Testing & Symbolic Execution

Similar documents
Testing, Fuzzing, & Symbolic Execution

CS 520 Theory and Practice of Software Engineering Fall 2018

Symbolic Execution. Wei Le April

Part I: Preliminaries 24

Symbolic and Concolic Execution of Programs

A short manual for the tool Accumulator

Software Testing. Testing: Our Experiences

6.0 ECTS/4.5h VU Programm- und Systemverifikation ( ) June 22, 2016

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

6. Test-Adequacy. Assessment Using Control Flow and Data Flow. Andrea Polini

Facts About Testing. Cost/benefit. Reveal faults. Bottom-up. Testing takes more than 50% of the total cost of software development

n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!

Subject Software Testing Structural Testing

MTAT : Software Testing

Testing Methods: White Box Testing II

MTAT : Software Testing

Static Analysis and Bugfinding

What is Mutation Testing? Mutation Testing. Test Case Adequacy. Mutation Testing. Mutant Programs. Example Mutation

MTAT : Software Testing

Testing Role in Unified Approach Coverage: Structural/Coverage Model Based Test Generation from Model Checking (project) Interaction of

White Box Testing III

Introduction to Dynamic Analysis

Three Important Testing Questions

Second assignment came out Monday evening. Find defects in Hnefetafl rules written by your classmates. Topic: Code Inspection and Testing

Test Automation. 20 December 2017

Testing Tactics. Structural Testing. Why Structural? Why Structural? Functional black box. Structural white box. Functional black box

Advanced Test Coverage Criteria: Specify and Measure, Cover and Unmask

Symbolic Execu.on. Suman Jana

CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution

Software has bugs. Static analysis 4/9/18. CYSE 411/AIT681 Secure Software Engineering. To find them, we use testing and code reviews

CMSC 430 Introduction to Compilers. Fall Symbolic Execution

Abstract Interpretation

Counterexample-Driven Genetic Programming

Written exam TDDD04 Software Testing

Testing: Test design and testing process

Test Design Techniques ISTQB (International Software Testing Qualifications Board)

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Properties of Criteria. 1. Applicability Property. Criteria

Structural Testing. (c) 2007 Mauro Pezzè & Michal Young Ch 12, slide 1

Using the code to measure test adequacy (and derive test cases) Structural Testing

Satisfiability Modulo Theories: ABsolver

EECS 481 Software Engineering Exam #1. You have 1 hour and 20 minutes to work on the exam.

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Automated White-Box Testing Beyond Branch Coverage

Software Testing for Developer Development Testing. Duvan Luong, Ph.D. Operational Excellence Networks

Class 17. Discussion. Mutation analysis and testing. Problem Set 7 discuss Readings

Software Quality Assurance. David Janzen

CMPT 473 Software Quality Assurance. Graph Coverage. Nick Sumner

Symbolic Execution, Dynamic Analysis

CUTE: A Concolic Unit Testing Engine for C

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012

An Introduction to Satisfiability Modulo Theories

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Structural Testing. Testing Tactics. Why Structural? Structural white box. Functional black box. Structural white box. Functional black box

CMSC 631 Program Analysis and Understanding. Spring Symbolic Execution

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Software Testing TEST CASE SELECTION AND ADEQUECY TEST EXECUTION

Advanced Software Testing Understanding Code Coverage

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Lecture 18: Structure-based Testing

Symbolic Execution for Bug Detection and Automated Exploit Generation

Information page for written examinations at Linköping University

Programming Embedded Systems

Testing, Debugging, Program Verification

A survey of new trends in symbolic execution for software testing and analysis

Automatic Software Verification

OpenMath and SMT-LIB

Analysis/Bug-finding/Verification for Security

Verifying C & C++ with ESBMC

18-642: Unit Testing 1/31/ Philip Koopman

Automated Requirements-Based Testing

Fault-based testing. Automated testing and verification. J.P. Galeotti - Alessandra Gorla. slides by Gordon Fraser. Thursday, January 17, 13

Mutation Testing. Leaving the Stone Age

Test Oracles and Mutation Testing. CSCE Lecture 23-11/18/2015

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Specification Centered Testing

Manuel Oriol, CHCRC-C, Software Testing ABB

MONIKA HEINER.

In this Lecture you will Learn: Testing in Software Development Process. What is Software Testing. Static Testing vs.

Structural Testing. White Box Testing & Control Flow Analysis

Reducing Verification Costs through Practical Formal Methods: A Survey

Symbolic Execution. Michael Hicks. for finding bugs. CMSC 631, Fall 2017

Testing Objectives. Successful testing: discovers previously unknown errors

MTAT : Software Testing

Information page for written examinations at Linköping University

Program Analysis and Constraint Programming

Ingegneria del Software Corso di Laurea in Informatica per il Management

MTAT : Software Testing

CMPSCI 521/621 Homework 2 Solutions

Introduction to Software Engineering

MLSA: a static bugs analysis tool based on LLVM IR

Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt

GraphicsFuzz. Secure and Robust Graphics Rendering. Hugues Evrard Paul Thomson

Testing: Coverage and Structural Coverage

TermComp Proposal: Pushdown Systems as a Model for Programs with Procedures

Introduction to Problem Solving and Programming in Python.

