DySy: Dynamic Symbolic Execution for Invariant Inference
Authors
Christoph Csallner, Nikolai Tillmann, Yannis Smaragdakis

Christoph Csallner
College of Computing, Georgia Tech
Research interest: software engineering, especially program analysis and automated testing
Other papers:
1. Combining static and dynamic reasoning for bug detection (TAP 2007)
2. Combining over- and under-approximating program analyses for automatic software testing

Nikolai Tillmann
Microsoft Research, leader of project Pex
Papers:
1. Pex - White Box Test Generation for .NET (TAP 2008)
2. Unit Tests Reloaded: Parameterized Unit Testing with Symbolic Execution. IEEE Software (4): 38-47 (2006)

Yannis Smaragdakis
Associate Professor, Department of Computer Science, University of Massachusetts, Amherst
Research: applied programming languages and software engineering
Papers:
1. C&Y's papers (the two Csallner papers listed above)
2. Exception Analysis and Points-To Analysis: Better Together (ISSTA'09)
Background
Dynamic invariant inference: Daikon
Symbolic execution: Pex

Invariant
A predicate is called an invariant of a sequence of operations if, at the end of the sequence, it always evaluates to the same value it had before the sequence started.
Example: MU puzzle
Daikon
The first and most mature dynamic invariant inference tool. Daikon tracks a program's variables during execution and generalizes the observed behavior into invariants by matching the observed values against a fixed set of relation models (templates).
Relation model examples: constant value (x == a, or x > 0), linear relationships (y == a*x + b), ordering (x <= y) and membership.
Symbolic execution
"Symbolic Execution and Program Testing", James King, 1975.
The analysis of programs by tracking symbolic rather than actual values.
Path condition (pc): a precondition for a program path, i.e. the conjunction of the branch conditions taken along that path.
Simple example:
y = read()
y = 2 * y
if (y == 12)
    fails()
print("OK")
Pex
A dynamic analysis and test generation framework for .NET, developed by the Foundations of Software Engineering group at Microsoft Research.
Relation between DySy and Pex: DySy is implemented as a shadow interpreter that runs on Pex's monitoring framework.
Overview
1. Basic idea
2. Implementation details
3. Abstraction for loops
Basic idea
1. For one test (one execution path): take the path condition pc as the precondition, and take the implication from that precondition to the method's return value as the postcondition.
2. Repeat step 1 for all tests.
3. Combine all preconditions by disjunction, and all postconditions by conjunction.
Example
public Object top() {
    if (Empty) return null;
    return theArray[topOfStack];
}
Two tests (execution paths):
1. Empty == true
2. Empty == false && topOfStack >= 0 && topOfStack < theArray.Length

Example (2)
Combined precondition:
Empty == true || (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length)
Combined postcondition:
(Empty == true ==> \result == null) && ((Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) ==> \result == theArray[topOfStack])
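The three steps above in miniature, as an added example that is not code from the DySy paper or from Pex: the Trace class, the hand-instrumented top() and the test inputs are constructed here, and the recorded path condition spells the slide's "Empty == false" as "!(Empty == true)".

```python
# Added toy version of the DySy recipe (not DySy's or Pex's code): record
# one path condition per concrete run, then combine the per-path pairs.

class Trace:
    """Collects the branch outcomes of one execution as a path condition."""
    def __init__(self):
        self.pc = []

    def branch(self, cond_text, outcome):
        # Record the condition as taken (or its negation) and pass the
        # concrete outcome through, so control flow is unchanged.
        self.pc.append(cond_text if outcome else f"!({cond_text})")
        return outcome

def top(trace, empty, the_array, top_of_stack):
    """Stack.top() from the slides, instrumented by hand to record branches.
    Returns (concrete value, symbolic expression for the result)."""
    if trace.branch("Empty == true", empty):
        return None, "null"
    # The array access implies the bounds checks the slides list in the pc.
    trace.branch("topOfStack >= 0", top_of_stack >= 0)
    trace.branch("topOfStack < theArray.Length", top_of_stack < len(the_array))
    return the_array[top_of_stack], "theArray[topOfStack]"

def collect_paths(cases):
    """Run every test case; keep one (pc, result) pair per distinct path."""
    paths = {}
    for empty, the_array, top_of_stack in cases:
        t = Trace()
        _, sym_result = top(t, empty, the_array, top_of_stack)
        paths.setdefault(" && ".join(t.pc), sym_result)
    return paths

def infer_invariants(paths):
    """Step 3: disjoin the preconditions, conjoin the pc ==> result implications."""
    pre = " || ".join(f"({pc})" for pc in paths)
    post = " && ".join(f"({pc}) ==> (\\result == {res})" for pc, res in paths.items())
    return pre, post

# Constructed test inputs: an empty stack, and two non-empty stacks that
# follow the same path (so only two disjuncts survive the merge).
CASES = [(True, [], -1), (False, [7, 3], 1), (False, [42], 0)]

if __name__ == "__main__":
    pre, post = infer_invariants(collect_paths(CASES))
    print("requires", pre)
    print("ensures ", post)
```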
Implementation details
1. Usage of Pex
2. Handling nested method calls
3. Abstraction for loops
Usage of Pex
For the duration of each method call, DySy registers a separate interpreter with Pex's monitoring framework.

Nested calls
As it monitors the program, DySy builds a set of quadruples (method, pathCondition, result, finalState) to represent the methods it has observed.
Abstraction for loops
Traditional method: record the path condition for every loop iteration. Precise but useless in practice: the conditions grow with the iteration count and cause heavy overhead.

Heuristic method:
1. Loop variables are treated as inputs (fresh symbols).
2. Loop conditions are ignored, except for the case in which the loop body is not entered.
3. Only the latest value of each loop variable is recorded.
Example
public int linSearch(int ele, int[] arr) {
    if (arr == null)
        throw new ArgumentException();
    for (int i = 0; i < arr.Length; i++) {
        if (ele == arr[i])
            return i;
    }
    return -1;
}
Program state ($i is the symbol standing for the loop variable i):
arr != null && ($i < arr.Length && !(ele == arr[$i]) && $i >= 0 || $i < arr.Length && ele == arr[$i] && $i >= 0)
Simplified program state:
(!(ele == arr[$i]) ==> \result == -1) || (ele == arr[$i] ==> \result == $i)
Evaluation
Test code: StackAr, an example program originally by Weiss.
Overhead: DySy 28 seconds, Daikon 9 seconds.
Thank you!