Pingfan Kong,Yi Li,Xiaohong Chen,Jun Sun,Meng Sun,Jingyi Wang

DOI: https://doi.org/10.1007/978-3-319-48989-6_28

2016-01-01

Abstract:Hybrid systems exhibit both continuous and discrete behavior. Analyzing hybrid systems is known to be hard. Inspired by the idea of concolic testing (of programs), we investigate whether we can combine random sampling and symbolic execution in order to effectively verify hybrid systems. We identify a sufficient condition under which such a combination is more effective than random sampling. Furthermore, we analyze different strategies of combining random sampling and symbolic execution and propose an algorithm which allows us to dynamically switch between them so as to reduce the overall cost. Our method has been implemented as a web-based checker named HyChecker. HyChecker has been evaluated with benchmark hybrid systems and a water treatment system in order to test its effectiveness.

Xinyu Wang,Jun Sun,Zhenbang Chen,Peixin Zhang,Jingyi Wang,Yun Lin

DOI: https://doi.org/10.1145/3180155.3180177

2018-01-01

Abstract:Concolic testing integrates concrete execution (e.g., random testing) and symbolic execution for test case generation. It is shown to be more cost-effective than random testing or symbolic execution sometimes. A concolic testing strategy is a function which decides when to apply random testing or symbolic execution, and if it is the latter case, which program path to symbolically execute. Many heuristics-based strategies have been proposed. It is still an open problem what is the optimal concolic testing strategy. In this work, we make two contributions towards solving this problem. First, we show the optimal strategy can be defined based on the probability of program paths and the cost of constraint solving. The problem of identifying the optimal strategy is then reduced to a model checking problem of Markov Decision Processes with Costs. Secondly, in view of the complexity in identifying the optimal strategy, we design a greedy algorithm for approximating the optimal strategy. We conduct two sets of experiments. One is based on randomly generated models and the other is based on a set of C programs. The results show that existing heuristics have much room to improve and our greedy algorithm often outperforms existing heuristics.

Sooyoung Cha,Seonho Lee,Xinyu Wang,Jun Sun,Zhenbang Chen,Peixin Zhang,Jingyi Wang

2020-01-01

Abstract:Concolic testing (or dynamic symbolic execution) is an automatic test case generation technique that combines concrete and symbolic execution of the system under test [1]. Symbolic execution employs program analysis to gather constraints on the execution path of the current concrete test input (the path condition). The obtained path condition can then be systematically negated and solved using a constraint solver in order to obtain new test inputs that exercise alternative paths. However, one of the main challenges of concolic testing is the path explosion problem, which makes an exhaustive exploration of the search space intractable. As a result, recent work has proposed advanced search strategies that aim to alleviate this problem, including techniques based on model checking [4] or pattern mining [2]. In this seminar, after examining the theoretic foundations of concolic testing and its traditional search strategies (e.g., DFS, BFS), the student is required to investigate and discuss recent advanced search strategies for concolic testing. The student should compare different approaches and give insights into future research.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Emilio Coppa,Alessio Izzillo

DOI: https://doi.org/10.1016/j.jss.2024.112001

IF: 3.5

2024-02-17

Journal of Systems and Software

Abstract:Symbolic execution is a well-known software testing technique that evaluates how a program runs when considering a symbolic input, i.e., an input that can initially assume any concrete value admissible for its data type. The dynamic twist of this technique is dubbed concolic execution and has been demonstrated to be a practical technique for testing even complex real-world programs. Unfortunately, developing concolic engines is hard. Indeed, an engine has to correctly instrument the program to build accurate symbolic expressions, which represent the program computation. Furthermore, to reason over such expressions, it has to interact with an SMT solver. Hence, several implementation bugs may emerge within the different layers of an engine. In this article, we consider the problem of testing concolic engines. In particular, we propose several testing strategies whose main intuition is to exploit the concrete state kept by the executor to identify inconsistencies within the symbolic state. We integrated our strategies into three state-of-the-art concolic executors ( SymCC , SymQEMU , and Fuzzolic , respectively) and then performed several experiments to show that our ideas can find bugs in these frameworks. Overall, our approach was able to discover more than 12 bugs across these engines.

computer science, theory & methods, software engineering

Weiguang Wang,Qingkai Zeng

DOI: https://doi.org/10.1109/tase.2015.14

2015-01-01

Abstract:Concolic testing is a powerful technique for vulnerability detection. Current concolic testing tools usually randomly select one well-formed concrete input to start their workflow, then employ different path selection methods to explore the execution space. However, experiments have shown that concolic testing tools have different vulnerability detection performance when starting with different well-formed concrete inputs. In this paper, we present an evaluation method to help concolic testing tools select better initial inputs. The key idea is that: if the concolic execution triggered by one candidate initial input covers more error-prone operations with different execution contexts, it is likely to detect more bugs. Specifically, we firstly identify error-prone operations using fine-grained dynamic taint analysis. Then we propose a scoring algorithm to evaluate the vulnerability detection ability of different candidate initial inputs. We implemented this method in a new tool called CrashFinderHB, and applied it to four applications in Linux: readelf, convert, cjpeg, swftool. Experimental results show that using our evaluation method to select starting points can improve the effectiveness of concolic testing. Moreover, starting with carefully selected initial inputs, we found 4 previously unknown errors in readelf and convert.

DOI: https://doi.org/10.1007/s10515-024-00449-6

IF: 1.677

2024-06-11

Automated Software Engineering

Abstract:Automated test data generation for unit testing C/C++ functions using concolic testing has been known for improving software quality while reducing human testing effort. However, concolic testing could face challenging problems when tackling complex practical projects. This paper proposes a concolic-based method named Automated Unit Testing and Stubbing (AUTS) for automated test data and stub generation. The key idea of the proposed method is to apply the concolic testing approach with three major improvements. Firstly, the test data generation, which includes two path search strategies, not only is able to avoid infeasible paths but also achieves higher code coverage. Secondly, AUTS generates appropriate values for specialized data types to cover more test scenarios. Finally, the proposed method integrates automatic stub preparation and generation to reduce the costs of human effort. The method even works on incomplete source code or missing libraries. AUTS is implemented in a tool to test various C/C++ industrial and open-source projects. The experimental results show that the proposed method significantly improves the coverage of the generated test data in comparison with other existing methods.

computer science, software engineering

Hui Xu,Yangfan Zhou,Yu Kang,Michael R. Lyu

DOI: https://doi.org/10.1109/dsn.2017.11

2017-01-01

Abstract:Concolic execution has achieved great success in many binary analysis tasks. However, it is still not a primary option for industrial usage. A well-known reason is that concolic execution cannot scale up to large-size programs. Many research efforts have focused on improving its scalability. Nonetheless, we find that, even when processing small-size programs, concolic execution suffers a great deal from the accuracy and scalability issues. This paper systematically investigates the challenges that can be introduced even by small-size programs, such as symbolic array and symbolic jump. We further verify that the proposed challenges are non-trivial via real-world experiments with three most popular concolic execution tools: BAP, Triton, and Angr. Among a set of 22 logic bombs we designed, Angr can solve only four cases correctly, while BAP and Triton perform much worse. The results imply that current tools are still primitive for practical industrial usage. We summarize the reasons and release the bombs as open source to facilitate further study.

Gary Wassermann,Dachuan Yu,Ajay Chander,Dinakar Dhurjati,Hiroshi Inamura,Zhendong Su

DOI: https://doi.org/10.1145/1390630.1390661

2008-01-01

Abstract:Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The dynamic features commonly supported by these languages significantly inhibit static analysis and existing static analysis of these languages can fail to produce meaningful results on realworld web applications. Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays. In this paper, we propose an automated input test generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.

QC Zhao,BH Krogh,P Hubbard

DOI: https://doi.org/10.1109/mcs.2003.1213603

2003-01-01

IEEE Control Systems

Abstract:Embedded control systems are growing rapidly, and there is a need for short design cycles. As a result, there is increasing interest in effective methods for automatic test generation. The authors present a new method for leveraging existing simulation models, involving genetic algorithms, for embedded control system designs to generate test inputs automatically, thereby eliminating the time-consuming task of creating them manually.

Rahul Pandita,Tao Xie,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1109/ICSM.2010.5609565

2010-01-01

Abstract:Test coverage criteria including boundary-value and logical coverage such as Modified Condition/Decision Coverage (MC/DC) have been increasingly used in safety-critical or mission-critical domains, complementing those more popularly used structural coverage criteria such as block or branch coverage. However, existing automated test-generation approaches often target at block or branch coverage for test generation and selection, and therefore do not support testing against boundary-value coverage or logical coverage. To address this issue, we propose a general approach that uses instrumentation to guide existing test-generation approaches to generate test inputs that achieve boundary-value and logical coverage for the program under test. Our preliminary evaluation shows that our approach effectively helps an approach based on Dynamic Symbolic Execution (DSE) to improve boundary-value and logical coverage of generated test inputs. The evaluation results show 30.5% maximum (23% average) increase in boundary-value coverage and 26% maximum (21.5% average) increase in logical coverage of the subject programs under test using our approach over without using our approach. In addition, our approach improves the fault-detection capability of generated test inputs by 12.5% maximum (11% average) compared to the test inputs generated without using our approach.

Tao Sun,Zheng Wang,Geguang Pu,Xiao Yu,Zongyan Qiu,Bin Gu

DOI: https://doi.org/10.1109/QSIC.2009.53

2009-01-01

Abstract:One difficulty of automated test case generation is to deal with compositional units that brings in compositional space explosion of program states. We present a new dynamic execution framework which analyzes program behaviors dynamically for automatic test inputs generation. We utilize forward slicing to explore those functions affecting conditional predicates in program under test.The functions that do not affect the conditional predicates are not in need of being analyzed symbolically. Pointer alias analysis is adopted to make slicing in the presence of pointers more precise. A dynamic partial execution technique is proposed to accelerate the speed of searching the unit space. The proposed approach can be applied to real programs and the experiments are also very encouraging.

Zs Liang,Xl Yan,Jb Wang,Zh Xu

DOI: https://doi.org/10.1109/ICASIC.2003.1277585

2003-01-01

Abstract:An efficient dynamic instruction and stimulus generator and its associated methodology are introduced in this paper. They, have been used in the functional verification of a high performance low-power embedded processor. The generator reads in test scripts with a set of predefined syntax and generates random instructions which are fed to the processor. The generator is also used to generate purely random stimuli with one of the five random modes. It can be running forever, until it catches some function bug. This methodology is proved to have significantly reduced verification cycle, improved test coverage, and facilitated developing a complex embedded processor.

Liang Wang

2009-01-01

Abstract:VxWorks can not provide friendly graphical user interface like Windows system,and developing the graphical interface under VxWorks system has a high degree of difficulty and workload.According to the problems above,a useful method developed by LabWindows/CVI 8.5 is designed to test real-time simulation computer running on VxWorks.The method is successfully applied to the semi-physical simulation test for a certain type of plane,and it is proved useful in checking the I/O system of simulation computer.Quite a practical implementation is provided for diagnosing fault in I/O system for future.

Ming Yan,Junjie Chen,Jie M. Zhang,Xuejie Cao,Chen Yang,Mark Harman

2023-08-25

Abstract:Code generation systems have been extensively developed in recent years to generate source code based on natural language instructions. However, despite their advancements, these systems still face robustness issues where even slightly different instructions can result in significantly different code semantics. Robustness is critical for code generation systems, as it can have significant impacts on software development, software quality, and trust in the generated code. Although existing testing techniques for general text-to-text software can detect some robustness issues, they are limited in effectiveness due to ignoring the characteristics of code generation systems. In this work, we propose a novel technique COCO to test the robustness of code generation systems. It exploits the usage scenario of code generation systems to make the original programming instruction more concrete by incorporating features known to be contained in the original code. A robust system should maintain code semantics for the concretized instruction, and COCO detects robustness inconsistencies when it does not. We evaluated COCO on eight advanced code generation systems, including commercial tools such as Copilot and ChatGPT, using two widely-used datasets. Our results demonstrate the effectiveness of COCO in testing the robustness of code generation systems, outperforming two techniques adopted from general text-to-text software testing by 466.66% and 104.02%, respectively. Furthermore, concretized instructions generated by COCO can help reduce robustness inconsistencies by 18.35% to 53.91% through fine-tuning.

Software Engineering

Chen Bing,Qingkai Zeng,Weiguang Wang

DOI: https://doi.org/10.1145/2554850.2554875

2014-01-01

Abstract:Concolic testing is a popular method based on symbolic execution and constraint solving, designed for security testing of applications. Unfortunately, the current effectiveness of concolic testing tools are limited when testing large applications due to the enormous number of control paths and limited budget. In this paper, we introduce selective symbolic execution, path selecting, random and incorrect seed input, three approaches to ease the path explosion and speed up bugs exploration. We also develop Crashmaker, a dynamic symbolic execution tool based on Valgrind and constraints solver STP, implementing our three improvement measures. To check the effectiveness and efficiency of Crashmaker, we make experiments with 7 different real-life programs, and compare with Avalanche. The evaluation results show that Crashmaker can effectively find more bugs in a more efficient way.

Xusheng Xiao,Tao Xie,Nikolai Tillmann,Jonathan De Halleux

DOI: https://doi.org/10.1145/1985793.1985876

2011-01-01

Abstract:An important goal of software testing is to achieve at least high structural coverage. To reduce the manual efforts of producing such high-covering test inputs, testers or developers can employ tools built based on automated structural test-generation approaches. Although these tools can easily achieve high structural coverage for simple programs, when they are applied on complex programs in practice, these tools face various problems, such as (1) the external-method-call problem (EMCP), where tools cannot deal with method calls to external libraries; (2) the object-creation problem (OCP), where tools fails to generate method-call sequences to produce desirable object states. Since these tools currently could not be powerful enough to deal with these problems in testing complex programs in practice, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. To reduce the efforts of developers in providing guidance to tools, in this paper, we propose a novel approach, called Covana, which precisely identifies and reports problems that prevent the tools from achieving high structural coverage primarily by determining whether branch statements containing not-covered branches have data dependencies on problem candidates. We provide two techniques to instantiate Covana to identify EMCPs and OCPs. Finally, we conduct evaluations on two open source projects to show the effectiveness of Covana in identifying EMCPs and OCPs.

Hao Jin,Yanyan Jiang,Na Liu,Chang Xu,Xiaoxing Ma,Jian Lu

DOI: https://doi.org/10.1109/COMPSAC.2015.79

2015-01-01

Abstract:Debugging is challenging and labor-intensive. Debugging programs with weak or no oracle is even more difficult due to lack of passing and failing test runs as well as their comparisons. To address these challenges, we exploit metamorphic relations to construct new programs that are enhanced with synthesized oracle, and combine concolic testing and branch-switching debugging to localize potentially faulty places in original programs. We name our approach concolic metamorphic debugging (or Comedy for short). We experimentally evaluated Comedy with real-world Java programs. The experimental results reported that Comedy successfully generated debugging report for 88.4% of 2,330 faulty programs. The average branch distance between the reported locations and the real fault places is only 1.68. Besides, 36% of the debugging reports precisely locate the fault.

Junjie Chen,Guancheng Wang,Dan Hao,Yingfei Xiong,Hongyu Zhang,Lu Zhang

DOI: https://doi.org/10.1109/ase.2019.00037

2019-01-01

Abstract:Compilers, like other software systems, contain bugs, and compiler testing is the most widely-used way to assure compiler quality. A critical task of compiler testing is to generate test programs that could effectively and efficiently discover bugs. Though we can configure test generators such as Csmith to control the features of the generated programs, it is not clear what test configuration is effective. In particular, an effective test configuration needs to generate test programs that are bug-revealing, i.e., likely to trigger bugs, and diverse, i.e., able to discover different types of bugs. It is not easy to satisfy both properties. In this paper, we propose a novel test-program generation approach, called HiCOND, which utilizes historical data for configuration diversification to solve this challenge. HiCOND first infers the range for each option in a test configuration where bug-revealing test programs are more likely to be generated based on historical data. Then, it identifies a set of test configurations that can lead to diverse test programs through a search method (particle swarm optimization). Finally, based on the set of test configurations for compiler testing, HiCOND generates test programs, which are likely to be bug-revealing and diverse. We have conducted experiments on two popular compilers GCC and LLVM, and the results confirm the effectiveness of our approach. For example, HiCOND detects 75.00%, 133.33%, and 145.00% more bugs than the three existing approaches, respectively. Moreover, HiCOND has been successfully applied to actual compiler testing in a global IT company and detected 11 bugs during the practical evaluation.