lect-7-symbolic-testing-and-more

CSE503: SOFTWARE ENGINEERING
SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE!
David Notkin
Spring 2011
4/19/2011
503 11sp © UW CSE • D. Notkin

CFG for (edge) coverage

[CFG figure; nodes: x >? y, x = x + y, y = x - y, x = x - y, x >? y, assert(false), end]

Test inputs {[x=1;y=0],[x=0;y=1]}
Cover 6/7 edges, 86%
Which edge isn’t covered?
Can it be covered?
With what test input?

Symbolic execution

[The same CFG annotated with the symbolic state at each node; annotations as extracted:]
[x= ;y= ] x >? y x = x + y y = x - y x = x - y x >? y assert(false) end
[ ] [x= +  y= ] [x= + y= ] [x= y= ] [ > ] [x=  y= ] Is > ever here?
[ ] [x=  y= ] [ > ]

    if (x > y) {
        x = x + y;
        y = x - y;
        x = x - y;
        if (x > y)
            assert(false);
    }

What’s really going on?

Create a symbolic execution tree
Explicitly track path conditions
Solve path conditions – “how do you get to this point in the execution tree?” – to define test inputs
Goal: define test inputs that reach all reachable statements

[Symbolic execution tree; annotations as extracted:]
[true] x=  y= [true] >? [ > ] x= + [ > ] x=  y= [ > ] >? [ >  > ] “false” [ >  ] end [ ] end

>  > has no solution, so the assert statement can never be executed
Another example (Sen and Agha)

    /* Slide pseudocode: "double" is a reserved word in C, and ERROR marks the error state. */
    int double (int v) {
        return 2*v;
    }

    void testme (int x, int y) {
        int z = double (y);
        if (z == x) {
            if (x > y+10) {
                ERROR;
            }
        }
    }

[Symbolic execution tree; annotations as extracted:]
[true] x=  y= [true] z=2* [true] 2* ==? [2* = ] >? +10 [2* =  > +10] error [2* =  +10] end [2* ] end

Error: possible by solving equations
2* = > +10 2* = 2* > +10 2* = >10 2* = >10
Any solution to this will cause the error state to be reached
{x=22, y=11}, {x=200, y=100}, …

OK, do this in small groups for…

    if x ≠ 0 then y := 5;
    else z := z - x;
    endif;
    if z > 1 then z := z / x;
    else z := 0;
    end

[Symbolic execution tree; annotations as extracted:]
[true] x=  y=  z= x≠0? [x≠0] x=  y=5 z= [x=0] x=0 y=  z= [true] ((x≠0 y=5) (x=0 y= )) z= z>?1 [z>1] (x≠0 y=5 z= /x) (x=0 y=  z= /0) [z≤1] x=0 y=  z=0 [true] (x≠0 y=5 z= /x) (x=0 y=  z=0)
Way cool – we’re done!

First example can’t reach assert(false), and it’s easy to reach end via both possible paths
Second example: can reach error and end via both possible paths
Third example: can avoid edge coverage weakness
Well, what if we can’t solve the path conditions?
    Some arithmetic, some recursion, some loops, some pointer expressions, etc.
    We’ll see an example
What if we want specific test cases?

Concolic testing: Sen et al.

Basically, combine concrete and symbolic execution
More precisely…
    Generate a random concrete input
    Execute the program on that input both concretely and symbolically simultaneously
    Follow the concrete execution and maintain the path conditions along with the corresponding symbolic execution