Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Zhoulai Fu,Zhendong Su

DOI: https://doi.org/10.48550/arXiv.1610.01133

2016-10-05

Abstract:This paper presents Mathematical Execution (ME), a new, unified approach for testing numerical code. The key idea is to (1) capture the desired testing objective via a representing function and (2) transform the automated testing problem to the minimization problem of the representing function. The minimization problem is to be solved via mathematical optimization. The main feature of ME is that it directs input space exploration by only executing the representing function, thus avoiding static or symbolic reasoning about the program semantics, which is particularly challenging for numerical code. To illustrate this feature, we develop an ME-based algorithm for coverage-based testing of numerical code. We also show the potential of applying and adapting ME to other related problems, including path reachability testing, boundary value analysis, and satisfiability checking. To demonstrate ME's practical benefits, we have implemented CoverMe, a proof-of-concept realization for branch coverage based testing, and evaluated it on Sun's C math library (used in, for example, Android, Matlab, Java and JavaScript). We have compared CoverMe with random testing and Austin, a publicly available branch coverage based testing tool that supports numerical code (Austin combines symbolic execution and search-based heuristics). Our experimental results show that CoverMe achieves near-optimal and substantially higher coverage ratios than random testing on all tested programs, across all evaluated coverage metrics. Compared with Austin, CoverMe improves branch coverage from 43% to 91%, with significantly less time (6.9 vs. 6058.4 seconds on average).

Programming Languages,Software Engineering

Guofeng Zhang,Zhenbang Chen,Ziqi Shuai

DOI: https://doi.org/10.1109/apsec57359.2022.00030

IF: 3.5

2024-10-31

Journal of Systems and Software

Abstract:Floating-point programs are challenging for symbolic execution due to the constraint solving problem. This paper empirically studies five existing symbolic execution methods for floating-point programs to evaluate their effectiveness and limitations. We have implemented the existing methods based on the state-of-the-art symbolic execution tool KLEE and constructed a real-world floating-point program benchmark for evaluation. We evaluate the existing methods with respect to statement coverage and the ability to detect floating-point exceptions. The results demonstrate that the existing methods complement each other. Based on the evaluation results, we propose a synergistic approach to improving the efficiency of the symbolic execution for floating-point programs. The experimental results indicate our synergistic method's effectiveness in finding floating-point exceptions.

computer science, theory & methods, software engineering

Chenghu Ma,Liqian Chen,Xin Yi,Guangsheng Fan,Ji Wang

DOI: https://doi.org/10.1109/APSEC57359.2022.00046

2022-01-01

Abstract:It is difficult to write a numerical program that does not incur floating-point exceptions in practice. To detect floating-point exceptions, most existing methods use static analysis, which may induce false alarms (due to over-approximation), or suffer from scalability issues (since solving floating-point constraints is expensive). Fuzzing is a widely used technique to finding bugs, but existing fuzzing techniques have not yet considered the specific format of floating-point and are lack of guidance for detecting floating-point exceptions. In this paper, we propose a floating-point format aware coverage-based grey-box fuzzing to detect floating-point exceptions for numerical programs. More specifically, we propose a novel mutation strategy for floating-point format aiming at producing valid floating-point test inputs. Moreover, we present a new guidance aiming to search for test inputs that are closer to exposing exceptions. We implement our approach as a tool, named NUMFUZZ, based on AFL. We have conducted experiments to evaluate NUMFUZZ on GNU Scientific Library (GSL) and Sun's C math library respectively. The preliminary experimental results suggest that our approach has promising ability in detecting floating-point exceptions and achieving high floating-point branch coverage in real-world numerical programs.

