Automated Test-Input Generation

Similar documents
Automated Software Testing in the Absence of Specifications

assertion-driven analyses from compile-time checking to runtime error recovery

An Empirical Study of Structural Constraint Solving Techniques

Korat: Automated Testing Based on Java Predicates. Jeff Stuckman

Evolving Testing and Analysis for Evolving Software Tao Xie Peking University ( ), China North Carolina State University Raleigh, NC, USA

Achievements and Challenges

Efficient Solving of Structural Constraints

Korat: Automated Testing Based on Java Predicates

Automatic Test Generation. Galeotti/Gorla/Rau Saarland University

Repairing Structurally Complex Data

Detecting Redundant Unit Tests for AspectJ Programs

Symbolic Execution, Dynamic Analysis

Model Checking with Abstract State Matching

Rigorous Software Development CSCI-GA

Symbolic and Concolic Execution of Programs

Automatic Extraction of Abstract- Object-State Machines Based on Branch Coverage

Using Coverage Criteria on RepOK to Reduce Bounded-Exhaustive Test Suites

ITI Introduction to Computing II

ITI Introduction to Computing II

State Extensions for Java PathFinder

Bounded Exhaustive Test-Input Generation on GPUs

PKorat: Parallel Generation of Structurally Complex Test Inputs

CUTE: A Concolic Unit Testing Engine for C

JPF SE: A Symbolic Execution Extension to Java PathFinder

! Tree: set of nodes and directed edges. ! Parent: source node of directed edge. ! Child: terminal node of directed edge

A survey of new trends in symbolic execution for software testing and analysis

Combined Static and Dynamic Automated Test Generation

Automatic Extraction of Abstract-Object-State Machines Based on Branch Coverage

Automatically Identifying Special and Common Unit Tests for Object-Oriented Programs

Compositional Symbolic Execution through Program Specialization

Testing, Debugging, Program Verification

Feedback-directed Random Test Generation

STARC: Static Analysis for Efficient Repair of Complex Data

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing

An incremental approach to scope-bounded checking using a lightweight formal method

Data abstractions: ADTs Invariants, Abstraction function. Lecture 4: OOP, autumn 2003

Generic BST Interface

We have the pointers reference the next node in an inorder traversal; called threads

Data Structures. Giri Narasimhan Office: ECS 254A Phone: x-3748

Generation of Test Data Structures Using Constraint Logic Programming

Mutually Enhancing Test Generation and Specification Inference

DART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley

Universal Symbolic Execution and its Application to Likely Data Structure Invariant Generation

A Case for Efficient Solution Enumeration

Christoph Csallner, University of Texas at Arlington (UTA)

Profile-Guided Program Simplification for Effective Testing and Analysis

Tree: non-recursive definition. Trees, Binary Search Trees, and Heaps. Tree: recursive definition. Tree: example.

Fitness-Guided Path Exploration in Dynamic Symbolic Execution

Fitness-Guided Path Exploration in Automated Test Generation

More About Heaps. 14 June 2017 OSU CSE 1

TWO main approaches used to increase software quality

! Tree: set of nodes and directed edges. ! Parent: source node of directed edge. ! Child: terminal node of directed edge

Computer Science II Fall 2009

An Incremental Approach to Scope-Bounded Checking Using a Lightweight Formal Method

Prelim 2. CS 2110, 16 November 2017, 7:30 PM Total Question Name Short Heaps Tree Collections Sorting Graph

CMSC 341 Lecture 10 Binary Search Trees

Incremental Evaluation of OCL invariants in the Essential MOF object model

IAENG International Journal of Computer Science, 41:3, IJCS_41_3_06. Automated Test Generation for Object-Oriented Programs with Multiple Targets

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

Concolic Testing of Sequential and Concurrent Programs

a graph is a data structure made up of nodes in graph theory the links are normally called edges

From Symbolic Execution to Concolic Testing. Daniel Paqué

CUTE: A Concolic Unit Testing Engine for C

Consider the search operation FindKey (): find an element of a particular key value in a binary tree. This operation takes O(n) time in a binary

Automatic Software Verification

CS 206 Introduction to Computer Science II

DART: Directed Automated Random Testing

Prelim 2 SOLUTION. CS 2110, 16 November 2017, 7:30 PM Total Question Name Short Heaps Tree Collections Sorting Graph

Bounded Exhaustive Test Input Generation from Hybrid Invariants

Symbolic Execution of Java Byte-code. Corina Pãsãreanu Perot Systems/NASA Ames Research

Prelim 2 Solution. CS 2110, November 19, 2015, 5:30 PM Total. Sorting Invariants Max Score Grader

Binary Decision Diagrams

Emblematic Execution for Software Testing based on DART AND CUTE

Lecture 23: Binary Search Trees

Programming Languages and Techniques (CIS120)

CIS 120 Midterm I February 16, 2015 SOLUTIONS

HEAPS & PRIORITY QUEUES

Data Structures in Java

Automated Testing of Cloud Applications

Section 1: True / False (2 points each, 30 pts total)

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

CS 135 Winter 2018 Tutorial 7: Accumulative Recursion and Binary Trees. CS 135 Winter 2018 Tutorial 7: Accumulative Recursion and Binary Trees 1

Software Model Checking. Xiangyu Zhang

IC-Cut: A Compositional Search Strategy for Dynamic Test Generation

Trees. Chapter 6. strings. 3 Both position and Enumerator are similar in concept to C++ iterators, although the details are quite different.

Exploiting Synergy Between Testing and Inferred Partial Specifications

Fig. 1. Syntax of MPIL

182 review 1. Course Goals

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Abstract vs concrete data structures HEAPS AND PRIORITY QUEUES. Abstract vs concrete data structures. Concrete Data Types. Concrete data structures

Total Score /1 /20 /41 /15 /23 Grader

Finite State Verification. CSCE Lecture 21-03/28/2017

Rostra: A Framework for Detecting Redundant Object-Oriented Unit Tests

Announcements HEAPS & PRIORITY QUEUES. Abstract vs concrete data structures. Concrete data structures. Abstract data structures

4.1 Review - the DPLL procedure

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Concolic Testing of Functional Logic Programs

Software Testing CS 408. Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18

void insert( Type const & ) void push_front( Type const & )

Prelim 2 SOLUTION. 5:30 PM, 25 April Total Question Name Short Search/ Collections Trees Graphs

Transcription:

Automated Test-Input Generation Tao Xie North Carolina State University Department of Computer Science Nov 2005 http://www.csc.ncsu.edu/faculty/xie/

Why Automate Testing? Software testing is important Software errors cost the U.S. economy about $59.5 billion each year (0.6% of the GDP) [NIST 02] Improving testing infrastructure could save 1/3 cost Software testing is costly Account for even half the total cost of software development [Beizer 90] Automated testing reduces manual testing effort Test execution:junit framework Test generation: Parasoft Jtest, AgitarAgitator, etc. Test-behavior inspection: Agitar Agitator

Software Quality Assurance Static analysis Theorem proving Model checking Testing Adapted from Doron Peled s slide

Software Quality Assurance Static analysis Theorem proving Model checking Testing Adapted from Doron Peled s slide

Binary Search Tree Example public class BST implements Set { static class Node { int val; Node left; Node right; Node root; int size; public void insert (int value) { public void remove (int value) { public bool contains (int value) {

Approaches Method-sequence exploration Parasoft Jtest 4.5 and others Specification-based state exploration TestEra [Marinov&Khurshid ASE 01], Korat [Boyapati et al. ISSTA 02] Concrete-state exploration Rostra [Xie et al. ASE 04], NASA JPF [Visser et al. ISSTA 04] Symbolic-state exploration Symstra [Xie et al. TACAS 05]

Exploring Method Sequences Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3), contains(1)

Exploring Method Sequences Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3), contains(1) insert(3) contains(1) insert(1) remove(2) insert(2) remove(1) remove(3) Iteration 1

Exploring Method Sequences Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3), contains(1) insert(3) contains(1) insert(1) remove(2) insert(2) remove(1) remove(3) insert(1) contains(1) Iteration 2

Generating Tests from Exploration Collect method sequence along the shortest path (constructor-call edge each method-call edge) insert(3) contains(1) insert(1) remove(2) insert(2) remove(1) remove(3) insert(1) contains(1) BST t = ; t.insert(1); t.insert(1); Iteration 2

Pruning State-Preserving Methods Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3), contains(1) insert(3) contains(1) insert(1) remove(2) insert(2) remove(1) remove(3) insert(1) contains(1) Iteration 2

Pruning State-Preserving Methods Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3), contains(1) contains(1) insert(3) insert(1) remove(2) insert(2) remove(1) remove(3) insert(1) contains(1) Iteration 2

Observation Some method sequences lead receiver object states back to earlier explored states contains(1) insert(3) insert(1) remove(2) insert(2) remove(1) remove(3) insert(1) remove(1) contains(1) Iteration 2

Rationale Focus on each method execution individually When method executions are deterministic, unnecessary to test a method with the same inputs (same inputs same behavior) method inputs: incoming program states receiver-object state: transitively-reachable-field values arguments

Binary Search Tree Example public class BST implements Set { //@ invariant //@ repok(); Node root; // class invariant for BST int size; public void insert (int value) { public void remove (int value) { public bool contains (int value) { If receiver-object states are directly constructed, we need to have a way to know valid object states defined by a Java predicate: repok

repok(class Invariant) boolean repok() { if (root == null) return size == 0; // empty tree has size 0 Set visited = new HashSet(); visited.add(root); List worklist = new LinkedList(); worklist.add(root); while (!worklist.isempty()) { Node current = (Node)workList.removeFirst(); if (current.left!= null) { if (!visited.add(current.left)) return false; // acyclicity worklist.add(current.left); if (current.right!= null) { if (!visited.add(current.right)) return false; // acyclicity worklist.add(current.right); if (visited.size()!= size) return false; // consistency of size if (!isordered(root)) return false; // data is ordered return true;

Korat [Boyapatiet al. ISSTA 02] Given predicate p and finitization f, generate all inputs for which p returns true uses finitizationto define input space e.g., defines #nodes and what values can be on a BST node. systematically explores valid input space prunes input space using field accesses 1 right 1 right 3 left 3 left left 2 right 2 right 3 2 3 left 1 right 2 1 2 left 1 3 3 nodes Node vals: {1, 2, 3

Korat ssmart Search candidate is a vector of field domain indices for each candidate vector, Korat creates corresponding structure invokes repok and monitors the execution builds field ordering, i.e., list of fields ordered by time of first access if repok returns true, outputs structure(s) if repok returns false, backtracks on the last field accessed using field ordering BST N0 N1 N2 left N1 N0 right N2 root size val left right val left right val left right [ N0, 3, 1, N1, N1, 2, null, null, 3, null, null ]

What if repok is not there Then direct construction of valid object states seem impossible Solution: fall back to building valid object states with method sequences but in a smarter way method-sequence exploration assume a state-modifying method leads to a new object state explicit-state exploration inspect whether an object state is actually new (defined by transitively-reachable-field values)

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3)

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3) remove(1) remove(2) remove(3) insert(1) insert(2) insert(3) 1 2 3 Iteration 1

Exploring Concrete States Method arguments: insert(1), insert(2), insert(3), remove(1), remove(2), remove(3) remove(1) remove(1) remove(2) remove(3) insert(1) remove(2) remove(3) insert(1) 1 insert(2) 2 insert(3) 3 insert(2) 1 insert(3) 1 2 3 Iteration 2

Generating Tests from Exploration Collect method sequence along the shortest path (constructor-call edge each method-call edge) remove(1) remove(2) remove(3) insert(1) insert(1) 1 insert(2) 2 insert(3) remove(1) remove(2) remove(3) 3 insert(2) 1 1 insert(3) BST t = ; t.insert(1); t.insert(3); 2 3

Improvement over Method-Sequence Exploration Industry standard tool adopting previous approach based on method sequences Parasoft Jtest 4.5 www.parasoft.com Generate tests with method-call lengths up to three UseJtestto generate tests for 11 Java classes from various sources most are complex data structures Apply Rostra on the Jtest-generated tests 90% of generated tests are redundant, i.e., 90% tests contain no new method inputs

Issues of Concrete-State Exploration State explosion need at least N different insert arguments to reach a BST with size N run out of memory when N reaches 7 Relevant-argument determination assume a set of given relevant arguments e.g., insert(1), insert(2), insert(3), etc.