Lecture Notes on Real-world SMT

Testing Theory. Agenda - What will you learn today? A Software Life-cycle Model Which part will we talk about today? Theory Lecture Plan

Runtime Checking and Test Case Generation for Python

Transcription:

Testing & Symbolic Execution

Software Testing The most common way of measuring & ensuring correctness Input 2

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior 3

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle 4

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome 5

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome Test Suite Test 1 Test 2 Test 3 Test 4 Test 5 Test 6 Test 7 6

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome Key Issues: Are the tests adequate? Test Suite Test 1 Test 2 Test 3 Test 4 Test 5 Test 6 Test 7 7

Software Testing The most common way of measuring & ensuring correctness Input? Observed Behavior Oracle Outcome Key Issues: Are the tests adequate? Automated input generation Test Suite Test 1 Test 2 Test 3 Test 4 Test 5 Test 6 Test 7 8

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome Key Issues: Are the tests adequate? Automated input generation Automated oracles Test Suite Test 1 Test 2 Test 3 Test 4 Test 5 Test 6 Test 7 9

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome Test 1 Are the tests adequate? Test 2 Test 3 Automated input generation Test 4 Automated oracles Test 5 Test 6 Robustness / flakiness / maintainability Test 7 Key Issues: Test Suite 10

Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior Oracle Outcome Test 1 Are the tests adequate? Test 2 Test 3 Automated input generation Test 4 Automated oracles Test 5 Test 6 Robustness / flakiness / maintainability Test 7... Key Issues: Test Suite 11

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? 12

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage def my_lovely_fun(a,b,c): if (a && b) c: Is each statement executed by at least one test in the test suite? else: print('awesome') score= # covered # statements 13

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage score= # covered # branches def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') b T a c F 14

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage More common in safety critical systems where full coverage may be required. def my_lovely_fun(a,b,c): if (a & b) c: else: print('awesome') 15

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage def my_lovely_fun(a,b,c): if (a & b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') 16

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage # covered/killed score= # non-equivalent mutants def my_lovely_fun(a,b,c): if (a & b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') def my_lovely_fun(a,b,c): if (a && b) c: else: print('awesome') 17

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage Path Coverage B E ENTRY A D C F EXIT 18

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage Path Coverage Can apply EPP! B E ENTRY A D C F EXIT 19

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage Path Coverage... 20

Test Suite Adequacy Questions Is a test suite good enough? What parts of software need to be tested better? Metrics Statement Coverage Branch Coverage MC/DC Coverage Mutation Coverage Path Coverage BUT reducing test suites for St, Br, MC/DC coverage decrease defect detection! 21

Generating Inputs Sample all possible inputs for test in allpossibleinputs: check_test(test) 22

Generating Inputs Sample all possible inputs for test in allpossibleinputs: check_test(test) Target specific goals or other coverage criteria for s in statements: test = findtestthrough(s) check_test(test) 23

Generating Inputs Sample all possible inputs for test in allpossibleinputs: check_test(test) Target specific goals or other coverage criteria for s in statements: test = findtestthrough(s) check_test(test) for i in inputmodel: test = findrepresentative(i) check_test(test) 24

Generating Inputs Usually broken into black box & white box approaches 25

Generating Inputs Usually broken into black box & white box approaches Black Box Treat the program as opaque / unknown e.g. specification based, naive fuzzing, boundary value analysis,... 26

Generating Inputs Usually broken into black box & white box approaches Black Box Treat the program as opaque / unknown White Box Program structure & semantics can be used e.g. symbolic execution, call chain synthesis, white box fuzzing, boundary value analysis,... 27

Generating Oracles? 28

Generating Oracles Likely invariants? Careful variable selection & monitoring? Differential Testing Metamorphic Testing A very open (hard) problem. 29

Interesting Problems Random Testing Test Suite Adequacy Test Suite Minimization Test Generation Oracle Generation Test Maintenance Performance Testing Field Testing Power Testing Test Prioritization... 30

Interesting Problems Random Testing Test Suite Adequacy Test Suite Minimization Test Generation Oracle Generation Test Maintenance Performance Testing Field Testing Power Testing Test Prioritization... Test generation techniques have also proven to be critical in security research. 31

Symbolic Execution An approach for generating test inputs. Cadar & Sen, 2013 x input() y input() if x == 2*y if x > y+10 32

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 33

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 34

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 x = 2*y y > 10 Path Constraint 35

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 A path constraint represents all executions along that path x = 2*y y > 10 Path Constraint 36

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Solve for the symbolic symbols to find inputs that yield the path. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 x=30 y=15 37

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Solve for the symbolic symbols to find inputs that yield the path. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 x=30 y=15 x=2 y=1 38

Symbolic Execution An approach for generating test inputs. Replace the concrete inputs of a program with symbolic values Execute along a path using the symbolic values to build a formula over the input symbols. Solve for the symbolic symbols to find inputs that yield the path. Cadar & Sen, 2013 x symbolic() y symbolic() if x == 2*y if x > y+10 x=30 y=15 x=2 y=1 x=0 y=1 39

How Can We Solve Constraints? SMT Solvers Satisfiability Modulo Theories SAT with extra logic Standard interfaces through SMTLIB2 40

How Can We Solve Constraints? SMT Solvers Satisfiability Modulo Theories SAT with extra logic Standard interfaces through SMTLIB2 x = 2*y y > 10 (declare-const x Int) (declare-const y Int) (assert (= x (* 2 y))) (assert (> y 10)) (check-sat) (get-model) 41

How Can We Solve Constraints? SMT Solvers Satisfiability Modulo Theories SAT with extra logic Standard interfaces through SMTLIB2 x = 2*y y > 10 (declare-const x Int) (declare-const y Int) (assert (= x (* 2 y))) (assert (> y 10)) (check-sat) (get-model) Z3 42

How Can We Solve Constraints? SMT Solvers Satisfiability Modulo Theories SAT with extra logic Standard interfaces through SMTLIB2 x = 2*y y > 10 (declare-const x Int) (declare-const y Int) (assert (= x (* 2 y))) (assert (> y 10)) (check-sat) (get-model) x=22 y=11 Z3 sat (model (define-fun y () Int 11) (define-fun x () Int 22) ) 43

How Can We Solve Constraints? SMT Solvers Satisfiability Modulo Theories SAT with extra logic Standard interfaces through SMTLIB2 x = 2*y y > 10 (declare-const x Int) (declare-const y Int) (assert (= x (* 2 y))) (assert (> y 10)) (check-sat) (get-model) x=22 y=11 Z3 sat (model (define-fun y () Int 11) (define-fun x () Int 22) ) Try it online: 44 http://www.rise4fun.com/z3/tutorial/

Useful Questions If ɸ holds after a statement, what must have been true at the point before? weakest precondition 45

Useful Questions If ɸ holds after a statement, what must have been true at the point before? weakest precondition If ɸ holds before a statement, what can we guarantee to be true after? strongest poscondition 46

Useful Questions If ɸ holds after a statement, what must have been true at the point before? weakest precondition If ɸ holds before a statement, what can we guarantee to be true after? strongest poscondition e.g. Given two versions of a program v1,v2 and assertions on output ɸi in each from an input I What is wp(ɸ1) wp(ɸ2)? 47

Useful Questions If ɸ holds after a statement, what must have been true at the before? weakest precondition If ɸ holds before a statement, what can we guarantee to be true after? strongest poscondition e.g. Given two versions of a program v1,v2 and assertions on output ɸi in each from an input I What is wp(ɸ1) wp(ɸ2)? wp(ɸ1) wp(ɸ2) 48

Useful Questions If ɸ holds after a statement, what must have been true at the before? weakest precondition If ɸ holds before a statement, what can we guarantee to be true after? strongest poscondition e.g. Given two versions of a program v1,v2 and assertions on output ɸi in each from an input I What is wp(ɸ1) wp(ɸ2)? wp(ɸ1) wp(ɸ2) What is the intuitive meaning? 49

Exploring the Execution Tree The possible paths of a program form an execution tree. x input() y input() Cadar & Sen, 2013 if x == 2*y if x > y+10 50

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. x input() y input() if x == 2*y Cadar & Sen, 2013 if x > y+10 51

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 52

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 53

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 54

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 (x=2*y) (x>y+10) 55

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 (x=2*y) (x>y+10) 56

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 57

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) Execution Generated Testing x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 58

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches Concolic (dynamic symbolic) Execution Generated Testing x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 X=? y=10 59

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches X=20 Concolic (dynamic symbolic) y=10 Execution Generated Testing x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 X=? 20 y=10 60

Exploring the Execution Tree The possible paths of a program form an execution tree. Traversing the tree will yield tests for all paths. Mechanizing the traversal yields two main approaches X=20 Concolic (dynamic symbolic) y=10 Execution Generated Testing Execution on this side is concrete from this point on. x input() y input() if x == 2*y if x > y+10 Cadar & Sen, 2013 X=? 20 y=10 61

Symbolic Execution Increasingly scalable every year 62

Symbolic Execution Increasingly scalable every year Can automatically generate test inputs from constraints 63

Symbolic Execution Increasingly scalable every year Can automatically generate test inputs from constraints The resulting symbolic formulae have many uses beyond just testing. 64

Symbolic Execution Increasingly scalable every year Can automatically generate test inputs from constraints The resulting symbolic formulae have many uses beyond just testing. Try it out: 1) https://github.com/klee/klee 2) Symbolic PathFinder 3) http://research.microsoft.com/pex/ 4) http://angr.io/ 65

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback