pruning the search space in path based test generation
play

Pruning the Search Space in Path-based Test Generation Motivation - PowerPoint PPT Presentation

Dec 21, 2023 •386 likes •837 views

Pruning the Search Space in Path-based Test Generation Motivation SE S ebastien Bardin Heuristics sebastien.bardin@cea.fr Experiments CEA-LIST, Software Security Labs Conclusion (joint work with Philippe Herrmann) S ebastien Bardin,

  1. Pruning the Search Space in Path-based Test Generation Motivation SE S´ ebastien Bardin Heuristics sebastien.bardin@cea.fr Experiments CEA-LIST, Software Security Labs Conclusion (joint work with Philippe Herrmann) S´ ebastien Bardin, Philippe Herrmann 1/ 31

  2. Context Automatic test data generation from source code (STDG) The test suite must achieve a global structural coverage objective all instructions, all branches, etc. Motivation SE Heuristics Experiments Do not consider the oracle generation issue : assume an external Conclusion automatic oracle perfect oracle (back-to-back testing) partial oracle (assertions / contracts) S´ ebastien Bardin, Philippe Herrmann 2/ 31

  3. Symbolic Execution Symbolic Execution (SE) is a very fruitful approach for STDG efficiency robustness Motivation SE in a nutshell SE Heuristics Constraint-based reasoning : translate a part of the program into a Experiments logical formula ϕ , such that a solution of ϕ is a relevant TD Conclusion Path-based approach : focus on a single path at once + enumerate (bounded) paths simple formulas, only conjunctions (no quantifier / fixpoint) Concolic paradigm : combination of symbolic and dynamic execution robustness to “difficult-to-model” programming features S´ ebastien Bardin, Philippe Herrmann 3/ 31

  4. A few prototypes PathCrawler (CEA) 2004 Dart (Bell Labs), Cute (Uni. of Illinois / Berkeley) 2005 Motivation Exe (Stanford) 2006 SE Heuristics Jpf (NASA) 2007 Experiments Osmose (CEA), Sage (Microsoft), Pex (Microsoft) 2008 Conclusion S´ ebastien Bardin, Philippe Herrmann 4/ 31

  5. Main Limitations Two major bottlenecks for Symbolic Execution 1. constraint solving (along a single path) 2. # paths Path explosion phenomenon Motivation nesting loops and conditional instructions SE inlining of function calls Heuristics Experiments Conclusion Moreover : SE require a user-defined path-bound k things get worse if k is over-estimated sometimes, very long paths to exhibit specific behaviours Our goal : lower the path explosion in SE S´ ebastien Bardin, Philippe Herrmann 5/ 31

  6. Not all Paths are Relevant for STDG Irrelevant paths In practice, SE enumerates all k-paths But the true goal is to cover “items” (instr., branches) Some paths are very unlikely to improve the current coverage Motivation SE Heuristics Idea : detect a priori irrelevant paths to discard them and lower the Experiments path explosion Conclusion Our results 1. three complementary heuristics to prune likely redundant paths 2. implementation in the Osmose tool and experiments S´ ebastien Bardin, Philippe Herrmann 6/ 31

  7. Outline Context Symbolic Execution Motivation SE Heuristics Heuristics Experiments Experiments Conclusion Conclusion S´ ebastien Bardin, Philippe Herrmann 7/ 31

  8. Path Predicate π a finite path of the program P D the input space of P V ∈ D an input vector Path predicate A path predicate for π is a formula ϕ π interpreted on D s.t. if Motivation V | = ϕ π then the execution of P on V exercices π at runtime. SE Heuristics Experiments t 1 t 2 t n More formally : let π = − → − → . . . − → Conclusion the greatest path predicate ϕ π = wpre ( t 1 , wpre ( t 2 , . . . wpre ( t n , ⊤ ))) ¯ a path predicate ϕ π such that ϕ π ⇒ ¯ ϕ π A path predicate is typically computed via strongest postcondition S´ ebastien Bardin, Philippe Herrmann 8/ 31

  9. Framework of Symbolic Execution Path-based test data generation 1 choose an uncovered ( k -bounded) path π 2 compute one of its path predicates ϕ π 3 solve ϕ π : solution = TD exercising path π Motivation SE 4 update coverage, if still something to cover then goto 1 Heuristics Experiments Conclusion Parameter 1 - Logical theory : not relevant here Parameter 2 - Path enumeration strategy : here, standard DFS Extension - Concolic execution S´ ebastien Bardin, Philippe Herrmann 9/ 31

  10. Symbolic Execution, Basic Procedure (BP) Motivation SE Heuristics Experiments Conclusion choose path compute path predicate, solve it, update cover choose the next path by DFS backtracking, and so on S´ ebastien Bardin, Philippe Herrmann 10/ 31

  11. Symbolic Execution, Basic Procedure (BP) Motivation SE Heuristics Experiments Conclusion choose path compute path predicate, solve it, update cover choose the next path by DFS backtracking, and so on S´ ebastien Bardin, Philippe Herrmann 10/ 31

  12. Symbolic Execution, Basic Procedure (BP) Motivation SE Heuristics Experiments Conclusion choose path compute path predicate, solve it, update cover choose the next path by DFS backtracking, and so on S´ ebastien Bardin, Philippe Herrmann 10/ 31

  13. Symbolic Execution, Basic Procedure (BP) Motivation SE Heuristics Experiments Conclusion choose path compute path predicate, solve it, update cover choose the next path by DFS backtracking, and so on S´ ebastien Bardin, Philippe Herrmann 10/ 31

  14. Symbolic Execution, Basic Procedure (BP) Motivation SE Heuristics Experiments Conclusion choose path compute path predicate, solve it, update cover choose the next path by DFS backtracking, and so on S´ ebastien Bardin, Philippe Herrmann 10/ 31

  15. Outline Context Symbolic Execution Motivation SE Heuristics Heuristics Experiments Experiments Conclusion Conclusion S´ ebastien Bardin, Philippe Herrmann 11/ 31

  16. Heuristic 1 : Look-Ahead (LA) main Procedure BP tries to cover a new path at each iteration BUT this new path does not necessarily Motivation cover new items False SE the resolution time is wasted Heuristics True Experiments more useless paths will be Conclusion explored from this prefix On the example, full coverage requires at most 3 TD, while there are ≈ 2 k +1 paths of length ≤ k S´ ebastien Bardin, Philippe Herrmann 12/ 31

  17. Idea Check if uncovered items may be reached from the current instruction. If not, solve the current prefix but do not expand it Optimistic check based on the CFG abstraction of the program Motivation The Look-Ahead heuristic enjoys nice properties SE soundness : discard only redundant paths Heuristics relative completeness : BP+LA achieves always the same Experiments coverage than BP Conclusion path reduction : BP+LA explores always less path than BP Difficulty : efficient computation of the (CFG) reachability set S´ ebastien Bardin, Philippe Herrmann 13/ 31

  18. Reachability Set Computation Procedure ReachSet : node → Set(node) Motivation Standard worklist algorithm has the following problems in our context SE Heuristics all reachability sets are computed at the same time, even if BP Experiments will not use all of them Conclusion not designed for interprocedural or context-sensitive analysis S´ ebastien Bardin, Philippe Herrmann 14/ 31

  19. Reachability Set Computation (2) Efficient interprocedural analysis Efficient computation lazy computation Motivation SE computation cache Heuristics Experiments Conclusion Interprocedural analysis compact representation of sets of nodes : manipulate CFG nodes and Call Graph (CG) nodes function summaries : propagate reachable CG nodes (from CG) lazy computation and computation cache extend to CG S´ ebastien Bardin, Philippe Herrmann 15/ 31

  20. Reachability Set Computation (3) Context-sensitive analysis the current stack is passed as an argument, if the current node can reach a ret instruction, then the procedure is recursively launched on the top of the stack (return site) Motivation SE ReachSet-context(node,stack, rset) : Heuristics c := ReachSet(node) ; r := c ∪ rset Experiments Conclusion if (stack.empty or ret �∈ c ) then return r ; else return ReachSet-context(stack.top,stack.tail, r) Remark : the computation cache is still a map from node to set , rather than a map from ( node , stack ) to set S´ ebastien Bardin, Philippe Herrmann 16/ 31

  21. Heuristic 2 : Max-CallDepth (MCD) Nested function calls are often the major source of path explosion main function f BP explores all the paths in cal- Motivation lees SE c =?= 0 True False Heuristics But in unit testing, need to co- b := 1 b := 0 Experiments ver only paths of the top-level call f Conclusion function b =?= 0 Return Example : only two TD to cover the main function, but ≈ 2 k +1 paths S´ ebastien Bardin, Philippe Herrmann 17/ 31

  22. Idea (claim) top-level paths rarely depend only on specific behaviours in deep function calls MCD heuristic : prevent backtracking in deep nested function calls Motivation SE Implementation : a user-defined mcd parameter, a counter depth Heuristics updated by call and ret , performs branching only if depth ≤ mcd Experiments Conclusion Theoretically : take care, the MCD heuristic is not sound Empirically : experimental results show a very large pruning and no loss in coverage (see after) S´ ebastien Bardin, Philippe Herrmann 18/ 31

  23. Heuristic 3 : Solve-First (SF) DFS has two main drawbacks in our context if # TD is limited, DFS focuses only on a deep narrow portion of the program (slow coverage speed) longer (and more complex ?) prefixes are solved first Motivation SE true Heuristics true Example : assume #node = 2n+1, all Experiments paths are feasible, Conclusion true goal = instruction coverage true only two TD are necessary BP+LA : n+1 TD true S´ ebastien Bardin, Philippe Herrmann 19/ 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Properties of - //the leaf node (terminal state) ) 9 ( The - algorithm //the leaf

Properties of - //the leaf node (terminal state) ) 9 ( The - algorithm //the leaf

G Game Playing Pl i - Pruning Pruning Introduction to Artificial Intelligence Hadi Moradi 1 2. - pruning: search cutoff Pruning: eliminating a branch of the search tree from consideration without exhaustive examination

825 views • 67 slides
1 - Pruning Pseudocode - Pruning Properties Pruning has no effect on final result

1 - Pruning Pseudocode - Pruning Properties Pruning has no effect on final result

Recap: Resource Limits Introduction to Artificial Intelligence Cannot search to leaves max 4 V22.0472-001 Fall 2009 -2 4 Depth-limited search min min Instead, search a limited depth of -1 -2 4 9 tree Replace

299 views • 6 slides
MODEL-BASED, MUTATION-DRIVEN TEST CASE GENERATION VIA HEURISTIC-GUIDED BRANCHING SEARCH Andreas

MODEL-BASED, MUTATION-DRIVEN TEST CASE GENERATION VIA HEURISTIC-GUIDED BRANCHING SEARCH Andreas

MODEL-BASED, MUTATION-DRIVEN TEST CASE GENERATION VIA HEURISTIC-GUIDED BRANCHING SEARCH Andreas Fellner FMCAD Student Forum Wien, October 4th 2017 TEST CASE GENERATION WITH 1 Andreas Fellner TEST CASE GENERATION WITH Abstract Model UML /

358 views • 34 slides
Search Based Test Data Generation for Server-side Web Application Testing Nadia Alshahwan and

Search Based Test Data Generation for Server-side Web Application Testing Nadia Alshahwan and

Search Based Test Data Generation for Server-side Web Application Testing Nadia Alshahwan and Mark Harman CREST Centre University College London Automated web application testing using search based software Engineering (ASE 2011) Hill

588 views • 15 slides
Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from SysML Models Jrg Brauer and Jan Peleska Verified Systems International GmbH support@verified.de Space Tech Expo Europe 2015-11-19 Motivation

499 views • 26 slides
Efficient Search-Space Pruning for Integrated Fusion and Tiling Transformations Xiaoyang Gao,

Efficient Search-Space Pruning for Integrated Fusion and Tiling Transformations Xiaoyang Gao,

Efficient Search-Space Pruning for Integrated Fusion and Tiling Transformations Xiaoyang Gao, Sriram Krishnamoorthy, Swarup Kumar Sahoo, Chi-Chung Lam, P. Sadayappan Ohio State University Gerald Baumgartner, J. Ramanujam, Louisiana State

480 views • 24 slides
S. Scalabrino G. Grano D. Di Nucci A. De Lucia M. Guerra H. Gall R. Oliveto OCELOT a

S. Scalabrino G. Grano D. Di Nucci A. De Lucia M. Guerra H. Gall R. Oliveto OCELOT a

S. Scalabrino G. Grano D. Di Nucci A. De Lucia M. Guerra H. Gall R. Oliveto OCELOT a Search-Based Test-Data Generation Tool for C Testing is expensive Automatic Test Generation Search-Based Test Generation TIOBE Ranking TIOBE Ranking

398 views • 28 slides
Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from

Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from

1 Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from their start to the goal (a path is a sequence of actions, not states) For now we consider problem solving agents who search on atomically

739 views • 38 slides
Parameter Tuning for Search-Based Test-Data Generation Revisited Support for Previous Results

Parameter Tuning for Search-Based Test-Data Generation Revisited Support for Previous Results

Parameter Tuning for Search-Based Test-Data Generation Revisited Support for Previous Results Anton Kotelyanskii Gregory M. Kapfhammer creative commons licensed ( BY-NC-ND ) ickr photo shared by sunface13 Software Testing Software

725 views • 57 slides
Partial-Order Planning 1 State-Space vs. Plan-Space State-space ( situation space ) planning

Partial-Order Planning 1 State-Space vs. Plan-Space State-space ( situation space ) planning

Partial-Order Planning 1 State-Space vs. Plan-Space State-space ( situation space ) planning algorithms search through the space of possible states of the world searching for a path that solves the problem. They can be based on

759 views • 13 slides
Learning Objectives At the end of the class you should be able to: explain how cycle checking and

Learning Objectives At the end of the class you should be able to: explain how cycle checking and

Learning Objectives At the end of the class you should be able to: explain how cycle checking and multiple-path pruning can improve efficiency of search algorithms explain the complexity of cycle checking and multiple-path pruning for different

300 views • 17 slides
State-Space Search and the STRIPS Planner Searching for a Path through a Graph of Nodes

State-Space Search and the STRIPS Planner Searching for a Path through a Graph of Nodes

State-Space Search and the STRIPS Planner Searching for a Path through a Graph of Nodes Representing World States Literature Malik Ghallab, Dana Nau, and Paolo Traverso. Automated Planning Theory and Practice , chapter 2 and 4.

586 views • 47 slides
A UML-Based Testing Approach Using Sequence Diagrams, Statecharts, and OCL Constraints Dehla

A UML-Based Testing Approach Using Sequence Diagrams, Statecharts, and OCL Constraints Dehla

A UML-Based Testing Approach Using Sequence Diagrams, Statecharts, and OCL Constraints Dehla Sokenou TU Berlin Softwaretechnik Overview of the Test System test data test generation driver test case abstract test data generation test

444 views • 20 slides
Search Overview Introduction to Search Blind Search Techniques Heuristic Search

Search Overview Introduction to Search Blind Search Techniques Heuristic Search

Search Overview Introduction to Search Blind Search Techniques Heuristic Search Techniques Game Playing search Perfect play Resource limits pruning Games of chance Constraint Satisfaction Problems

465 views • 25 slides
On Path Generation, Path Following On Path Generation, Path Following and Time Coordination for

On Path Generation, Path Following On Path Generation, Path Following and Time Coordination for

On Path Generation, Path Following On Path Generation, Path Following and Time Coordination for and Time Coordination for Small UAVs UAVs Small I. Kaminer I. Kaminer Department of Mechanical and Astronautical Astronautical Engineering,

924 views • 44 slides
Improved Heuristics for Multi-Agent Path Finding with Conflict-Based Search Jiaoyang Li, Ariel

Improved Heuristics for Multi-Agent Path Finding with Conflict-Based Search Jiaoyang Li, Ariel

Improved Heuristics for Multi-Agent Path Finding with Conflict-Based Search Jiaoyang Li, Ariel Felner, Eli Boyarski, Hang Ma and Sven Koenig Macao, China 08/13/2019 Outlines Background: Multi-Agent Path Finding. Conflict-Based

302 views • 16 slides
VectorVest Stock Valuation and Stock Market Cycles AAII Chapter Meeting April 12 th , 2008

VectorVest Stock Valuation and Stock Market Cycles AAII Chapter Meeting April 12 th , 2008

VectorVest Stock Valuation and Stock Market Cycles AAII Chapter Meeting April 12 th , 2008 Alexandria, Virginia How The Market Works What Causes Stock Prices to Rise and Fall? How The Market Works Rising Earnings Rising earnings cause

387 views • 26 slides
Indirect Causes in Dynamic Bayesian Networks Revisited 24 th International Joint Conference on

Indirect Causes in Dynamic Bayesian Networks Revisited 24 th International Joint Conference on

INSTITUTE OF INFORMATION SYSTEMS Indirect Causes in Dynamic Bayesian Networks Revisited 24 th International Joint Conference on Artificial Intelligence Alexander Motzek Ralf Mller Universitt zu Lbeck Institute of Information

479 views • 17 slides
KBO Orientability Harald Zankl Nao Hirokawa Aart Middeldorp Japan Advanced

KBO Orientability Harald Zankl Nao Hirokawa Aart Middeldorp Japan Advanced

KBO Orientability Harald Zankl Nao Hirokawa Aart Middeldorp Japan Advanced Institute of Science and Technology University of Innsbruck KBO Orientability 1/32 Reference Harald Zankl, Nao Hirokawa, and Aart Middeldorp JAR

1.33k views • 102 slides
Exploiting Innocuousness in Bayesian Networks 28 th Australasian Joint Conference on Artificial

Exploiting Innocuousness in Bayesian Networks 28 th Australasian Joint Conference on Artificial

INSTITUTE OF INFORMATION SYSTEMS Exploiting Innocuousness in Bayesian Networks 28 th Australasian Joint Conference on Artificial Intelligence Alexander Motzek Ralf Mller Universitt zu Lbeck Institute of Information Systems

416 views • 31 slides
Light Matter Interactions (II) Light Matter Interactions (II) Peter Oppeneer Department

Light Matter Interactions (II) Light Matter Interactions (II) Peter Oppeneer Department

Light Matter Interactions (II) Light Matter Interactions (II) Peter Oppeneer Department of Physics and Astronomy Uppsala University, S-751 20 Uppsala, Sweden 1 Outline Lecture II Light-magnetism interaction Phenomenology of

741 views • 53 slides
Doubly Reflected BSDEs with Call Protection and their Approximation J.-F. Chassagneux , S.

Doubly Reflected BSDEs with Call Protection and their Approximation J.-F. Chassagneux , S.

Markovian RIBSDE Approximation Results Numerics Doubly Reflected BSDEs with Call Protection and their Approximation J.-F. Chassagneux , S. Crpey , A. Rahal quipe Analyse et Probabilit Universit dvry Val dEssonne 91025 vry

703 views • 46 slides
Portfolio Optimization # 1 A. Charpentier (Universit de Rennes 1) Universit de Rennes 1,

Portfolio Optimization # 1 A. Charpentier (Universit de Rennes 1) Universit de Rennes 1,

Arthur Charpentier, Universit de Rennes 1, Portfolio Optimization - 2017 Portfolio Optimization # 1 A. Charpentier (Universit de Rennes 1) Universit de Rennes 1, 2017/2018 1 @freakonometrics freakonometrics freakonometrics.hypotheses.org

1.21k views • 83 slides
Reducing medical spending of the publicly insured: the case for cash-out option Svetlana

Reducing medical spending of the publicly insured: the case for cash-out option Svetlana

Introduction Theoretical analysis Quantitative model Calibration Model performance Results Improving target efficiency A Reducing medical spending of the publicly insured: the case for cash-out option Svetlana Pashchenko Ponpoje

1.94k views • 166 slides

More recommend