Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Tong Yang,Jaime Valls Miro,Minh Nguyen,Yue Wang,Rong Xiong

DOI: https://doi.org/10.1109/tmech.2023.3275214

2023-01-01

Abstract:A novel mechanism to generate nonrevisiting uniform coverage (NUC) paths on arbitrarily shaped object surfaces is presented in this work. Given a nonplanar surface, nonzero curvature makes traditional homeomorphic fitting of regular template coverage paths from planar regions onto the object surface non-distance-preserving. Any coverage path with a realistic tooling size derived in this way will suffer from overlaps and missing gaps when transformed onto the object surfaces, unable to uniformly cover the target. To overcome this, a discretization process is adopted to represent the object surface as a uniform unstructured mesh, with resolution set in accordance to the tool size. It is proven that a coverage skeleton path must exist by mesh subdivision refinement which, after a local optimization step to improve overlap, missing gaps, and smoothness, gives rise to template-free superior NUC paths. Extensive simulation examples are presented to prove the validity of the proposed strategy in realistic settings. The proposed scheme is able to achieve 95.9% coverage on benchmark surface tests, outperforming comparable coverage algorithms, such as a homeomorphic boustrophedon mapping, which can at best achieve 80.9% coverage, or more recent state-of-the-art methods able to reach 94.7% coverage. An accompanying video is supplied with examples, including a real-world implementation of an NUC path tracked by a manipulator. An open-source implementation has been made available.

Nicky Williams

DOI: https://doi.org/10.48550/arXiv.2105.05517

2021-05-12

Abstract:Branch coverage of source code is a very widely used test criterion. Moreover, branch coverage is a similar problem to line coverage, MC/DC and the coverage of assertion violations, certain runtime errors and various other types of test objective. Indeed, establishing that a large number of test objectives are unreachable, or conversely, providing the test inputs which reach them, is at the heart of many verification tasks. However, automatic test generation for exhaustive branch coverage remains an elusive goal: many modern tools obtain high coverage scores without being able to provide an explanation for why some branches are not covered, such as a demonstration that they are unreachable. Concolic test generation offers the promise of exhaustive coverage but covers paths more efficiently than branches. In this paper, I explain why, and propose different strategies to improve its performance on exhaustive branch coverage. A comparison of these strategies on examples of real code shows promising results.

Software Engineering

文勇,蔡铭,陈刚,杨子江,金星

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.11.037

2010-01-01

Abstract:To effectively carry out the object code analysis and verification,a novel method of control flow and structural coverage measurement for object code verification is presented based on CPU module extension.By branch instruction function extension,along with a new module for dynamic branch target buffer,the control flow of object code is collected effectively.And then,the algorithm for control flow construction and structural coverage measurement are given respectively.Both the overhead and computation complexity are acceptable with analysis study.Competitive advantage of this method is independent of compiler and non-incursive measurement for the object code.

Chen Zhenqiang,Xu Baowen,Guan jie

DOI: https://doi.org/10.1109/iri.2003.1251465

2003-01-01

Abstract:Coverage analysis is a structural testing technique that helps to eliminate gaps in a test suite and determines when to stop testing. To compute test coverage, this letter proposes a new concept—coverage about variables, based on program slicing. By adding powers according to their importance, the users can focus on the important variables to obtain higher test coverage. The letter presents methods to compute basic coverage based on program structure graphs. In most cases, the coverage obtained in the letter is bigger than that obtained by a traditional measure, because the coverage about a variable takes only the related codes into account.

Xusheng Xiao,Tao Xie,Nikolai Tillmann,Jonathan De Halleux

DOI: https://doi.org/10.1145/1985793.1985876

2011-01-01

Abstract:An important goal of software testing is to achieve at least high structural coverage. To reduce the manual efforts of producing such high-covering test inputs, testers or developers can employ tools built based on automated structural test-generation approaches. Although these tools can easily achieve high structural coverage for simple programs, when they are applied on complex programs in practice, these tools face various problems, such as (1) the external-method-call problem (EMCP), where tools cannot deal with method calls to external libraries; (2) the object-creation problem (OCP), where tools fails to generate method-call sequences to produce desirable object states. Since these tools currently could not be powerful enough to deal with these problems in testing complex programs in practice, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. To reduce the efforts of developers in providing guidance to tools, in this paper, we propose a novel approach, called Covana, which precisely identifies and reports problems that prevent the tools from achieving high structural coverage primarily by determining whether branch statements containing not-covered branches have data dependencies on problem candidates. We provide two techniques to instantiate Covana to identify EMCPs and OCPs. Finally, we conduct evaluations on two open source projects to show the effectiveness of Covana in identifying EMCPs and OCPs.

Shi Liang,Xu Baowen,Chen Lin

DOI: https://doi.org/10.1007/bf02687957

2005-01-01

Abstract:Test coverage analysis is a structural testing technique, which helps to evaluate the sufficiency of software testing. This letter presents two test generation algorithms based on binary decision diagrams to produce tests for the Multiple-Condition Criterion(M-CC) and the Modified Condition/Decision Criterion(MC/DC), and describes the design of the C program Coverage Measurement Tool (CCMT), which can record dynamic behaviors of C programs and quantify test coverage.

Xusheng Xiao,Tao Xie,Nikolai Tillmann,Jonathan De Halleux

DOI: https://doi.org/10.1145/1985793.1985976

2011-01-01

Abstract:Achieving high structural coverage is an important goal of software testing. Instead of manually producing test inputs that achieve high structural coverage, testers or developers can employ tools built based on automated test-generation approaches, such as Pex, to automatically generate such test inputs. Although these tools can easily generate test inputs that achieve high structural coverage for simple programs, when applied on complex programs in practice, these tools face various problems, such as the problems of dealing with method calls to external libraries or generating method-call sequences to produce desired object states. Since these tools are currently not powerful enough to deal with these various problems in testing complex programs, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. In this demo, we present Covana, a tool that precisely identifies and reports problems that prevent Pex from achieving high structural coverage. Covana identifies problems primarily by determining whether branch statements containing not-covered branches have data dependencies on problem candidates.

Rahul Pandita,Tao Xie,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1109/ICSM.2010.5609565

2010-01-01

Abstract:Test coverage criteria including boundary-value and logical coverage such as Modified Condition/Decision Coverage (MC/DC) have been increasingly used in safety-critical or mission-critical domains, complementing those more popularly used structural coverage criteria such as block or branch coverage. However, existing automated test-generation approaches often target at block or branch coverage for test generation and selection, and therefore do not support testing against boundary-value coverage or logical coverage. To address this issue, we propose a general approach that uses instrumentation to guide existing test-generation approaches to generate test inputs that achieve boundary-value and logical coverage for the program under test. Our preliminary evaluation shows that our approach effectively helps an approach based on Dynamic Symbolic Execution (DSE) to improve boundary-value and logical coverage of generated test inputs. The evaluation results show 30.5% maximum (23% average) increase in boundary-value coverage and 26% maximum (21.5% average) increase in logical coverage of the subject programs under test using our approach over without using our approach. In addition, our approach improves the fault-detection capability of generated test inputs by 12.5% maximum (11% average) compared to the test inputs generated without using our approach.

Yanhong Zhou,Huawei Li,Tiancheng Wang,Bo Liu,Yingke Gao,Xiaowei Li

DOI: https://doi.org/10.1109/vts.2016.7477265

2016-01-01

Abstract:Traditional coverage metrics in verification focus on controllability without taking observability into account, which may result in an artificially high coverage and a false sense of confidence. In this paper, we present a path constraint solving based test generation method at register-transfer level (RTL) for observability-enhanced branch coverage. The branches executed but not observed by a test sequence are identified as our target branches. The test generation for each target branch is converted to the process of covering multiple intermediate sub-target states sequentially to guarantee the execution and observation of the target branch. Valid input vectors are automatically generated by multicycle path constraint solving and simulation is guided by the abstract distance information to reach the sub-target states. Experimental results show that our approach can reduce the gap between branch coverage and observability-enhanced branch coverage.

Yibiao Yang,Maolin Sun,Yang Wang,Qingyang Li,Ming Wen,Yuming Zhou

DOI: https://doi.org/10.1145/3611643.3616340

2023-01-01

Abstract:Ensuring the correctness of code coverage profilers is crucial, given the widespread adoption of code coverage for various software engineering tasks. Existing validation techniques, such as differential testing and metamorphic testing, have shown effectiveness in uncovering bugs in coverage profilers. However, these techniques have limitations as they primarily rely on homogeneous sources, i.e., different coverage profilers or the profilers themselves, for validation. In this paper, we propose Decov, a novel heterogeneous testing technique, to validate coverage profilers using the information provided by debuggers as a heterogeneous source. Coverage profilers record execution counts for each source line in the program, while debuggers monitor hit counts for each source line when running the program in debug mode. Our key insight is that the execution counts obtained from coverage profilers should align with the hit counts monitored by debuggers, without conflicts. Decov constructs multiple heterogeneous relations and utilizes them to uncover bugs in coverage profilers. Through experiments on Gcov and LLVM-cov, two widely used code coverage profilers, we discovered 21 new bug reports, with 19 of them directly confirmed by developers. Notably, developers have resolved 5 bugs in the latest trunk version. Decov serves as a simple yet effective coverage profiler validator and offers a complementary approach to existing techniques.

Yunlong Sheng,Chao Sun,Shouda Jiang,Chang'an Wei

DOI: https://doi.org/10.3390/sym10050146

2018-01-01

Symmetry

Abstract:Although combinatorial testing has been widely studied and used, there are still some situations and requirements that combinatorial testing does not apply to well, such as a system under test whose test cases need to be performed contiguously. For thorough testing, the testing requirements are not only to cover all the interactions among factors but also to cover all the value sequences of every factor. Generally, systems under test always involve constraints and dependencies in or among test cases. The constraints among test cases have not been effectively specified. First, we introduce extended covering arrays that can achieve both t-way combinatorial coverage and t-wise sequence coverage, and propose a clocked computation tree logic-based formal specification method for specifying constraints. Then, Particle Swarm Optimization (PSO) based Extended covering array Generator (PEG) is elaborated. To evaluate the constructed test suites, a method for verifying the constraints' validity is presented, and kernel functions for measuring the coverage are also introduced. Finally, the performance of the proposed PEG is evaluated using several sets of benchmark experiments for some common constraints, and the feasibility and usefulness of PEG is validated.

邱晓康,李宣东

2004-01-01

Abstract:Software testing is an important method of assuring quality and enhancing reliability and path coverage is an essential criterion for testing adequacy.Since the rigid path-cover testing is infeasible,we select and test some key paths,which outweigh others on affecting the overall quality of the system,to enhance test efficiency and profit.A general statistics-based automated tool aiming at object-oriented software systems was proposed.By static analysis and interpolation on code,this tool offers a diagnosis of statistical data derived from continual executions,which are driven by random test cases,for information of selecting key paths in correctness testing and reliability testing.Primary idea,corresponding algorithms of this tool,and some problems in implementation are exposed.

Yibiao Yang,Yanyan Jiang,Zhiqiang Zuo,Yang Wang,Hao Sun,Hongmin Lu,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1109/ase.2019.00018

2019-01-01

Abstract:Code coverage as the primitive dynamic program behavior information, is widely adopted to facilitate a rich spectrum of software engineering tasks, such as testing, fuzzing, debugging, fault detection, reverse engineering, and program understanding. Thanks to the widespread applications, it is crucial to ensure the reliability of the code coverage profilers. Unfortunately, due to the lack of research attention and the existence of testing oracle problem, coverage profilers are far away from being tested sufficiently. Bugs are still regularly seen in the widely deployed profilers, like gcov and llvm-cov, along with gcc and llvm, respectively. This paper proposes Cod, an automated self-validator for effectively uncovering bugs in the coverage profilers. Starting from a test program (either from a compiler's test suite or generated randomly), Cod detects profiler bugs with zero false positive using a metamorphic relation in which the coverage statistics of that program and a mutated variant are bridged. We evaluated Cod over two of the most well-known code coverage profilers, namely gcov and llvm-cov. Within a four-month testing period, a total of 196 potential bugs (123 for gcov, 73 for llvm-cov) are found, among which 23 are confirmed by the developers.

Jun-Ru Chang,Chin-Yu Huang

DOI: https://doi.org/10.1109/compsac.2007.44

2007-01-01

Abstract:The coverage criteria of verification techniques play an important role in software development and testing. The goal is to reduce the size of test suites to economize on time, and to ensure whether all statements (or conditions) are covered. We can use these criteria to track test progress, assess current situations, predict emerging events, and so on. Thus we can take the necessary actions upon early indications that testing activity is falling behind. Modified condition/decision coverage (MC/DC) was proposed by NASA in 1994, and had been widely adopted and discussed since then. As evident from the definition, MC/DC criterion is used to judge whether each Boolean operator can be satisfied or not. However, we find that the selected test cases sometimes may not be able to satisfy the original definition of MC/DC under some Boolean expressions. In this paper, we will propose a simple but useful method which focuses on all conditions of Boolean expression to practice MC/DC. Specifically, our proposed approach will use n-cube graph and Gray code to implement the MC/DC criterion. We will further show how to use the proposed method to differentiate the necessary and redundancy test cases. Finally, a practical regression testing tool, TASTE (Tool for Automatic Software regression TEsting), will be presented in this paper. An example is given to illustrate the detailed working process and is explained in detail.

Yibiao Yang,Yuming Zhou,Hao Sun,Zhendong Su,Zhiqiang Zuo,Lei Xu,Baowen Xu

DOI: https://doi.org/10.1109/ICSE.2019.00061

2019-01-01

Abstract:Reliable code coverage tools are critically important as it is heavily used to facilitate many quality assurance activities, such as software testing, fuzzing, and debugging. However, little attention has been devoted to assessing the reliability of code coverage tools. In this study, we propose a randomized differential testing approach to hunting for bugs in the most widely used C code coverage tools. Specifically, by generating random input programs, our approach seeks for inconsistencies in code coverage reports produced by different code coverage tools, and then identifies inconsistencies as potential code coverage bugs. To effectively report code coverage bugs, we addressed three specific challenges: (1) How to filter out duplicate test programs as many of them triggering the same bugs in code coverage tools; (2) how to automatically reduce large test programs to much smaller ones that have the same properties; and (3) how to determine which code coverage tools have bugs? The extensive evaluations validate the effectiveness of our approach, resulting in 42 and 28 confirmed/fixed bugs for gcov and llvm-cov, respectively. This case study indicates that code coverage tools are not as reliable as it might have been envisaged. It not only demonstrates the effectiveness of our approach, but also highlights the need to continue improving the reliability of code coverage tools. This work opens up a new direction in code coverage validation which calls for more attention in this area.

Weidi Sun,Xiaoyong Xue,Yuteng Lu,Jia Zhao,Meng Sun

DOI: https://doi.org/10.1016/j.sysarc.2023.102999

IF: 5.836

2023-01-01

Journal of Systems Architecture

Abstract:Though Deep Neural Networks (DNNs) have been widely deployed and achieved great success in many domains, they have severe safety and reliability concerns. To provide testing evidence for DNNs' reliable behaviors, various coverage testing techniques inspired by traditional software testing have been proposed. However, the coverage criteria in these techniques are either not fine enough to capture subtle behaviors of DNNs, or too time-consuming to be applied on large-scale DNNs. In this paper, we propose a coverage testing framework named HashC, which makes mainstream coverage criteria (e.g., NC and KMNC) much finer. Meanwhile, HashC reduces the time complexity of combinatorial coverage testing from polynomial time to linear time. We also develop the corresponding test sample selection method. Our experiments show that, (1) the existing mainstream coverage criteria are becoming finer after being equipped with HashC, (2) HashC greatly accelerates combinatorial coverage testing and can handle the testing of large-scale DNNs.

Weidi Sun,Xiaoyong Xue,Yuteng Lu,Meng Sun

DOI: https://doi.org/10.1007/978-3-031-21213-0_1

2022-01-01

Abstract:Though Deep Neural Networks (DNNs) have been widely deployed and achieved great success in many domains, they have severe safety and reliability concerns. To provide testing evidence for DNNs' reliable behaviors, various coverage testing techniques inspired by traditional software testing have been proposed. However, the coverage criteria in these techniques are either not fine enough to capture subtle behaviors of DNNs, or too time-consuming to be applied on large-scale DNNs. In this paper, we develop a coverage testing framework named HashC, which makes mainstream coverage criteria (e.g., NC and KMNC) much finer. Meanwhile, HashC reduces the time complexity of combinatorial coverage testing from polynomial time to linear time. Our experiments show that, 1) the HashC criteria are finer than existing mainstream coverage criteria, 2) HashC greatly accelerates combinatorial coverage testing and can handle the testing of large-scale DNNs.

M. Ammar Ben Khadra,Dominik Stoffel,Wolfgang Kunz

DOI: https://doi.org/10.48550/arXiv.2004.14191

2020-09-10

Abstract:Code coverage analysis plays an important role in the software testing process. More recently, the remarkable effectiveness of coverage feedback has triggered a broad interest in feedback-guided fuzzing. In this work, we introduce bcov, a tool for binary-level coverage analysis. Our tool statically instruments x86-64 binaries in the ELF format without compiler support. We implement several techniques to improve efficiency and scale to large real-world software. First, we bring Agrawal's probe pruning technique to binary-level instrumentation and effectively leverage its superblocks to reduce overhead. Second, we introduce sliced microexecution, a robust technique for jump table analysis which improves CFG precision and enables us to instrument jump table entries. Additionally, smaller instructions in x86-64 pose a challenge for inserting detours. To address this challenge, we aggressively exploit padding bytes and systematically host detours in neighboring basic blocks. We evaluate bcov on a corpus of 95 binaries compiled from eight popular and well-tested packages like FFmpeg and LLVM. Two instrumentation policies, with different edge-level precision, are used to patch all functions in this corpus - over 1.6 million functions. Our precise policy has average performance and memory overheads of 14% and 22% respectively. Instrumented binaries do not introduce any test regressions. The reported coverage is highly accurate with an average F-score of 99.86%. Finally, our jump table analysis is comparable to that of IDA Pro on gcc binaries and outperforms it on clang binaries.

Software Engineering

Henry Cox

DOI: https://doi.org/10.48550/arXiv.2008.07947

2020-08-18

Abstract:While it is easy to automate coverage data collection, it is a time consuming/difficult/expensive manual process to analyze the data so that it can be acted upon. Complexity arises from numerous sources, of which untested or poorly tested legacy code and third-party libraries are two of the most common. Differential coverage and date binning are methods of combining coverage data and project/file history to determine if goals have been met and to identify areas of code which should be prioritized. These methods can be applied to any coverage metric which can be associated with a location -- statement, function, expression, toggle, etc. -- and to any language, including both software (C++, Python, etc.) and hardware description languages (SystemVerilog, VHDL). The goal of these approaches is to reduce the cost and the barrier to entry of using coverage data analysis in large-scale projects. The approach is realized in gendiffcov, a recently released open-source tool.

Software Engineering