Environments Chemical background Roberto Viveros Directed polymer in -stable

495 views • 37 slides
Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu

Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu

Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu Department of Mathematics Rutgers vanvu@math.rutgers.edu (joint work with T. Tao, UCLA) 1 Let be a real or complex-valued random variable and M n (

594 views • 31 slides
Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and

Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and

Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and Computer Science Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfn@imm.dtu.dk Testing random number generaters Testing

452 views • 24 slides
Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a lurking bug somewhere in the dets code. We have got 'bad object' and 'premature eof' every other month the last year. We have not been able to

584 views • 29 slides
Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with :

Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with :

Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with : Pasquale Calabrese (Univ. Pise, SISSA) P. Le Doussal (LPTENS) Alberto Rosso (LPTMS Orsay) Thomas Gueudre (LPTENS,Torino) most recent: Andrea de

1.01k views • 70 slides
Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many situations, we are interested in numbers associated with the outcomes of a random experiment. For example: Testing cars from a production line, we are

489 views • 38 slides
Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean

Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean

Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean Testing Cl ement Canonne (IBM Research) February 25, 2020 Joint work with Xi Chen, Gautam Kamath, Amit Levi, and Erik Waingarten 1 Outline

935 views • 60 slides
Embedded Quality for Test Embedded Quality for Test Yervant Zorian Yervant Zorian LogicVision,

Embedded Quality for Test Embedded Quality for Test Yervant Zorian Yervant Zorian LogicVision,

Embedded Quality for Test Embedded Quality for Test Yervant Zorian Yervant Zorian LogicVision, Inc. LogicVision, Inc. Electronics I ndustry Electronics I ndustry I Achieved Successful Achieved Successful I Penetration in Diverse

1.36k views • 49 slides
Rules: Process Control Event 2019 PLEASE NOTE THAT SECTIONS WITH SIGNIFICANT CHANGES OR

Rules: Process Control Event 2019 PLEASE NOTE THAT SECTIONS WITH SIGNIFICANT CHANGES OR

Rules: Process Control Event 2019 PLEASE NOTE THAT SECTIONS WITH SIGNIFICANT CHANGES OR CLARIFICATIONS FROM THE 2018 RULES ARE HIGHLIGHTED IN BLUE The process control event for the 2019 Operations Challenge will be very similar to the 2018

352 views • 9 slides
The Algonauts Project: Challenge 2019 Radoslaw Martin Cichy, Gemma Roig, Alex Andonian, Kshitij

The Algonauts Project: Challenge 2019 Radoslaw Martin Cichy, Gemma Roig, Alex Andonian, Kshitij

The Algonauts Project: Challenge 2019 Radoslaw Martin Cichy, Gemma Roig, Alex Andonian, Kshitij Dwivedi, Benjamin Lahner, Alex Lascelles, Yalda Mohsenzadeh, Kandan Ramakrishnan, Aude Oliva Interaction Artificial Natural Intelligence High

1.98k views • 22 slides
The Role of Testbeds in Cyber Security Research CSET Washington, DC August 9, 2010 Douglas

The Role of Testbeds in Cyber Security Research CSET Washington, DC August 9, 2010 Douglas

Dept. of Homeland Security Science &amp; Technology Directorate The Role of Testbeds in Cyber Security Research CSET Washington, DC August 9, 2010 Douglas Maughan, Ph.D. Branch Chief / Program Mgr. douglas.maughan@dhs.gov 202-254-6145 /

369 views • 34 slides
Testing and Accountability Subcommittee O C TO BER 8, 2020 Agenda We lc ome Commissione r

Testing and Accountability Subcommittee O C TO BER 8, 2020 Agenda We lc ome Commissione r

Testing and Accountability Subcommittee O C TO BER 8, 2020 Agenda We lc ome Commissione r s Ove r vie w and Update s Role s and Re sponsibilitie s in Distr ic t and Sc hool Ac c ountability Polic y Re vie wing Re quir e me

471 views • 26 slides
Bubbles for Fama PRESENTER Robin Greenwood, Harvard Business School Bubbles for Fama o Fama does

Bubbles for Fama PRESENTER Robin Greenwood, Harvard Business School Bubbles for Fama o Fama does

Bubbles for Fama PRESENTER Robin Greenwood, Harvard Business School Bubbles for Fama o Fama does not believe in bubbles, which he defines as irrational strong price increase that implies a predictable strong decline . o Famas argument:

4.01k views • 40 slides
Interim Assessments Fall 2020 Mary Williams, Senior Assessment Specialist Jennifer Woo,

Interim Assessments Fall 2020 Mary Williams, Senior Assessment Specialist Jennifer Woo,

Interim Assessments Fall 2020 Mary Williams, Senior Assessment Specialist Jennifer Woo, Assessment Specialist July 2020 Introductions, Agenda, Research Base Agenda: Challenge #1: Learning Needs Challenge #2: Administration

824 views • 25 slides
Randomized Testing of Distributed Systems Burcu Kulahcioglu Ozkan TU Kaiserslautern Summer Term

Randomized Testing of Distributed Systems Burcu Kulahcioglu Ozkan TU Kaiserslautern Summer Term

Randomized Testing of Distributed Systems Burcu Kulahcioglu Ozkan TU Kaiserslautern Summer Term 2019 Burcu Kulahcioglu Ozkan Programming Distributed Systems Summer Term 2019 Distributed systems are prone to bugs! Distribution

635 views • 32 slides

More recommend