Exploring Concrete States insert(1) insert(2) insert(3) 1 2 3 insert(2) 1 2 insert(3) 1 3 Iteration 2

State Abstraction: Symbolic States insert(1) insert(2) insert(3) insert() 1 2 3 insert(2) 1 2 insert(3) 1 3 Iteration 2

State Abstraction: Symbolic States insert(1) 1 insert(2) insert(3) 2 3 insert() insert(2) 1 insert(3) 1 insert(x2) < x2 2 3 x2 Iteration 2

Symbolic Execution Execute a method on symbolic input values inputs: insert(symbolicint x) Explore paths of the method PC: P PC: P && Q Build a path condition for each path conjunct conditionals or their negations if (P)...; if (Q)...; Produce symbolic states (<heap, path condition>) e.g., < x2 x2

Symbolic Execution Example public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... else if (t.value > x) { //explore the left subtree... else return; size++;

Exploring Symbolic States public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... else if (t.value > x) { //explore the left subtree... else return; size++; S1 true

Exploring Symbolic States public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... else if (t.value > x) { //explore the left subtree... else return; size++; S1 S2 true true insert() Iteration 1

Exploring Symbolic States public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... S1 S2 true true insert() else if (t.value > x) { //explore the left subtree... else return; size++; S3 < x2 insert(x2) Iteration 2 x2

Exploring Symbolic States public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... S1 S2 true true insert() else if (t.value > x) { //explore the left subtree... else return; size++; S3 < x2 insert(x2) S4 > x2 Iteration 2 x2 x2

Exploring Symbolic States public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... S1 S2 true true insert() else if (t.value > x) { //explore the left subtree... else return; size++; S3 S4 insert(x2) S5 < x2 > x2 = x2 Iteration 2 x2 x2

Which States to Explore Next? public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... S1 S2 true true insert() else if (t.value > x) { //explore the left subtree... else return; size++; S3 S4 insert(x2) < x2 > x2 S5 = x2 Iteration 3 x2 x2?

Symbolic State Subsumption Symbolic state S2:<H2,c2> subsumes S5:<H5,c5> Heaps H2 and H5 are isomorphic Path condition c5 c2 [checked using CVC Lite, Omega] If S2 has been explored, S5 is pruned. Still guarantee path coverage within a method S2 ( = x2) true S5 Symbolic states true = x2 subsumes Concrete states 1 2 3 superset of 1 2 3

Pruning Symbolic State public void insert(symbolicint x) { if (root == null) { root = new Node(x); else { Node t = root; while (true) { if (t.value < x) { //explore the right subtree... S1 S2 true true insert() else if (t.value > x) { //explore the left subtree... else return; size++; S3 S4 insert(x2) S5 < x2 > x2 = x2 Iteration 3 x2 x2 Pruned!

Generating Tests from Exploration Collect method sequence along the shortest path (constructor-call edge each method-call edge) Generate concrete arguments by using a constraint solver [POOC] S1 S2 true true insert() BST t = ; t.insert(); t.insert(x2); < x2 BST t = ; t.insert(-1000000); t.insert(-999999); insert(x2) S3 S4 S5 < x2 > x2 = x2 x2 x2

Improvement over Concrete-State Exploration Focus on the key methods (e.g., add, remove) Generate tests up to 8 iterations Concrete-State vs. Symstra Measure #states, time, and branch coverage Experimental results show Symstra effectively reduces the state space for exploration reduces the time for achieving branch coverage

Statistics of Some Programs class BinarySearchTree BinomialHeap LinkedList TreeMap N 6 7 8 6 7 8 6 7 8 6 7 8 Concrete-State Time #states (sec) 23 731 51 412 12 42 Out of Memory 3036 Out of Memory 9331 Out of Memory 185 537 Out of Memory %cov (branch) 100 84 100 83 84 Time (sec) 29 137 318 3 4 9 0.6 0.8 1 8 19 63 Symstra #states %cov (branch) 197 100 626 100 1458 100 7 84 8 90 9 91 7 100 8 100 9 100 28 83 59 84 111 84

Summary Method-sequence exploration Parasoft Jtest 4.5 and others Specification-based state exploration TestEra [Marinov&Khurshid ASE 01], Korat [Boyapati et al. ISSTA 02] Concrete-state exploration Rostra [Xie et al. ASE 04], NASA JPF [Visser et al. ISSTA 04] Symbolic-state exploration Symstra [Xie et al. TACAS 05] More recently: concolic-state exploration DART [Godefroid et al. PLDI 05], EGT [Cadar&Engler SPIN 05], CUTE [Senet al. FSE 05]

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback