1 / 27

DySy: Dynamic Symbolic Execution for Invariant Inference

DySy: Dynamic Symbolic Execution for Invariant Inference. Authors. Christoph Csallner Nikolai Tillmann Yannis Smaragdakis. Christoph Csallner. College of Computing, Georgia Tech Research interest :Software engineering, especially in program analysis and automated testing Other papers:

raanan
Download Presentation

DySy: Dynamic Symbolic Execution for Invariant Inference

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DySy: Dynamic Symbolic Execution for Invariant Inference

  2. Authors Christoph Csallner Nikolai Tillmann Yannis Smaragdakis

  3. Christoph Csallner College of Computing, Georgia Tech Research interest :Software engineering, especially in program analysis and automated testing Other papers: 1.Combining static and dynamic reasoning for bug detection(TAP 2007) 2.Combining over- and under-approximating program analyses for automatic software testing

  4. Nikolai Tillmann Microsoft Research Leader of project Pex Papers: 1.Pex-White Box Test Generation for .NET(TAP 2008) 2. Unit Tests Reloaded: Parameterized Unit Testing with Symbolic Execution. IEEE Software(4): 38-47 (2006)

  5. Yannis Smaragdakis Associate Professor,Department of Computer Science, University of Massachusetts, Amherst Research:Applied programming languages and software engineering Papers: 1.C&Y’s papers 2.Exception Analysis and Points-To Analysis: Better Together(ISSTA'09)

  6. Background Dynamic Invariant Inference: Daikon Sybolic execution Pex

  7. Invariant a predicate is called an invariant to a sequence of operation if the predicate always evaluates at the end of the sequence to the same value than before starting the sequence Example:MU puzzle

  8. Daikon • The first and most mature dynamic invariant inference tool. • Daikon tracks a program's variables during execution and generalizes the observed behavior to invariants by variant relation models. • Relation model exmaples: Constant value (x= a, or x > 0), Linear relationships (y == a*x + b), Ordering (x <= y) and Membership

  9. Symbolic execution Symbolic Execution and Program Testing 1975 by James King. the analysis of programs by tracking symbolic rather than actual values Path condition(pc): A precondition for a program path

  10. Simple example • 1.y = read() • 2.y = 2 * y • 3.if (y == 12) • 4.fails() • 5.print("OK")

  11. Pex • a dynamic analysis and test generation framework for .NET, developed by the Foundations of Software Engineering group at Microsoft Research • shadow interpreter • Relation between DySy and Pex.

  12. Overview • Basic idea • Implementation details • Abstraction for Loops

  13. Basic idea • 1.For one test suite. Take pc as precondition. Take the conduction rule from precondition to return value of a method as postcondition • 2.Repeat 1 for all test suites. • 3.Combine all precondition by disjunction, and all postcondition by conjunction.

  14. example • public Object top() { if(Empty) return null; return theArray[topOfStack]; } • Two test suites: 1. Empty == true 2. Empty == false && topOfStack >= 0 && topOfStack < theArray.Length

  15. Example(2) • Conbined precondition: Empty == true ||(Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) • Combined postcondition: Empty == true ==> (\result == null) and (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) ==> (\result == theArray[topOfStack])

  16. Implementation details • Usage of Pex • Handling nested method calls • Abstraction for Loops

  17. Usage of Pex • For the duration of each method call, DySy registers a separate interpreter with Pex's monitoring framework.

  18. Nested calls • DySy builds a set of quadruples (method, pathCondition, result, finalState) to represent methods as it monitors the program

  19. Abstraction for Loops • Traditional method : Record preconditions for every cycle. • precise but useless, causing heavy overhead

  20. Abstraction for Loops • heuristic method : 1.Loop variants are treated as inputs(symbol) 2.Loop conditions are ignored, except that the loop body is not entered. 3.Only latest value of loop variants are recorded.

  21. example public int linSearch(int ele, int[] arr) { if (arr == null) throw new ArgumentException(); for (int i = 0; i < arr.Length; i++) { if (ele == arr[i]) return i; } return -1; }

  22. Program state • arr != null && ($i < arr.Length && !(ele == arr[$i]) && $i >= 0 || $i < arr.Length && ele == arr[$i] && $i >= 0 ) public int linSearch(int ele, int[] arr) { if (arr == null) throw new ArgumentException(); for (int i = 0; i < arr.Length; i++) { if (ele == arr[i]) return i; } return -1; }

  23. Simplified program state !(ele == arr[$i]) ==> \result == -1 || ele == arr[$i] ==> \result == $i

  24. evaluation • Test code: StackAr: an example program originally by Weiss • Overhead: DySy: 28seconds Daikon: 9seconds

  25. Thank you!

More Related