lect-7-symbolic-testing-and-more

# lect-7-symbolic-testing-and-more - CFG for(edge coverage 2...

This preview shows pages 1–4. Sign up to view the full content.

4/19/2011 1 CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011 CFG for (edge) coverage x >? y x = x + y y = x – y x = x – y x >? y assert(false) end 2 Test inputs {[x=1;y=0],[x=0;y=1]} Cover 6/7 edges, 86% Which edge isn’t covered? Can it be covered? With what test input? Symbolic execution [x= ;y= ] x >? y x = x + y y = x – y x = x – y x >? y assert(false) end [ ] [x= +  y= ] [x= + y= ] [x= y= ] [ > ] [x=  y= ] Is > ever here? 3 [ ] [x=  y= ] [ > ] if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert(false) } What’s really going on? Create a symbolic execution tree Explicitly track path conditions Solve path conditions – “how do you get to this point in the execution tree?” – to defines test inputs Goal: define test inputs that reach all reachable statements 4 [true] x=  y= [true] >? [ > ] x= + [ > ] x=  y= [ > ] >? [ >  > ] “false” [ >  ] end [ ] end 503 11sp © UW CSE • D. Notkin >  > has no solution, so the assert statement can never be executed

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
4/19/2011 2 int double (int v){ return 2*v; } void testme (int x, int y){ z = double (y); if (z == x) { if (x > y+10) { ERROR; } } } Another example (Sen and Agha) 5 [true] x=  y= [true] z=2* [true] 2* ==? [2* = ] >? +10 [2* =  > +10] error [2* =  +10] end [2* ] end Error: possible by solving equations 2* = > +10 2* = 2* > +10 2* = >10 2* = >10 Any solution to this will cause the error state to be reached {x=22, y=11}, {x=200, y=100}, … 6 503 11sp © UW CSE • D. Notkin OK, do this in small groups for… 503 11sp © UW CSE • D. Notkin 7 if x ≠ 0 then y := 5; else z := z - x; endif; if z > 1 then z := z / x; else z := 0; end 8 if x ≠ 0 then y := 5; else z := z - x; endif; if z > 1 then z := z / x; else z := 0; end [true] x=  y=  z= x≠0? [x≠0] x=  y=5 z= [x=0] x=0 y=  z= [true] ((x≠0 y=5) (x=0 y= )) z= z>?1 [z>1] (x≠0 y=5 z= /x) (x=0 y=  z= /0) [z≤1] x=0 y=  z=0 [true] (x≠0 y=5 z= /x) (x=0 y=  z=0)
4/19/2011 3 Way cool – we’re done! First example can’t reach assert(false) , and it’s easy to reach end via both possible paths Second example: can reach error and end via both possible paths Third example: can avoid edge coverage weakness Well, what if we can’t solve the path conditions? Some arithmetic, some recursion, some loops, some pointer expressions, etc. We’ll see an example What if we want specific test cases? 9 503 11sp © UW CSE • D. Notkin Concolic testing: Sen et al. Basically, combine concrete and symbolic execution More precisely… Generate a random concrete input Execute the program on that input both concretely and symbolically simultaneously Follow the concrete execution and maintain the path conditions along with the corresponding symbolic execution

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### Page1 / 12

lect-7-symbolic-testing-and-more - CFG for(edge coverage 2...

This preview shows document pages 1 - 4. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online