Differential Symbolic Execution

Size: px

Start display at page:

Download "Differential Symbolic Execution"

Beryl Oliver
6 years ago
Views:

1 Differential Symbolic Execution Suzette Person, Matthew B. Dwyer, Sebastian Elbaum University of Nebraska Lincoln Corina Păsăreanu NASA Ames Research Center Funded in part by the National Science Foundation and NASA EPSCoR 1

2 Motivation Locate and fix faults Refactor code Extend functionality Merge versions 2

3 Motivation 3

4 Motivation 4

5 Differential Symbolic Execution (DSE) Detect and characterize the effects of program changes in terms of behavioral differences between program versions Symbolic Execution + Over-approximating Symbolic Summaries 5

6 Differential Symbolic Execution (DSE) No functional differences found. OK Validate Refactoring 6

7 Overview of Presentation DSE methodology Summaries of program behavior Notions of equivalence and deltas Applications of DSE Related work Conclusions and future work 7

8 Symbolic Execution int m(int y){ 1: if (y > 0) 2: y++; 3: else 4: y--; 5: return y; } m sum = {(Y > 0, RETURN==Y+1)} 8

9 Symbolic Execution int m(int y){ 1: if (y > 0) 2: y++; 3: else 4: y--; 5: return y; } m sum = {(Y > 0, RETURN==Y+1), RETURN==Y+1)} (!(Y > 0), RETURN==Y-1)} 9

10 Differential Symbolic Execution m Δ m m m Δm m 10

11 Differential Symbolic Execution 11

12 Incomplete Summaries It is not always possible to compute complete summaries Non-linear arithmetic Loops and recursion Actual Program Behaviors Summary Incomplete 12

13 Incomplete Summaries Program Summary Is all of the input space accounted for by the summary? Actual Program Behaviors 13

14 Incomplete Summaries m sum = {(i 1, e 1 ),(i 2, e 2 ), (i 3,e 3 )} Program Summary Is the disjunction of inputs valid? Actual Program Behaviors i 1 V i 2 V i 3 14

15 Incomplete Summaries Explicitly define the input space covered by the summary i 1 V i 2 V i 3 Program Behaviors 15

16 Incomplete Summaries Focus subsequent analysis tool on behaviors not covered Program Behaviors![i 1 V i 2 V i 3 ] 16

17 Abstract Summaries on Common Blocks void test(){ //v1 s 1 ; s 2 ; for (int i=0; i<len; i++;){ val = val + x[i]; } old = val; s n ; } Abstract Summary Read set:{x,val} Write set:{val,old} void test(){ //v2 s a ; s b ; for (int i=0; i<len; i++;){ val = val + x[i]; } old = val; s m ; } Boolean IP B (int[] X, int val) int old B (int[] X, int val) int val B (int[] X, int val) 17

18 Abstract Summaries on Common Blocks void test(){ //v1 s 1 ; s 2 ; for (int i=0; i<len; i++;){ val = val + x[i]; } old = val; s n ; } Standard Symbolic Execution Instantiate abstract summary Standard Symbolic Execution IP B (x,val) old == old B (x,val) val== val B (x,val) 18

19 Functional Equivalence m Δ m m m Δm m 19

20 Functional Equivalence m sum = {(Y > 0, RETURN==Y+1), (!(Y > 0), RETURN==Y-1)} m sum = (Y > 0 Λ RETURN==Y+1) V (!(Y > 0) Λ RETURN==Y-1) 20

21 Functional Equivalence int m(int y){//v1 1: if (y > 0) 2: y++; 3: else 4: y--; 5: return y; } ((Y > 0 Λ RETURN==Y+1) V (!(Y > 0) Λ RETURN==Y-1))? int m(int y){//v2 1: if (y <= 0) 2: y--; 3: else 4: y++; 5: return y; } ((Y <= 0 Λ RETURN==Y-1) V (!(Y <= 0) Λ RETURN==Y+1)) Functionally Equivalent? 21

22 Functional Deltas Δm =m Λ m Δm = m Λ m m m m m 22

23 Partition-effects Equivalence m m 23

24 Partition-effects Delta m m Δm 24

25 Application of DSE Prototype based on Symbolic PathFinder (JPF) & CVC3 theorem prover Applied to artifacts from SIR JMeter Siena Client applications Refactoring assurance Test suite evolution Change characterization 25

26 Change Characterization //Siena version 3 public static boolean match(byte[] x, byte[] y){ if (x.len!= y.len) return false; for(int i=0; i<x.len; ++i) if (x[i]!= y[i]) return false; return true; } //Siena version 4 public static boolean match(byte[] x, byte[] y){ if (x == null && y == null) return true; if (x == null y ==null x.len!= y.len) return false; for(int i=0; i<x.len; ++i) if (x[i]!= y[i]) return false; return true; } 26

27 Input Partition X==null Y==null Change Characterization!(X==null) Λ!(Y==null) Λ (X.l!=Y.l)!(X==null) Λ!(Y==null) Λ (X.l!=Y.l) Λ IP B1 (T, X, Y) X==null Λ Y==null X==null Λ!(Y==null)!(X==null) Λ Y==null!(X==null) Λ!(Y==null) Λ (X.l!=Y.l)!(X==null) Λ!(Y==null) Λ (X.l!=Y.l) Λ IP B1 (T, X, Y) match() Version 3 Effect match() Version 4 RETURN == EXCEPTION RETURN == EXCEPTION RETURN == FALSE RETURN == RET B1 (T, X, Y) RETURN == TRUE RETURN == FALSE RETURN == FALSE RETURN == FALSE RETURN == RET B1 (T, X, Y) 27

28 Change Characterization On input match() Version 3 match() Version 4 x == null Λ y == null throws NRE RETURN == TRUE x == null Λ y!=null throws NRE RETURN == FALSE x!= null Λ y == null throws NRE RETURN == FALSE 28

29 Related Work Jackson et al. (ICSM 94) Neamtiu et al. (MSR 05) Apiwattanapong et al. (ASE 07) Santelices et al., Apiwattanapong et al. (ASE 08, TAIC PART 06) Siegel et al. (ISSTA 06, PVM/MPI 08) Notkin (PASTE 02) 29

30 Conclusion Differential symbolic execution precisely detects and characterizes behavioral differences between two program versions Functional equivalence and deltas Partition-effects equivalence and deltas DSE leverages program commonalities to address summary completeness 30

31 Future Work Further explore DSE algorithms and extend theoretical foundations Automate support for client applications Study the cost and effectiveness of DSE in automating software maintenance tasks 31

32 Differential Symbolic Execution Suzette Person, Matthew B. Dwyer, Sebastian Elbaum University of Nebraska Lincoln Corina Păsăreanu NASA Ames Research Center Funded in part by the National Science Foundation and NASA EPSCoR 32

Automatic Extraction of Abstract- Object-State Machines Based on Branch Coverage

Automatic Extraction of Abstract- Object-State Machines Based on Branch Coverage Hai YUAN Tao XIE Department of Computer Science North Carolina State University hyuan3@ncsu.edu xie@csc.ncsu.edu Agenda