Kai Pan,Xintao Wu,Tao Xie

DOI: https://doi.org/10.1109/ASE.2011.6100152

2011-01-01

Abstract:ABSTRACTTesting is essential for quality assurance of database applications. Achieving high code coverage of the database application is important in testing. In practice, there may exist a copy of live databases that can be used for database application testing. Using an existing database state is desirable since it tends to be representative of real-world objects' characteristics, helping detect faults that could cause failures in real-world settings. However, to cover a specific program code portion (e.g., block), appropriate program inputs also need to be generated for the given existing database state. To address this issue, in this paper, we propose a novel approach that generates program inputs for achieving high code coverage of a database application, given an existing database state. Our approach uses symbolic execution to track how program inputs are transformed before appearing in the executed SQL queries and how the constraints on query results affect the application's execution. One significant challenge in our problem context is the gap between program-input constraints derived from the program and from the given existing database state; satisfying both types of constraints is needed to cover a specific program code portion. Our approach includes novel query formulation to bridge this gap. Our approach is loosely integrated into Pex, a state-of-the-art white-box testing tool for .NET from Microsoft Research. Empirical evaluations on two real database applications show that our approach assists Pex to generate program inputs that achieve higher code coverage than the program inputs generated by Pex without our approach's assistance.

Kai Pan,Xintao Wu,Tao Xie

DOI: https://doi.org/10.1145/2491529

IF: 3.685

2014-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Testing database applications typically requires the generation of tests consisting of both program inputs and database states. Recently, a testing technique called Dynamic Symbolic Execution (DSE) has been proposed to reduce manual effort in test generation for software applications. However, applying DSE to generate tests for database applications faces various technical challenges. For example, the database application under test needs to physically connect to the associated database, which may not be available for various reasons. The program inputs whose values are used to form the executed queries are not treated symbolically, posing difficulties for generating valid database states or appropriate database states for achieving high coverage of query-result-manipulation code. To address these challenges, in this article, we propose an approach called SynDB that synthesizes new database interactions to replace the original ones from the database application under test. In this way, we bridge various constraints within a database application: query-construction constraints, query constraints, database schema constraints, and query-result-manipulation constraints. We then apply a state-of-the-art DSE engine called Pex for. NET from Microsoft Research to generate both program inputs and database states. The evaluation results show that tests generated by our approach can achieve higher code coverage than existing test generation approaches for database applications.

Kai Pan,Xintao Wu,Tao Xie

DOI: https://doi.org/10.1145/1988842.1988846

2011-01-01

Abstract:ABSTRACTAutomatically generating sufficient database states is imperative to reduce human efforts in testing database applications. Complementing the traditional block or branch coverage, we develop an approach that generates database states to achieve advanced code coverage including boundary value coverage(BVC) and logical coverage(LC) for source code under test. In our approach, we leverage dynamic symbolic execution to examine close relationships among host variables, embedded SQL query statements, and branch conditions in source code. We then derive constraints such that data satisfying those constraints can achieve the target coverage criteria. We implement our approach upon Pex, which is a state-of-the-art DSE-based test-generation tool for .NET. Empirical evaluations on two real database applications show that our approach assists Pex to generate test database states that can effectively achieve both BVC and LC, complementing the block or branch coverage.

Kai Pan,Xintao Wu,Tao Xie

DOI: https://doi.org/10.1109/iwast.2013.6595801

2013-01-01

Abstract:To assure high quality of database applications, testing database applications remains the most popularly used approach. In testing database applications, tests consist of both program inputs and database states. Assessing the adequacy of tests allows targeted generation of new tests for improving their adequacy (e.g., fault-detection capabilities). Comparing to code coverage criteria, mutation testing has been a stronger criterion for assessing the adequacy of tests. Mutation testing would produce a set of mutants (each being the software under test systematically seeded with a small fault) and then measure how high percentage of these mutants are killed (i.e., detected) by the tests under assessment. However, existing test-generation approaches for database applications do not provide sufficient support for killing mutants in database applications (in either program code or its embedded or resulted SQL queries). To address such issues, in this paper, we propose an approach called MutaGen that conducts test generation for mutation testing on database applications. In our approach, we first apply an existing approach that correlates various constraints within a database application through constructing synthesized database interactions and transforming the constraints from SQL queries into normal program code. Based on the transformed code, we generate program-code mutants and SQL-query mutants, and then derive and incorporate query-mutant-killing constraints into the transformed code. Then, we generate tests to satisfy query-mutant-killing constraints. Evaluation results show that MutaGen can effectively kill mutants in database applications, and MutaGen outperforms existing test-generation approaches for database applications in terms of strong mutant killing.

Jinsheng Ba,Manuel Rigger

DOI: https://doi.org/10.48550/arXiv.2312.17510

2023-12-29

Abstract:Database systems are widely used to store and query data. Test oracles have been proposed to find logic bugs in such systems, that is, bugs that cause the database system to compute an incorrect result. To realize a fully automated testing approach, such test oracles are paired with a test case generation technique; a test case refers to a database state and a query on which the test oracle can be applied. In this work, we propose the concept of Query Plan Guidance (QPG) for guiding automated testing towards "interesting" test cases. SQL and other query languages are declarative. Thus, to execute a query, the database system translates every operator in the source language to one of potentially many so-called physical operators that can be executed; the tree of physical operators is referred to as the query plan. Our intuition is that by steering testing towards exploring diverse query plans, we also explore more interesting behaviors-some of which are potentially incorrect. To this end, we propose a mutation technique that gradually applies promising mutations to the database state, causing the DBMS to create diverse query plans for subsequent queries. We applied our method to three mature, widely-used, and extensively-tested database systems-SQLite, TiDB, and CockroachDB-and found 53 unique, previously unknown bugs. Our method exercises 4.85-408.48X more unique query plans than a naive random generation method and 7.46X more than a code coverage guidance method. Since most database systems-including commercial ones-expose query plans to the user, we consider QPG a generally applicable, black-box approach and believe that the core idea could also be applied in other contexts (e.g., to measure the quality of a test suite).

Software Engineering

Ivan R. Ivanov,Joachim Meyer,Aiden Grossman,William S. Moses,Johannes Doerfert

2024-06-13

Abstract:The size and complexity of software applications is increasing at an accelerating pace. Source code repositories (along with their dependencies) require vast amounts of labor to keep them tested, maintained, and up to date. As the discipline now begins to also incorporate automatically generated programs, automation in testing and tuning is required to keep up with the pace - let alone reduce the present level of complexity. While machine learning has been used to understand and generate code in various contexts, machine learning models themselves are trained almost exclusively on static code without inputs, traces, or other execution time information. This lack of training data limits the ability of these models to understand real-world problems in software. In this work we show that inputs, like code, can be generated automatically at scale. Our generated inputs are stateful, and appear to faithfully reproduce the arbitrary data structures and system calls required to rerun a program function. By building our tool within the compiler, it both can be applied to arbitrary programming languages and architectures and can leverage static analysis and transformations for improved performance. Our approach is able to produce valid inputs, including initial memory states, for 90% of the ComPile dataset modules we explored, for a total of 21.4 million executable functions. Further, we find that a single generated input results in an average block coverage of 37%, whereas guided generation of five inputs improves it to 45%.

Software Engineering,Performance,Programming Languages

Tao Xie,Kunal Taneja

2013-01-01

Abstract:Software faults cost USA’s economy over 59 billion dollars. The cost can be brought down by making software testing more effective in finding and fixing faults quickly. Software developers test an application by writing tests with inputs that achieve high structural code coverage. However, manual testing is labor intensive and time consuming. To reduce the efforts of manual software testing, there exist tools for automated test generation. These tools can generate tests that achieve high code coverage. The generated tests can be used to find faults in the software application under test. In addition, these tests can be used as regression tests, i.e., when changes are made to the software application under test, these tests can be executed on the modified application to find regression faults.Database Centric Applications (DCAs) are getting more and more popular in enterprise computing. DCAs consist of a front-end application (FA) that interacts with a back-end database (DB). Testing of DCAs not only requires testing the FA with inputs that achieve high code coverage but also preparing necessary states in its DB to cover various branches in the FA, in short as FA branches, that are dependent on the DB. When existing test generation tools are used to test the DCAs, the tools can generate tests for the FA but cannot generate inputs for the DB. As a result, various FA branches that are dependent on the DB cannot be covered. In addition, the tools are not efficient and effective for regression testing of the FA of the DCAs.This dissertation addresses various problems in test generation for DCAs. First, often testing of DCAs is outsourced to testing centers and is conducted by test engineers there. When proprietary DCAs are released, their DB should also be made available to test engineers. However, different data privacy laws prevent organizations from sharing the records in the DB with test centers because the DB can contain sensitive information. As a result, various FA branches that depend on the DB cannot be covered leading to more regression faults undetected. Second, even if the DB can be released to the test engineers, the DB has insufficient (or no) records in it for effective regression testing of the DCA. As a result, for effective regression testing of a DCA, a test generation tool not only needs to generate inputs for the FA but also generate inputs for the DB to cover various FA branches that are dependent on the DB. Hence, a test generation tool needs to bridge the gap between the FA and the DB. Third, existing test generation tools generate tests to achieve high code coverage of the FA but not specifically to find behavioral differences between the two versions of the FA. As a result, these approaches are ineffective and inefficient for regression test generation.In this dissertation, we propose a framework that addresses the preceding problems in test generation for DCAs. First, we present an approach, called PRIEST, for anonymizing the records in the DB of a DCA such that the anonymized DB can be released to the test engineers (conducting the regression testing) without leaking sensitive information in the DB. With PRIEST, organizations can balance the level of privacy with needs of regression testing. Second, we present an approach, called MODA, that facilitates the generation of inputs for the DB of a DCA to cover various FA branches that are dependent on the DB. To generate tests efficiently, MODA can use the existing records in the DB or the anonymized DB generated by PRIEST. Third, we present approaches, called DiffGen and eXpress, for effective and efficient regression test generation of the FA of a DCA.

Rahul Pandita,Tao Xie,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1109/ICSM.2010.5609565

2010-01-01

Abstract:Test coverage criteria including boundary-value and logical coverage such as Modified Condition/Decision Coverage (MC/DC) have been increasingly used in safety-critical or mission-critical domains, complementing those more popularly used structural coverage criteria such as block or branch coverage. However, existing automated test-generation approaches often target at block or branch coverage for test generation and selection, and therefore do not support testing against boundary-value coverage or logical coverage. To address this issue, we propose a general approach that uses instrumentation to guide existing test-generation approaches to generate test inputs that achieve boundary-value and logical coverage for the program under test. Our preliminary evaluation shows that our approach effectively helps an approach based on Dynamic Symbolic Execution (DSE) to improve boundary-value and logical coverage of generated test inputs. The evaluation results show 30.5% maximum (23% average) increase in boundary-value coverage and 26% maximum (21.5% average) increase in logical coverage of the subject programs under test using our approach over without using our approach. In addition, our approach improves the fault-detection capability of generated test inputs by 12.5% maximum (11% average) compared to the test inputs generated without using our approach.

T. Grabs,Steve Herbert,Xin Zhang

DOI: https://doi.org/10.1145/1385269.1385272

2008-06-13

Abstract:With enterprise-class database systems like Microsoft SQL Server, changing mission-critical components such as the relational database engine pose significant challenges to the engineering teams involved. This is because customers carefully configure, tune, and test applications and the underlying database system for their specific scenario to ensure they achieve desirable performance. This situation poses particular challenges for developing and extending existing database components of high complexity such as relational query processing where a change to a policy or heuristics may adversely affect performance of a customer workload [1]. Mitigating risk of regressions through a variety of testing and validation techniques during development is essential for the database system engineering team. In this paper, we present a case study to demonstrate the challenges of testing an extension to the query processor in Microsoft SQL Server 2008 targeted at improved query performance for star join queries [2]. We discuss the unique range of problem spaces which must be addressed, and present an overview of the variety of techniques that are used to provide a high level of quality. Our main contribution is an iterative process of interleaved development and performance test phases using customer workloads to quantify performance improvement and to limit regressions. We present our experiences with this approach and explore some future opportunities with the hope that they will encourage discussion and additional research in the area of query processor architecture and testing.

Computer Science

Gary Wassermann,Dachuan Yu,Ajay Chander,Dinakar Dhurjati,Hiroshi Inamura,Zhendong Su

DOI: https://doi.org/10.1145/1390630.1390661

2008-01-01

Abstract:Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The dynamic features commonly supported by these languages significantly inhibit static analysis and existing static analysis of these languages can fail to produce meaningful results on realworld web applications. Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays. In this paper, we propose an automated input test generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.

Lingming Zhang,Tao Xie,Lu Zhang,Nikolai Tillmann,Jonathan de Halleux,Hong Mei

DOI: https://doi.org/10.1109/ICSM.2010.5609672

2010-01-01

Abstract:Mutation testing has been used to assess and improve the quality of test inputs. Generating test inputs to achieve high mutant-killing ratios is important in mutation testing. However, existing test-generation techniques do not provide effective support for killing mutants in mutation testing. In this paper, we propose a general test-generation approach, called PexMutator, for mutation testing using Dynamic Symbolic Execution (DSE), a recent effective test-generation technique. Based on a set of transformation rules, PexMutator transforms a program under test to an instrumented meta-program that contains mutant-killing constraints. Then PexMutator uses DSE to generate test inputs for the meta-program. The mutant-killing constraints introduced via instrumentation guide DSE to generate test inputs to kill mutants automatically. We have implemented our approach as an extension for Pex, an automatic structural testing tool developed at Microsoft Research. Our preliminary experimental study shows that our approach is able to strongly kill more than 80% of all the mutants for the five studied subjects. In addition, PexMutator is able to outperform Pex, a state-of-the-art test-generation tool, in terms of strong mutant killing while achieving the same block coverage.

Jarrod Goschen,Anna Sergeevna Bosman,Stefan Gruner

DOI: https://doi.org/10.48550/arXiv.2302.07646

2023-02-15

Abstract:Ongoing progress in computational intelligence (CI) has led to an increased desire to apply CI techniques for the purpose of improving software engineering processes, particularly software testing. Existing state-of-the-art automated software testing techniques focus on utilising search algorithms to discover input values that achieve high execution path coverage. These algorithms are trained on the same code that they intend to test, requiring instrumentation and lengthy search times to test each software component. This paper outlines a novel genetic programming framework, where the evolved solutions are not input values, but micro-programs that can repeatedly generate input values to efficiently explore a software component's input parameter domain. We also argue that our approach can be generalised such as to be applied to many different software systems, and is thus not specific to merely the particular software component on which it was trained.

Neural and Evolutionary Computing,Artificial Intelligence,Software Engineering

Ling Li,Junxin Qi,Nan Liu,Lifang Han,Baojiang Cui

DOI: https://doi.org/10.1109/bwcca.2015.59

2015-01-01

Abstract:We proposed a novel approach to generate test cases for detecting SQLIVs (SQL Injection vulnerabilities), one of the most foremost threats to Web applications. Dynamic testing procedures need to construct an appropriate test to launch a simulated attack on the target system, so test case generation is a crucial step, which directly affects the efficiency of detection. The traditional test case generation technologies have many flaws, for example, blind injection would create a lot of invalid test cases that fail to reach the sink point of vulnerability after filtered out. On the other hand, the test structure far from comprehensive would lead to blind test spots, giving rise to inefficiency and high false alarm rate. Therefore, we propose to use static analysis results to guide test case dynamic generation. A sequence of injection points and filter missing information of SQL vulnerabilities obtained in the static analysis can be passed as parameters to the dynamic detection module to generate more targeted test parameters. In order to generate more accurate test set, we parse the test parameters into two parts: the parameter basic structure and the parameter control information, which will help eliminate a lot of unnecessary redundancy attacks. This kind of joint test case generation is just the innovative point of our paper, practically making for more efficient and accurate dynamic detection.

Dawei Qi,Abhik Roychoudhury,Zhenkai Liang

DOI: https://doi.org/10.1145/1858996.1859083

2010-01-01

Abstract:Software constantly undergoes changes throughout its life cycle, and thereby it evolves. As changes are introduced into a code base, we need to make sure that the effect of the changes is thoroughly tested. For this purpose, it is important to generate test cases that can stress the effect of a given change. In this paper, we propose an automatic test generation solution to this problem. Given a change c, we use dynamic symbolic execution to generate a test input t, which stresses the change. This is done by ensuring (i) the change c is executed by t, and (ii) the effect of c is observable in the output produced by the test t. To construct a change-reaching input, our technique uses distance in control-dependency graph to guide path exploration towards the change. Then, our technique identifies the common programming patterns that may prevent a given change from affecting the program's output. For each of these patterns we propose methods to tune the change-reaching input into an input that reaches the change and propagates the effect of the change to the output. Our experimental results show that our test generation technique is effective in generating change-exposing inputs for real-world programs.

Tao Xie,David Notkin

2004-01-01

Abstract:Common and special test inputs can be created to exercise some common and special behavior of the class under test, respectively. Although manually created tests ar e valuable, programmers often overlook some special or even common test inputs. We have developed a new approach for automatically identifying special and common unit tests fo r a class without requiring any specification. Given a class, we automatically generates test inputs and identifies common and special tests among the generated tests. Programmers can inspect these identified tests and use them to augment existing tests. Our approach is based on statistical algebraic abstractions, program properties (in the form of algebraic specifications) dynamically inferred from test e xecutions. We use statistical algebraic abstractions to cha racterize program behavior and identify special and common tests. Our initial experience has shown that many interesting test inputs could be identified among a large number of generated tests.

Kunal Taneja,Yi Zhang,Tao Xie

DOI: https://doi.org/10.1145/1858996.1859053

2010-01-01

Abstract:ABSTRACTSoftware testing has been commonly used in assuring the quality of database applications. It is often prohibitively expensive to manually write quality tests for complex database applications. Automated test generation techniques, such as Dynamic Symbolic Execution (DSE), have been proposed to reduce human efforts in testing database applications. However, such techniques have two major limitations: (1) they assume that the database that the application under test interacts with is accessible, which may not always be true; and (2) they usually cannot create necessary database states as a part of the generated tests. To address the preceding limitations, we propose an approach that applies DSE to generate tests for a database application. Instead of using the actual database that the application interacts with, our approach produces and uses a mock database in test generation. A mock database mimics the behavior of an actual database by performing identical database operations on itself. We conducted two empirical evaluations on both a medical device and an open source software system to demonstrate that our approach can generate, without producing false warnings, tests with higher code coverage than conventional DSE-based techniques.

Xusheng Xiao,Tao Xie,Nikolai Tillmann,Jonathan De Halleux

DOI: https://doi.org/10.1145/1985793.1985976

2011-01-01

Abstract:Achieving high structural coverage is an important goal of software testing. Instead of manually producing test inputs that achieve high structural coverage, testers or developers can employ tools built based on automated test-generation approaches, such as Pex, to automatically generate such test inputs. Although these tools can easily generate test inputs that achieve high structural coverage for simple programs, when applied on complex programs in practice, these tools face various problems, such as the problems of dealing with method calls to external libraries or generating method-call sequences to produce desired object states. Since these tools are currently not powerful enough to deal with these various problems in testing complex programs, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. In this demo, we present Covana, a tool that precisely identifies and reports problems that prevent Pex from achieving high structural coverage. Covana identifies problems primarily by determining whether branch statements containing not-covered branches have data dependencies on problem candidates.

Zheng Wang,Xiao Yu,Tao Sun,Geguang Pu,Zuohua Ding,JueLiang Hu

DOI: https://doi.org/10.1109/tase.2009.10

2009-01-01

Abstract:Test data generation is one of the important tasks during software testing. This paper proposes an approach to generating test cases automatically for the unit test of C programs with derived types including pointers, structures and arrays. Our approach combines symbolic execution and concrete execution. The approach captures operations on variables precisely by concrete execution, and thus it is capable of handling derived types. Benefited from symbolic execution, accessing variables as array index can be solved by a substitution strategy. The substitution strategy also translates a path constraint involving variables of derived type to the one containing only primitive variables. An implementation of this approach is integrated into our test case generation tool called CAUT. Experimental results show that our approach is effective to generate test data for derived types.

Tao Xie

DOI: https://doi.org/10.1145/1028664.1028785

2004-01-01

Abstract:Common and special test inputs can be created to exercise some common and special behavior of the class under test, respectively. Although manually created tests are valuable, programmers often overlook some special test inputs. If programmers write down specifications, special or common tests can be automatically generated and selected by tools. However, specifications are not commonly written in practice. This research develops a novel approach for automatically identifying common and special unit tests for a class without requiring any specification. Given a class, our approach automatically generates test inputs and identifies common and special tests among the generated tests. Programmers can inspect these identified tests and use them to augment existing (manual) tests. Our approach is based on statistical algebraic abstractions, program properties (in the form of algebraic specifications) dynamically inferred from test executions. We use statistical algebraic abstractions to characterize program behavior. A test is identified to be common if the test exercises a behavior that is universally or commonly exercised by generated tests, or to be special if the test violates a behavior that is commonly exercised by generated tests.

Lei Xue,Huang Wei,Fan Wenqing,Yang Yixian

DOI: https://doi.org/10.1049/cje.2015.07.007

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Concolic testing is an integrated approach of symbolic execution and dynamic analysis, which is widely adopted by security researchers for program behavior analysis. This approach fails on hidden path discovery of environment-intensive program. We investigated on existing concolic testing tools and found out that several of them does not take this issue into account while others solved this issue with overloaded working model. We proposed a systematic and unified approach of automatically identifying and modifying the output of the Data input interacting functions（DIIF） based on fine-grained taint analysis, which detects and updates the data interacting with the runtime environment and generating a new customized set of inputs to execute hidden paths, to reveal the hidden paths on only particular runtime configuration or context. A prototype was developed and evaluated with a set of complex and environment-intensive programs. The experimental result demonstrated that our approach could detect the DIIF precisely and improve the code coverage.