Combined Static and Dynamic Automated Test Generation

Similar documents
Combined Static and Dynamic Automated Test Generation

Automated Software Testing in the Absence of Specifications

Feedback-directed Random Test Generation

Automated Test-Input Generation

Automated Documentation Inference to Explain Failed Tests

David Glasser Michael D. Ernst CSAIL, MIT

Mutually Enhancing Test Generation and Specification Inference

Combined Static and Dynamic Mutability Analysis 1/31

1. Introduction. ation techniqu. s1.close( s2.close( con.close

Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives

Safety Checks and Semantic Understanding via Program Analysis Techniques

Automatic Extraction of Abstract- Object-State Machines Based on Branch Coverage

Test Factoring: Focusing test suites on the task at hand

Symbolic Execution, Dynamic Analysis

Formal Methods for Java

Mining Specifications

Automatic Generation of Program Specifications

Exploiting Synergy Between Testing and Inferred Partial Specifications

Testing. CMSC 433 Programming Language Technologies and Paradigms Spring A Real Testing Example. Example (Black Box)?

Continuous Testing in Eclipse. David Saff, Michael D. Ernst MIT CSAIL etx 2004, Barcelona, Spain

COP4540 TUTORIAL PROFESSOR: DR SHU-CHING CHEN TA: H S IN-YU HA

Which Configuration Option Should I Change?

Test Advising Framework

Carving Invariants. Andreas Zeller Saarland University. CREST Open Workshop The Oracle Problem for Automated Software Testing, London, May 2012

Testing, Debugging, Program Verification

Improving Program Testing and Understanding via Symbolic Execution

How Good Are the Specs?

Java Database Connectivity

Dynamic Test Generation to Find Bugs in Web Application

Large-Scale API Protocol Mining for Automated Bug Detection

Working with Databases and Java

Automatically Repairing Broken Workflows for Evolving GUI Applications

Leveraging Data Invariants in Model Inference for Test Case Generation

Accessing databases in Java using JDBC

State Extensions for Java PathFinder

assertion-driven analyses from compile-time checking to runtime error recovery

Black Box Testing. EEC 521: Software Engineering. Specification-Based Testing. No Source Code. Software Testing

6.005 Elements of Software Construction Fall 2008

Achievements and Challenges

Lecture 10. Dynamic Analysis

THE ROAD NOT TAKEN. Estimating Path Execution Frequency Statically. ICSE 2009 Vancouver, BC. Ray Buse Wes Weimer

Automatic Generation of Oracles for Exceptional Behaviors

DyGen: Automatic Generation of High-Coverage Tests via Mining Gigabytes of Dynamic Traces

Finding Errors in Multithreaded GUI Applications

Advances in Programming Languages

Heuristics-based Parameter Generation for Java Methods

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing

Learning from Executions

Symbolic and Concolic Execution of Programs

Automated Documentation Inference to Explain Failed Tests

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

Automatic Generation of Unit Regression Tests

Testing Exceptions with Enforcer

Fitness-Guided Path Exploration in Automated Test Generation

CSC System Development with Java. Database Connection. Department of Statistics and Computer Science. Budditha Hettige

The Design Recipe Fall 2017

Understanding and Detecting Wake Lock Misuses for Android Applications

Replaying and Isolating Failing Multi-Object Interactions. Martin Burger Andreas Zeller Saarland University

KLEE: Effective Testing of Systems Programs Cristian Cadar

Understanding and Detecting Wake Lock Misuses for Android Applications

Refresher: Interface Specifications. ADT Documentation. Set Represented as an Array. Representation Invariant, Abstraction Function

Representation Invariant, Abstraction Function

Scaling Regression Testing to Large Software Systems

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Profile-Guided Program Simplification for Effective Testing and Analysis

Microsoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis

Feedback-controlled Random Test Generation

Automatic Test Generation. Galeotti/Gorla/Rau Saarland University

GRT: An Automated Test Generator using Orchestrated Program Analysis

Finding Errors in.net with Feedback-Directed Random Testing

IBM Rational Rhapsody Automatic Test Generation Add On. Limitations

Shin Hwei Tan Darko Marinov Lin Tan Gary T. Leavens University of Illinois. University of Illinois

Introduction to Programming Using Java (98-388)

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

A Novel Approach to Unit Testing: The Aspect-Oriented Way

AVA: Supporting Debugging With Failure Interpretations

Concepts of Object-Oriented Programming Peter Müller

LATEST : Lazy Dynamic Test Input Generation

AJAX: Automating an Informal Formal Method for Systematic JUnit Test Suite Generation

Software Testing CS 408. Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18

Comparing procedure specifications

Improving Test Suites via Operational Abstraction

Automatically Synthesizing SQL Queries from Input-Output Examples

Compilation 2012 Static Type Checking

Database Applications (15-415)

No Source Code. EEC 521: Software Engineering. Specification-Based Testing. Advantages

COMP 430 Intro. to Database Systems. SQL from application code

Extended Program Invariants: Applications in Testing and Fault Localization

Implementing a List in Java. CSE 143 Java. Just an Illusion? List Interface (review) Using an Array to Implement a List.

Dynamic Inference of Change Contracts

Symbolic Execution. Wei Le April

Static and dynamic analysis: synergy and duality

The Design Recipe Fall 2018

An Extensive Study of Static Regression Test Selection in Modern Software Evolution

Top Down Design vs. Modularization

JASS Java with ASSertions Detlef Bartetzko, Clemens Fischer, Michael Möller, Heike Wehrheim. Presented by Florian Froese (froesef)

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Embedded SQL. csc343, Introduction to Databases Diane Horton with examples from Ullman and Widom Fall 2014

Automatically Identifying Special and Common Unit Tests for Object-Oriented Programs

Automatic Extraction of Abstract-Object-State Machines Based on Branch Coverage

Transcription:

Combined Static and Dynamic Automated Test Generation Sai Zhang University of Washington Joint work with: David Saff, Yingyi Bu, Michael D. Ernst 1

Unit Testing for Object-oriented Programs Unit test = sequence of method calls + testing oracle Automated test generation is challenging: Legal sequences for constrained interfaces Behaviorally-diverse sequences for good coverage Testing oracles (assertions) to detect errors 2

Unit Testing a Database Program public void testconnection() { Driver driver = new Driver(); Constraint 1: Method-call orders 1 2 3 } Connection connection = driver.connect("jdbc:tinysql"); Statement s = connection.createstmt(); s.execute("create table test (name char(25))");... s.close(); connection.close(); Constraint 2: Argument values It is hard to create tests automatically! 3

Palus: Combining Dynamic and Static Analyses Dynamically infer an object behavior model from a sample (correct) execution trace Capture method-call order and argument constraints Statically identify related methods Expand the (incomplete) dynamic model Model-Guided random test generation Fuzz along a specific legal path 4

Outline Motivation Approach Dynamic model inference Static model expansion Model-guided test generation Evaluation Related Work Conclusion and Future Work 5

Overview of the Palus approach Inputs: A Sample Trace Program Under Test Dynamic Model Inference Static Method Analysis Dynamic Model Method Dependence Guided Random Test Generation JUnit Theories Testing Oracles Outputs: JUnit Tests (Optional) 6

(1) Dynamic Model Inference Infer a call sequence model for each tested class Capture possible ways to create legal sequences A call sequence model A rooted, acyclic graph Node: object state Edge: method-call One model per class 7

An Example Trace for Model Inference Driver d = new Driver() Connection con = driver.connection( jdbc:dbname ); Statement stmt1 = new Statement(con); stmt1.executequery( select * from table_name ); stmt1.close(); Statement stmt2 = new Statement(con); stmt2.executeupdate( drop table table_name ); stmt2.close(); con.close(); 8

Model Inference for class Driver Driver d = new Driver(); Driver class A <init>() B 9

Model Inference for class Connection Connection con = driver.connect( jdbc:dbname ); Driver class A Connection class C <init>() Driver.connect( jdbc:dbname ) B D 10 Nested calls are omitted for brevity

Model Inference for class Connection Connection con = driver.connect( jdbc:dbname ); con.close(); Driver class A Connection class C <init>() Driver.connect( jdbc:dbname ) B D close() E 11 Nested calls are omitted for brevity

Model Inference for class Statement Statement stmt1 = new Statement(con); stmt1.executequery( select * from table_name ); stmt1.close(); Driver class Connection class Statement stmt1 12 <init>() A C F <init>(connection) Driver.connect( jdbc:dbname ) B D close() E G Construct a call sequence model for each observed object G executequery( select *.. ); H close()

Model Inference for class Statement Statement stmt2 = new Statement(con); stmt2.executeupdate( drop table table_name ); stmt2.close(); Driver class Connection class Statement stmt1 Statement stmt2 13 <init>() A C F I <init>(connection) Driver.connect( jdbc:dbname ) B D close() E G J executequery( select *.. ); executeupdate( drop *.. ); H G <init>(connection) K close() close() Construct a call sequence model for each observed object L

Merge Models of the Same class Merge Driver class Connection class Statement stmt1 Statement stmt2 14 <init>() A C F I <init>(connection) Driver.connect( jdbc:dbname ) B D close() <init>(connection) G J executequery( select *.. ); executeupdate( drop *.. ); E G Merge models for all objects to form one model per class H close() K L close()

Call Sequence Model after Merging Driver class Connection class <init>() A C Driver.connect( jdbc:dbname ) Statement class F <init>(connection) G B D executequery( select *.. ); executeupdate( drop *.. ); 15 E close() H close() G

Enhance Call Sequence Models with Argument Constraints F <init>(connection) G executequery( select *.. ); executeupdate ( drop *.. ); H close() G Statement class Invoking the constructor requires a Connection object But, how to choose a desirable Connection object? 16

Argument Constraints Argument dependence constraint Record where the argument object values come from Add dependence edges in the call sequence models Abstract object profile constraint Record what the argument value is Map each object field into an abstract domain as a coarse-grained measurement of value similarity 17

Argument Dependence Constraint Represent by a directed edge ( below) Means: transition F G has data dependence on node D, it uses the result object at the node D Guide a test generator to follow the edge to select argument <init> A B Driver class C Driver.connect( jdbc:dbname ) D E close() F <init>(connection) G executequery( select *.. ); H close() 18 Connection class Statement class G executeupdate( drop *.. );

Abstract Object Profile Constraint For each field in an observed object Map the concrete value an abstract state Numeric value > 0, = 0, < 0 Object = null,!= null Array empty, null, not_empty Bool /enum values not abstracted Annotate model edges with abstract object profiles of the observed argument values from dynamic analysis Guide test generator to choose arguments similar to what was seen at runtime 19

Annotate Model Edges with Abstract Object Profiles Class Connection contains 3 fields Driver driver; String url; String usr; All observed valid Connection objects have a profile like: {driver!= null, url!= null, usr!= null} Annotate the method-call edge: <init>(connection) Argument Connection s profile: {driver!= null, url!= null, usr!=null} Palus prefers to pick an argument with the same profile, when invoking : <init>(connection) 20

(2) Static Method Analysis Dynamic analysis is accurate, but incomplete May fail to cover some methods or method invocation orders Palus uses static analysis to expand the dynamicallyinferred model Identify related methods, and test them together Test methods not covered by the sample trace 21

Statically Identify Related Methods Two methods that access the same fields may be related (conservative) Two relations: Write-read: method A reads a field that method B writes Read-read: methods A and B reference the same field 22

Statically Recommends Related Methods for Testing Reach more program states Call setx() before calling getx() Make the sequence more behaviorally-diverse A correct execution observed by dynamic analysis will never contain: Statement.close(); Statement.executeQuery( ) But static analysis may suggest to call close() before executequery( ) 23

Weighting Pair-wise Method Dependence tf-idf weighting scheme [Jones, 1972] Palus uses it to measure the importance of a field to a method Dependence weight between two methods: 24

(3) Model-Guided Random Test Generation: A 2-Phase algorithm 25 Phase1: Loop: 1. Follow the dynamically-inferred model to select methods to invoke 2. For each selected method 2.1 Choose arguments using: - Argument dependent edge - Captured abstract object profiles - Random selection 2.2 Use static method dependence information to invoke related methods Phase 2: Randomly generate sequences for model-uncovered methods - Use feedback-directed random test generation [ICSE 07]

Specify Testing Oracles in JUnit Theory A project-specific testing oracle in JUnit theory @Theory public void checkiternoexception(iterator it) { assumenotnull(it); try { it.hasnext(); } catch (Exception e) { fail( hasnext() should never throw exception! ); } } Palus checks that, for every Iterator object, calling hasnext() should never throw exception! 26

Outline Motivation Approach Dynamic model inference Static model expansion Model-guided test generation Evaluation Related Work Conclusion and Future Work 27

Research Questions Can tests generated by Palus achieve higher structural coverage Can Palus find (more) real-world bugs? Compare with three existing approaches: 28 Approaches Dynamic Static Random Randoop [ICSE 07] Palulu [M-TOOS 06] RecGen [ASE 10] Palus (Our approach)

Subjects in Evaluating Test Coverage 6 open-source projects Program Lines of Code tinysql 7,672 SAT4J 9,565 JSAP 4,890 Rhino 43,584 BCEL 24,465 Apache Commons 55,400 Many Constraints Few Constraints 29

Experimental Procedure Obtain a sample execution trace by running a simple example from user manual, or its regression test suite Run each tool for until test coverage becomes saturated, using the same trace Compare the line/branch coverage of generated tests 30

Test Coverage Results Approaches Dynamic Static Random Avg Coverage Randoop [ICSE 07] 39% Palulu [M-TOOS 06] 41% RecGen [ASE 10] 30% Palus (Our approach) 53% 31 Palus increases test coverage Dynamic analysis helps to create legal tests Static analysis / random testing helps to create behaviorallydiverse tests Palus falls back to pure random approach for programs with few constraints (Apache Commons)

Evaluating Bug-finding Ability Subjects: The same 6 open-source projects 4 large-scale Google products Procedure: Check 5 default Java contracts for all subjects Write 5 simple theories as additional testing oracles for Apache Commons, which has partial spec 32

Finding Bugs in 6 open-source Projects Checking default Java language contracts: E.g., for a non-null object o: o.equals(o) returns true Dynamic Static Random Bugs Randoop [ICSE 07] 80 Palulu [M-TOOS 06] 76 RecGen [ASE 10] 42 Palus (Our approach) 80 Finds the same number of bugs as Randoop 33 Writing additional theories as testing oracle Palus finds one new bug in Apache Commons FilterListIterator.hasNext() throws exception Confirmed by Apache Commons developers

Finding Bugs in 4 Google Products 4 large-scale Google products Google Product Number of tested classes Product A 238 Product B 600 Product C 1,269 Product D 1,455 Each has a regression test suite with 60%+ coverage Go through a rigorous peer-review process 34

Palus Finds More Bugs Palus finds 22 real, previously-unknown bugs Dynamic Static Random Bugs Randoop [ICSE 07] 19 Palulu [M-TOOS 06] 18 RecGen [ASE 10] -- Palus (Our approach) 22 3 more than existing approaches 35 Primary reasons: Fuzz a long specific legal path Create a legal test, diversify it, and reach program states that have not been reached before

Outline Motivation Approach Dynamic model inference Static model expansion Model-guided test generation Evaluation Related Work Conclusion and Future Work 36

37 Related Work Automated Test Generation Random approaches: Randoop [ICSE 07], Palulu [M-Toos 06], RecGen[ASE 10] Challenge in creating legal / behaviorally-diverse tests Systematic approaches: Korat [ISSTA 02], Symbolic-executionbased approaches (e.g., JPF, CUTE, DART, KLEE ) Scalability issues; create test inputs, not object-oriented method sequences Capture-replay -based approaches: OCAT [ISSTA 10], Test Factoring [ASE 05] and Carving [FSE 05] Save object states in memory, not create method sequences Software Behavior Model Inference Daikon [ICSE 99], ADABU [WODA 06], GK-Tail [ICSE 08] For program understanding, not for test generation

Outline Motivation Approach Dynamic model inference Static model expansion Model-guided test generation Evaluation Related Work Conclusion and Future Work 38

Future Work Investigate alternative ways to use program analysis techniques for test generation How to better combine static/dynamic analysis? What is a good abstraction for automated test generation tools? We use an enhanced call sequence model in Palus, what about other models? Explain why a test fails Automated Documentation Inference [ASE 11 to appear] Semantic test simplification 39

Contributions A hybrid automated test generation technique Dynamic analysis: infer model to create legal tests Static analysis: expand dynamically-inferred model Random testing: create behaviorally-diverse tests A publicly-available tool http://code.google.com/p/tpalus/ An empirical evaluation to show its effectiveness Increases test coverage Finds more bugs 40

Backup slides

Sensitivity to the Inputs Investigate on two subjects: tinysql and SAT4J Subject Input Size Coverage tinysql 10 SQL Statements 59% ALL Statements from Manual 61% SAT4J A 5-clause formula 65% A 188-clause formula 66% A 800-clause formula 66% This approach is not very sensitive to the inputs Not too many constraints in subjects?

Breakdown of Contributions in Coverage Increase

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback