enhancing symbolic execution for coverage oriented testing
play

Enhancing Symbolic Execution for Coverage-Oriented Testing S - PowerPoint PPT Presentation

Apr 08, 2023 •671 likes •1.43k views

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

  1. Enhancing Symbolic Execution for Coverage-Oriented Testing S´ ebastien Bardin, Nikolai Kosmatov, Micka¨ el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40

  2. Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Coverage criteria [decision, mcdc, mutants, etc.] play a major role definition = systematic way of deriving test requirements generate tests, decide when to stop, assess quality of testing beware : infeasible test requirements [waste generation effort, imprecise coverage ratios] beware : lots of different coverage criteria Bardin et al. CFV 2015 2/ 40

  3. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Bardin et al. CFV 2015 3/ 40

  4. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Symbolic Execution [King 70’s] consider a program P on input v , and a given path σ a path predicate ϕ σ for σ is a formula s.t. v | = ϕ σ ⇒ P(v) follows σ can be used for bounded-path testing ! old idea, recent renew interest [requires powerful solvers] Bardin et al. CFV 2015 3/ 40

  5. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Symbolic Execution [King 70’s] consider a program P on input v , and a given path σ a path predicate ϕ σ for σ is a formula s.t. v | = ϕ σ ⇒ P(v) follows σ can be used for bounded-path testing ! old idea, recent renew interest [requires powerful solvers] Dynamic Symbolic Execution [Korel+, Williams+, Godefroid+] interleave dynamic and symbolic executions drive the search towards feasible paths for free give hints for relevant under-approximations [robustness] Bardin et al. CFV 2015 3/ 40

  6. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  7. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  8. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  9. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  10. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  11. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  12. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  13. The problem DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Bardin et al. CFV 2015 5/ 40

  14. The problem DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Yet, no real support for structural coverage criteria [except path coverage and branch coverage] Would be useful : when required to produce tests achieving some criterion for producing “good” tests for an external oracle [functional correctness, security, performance, etc.] Recent efforts [Active Testing, Augmented DSE, Mutation DSE] limited or unclear expressiveness explosion of the search space [ APex : 272x avg, up to 2,000x] Bardin et al. CFV 2015 5/ 40

  15. Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Bardin et al. CFV 2015 6/ 40

  16. Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Results � generic low-level encoding of coverage criteria [ICST 14] � efficient variant of DSE for coverage criteria [ICST 14] � sound and quasi-complete detection of infeasibility [ICST 15] Bardin et al. CFV 2015 6/ 40

  17. Outline Introduction Labels Efficient DSE for Labels Infeasible label detection The GACC criterion Conclusion Bardin et al. CFV 2015 7/ 40

  18. Focus : Labels Annotate programs with labels ◮ predicate attached to a specific program instruction Label ( loc , ϕ ) is covered if a test execution ◮ reaches the instruction at loc ◮ satisfies the predicate ϕ Good for us ◮ can easily encode a large class of coverage criteria [see after] ◮ in the scope of standard program analysis techniques Bardin et al. CFV 2015 8/ 40

  19. Simulation of standard coverage criteria statement_1 ; statement_1 ; // l1: x==y && a<b if (x==y && a<b) // l2: !(x==y && a<b) − − − − − → {...}; if (x==y && a<b) statement_3 ; {...}; statement_3 ; Decision Coverage ( DC ) Bardin et al. CFV 2015 9/ 40

  20. Simulation of standard coverage criteria statement_1 ; // l1: x==y statement_1 ; // l2: !(x==y) if (x==y && a<b) // l3: a<b − − − − − → {...}; // l4: !(a<b) statement_3 ; if (x==y && a<b) {...}; statement_3 ; Condition Coverage ( CC ) Bardin et al. CFV 2015 9/ 40

  21. Simulation of standard coverage criteria statement_1 ; // l1: x==y && a<b statement_1 ; // l2: x==y && a>=b if (x==y && a<b) // l3: x!=y && a<b − − − − − → {...}; // l4: x!=y && a>=b statement_3 ; if (x==y && a<b) {...}; statement_3 ; Multiple-Condition Coverage ( MCC ) Bardin et al. CFV 2015 9/ 40

  22. Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC , GACC large part of Weak Mutations Input Domain Partition Run-Time Error Bardin et al. CFV 2015 9/ 40

  23. Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC , GACC large part of Weak Mutations Input Domain Partition Run-Time Error Out of scope : . strong mutations, MCDC . (side-effect weak mutations) Bardin et al. CFV 2015 9/ 40

  24. Focus : Simulation of Weak Mutations mutant M = syntactic modification of program P weakly covering M = finding t such that P( t ) � = M( t ) just after the mutation Bardin et al. CFV 2015 10/ 40

  25. From weak mutants to labels (1) Bardin et al. CFV 2015 11/ 40

  26. From weak mutants to labels (2) One label per mutant Mutation inside a statement �→ lhs := e lhs := e’ ◮ add label : e � = e ′ �→ lhs := e lhs’ := e ◮ add label : & lhs � = & lhs ′ ∧ ( lhs � = e ∨ lhs ′ � = e ) Mutation inside a decision �→ if (cond) if (cond’) ◮ add label : cond ⊕ cond ′ Beware : no side-effect inside labels Bardin et al. CFV 2015 12/ 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan University) Carlo Ghezzi (Politecnico di Milano) Shi Ying (Wuhan University) Outline Motivation Logical Basis of our Approach GreenTrie

589 views • 36 slides
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1 Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin 2 1 University of Washington 2 University of Illinois at Urbana-Champaign 3

709 views • 31 slides
Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath , Daniel Schemmel, Klaus Wehrle https://comsys.rwth-aachen.de EPIQ Workshop, Heraklion, Greece, 2018-12-04 QUANT ? Mozquic ? mvfst ? picoquic ?

1.45k views • 97 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska

Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska

Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska Intel Corporation Haifa, Israel Agenda Agenda Introduction Coverage-Driven vs. Coverage-Oriented verification Functional coverage in

397 views • 18 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Elliptic Curve Hash (and Sign) ECOH (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom

Elliptic Curve Hash (and Sign) ECOH (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom

Elliptic Curve Hash (and Sign) ECOH (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43 Outline ECOH 1 Background

1.37k views • 74 slides
Baker-Akhiezer functions and configurations of hyperplanes Alexander Veselov, Loughborough

Baker-Akhiezer functions and configurations of hyperplanes Alexander Veselov, Loughborough

Baker-Akhiezer functions and configurations of hyperplanes Alexander Veselov, Loughborough University ENIGMA conference on Geometry and Integrability, Obergurgl, December 2008 Plan BA function related to configuration of hyperplanes

938 views • 49 slides
Inner models from extended logics Joint work with Juliette Kennedy and Menachem Magidor

Inner models from extended logics Joint work with Juliette Kennedy and Menachem Magidor

Introduction The cof-model The aa-model HOD 1 Inner models from extended logics Joint work with Juliette Kennedy and Menachem Magidor Department of Mathematics and Statistics, University of Helsinki ILLC, University of Amsterdam January 2017

717 views • 42 slides
Webinar The economics of Electric Freight in urban areas Tuesday 5 th September 2017 Programme

Webinar The economics of Electric Freight in urban areas Tuesday 5 th September 2017 Programme

Webinar The economics of Electric Freight in urban areas Tuesday 5 th September 2017 Programme 15.00-15.05: Welcome 15.05-15.15: Presentation of the FREVUE project 15.15-15.45: Presentation on the economice of electric freight in

961 views • 58 slides
Modern Electronic Structure: Modern Electronic Structure: many- -body physics body physics

Modern Electronic Structure: Modern Electronic Structure: many- -body physics body physics

Modern Electronic Structure: Modern Electronic Structure: many- -body physics body physics many in nano nano- -world world in Liviu Chioncel Chioncel Liviu Graz University of Technology Graz University of Technology Austria Austria

685 views • 44 slides
Tracing the innards of YOUR application Alexandre Montplaisir, Ericsson Florian Wininger,

Tracing the innards of YOUR application Alexandre Montplaisir, Ericsson Florian Wininger,

Tracing the innards of YOUR application Alexandre Montplaisir, Ericsson Florian Wininger, Polytechnique EclipseCon 2014, PolarSys Day pRESENTERS Alexandre Montplaisir Software Developer, Ericsson Committer on the Eclipse Linux

675 views • 31 slides
Multivariate Polynomial maps Noncommutative and non-associative structures, braces and

Multivariate Polynomial maps Noncommutative and non-associative structures, braces and

1 Multivariate Polynomial maps Noncommutative and non-associative structures, braces and applications. Malte, March 2018 Part of this talk is extracted from a few joint works with T.Y. Lam, A. Ozturk, J. Delenclos. . 2 I) Noncommutative

523 views • 14 slides
Sealing the Universally Baire sets Nam Trang (joint with G.Sargsyan) University of North Texas

Sealing the Universally Baire sets Nam Trang (joint with G.Sargsyan) University of North Texas

Sealing LSA over UB Results Sealing and Inner Model Theory Open problems Proof outlines Sealing the Universally Baire sets Nam Trang (joint with G.Sargsyan) University of North Texas Luminy Workshop in Set Theory September 2227,

979 views • 86 slides

More recommend