Li Feiyu,Gong Yunzhan,Wang Yawen

DOI: https://doi.org/10.3969/j.issn.1003-9775.2012.02.020

2012-01-01

Journal of Computer-Aided Design & Computer Graphics

Abstract:Aiming at automatic test data generation for complex structure such as list,tree and map,this paper presents a path-oriented test data generation method based on memory modeling.An Abstract memory model which models structure variables and numerical variables separately is introduced to assist symbolic execution of the tested path.On symbolic execution of the path,the semantic operation of the statement is mapped to the operation of Abstract memory,in this process the alias problem caused by pointers is solved,and the constraints of the path are recorded exactly in the Abstract memory.Finally,test data is generated by constraint solving.The proposed method has been implemented in a self-developed automatic unit test tool called UATS.Experimental results prove that the method is feasible.

Chang Liu,Xiwei Wu,Yuan Feng,Qinxiang Cao,Junchi Yan

2024-06-07

Abstract:Program verification is vital for ensuring software reliability, especially in the context of increasingly complex systems. Loop invariants, remaining true before and after each iteration of loops, are crucial for this verification process. Traditional provers and machine learning based methods for generating loop invariants often require expert intervention or extensive labeled data, and typically only handle numerical property verification. These methods struggle with programs involving complex data structures and memory manipulations, limiting their applicability and automation capabilities. In this paper, we introduce a new benchmark named LIG-MM, specifically for programs with complex data structures and memory manipulations. We collect 312 programs from various sources, including daily programs from college homework, the international competition (SV-COMP), benchmarks from previous papers (SLING), and programs from real-world software systems (Linux Kernel, GlibC, LiteOS, and Zephyr). Based on LIG-MM, our findings indicate that previous methods, including GPT-4, fail to automate verification for these programs. Consequently, we propose a novel LLM-SE framework that coordinates LLM with symbolic execution, fine-tuned using self-supervised learning, to generate loop invariants. Experimental results on LIG-MM demonstrate that our LLM-SE outperforms state-of-the-art methods, offering a new direction toward automated program verification in real-world scenarios.

Programming Languages

Yu Longhai,Luo Chenjie,Wang Xiaoping,Liang Yiyong

DOI: https://doi.org/10.3969/j.issn.1009-623X.2012.02.006

2012-01-01

Abstract:Programs written in assembly language code are incomprehensible and prone to the risk of register memory conflict.Through the introduction of variable definitions,standardized subroutine,interrupt function write structured assembly language programming ideas,we can solve the compilation of the above problems.In this paper,through the design of assembler Tetris game,including the definition of variables,subroutines and interrupt function,we research the structured assembly language design and specific methods,detailed the specific software application methods of Tetris and test results.The structured theory of assembly language programming is an important guide and reference to a large assembler program.

Kenta Tabata,Renato Miyagusuku,Hiroaki Seki,Koichi Ozaki

DOI: https://doi.org/10.1109/access.2024.3401648

IF: 3.9

2024-05-24

IEEE Access

Abstract:In this manuscript, we propose a motion strategy for manipulating strings with unknown properties. Our approach iteratively refines its motion generation based on parameters estimated from observed string behavior, without the need for real-time feedback. This strategy has been shown effective in achieving several motion objectives using uniform strings of similar lengths. In this research, we improve upon this strategy by addressing the challenges posed by varying string lengths and non-uniform strings. For this, we utilize a non-uniform string model and address various string properties to demonstrate the feasibility of our proposed motion strategy. Experiments conducted with different string types and lengths (between 300 to 610mm), including some with non-uniform mass distributions, demonstrate our method's effectiveness. Results show that our proposed method functions effectively with various kinds of strings, regardless of length and mass distribution, without requiring precise model parameters. Unique to this approach is its ability to adapt to various string characteristics through parameter estimation and motion generation, significantly reducing the need for real-world manipulation trials. Our findings illustrate the potential of our method for use in advanced robotic applications that require handling deformable objects.

computer science, information systems,telecommunications,engineering, electrical & electronic

CHEN Ji-feng,ZHU Li,SHEN Jun-yi,CHEN Ling

DOI: https://doi.org/10.3321/j.issn:1001-0920.2005.09.022

2005-01-01

Abstract:A new approach to path-based automatic test data generation is presented. The linear predicate function on a given path is directly used as linear arithmetic representation to construct linear constrains of predicate functions for input variables. Only if the predicate function is nonlinear, the linear arithmetic representation needs to be computed. The constructions of predicate slice, input dependency set and the linear constraint of predicate function on the increments for the input are no longer needed. Theoretical analysis and practical test show that this approach is simple effective, and takes less computation.

Yuchen Dong,XiaoXiang Fang,Yuchen Hu,Renshuang Jiang,Zhe Jiang

2024-08-07

Abstract:The application of large language models to facilitate automated software operations and tool generation (SOTG), thus augmenting software productivity, mirrors the early stages of human evolution when the ability to create and use tools accelerated the progress of civilization. These complex tasks require AI to continuously summarize and improve. Current research often overlooks the importance of converting real-time task experiences into system memory and differentiating the value of existing knowledge for future reference. This paper addresses these issues by evolving external memory models into Memory-Loop Networks for timely memorization and experience referencing. We also enhance a RAG mechanism with knowledge precision segmentation to utilize memory based on value differentiation, and design the MaxMind model for SOTG <a class="link-external link-http" href="http://accordingly.To" rel="external noopener nofollow">this http URL</a> demonstrate our approach, we developed MaxMind4Sheet, an electronic spreadsheet processing system aligned with the MaxMind philosophy. Comparative experiments with SheetCopilot have demonstrated that the accumulation and recycling of task memories lead to a steady enhancement in task success rate, with an improvement rate of approximately 3%-6% per round in this implementation example. Note that as the memories continue to grow, this cumulative improvement may be substantial. The inclusion of memory recycling can also boost the system's task execution efficiency by up to 25%, and it can address the retraining issue faced by LLMs when handling specialized tasks through memories transfer.These suggest that MaxMind has significant potential to enhance the capabilities and productivity of LLM systems in SOTG.

Software Engineering,Artificial Intelligence

Hai-Feng Guo,Zongyan Qiu

DOI: https://doi.org/10.1002/spe.2278

2014-01-01

Abstract:SummaryGrammar‐based test generation provides a systematic approach to producing test cases from a given context‐free grammar. Unfortunately, naive grammar‐based test generation is problematic because of the fact that exhaustive random test case production is often explosive, and grammar‐based test generation with explicit annotation controls often causes unbalanced testing coverage. In this paper, we present an automatic grammar‐based test generation approach, which takes a symbolic grammar as input, requires zero control input from users, and produces well‐distributed test cases. Our approach utilizes a novel dynamic stochastic model where each variable is associated with a tuple of probability distributions, which are dynamically adjusted along the derivation. We further present a coverage tree illustrating the distribution of generated test cases and their detailed derivations. More importantly, the coverage tree supports various implicit derivation control mechanisms. We implemented this approach in a Java‐based system, named Gena. Each test case generated by Gena automatically comes with a set of structural features, which can play an important and effective role on automated failure causes localization. Experimental results demonstrate the effectiveness of our approach, the well‐balanced distribution of generated test cases over grammatical structures, and a case study on grammar‐based failure causes localization. Copyright © 2014 John Wiley & Sons, Ltd.

Xian-zhong ZHOU,Yong-cheng SUN,Jin-long JIANG

DOI: https://doi.org/10.3321/j.issn:1000-1093.2006.06.022

2006-01-01

Abstract:Automatic generation technology of test data is an important field of software test, which is an effective method to promote the efficiency and the effect of software test. In order to ensure that the more frequently used features would be tested more thoroughly, usage model and genetic algorithm were integrated together. One programming model was proposed, in which the optimal objective function was defined as the required test data number for whole software test. The methods to decide the weight of path and to select the target path set were presented. Three key elements, i.e. path weight, path coverage ratio and path approximation level were incorporated for designing the fitness function. An example shows the rationality and validity of the model and the methods.

Ding Li,Yingjun Lyu,Mian Wan,William G. J. Halfond

DOI: https://doi.org/10.1145/2786805.2786879

2015-08-30

Abstract:String analysis is critical for many verification techniques. However, accurately modeling string variables is a challeng- ing problem. Current approaches are generally customized for certain problem domains or have critical limitations in handling loops, providing context-sensitive inter-procedural analysis, and performing efficient analysis on complicated apps. To address these limitations, we propose a general framework, Violist, for string analysis that allows researchers to more flexibly choose how they will address each of these challenges by separating the representation and interpreta- tion of string operations. In our evaluation, we show that our approach can achieve high accuracy on both Java and Android apps in a reasonable amount of time. We also com- pared our approach with a popular and widely used string analyzer and found that our approach has higher precision and shorter execution time while maintaining the same level of recall.

Taolue Chen,Matthew Hague,Anthony W. Lin,Philipp Rummer,Zhilin Wu

DOI: https://doi.org/10.1145/3290362

2019-01-01

Abstract:The design and implementation of decision procedures for checking path feasibility in string-manipulating programs is an important problem, with such applications as symbolic execution of programs with strings and automated detection of cross-site scripting (XSS) vulnerabilities in web applications. A (symbolic) path is given as a finite sequence of assignments and assertions (i.e. without loops), and checking its feasibility amounts to determining the existence of inputs that yield a successful execution. Modern programming languages (e.g. JavaScript, PHP, and Python) support many complex string operations, and strings are also often implicitly modified during a computation in some intricate fashion (e.g. by some autoescaping mechanisms). In this paper we provide two general semantic conditions which together ensure the decidability of path feasibility: (1) each assertion admits regular monadic decomposition (i.e. is an effectively recognisable relation), and (2) each assignment uses a (possibly nondeterministic) function whose inverse relation preserves regularity. We show that the semantic conditions are expressive since they are satisfied by a multitude of string operations including concatenation, one-way and two-way finite-state transducers, replaceAll functions (where the replacement string could contain variables), string-reverse functions, regular-expression matching, and some (restricted) forms of letter-counting/length functions. The semantic conditions also strictly subsume existing decidable string theories (e.g. straight-line fragments, and acyclic logics), and most existing benchmarks (e.g. most of Kaluza's, and all of SLOG's, Stranger's, and SLOTH's benchmarks). Our semantic conditions also yield a conceptually simple decision procedure, as well as an extensible architecture of a string solver in that a user may easily incorporate his/her own string functions into the solver by simply providing code for the pre-image computation without worrying about other parts of the solver. Despite these, the semantic conditions are unfortunately too general to provide a fast and complete decision procedure. We provide strong theoretical evidence for this in the form of complexity results. To rectify this problem, we propose two solutions. Our main solution is to allow only partial string functions (i.e., prohibit nondeterminism) in condition (2). This restriction is satisfied in many cases in practice, and yields decision procedures that are effective in both theory and practice. Whenever nondeterministic functions are still needed (e.g. the string function split), our second solution is to provide a syntactic fragment that provides a support of nondeterministic functions, and operations like one-way transducers, replaceAll (with constant replacement string), the string-reverse function, concatenation, and regular-expression matching. We show that this fragment can be reduced to an existing solver SLOTH that exploits fast model checking algorithms like IC3. We provide an efficient implementation of our decision procedure (assuming our first solution above, i.e., deterministic partial string functions) in a new string solver OSTRICH. Our implementation provides built-in support for concatenation, reverse, functional transducers (FFT), and replace All and provides a framework for extensibility to support further string functions. We demonstrate the efficacy of our new solver against other competitive solvers.

Chen Ji-feng,Zhu Li,Shen Jun-yi,Wang Zhi-hai

DOI: https://doi.org/10.1007/s11771-006-0112-7

2006-01-01

Journal of Central South University of Technology

Abstract:By analyzing some existing test data generation methods, a new automated test data generation approach was presented. The linear predicate functions on a given path was directly used to construct a linear constrain system for input variables. Only when the predicate function is nonlinear, does the linear arithmetic representation need to be computed. If the entire predicate functions on the given path are linear, either the desired test data or the guarantee that the path is infeasible can be gotten from the solution of the constrain system. Otherwise, the iterative refining for the input is required to obtain the desired test data. Theoretical analysis and test results show that the approach is simple and effective, and takes less computation. The scheme can also be used to generate path-based test data for the programs with arrays and loops.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Xiao He,Tian Zhang,Minxue Pan,Zhiyi Ma,Chang-Jun Hu

DOI: https://doi.org/10.1007/s10270-017-0634-5

2017-11-24

Abstract:Given their vital roles in model-based software engineering, the performance of model-related operations (MOs, such as model transformations) must be systematically tested. However, how to produce a set of large input models that conform to structure-related constraints presents a major challenge to such test. This paper proposes a template-based approach to efficient model generation. Firstly, a DSL is provided to describe templates that specify how to generate a valid model that conforms to structure-related constraints. Secondly, a folding semantic is defined to convert templates into a wrapper metamodel. Thirdly, a wrapper model is generated using the existing model generators (e.g., a random model generator) according to the wrapper metamodel. Fourthly, an unfolding semantics is specified to translate the wrapper model into the desired test input. This paper also presents five case studies to evaluate the proposed approach, and the results demonstrate that such approach can generate large models based on structure-related constraints and facilitate the performance testing of MOs.

computer science, software engineering

Yanni Zhao,Jinian Bian,Shujun Deng,Zhiqiu Kong,Kang Zhao

DOI: https://doi.org/10.1587/transfun.E92.A.3086

2009-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Despite the growing research effort in formal verification, industrial verification often relies on the constrained random simulation methodology, which is supported by constraint solvers as the stimulus generator integrated within simulator, especially for the large design with complex constraints nowadays. These stimulus generators need to be fast and well-distributed to maintain simulation performance. In this paper, we propose a dynamic method to guide stimulus generation by SAT solvers. An adjusting strategy named Tabu Search with Memory (TSwM) is integrated in the stimulus generator for the search and prune processes along with the constraint solver. Experimental results show that the method proposed in this paper could generate well-distributed stimuli with good performance.

Taolue Chen,Matthew Hague,Jinlong He,Denghang Hu,Anthony Widjaja Lin,Philipp Rummer,Zhilin Wu

DOI: https://doi.org/10.1007/978-3-030-59152-6_18

2020-01-01

Abstract: Strings are widely used in programs, especially in web applications. Integer data type occurs naturally in string-manipulating programs, and is frequently used to refer to lengths of, or positions in, strings. Analysis and testing of string-manipulating programs can be formulated as the path feasibility problem: given a symbolic execution path, does there exist an assignment to the inputs that yields a concrete execution that realizes this path? Such a problem can naturally be reformulated as a string constraint solving problem. Although state-of-the-art string constraint solvers usually provide support for both string and integer data types, they mainly resort to heuristics without completeness guarantees. In this paper, we propose a decision procedure for a class of string-manipulating programs which includes not only a wide range of string operations such as concatenation, replaceAll, reverse, and finite transducers, but also those involving the integer data-type such as length, indexof, and substring. To the best of our knowledge, this represents one of the most expressive string constraint languages that is currently known to be decidable. Our decision procedure is based on a variant of cost register automata. We implement the decision procedure, giving rise to a new solver OSTRICH+. We evaluate the performance of OSTRICH+ on a wide range of existing and new benchmarks. The experimental results show that OSTRICH+ is the first string decision procedure capable of tackling finite transducers and integer constraints, whilst its overall performance is comparable with the state-of-the-art string constraint solvers.

GAO Hai-chang,FENG Bo-qin,HE Hang-jun,ZHU Li

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.011

2006-01-01

Abstract:Usage of pointer in C/C++ language makes program source code flexible and convenient,but the memory usage errors(memory leak,write overflow,wild pointer and so on.) occur in the process is very difficult to analyze and eliminate.Aimed at errors of dynamic memory management,a dynamic memory detection method based on source file extraction and source code instrumentation on Linux Platform was developed,and a dynamic memory detection module was designed.The module can detect memory leak,write overflow,free wild pointer and mismatch using of memory functions to source code.Finally,an instance to test write overflow was carried to validate the effectiveness of our method and module.

JinHui Shan,Ji Wang,ZhiChang Qi,JianPing Wu

DOI: https://doi.org/10.1007/bf02948890

IF: 1.871

2003-01-01

Journal of Computer Science and Technology

Abstract:Guptet al., proposed a method, which is referred to as the Iterative Relaxation Method, to generate test data for a given path in a program by linearizing the predicate functions. In this paper, a model language is presented and the properties of static and dynamic data dependencies are investigated. The notions in the Iterative Relaxation Method are defined formally. The predicate slice proposed by Guptaet al. is extended to path-wise static slice. The correctness of the constructional algorithm is proved afterward. The improvement shows that the constructions of predicate slice and input dependency set can be omitted. The equivalence of systems of constraints generated by both methods is proved. The prototype of path-wise test data generator is presented in this paper. The experiments show that our method is practical, and fits the path-wise automatic generation of test data for both white-box testing and black-box testing.

Peiqi Chen,Junjie Chen,Chenyao Suo,Xingjian Li,Jiajun Jiang

DOI: https://doi.org/10.1109/ICSE48619.2023.00172

2023-05-01

Abstract:To ensure compilers' quality, compiler testing has received more and more attention, and test-program generation is the core task. In recent years, some approaches have been proposed to explore test configurations for generating more effective test programs, but they either are restricted by historical bugs or suffer from the cost-effectiveness issue. Here, we propose a novel test-program generation approach (called MCS) to further improving the performance of compiler testing. MCS conducts memoized search via multi-agent reinforcement learning (RL) for guiding the construction of effective test configurations based on the memoization for the explored test configurations during the on-the-fly compiler-testing process. During the process, the elaborate coordination among configuration options can be also well learned by multi-agent RL, which is required for generating bug-triggering test programs. Specifically, MCS considers the diversity among test configurations to efficiently explore the input space and the testing results under each explored configuration to learn which portions of space are more bug-triggering. Our extensive experiments on GCC and LLVM demonstrate the performance of MCS, significantly outperforming the state-of-the-art test-program generation approaches in bug detection. Also, MCS detects 16 new bugs on the latest trunk revisions of GCC and LLVM, and all of them have been confirmed or fixed by developers. MCS has been deployed by a global IT company (i.e., Huawei) for testing their in-house compiler, and detects 10 new bugs (covering all the 5 bugs detected by the compared approaches), all of which have been confirmed.

Computer Science

ZHANG Liang,YI Jiang-fang,TONG Dong,CHENG Xu,WANG Ke-yi

2011-01-01

Abstract:Simulation is the major technique used for processor verification.In the late of the verification process,simulation requires a lot of expert time and computer resources to verify residual complicated functional points,which slows down the verification progress.This paper introduces a test generation method based on model checking engine to address this problem.First,an abstract microprocessor model focuses on these uncovered functional points is constructed using local modeling strategy.Second,model checker reads this abstract model and automatically produces test generator directives.Finally,these directives guide random test generator to generate test programs that cover the specified functional points.Experiments on verifying PKUnity UniCore32 microprocessor demonstrated that this method spent little time to cover these uncovered coverage tasks and increased the verification efficiency.

Hao Lan,Yin Tong,Jin Guo,Yadong Zhang,Yao Li,Chang Rao

DOI: https://doi.org/10.1109/qrs-c.2018.00048

2018-07-01

Abstract:The traditional finite state machine (FSM) cannot express complicated systems due to its flattened sequential features. A safe state machine (SSM) is an extension of FSMs with capability of expressing hierarchical structure, parallel structure and historical mechanism. Therefore, it can accurately express complicated functions of a system, and SSMs have strict formal semantics. This paper provides a method for generating test paths based on SSMs. A method of creating the reachability graph (RG) of an SSM is presented, which can eliminate the hierarchical and parallel structure, and mark the history states. Finally, test paths are generated based on certain test coverage criteria of the RG model.