Xingming Wu,Zhenbo Xu,Dong Yan,Tianyong Wu,Jun Yan,Jian Zhang

DOI: https://doi.org/10.1109/apsec.2016.045

2016-01-01

Abstract:Many existing symbolic execution engines for bug detection often ignore floating-point types and operations. That will result in imprecise reasoning about the feasibility of program paths, which in turn leads to false positives and negatives. Recently, there are quite some progress in satisfiability modulo theories (SMT) solving, and some tools are able to support floating-point arithmetic. Nevertheless, naturally extending a symbolic execution engine and directly replacing the back-end with the new SMT solver will not make a good static analyzer for floating-point programs.In this paper, we extend an existing symbolic execution engine for C program bug finding, so that it can deal with floating-point arithmetic and mathematical functions. For the mathematical functions, we employ an abstract model to keep a balance between overhead and precision. We also introduce a strategy, Lazy-verification, to reduce the number of SMT solver calls. We implemented our approach as a tool called Canalyze-fp. Experiments with self-developed benchmarks and non-trivial open source programs show that the proposed approach can effectively avoid the false positives and negatives, without introducing too much overhead.

Yunlong Sheng,Chao Sun,Shouda Jiang,Chang'an Wei

DOI: https://doi.org/10.3390/sym10050146

2018-01-01

Symmetry

Abstract:Although combinatorial testing has been widely studied and used, there are still some situations and requirements that combinatorial testing does not apply to well, such as a system under test whose test cases need to be performed contiguously. For thorough testing, the testing requirements are not only to cover all the interactions among factors but also to cover all the value sequences of every factor. Generally, systems under test always involve constraints and dependencies in or among test cases. The constraints among test cases have not been effectively specified. First, we introduce extended covering arrays that can achieve both t-way combinatorial coverage and t-wise sequence coverage, and propose a clocked computation tree logic-based formal specification method for specifying constraints. Then, Particle Swarm Optimization (PSO) based Extended covering array Generator (PEG) is elaborated. To evaluate the constructed test suites, a method for verifying the constraints' validity is presented, and kernel functions for measuring the coverage are also introduced. Finally, the performance of the proposed PEG is evaluated using several sets of benchmark experiments for some common constraints, and the feasibility and usefulness of PEG is validated.

Roberto Bagnara,Matthieu Carlier,Roberta Gori,Arnaud Gotlieb

DOI: https://doi.org/10.48550/arXiv.1308.3847

2015-08-01

Abstract:Floating-point computations are quickly finding their way in the design of safety- and mission-critical systems, despite the fact that designing floating-point algorithms is significantly more difficult than designing integer algorithms. For this reason, verification and validation of floating-point computations is a hot research topic. An important verification technique, especially in some industrial sectors, is testing. However, generating test data for floating-point intensive programs proved to be a challenging problem. Existing approaches usually resort to random or search-based test data generation, but without symbolic reasoning it is almost impossible to generate test inputs that execute complex paths controlled by floating-point computations. Moreover, as constraint solvers over the reals or the rationals do not natively support the handling of rounding errors, the need arises for efficient constraint solvers over floating-point domains. In this paper, we present and fully justify improved algorithms for the propagation of arithmetic IEEE 754 binary floating-point constraints. The key point of these algorithms is a generalization of an idea by B. Marre and C. Michel that exploits a property of the representation of floating-point numbers.

Artificial Intelligence,Software Engineering

Yu Zhang,Wenlong Feng,Mengxing Huang

DOI: https://doi.org/10.48550/arXiv.1602.06038

2016-02-19

Abstract:Register Transfer Level (RTL) design validation is a crucial stage in the hardware design process. We present a new approach to enhancing RTL design validation using available software techniques and tools. Our approach converts the source code of a RTL design into a C++ software program. Then a powerful symbolic execution engine is employed to execute the converted C++ program symbolically to generate test cases. To better generate efficient test cases, we limit the number of cycles to guide symbolic execution. Moreover, we add bit-level symbolic variable support into the symbolic execution engine. Generated test cases are further evaluated by simulating the RTL design to get accurate coverage. We have evaluated the approach on a floating point unit (FPU) design. The preliminary results show that our approach can deliver high-quality tests to achieve high coverage.

Software Engineering,Hardware Architecture

Yingquan Zhao,Zan Wang,Shuang Liu,Jun Sun,Junjie Chen,Xiang Chen

DOI: https://doi.org/10.1109/tse.2022.3144480

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Testing multi-threaded programs is challenging due to the enormous space of thread interleavings. Recently, a code coverage criterion for multi-threaded programs called MAP-coverage has been proposed and shown to be effective for testing concurrent programs. Existing approaches for achieving high MAP-coverage are based on random testing with simple heuristics, which is ineffective in systematically triggering rare thread interleavings. In this study, we propose a novel approach called pattern constraint reduction (PCR), which employs optimized constraint solving to generate thread interleavings for high MAP-coverage. The idea is to iteratively encode and solve path conditions to generate thread interleavings which are guaranteed to improve MAP-coverage. Furthermore, we effectively apply interpolation techniques to reduce the efforts of constraint solving by avoiding solving infeasible constraints. The experiment results on 20 benchmark programs show that our approach complements existing random testing based approaches when there are rare failure-inducing interleaving in the whole search space. Specifically, PCR finds concurrency bugs faster in 18 out of 20 programs, with an average speedup of 4.2x and a maximum speedup of 11.4x.

engineering, electrical & electronic,computer science, software engineering

Peter Ohmann,David Bingham Brown,Naveen Neelakandan,Jeff Linderoth,Ben Liblit

DOI: https://doi.org/10.1145/2970276.2970351

2016-08-25

Abstract:Program coverage is used across many stages of software development. While common during testing, program coverage has also found use outside the test lab, in production software. However, production software has stricter requirements on run-time overheads, and may limit possible program instrumentation. Thus, optimizing the placement of probes to gather program coverage is important. We introduce and study the problem of customized program coverage optimization. We generalize previous work that optimizes for complete coverage instrumentation with a system that adapts optimization to customizable program coverage requirements. Specifically, our system allows a user to specify desired coverage locations and to limit legal instrumentation locations. We prove that the problem of determining optimal coverage probes is NP-hard, and we present a solution based on mixed integer linear programming. Due to the computational complexity of the problem, we also provide two practical approximation approaches. We evaluate the effectiveness of our approximations across a diverse set of benchmarks, and show that our techniques can substantially reduce instrumentation while allowing the user immense freedom in defining coverage requirements. When naive instrumentation is dense or expensive, our optimizations succeed in lowering execution time overheads.

Tai Yue,Yibo Jin,Fengwei Zhang,Zhenyu Ning,Pengfei Wang,Xu Zhou,Kai Lu

DOI: https://doi.org/10.1145/3678890.3678933

2024-01-01

Abstract:Coverage-based greybox fuzzing (CGF) is an efficient technique for detecting vulnerabilities, but its coverage-feedback mechanism introduces significant overhead in binary-only fuzzing. Although hardware-assisted greybox fuzzing (HGF) has been proposed to address this issue, existing approaches struggle to achieve a balance between the efficiency and sensitivity of coverage, as well as to cope with trace buffer overflow. In this paper, we review the typical HGF tools and identify several challenges in their coverage-feedback mechanisms, including efficiency, sensitivity, and stability. Taking Arm CoreSight as an example, we present an efficient tool called Stalker to address these challenges. To achieve high-speed execution while maintaining a branch-sensitivity coverage, we propose two coverage strategies with different overheads and sensitivities and design a novel double-layer coverage mechanism that maximizes the benefits of these strategies. We further accelerate Stalker by conducting many optimizations in the decoder and kernel. To mitigate the imprecision and instability in coverage introduced by trace buffer overflow, we propose an adaptive CPU frequency modulation mechanism that adjusts the bandwidth of the trace units. We implement Stalker on an Arm Juno R2 development board and thoroughly evaluate the efficiency and sensitivity of coverage-feedback mechanisms in existing tools. Our comprehensive evaluations demonstrate that Stalker outperforms other state-of-the-art (SOTA) tools in addressing these challenges. Compared with Armored-Edge, Armored-Path, and μ AFL, Stalker accelerates the execution speed by 2.81 ×, 1.74 ×, and 1.4 × and covers Math 1, Math 2, and Math 3 more branches, as well as Math 4, Math 5, and Math 6 more paths, respectively.

Yingjie Qu,Hong Xia,Qin Wang

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.07.014

2001-01-01

Abstract:A functional testing method for floating-point arithmetic is proposed in thispaper,it spends little testingwork and time,but it has high test coverage rate relatively. Practice of engineering proves that this method is practicable and effective.

Heiko Becker,Pavel Pancheckha,Eva Darulova,Zachary Tatlock

DOI: https://doi.org/10.48550/arXiv.1805.02436

2018-05-07

Programming Languages

Abstract:Recent renewed interest in optimizing and analyzing floating-point programs has lead to a diverse array of new tools for numerical programs. These tools are often complementary, each focusing on a distinct aspect of numerical programming. Building reliable floating point applications typically requires addressing several of these aspects, which makes easy composition essential. This paper describes the composition of two recent floating-point tools: Herbie, which performs accuracy optimization, and Daisy, which performs accuracy verification. We find that the combination provides numerous benefits to users, such as being able to use Daisy to check whether Herbie's unsound optimizations improved the worst-case roundoff error, as well as benefits to tool authors, including uncovering a number of bugs in both tools. The combination also allowed us to compare the different program rewriting techniques implemented by these tools for the first time. The paper lays out a road map for combining other floating-point tools and for surmounting common challenges.

Ting Su,Geguang Pu,Bin Fang,Jifeng He

DOI: https://doi.org/10.1109/SERE.2014.23

2014-01-01

Abstract:Recently code transformations or tailored fitness functions are adopted to achieve coverage (structural or logical criterion) driven testing to ensure software reliability. However, some internal threats like negative impacts on underlying search strategies or local maximum exist. So we propose a dynamic symbolic execution (DSE) based framework combined with a path filtering algorithm and a new heuristic path search strategy, i.e., predictive path search, to achieve faster coverage-driven testing with lower testing cost. The empirical experiments (three open source projects and two industrial projects) show that our approach is effective and efficient. For the open source projects w.r.t branch coverage, our approach in average reduces 25.5% generated test cases and 36.3% solved constraints than the traditional DSE-based approach without path filtering. And the presented heuristic strategy, on the same testing budget, improves the branch coverage by 26.4% and 35.4% than some novel search strategies adopted in KLEE and CREST.

W. Eric Wong,Yu Qi,Lei Zhao,Kai-Yuan Cai

DOI: https://doi.org/10.1109/compsac.2007.109

2007-01-01

Abstract:Localizing a bug in a program can be a complex and time- consuming process. In this paper we propose a code coverage-based fault localization method to prioritize suspicious code in terms of its likelihood of containing program bugs. Code with a higher risk should be examined before that with a lower risk, as the former is more suspicious (i.e., more likely to contain program bugs) than the latter. We also answer a very important question: how can each additional test case that executes the program successfully help locate program bugs? We propose that with respect to a piece of code, the aid introduced by the first successful test that executes it in computing its likelihood of containing a bug is larger than or equal to that of the second successful test that executes it, which is larger than or equal to that of the third successful test that executes it, etc. A tool, chiDebug, was implemented to automate the computation of the risk of the code and the subsequent prioritization of suspicious code for locating program bugs. A case study using the Siemens suite was also conducted. Data collected from our study support the proposal described above. They also indicate that our method (in particular Heuristics III (c), (d), and (e)) can effectively reduce the search domain for locating program bugs.

Yibiao Yang,Yuming Zhou,Hao Sun,Zhendong Su,Zhiqiang Zuo,Lei Xu,Baowen Xu

DOI: https://doi.org/10.1109/ICSE.2019.00061

2019-01-01

Abstract:Reliable code coverage tools are critically important as it is heavily used to facilitate many quality assurance activities, such as software testing, fuzzing, and debugging. However, little attention has been devoted to assessing the reliability of code coverage tools. In this study, we propose a randomized differential testing approach to hunting for bugs in the most widely used C code coverage tools. Specifically, by generating random input programs, our approach seeks for inconsistencies in code coverage reports produced by different code coverage tools, and then identifies inconsistencies as potential code coverage bugs. To effectively report code coverage bugs, we addressed three specific challenges: (1) How to filter out duplicate test programs as many of them triggering the same bugs in code coverage tools; (2) how to automatically reduce large test programs to much smaller ones that have the same properties; and (3) how to determine which code coverage tools have bugs? The extensive evaluations validate the effectiveness of our approach, resulting in 42 and 28 confirmed/fixed bugs for gcov and llvm-cov, respectively. This case study indicates that code coverage tools are not as reliable as it might have been envisaged. It not only demonstrates the effectiveness of our approach, but also highlights the need to continue improving the reliability of code coverage tools. This work opens up a new direction in code coverage validation which calls for more attention in this area.

Hongbo Li,Zizhong Chen,Rajiv Gupta

DOI: https://doi.org/10.1145/3302516.3307353

2019-01-01

Abstract:Software testing is widely used in industry, but its application in the High Performance Computing area has been scarce. Concolic testing, that automates testing via generation of inputs, has been highly successful for desktop applications and thus recent work on the COMPI tool has extended it to MPI programs. However, COMPI has two limitations. First, it requires the user to specify an upper limit on input size – if the chosen limit is too big, considerable time is wasted and if the chosen limit is too small, the branch coverage achieved is limited. Second, COMPI does not support floating point arithmetic that is common in HPC applications. In this paper, we overcome the above limitations as follows. We propose input tuning that eliminates the need for users to set hard limits and generates inputs such that the testing achieves high coverage while avoiding waste of testing time by selecting suitable input sizes. Moreover, we enable handling of floating point data types and operations and demonstrate that the efficiency of constraint solving can be improved if we rely on the use of reals instead of floating point values. Our evaluation demonstrates that with input tuning the coverage we achieve in 10 minutes is typically higher than the coverage achieved in 1 hour when input tuning is not used. Without input tuning, 9.6-57.1% loss in coverage occurs for a real-world physics simulation program. For the physics simulation program, using our floating-point extension that uses reals covers 46 more branches than without using the extension. Also, we cover 122 more branches when solving floating-point constraints using reals rather than directly using floating-point numbers.

Guang-yin HU,Zi-ou WANG,Sheng-guang WU,Shen-zhuo WANG

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2016.11.017

2016-01-01

Abstract:In order to verify the function of the floating-point unit in the microprocessor high-efficiently,numerous corner cases of floating-point arithmetic has been studied.Several arithmetics are introduced to solve the constriants of the intermediate results.Compared with the traditional function verification of floating-point unit,the floating-point number generator based on the constraint solved algorithms has widened the scope of the optional floating-point corner cases,which effectively improves the verification efficiency.Experimental results show that the UVM verification platform which integrated the generator can test one floating-point subunit efficiently,which achieves high coverage beyond 98%,within 12 hours of testing time.

Caroline Lemieux,Koushik Sen

DOI: https://doi.org/10.1145/3238147.3238176

2018-09-03

Abstract:In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vulnerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to its ease-of-use and bug-finding power. However, AFL remains limited in the bugs it can find since it simply does not cover large regions of code. If it does not cover parts of the code, it will not find bugs there. We propose a two-pronged approach to increase the coverage achieved by AFL. First, the approach automatically identifies branches exercised by few AFL-produced inputs (rare branches), which often guard code that is empirically hard to cover by naively mutating inputs. The second part of the approach is a novel mutation mask creation algorithm, which allows mutations to be biased towards producing inputs hitting a given rare branch. This mask is dynamically computed during fuzz testing and can be adapted to other testing targets. We implement this approach on top of AFL in a tool named FairFuzz. We conduct evaluation on real-world programs against state-of-the-art versions of AFL. We find that on these programs FairFuzz achieves high branch coverage at a faster rate that state-of-the-art versions of AFL. In addition, on programs with nested conditional structure, it achieves sustained increases in branch coverage after 24 hours (average 10.6% increase). In qualitative analysis, we find that FairFuzz has an increased capacity to automatically discover keywords.

文勇,蔡铭,陈刚,杨子江,金星

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.11.037

2010-01-01

Abstract:To effectively carry out the object code analysis and verification,a novel method of control flow and structural coverage measurement for object code verification is presented based on CPU module extension.By branch instruction function extension,along with a new module for dynamic branch target buffer,the control flow of object code is collected effectively.And then,the algorithm for control flow construction and structural coverage measurement are given respectively.Both the overhead and computation complexity are acceptable with analysis study.Competitive advantage of this method is independent of compiler and non-incursive measurement for the object code.