1 / 13

Boosting Concolic Testing via Interpolation

Boosting Concolic Testing via Interpolation. Joxan Jaffar – NUS, Singapore Vijayaraghavan Murali – NUS, Singapore Jorge Navas – Univ. of Melbourne, Australia. Concolic Testing. Our method. Interpolation to attack path-explosion Generate at each point an “interpolant”

annabella-oral
Download Presentation

Boosting Concolic Testing via Interpolation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Boosting Concolic Testing via Interpolation JoxanJaffar– NUS, Singapore VijayaraghavanMurali – NUS, Singapore Jorge Navas – Univ. of Melbourne, Australia

  2. Concolic Testing

  3. Our method • Interpolation to attack path-explosion • Generate at each point an “interpolant” • Succinctly captures why any paththrough the program point is not buggy • When interpolant is implied along a different path, subsume it – guaranteed to not hit the bug • (Potentially) exponential savings!

  4. Example Half interpolant Full interpolant s=0 skip s=s+1 skip skip s=s+2 s=s+2 skip

  5. Points to note • Assumption: “bug conditions” e.g., if (C) throw error • Only nodes with full interpolants capable of subsumption • Half interpolant at a node becomes full interpolant when all paths arising from it have been explored • Catch: We assumed DFS-order • There exist many other heuristics for concolic testing!

  6. Example: non-DFS Half interpolant Full interpolant s=0 skip s=s+1 skip skip s=s+2 s=s+2 Cannot subsume because of half interpolant! skip

  7. Goal: Accelerate full interpolant formation Explore with restriction Tree full of full interpolants Give each PP one chance to be subsumed Demand subsumption! Greedy Confirmation (GC)

  8. Example: with GC Invoke GC at: s=0 skip s=s+1 skip skip s=s+2 s=s+2 skip

  9. Experiments • Evaluate using Directed Automated Random Testing (DART) technique • Interpolation algorithm: TRACER framework for symbolic execution • Concolic tester: Crest, modified to “consult” TRACER for subsumption • Different search heuristics – CFG, Uniform Random Search (URS) and DFS • Benchmarks: device driver programs from SV-COMP

  10. Experiments – Timing

  11. Experiments – Subsumption

  12. Related work • Boonstoppel et al. TACAS’08 “KLEE”, Dawei et al. FSE’11 • Use analysis information – live/dead, dependencies etc. – to discard certain tests • We use logical information (interpolants) to discard paths • Burnim et al. ASE’08 • Use branch coverage as a measure of quality of tests and try to improve it • Branch coverage typically does not suffer from path explosion, so our focus is path coverage

  13. Conclusion • Mitigate path explosion using interpolation – full and half interpolant framework • Challenge: non-DFS search heuristics interfere with full interpolant formation • Greedy confirmation to accelerate formation of full interpolants • Experimental results prove that our method works in practice

More Related