Pingfan Kong,Yi Li,Xiaohong Chen,Jun Sun,Meng Sun,Jingyi Wang

DOI: https://doi.org/10.1007/978-3-319-48989-6_28

2016-01-01

Abstract:Hybrid systems exhibit both continuous and discrete behavior. Analyzing hybrid systems is known to be hard. Inspired by the idea of concolic testing (of programs), we investigate whether we can combine random sampling and symbolic execution in order to effectively verify hybrid systems. We identify a sufficient condition under which such a combination is more effective than random sampling. Furthermore, we analyze different strategies of combining random sampling and symbolic execution and propose an algorithm which allows us to dynamically switch between them so as to reduce the overall cost. Our method has been implemented as a web-based checker named HyChecker. HyChecker has been evaluated with benchmark hybrid systems and a water treatment system in order to test its effectiveness.

Xinyu Wang,Jun Sun,Zhenbang Chen,Peixin Zhang,Jingyi Wang,Yun Lin

DOI: https://doi.org/10.1145/3180155.3180177

2018-01-01

Abstract:Concolic testing integrates concrete execution (e.g., random testing) and symbolic execution for test case generation. It is shown to be more cost-effective than random testing or symbolic execution sometimes. A concolic testing strategy is a function which decides when to apply random testing or symbolic execution, and if it is the latter case, which program path to symbolically execute. Many heuristics-based strategies have been proposed. It is still an open problem what is the optimal concolic testing strategy. In this work, we make two contributions towards solving this problem. First, we show the optimal strategy can be defined based on the probability of program paths and the cost of constraint solving. The problem of identifying the optimal strategy is then reduced to a model checking problem of Markov Decision Processes with Costs. Secondly, in view of the complexity in identifying the optimal strategy, we design a greedy algorithm for approximating the optimal strategy. We conduct two sets of experiments. One is based on randomly generated models and the other is based on a set of C programs. The results show that existing heuristics have much room to improve and our greedy algorithm often outperforms existing heuristics.

Xusheng Xiao,Sihan Li,Tao Xie,Nikolai Tillmann

DOI: https://doi.org/10.1109/ase.2013.6693084

2013-01-01

Abstract:Dynamic Symbolic Execution (DSE) is a state-of-the-art test-generation approach that systematically explores program paths to generate high-covering tests. In DSE, the presence of loops (especially unbound loops) can cause an enormous or even infinite number of paths to be explored. There exist techniques (such as bounded iteration, heuristics, and summarization) that assist DSE in addressing loop problems. However, there exists no literature-survey or empirical work that shows the pervasiveness of loop problems or identifies challenges faced by these techniques on real-world open-source applications. To fill this gap, we provide characteristic studies to guide future research on addressing loop problems for DSE. Our proposed study methodology starts with conducting a literature-survey study to investigate how technical problems such as loop problems compromise automated software-engineering tasks such as test generation, and which existing techniques are proposed to deal with such technical problems. Then the study methodology continues with conducting an empirical study of applying the existing techniques on real-world software applications sampled based on the literature-survey results and major open-source project hostings. This empirical study investigates the pervasiveness of the technical problems and how well existing techniques can address such problems among real-world software applications. Based on such study methodology, our two-phase characteristic studies identify that bounded iteration and heuristics are effective in addressing loop problems when used properly. Our studies further identify challenges faced by these techniques and provide guidelines for effectively addressing these challenges.

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Changhai Nie,Huayao Wu,Yalan Liang,Hareton Leung,Fei-Ching Kuo,Zheng Li

DOI: https://doi.org/10.1109/APSEC.2012.16

2012-01-01

Abstract:Search techniques can dramatically change our ability to solve a host of problems in applied science and engineering, many search techniques have been developed and applied successfully in many fields, including search based software engineering (SBSE). As a key problem of combinatorial testing, covering array generation has been widely studied and many search techniques have been applied which can be named as search based combinatorial testing (SBCT). SBCT is a branch of search based software testing (SBST) within SBSE. In this paper, to explore the applicability and effectiveness of SBCT, we design six variants from existing search algorithms: Genetic Algorithm, Particle Swarm Optimization and Ant Colony Algorithm by reversing and randomizing their mechanisms. We study their effectiveness in terms of generating a covering array and compare their performance. Experiments show that these search techniques can work well with distinct performance in covering array generation. We believe that these search techniques can be further improved by fine-tuning their configuration and used in broad ranges of area.

Ting Chen,Xiao-Song Zhang,Xiao-Li Ji,Cong Zhu,Yang Bai,Yue Wu

DOI: https://doi.org/10.1109/tr.2014.2363153

IF: 5.883

2015-01-01

IEEE Transactions on Reliability

Abstract:Traditional software testing methods are not effective for testing embedded software thoroughly due to the fact that generating effective test inputs to cover all code is extremely difficult. In this work, we propose an automatic method to generate test inputs for embedded executables which is based on concolic execution. The core idea of our method is to divide concolic execution into symbolic execution on hosts, and concrete execution on targets, so considerable development work can be saved. Our method overcomes the limitations of the software and hardware abilities of embedded systems by restricting heavy-weight work on resourceful hosts. One feature of our method is that it targets executables, so the source of tested software is not needed. Another feature is that tested programs run in a real environment rather than in a simulator, so accurate run-time information can be acquired. Symbolic execution and concrete execution are coordinated by cross-debugging functions. Then we implement our method on Wind River VxWorks. Experiments show that our method achieves high code coverage with acceptable speed.

Emilio Coppa,Alessio Izzillo

DOI: https://doi.org/10.1016/j.jss.2024.112001

IF: 3.5

2024-02-17

Journal of Systems and Software

Abstract:Symbolic execution is a well-known software testing technique that evaluates how a program runs when considering a symbolic input, i.e., an input that can initially assume any concrete value admissible for its data type. The dynamic twist of this technique is dubbed concolic execution and has been demonstrated to be a practical technique for testing even complex real-world programs. Unfortunately, developing concolic engines is hard. Indeed, an engine has to correctly instrument the program to build accurate symbolic expressions, which represent the program computation. Furthermore, to reason over such expressions, it has to interact with an SMT solver. Hence, several implementation bugs may emerge within the different layers of an engine. In this article, we consider the problem of testing concolic engines. In particular, we propose several testing strategies whose main intuition is to exploit the concrete state kept by the executor to identify inconsistencies within the symbolic state. We integrated our strategies into three state-of-the-art concolic executors ( SymCC , SymQEMU , and Fuzzolic , respectively) and then performed several experiments to show that our ideas can find bugs in these frameworks. Overall, our approach was able to discover more than 12 bugs across these engines.

computer science, theory & methods, software engineering

Arthur Correnson,Dominic Steinhoefel

DOI: https://doi.org/10.48550/arXiv.2305.05570

2023-10-12

Abstract:Symbolic execution is a program analysis technique executing programs with symbolic instead of concrete inputs. This principle allows for exploring many program paths at once. Despite its wide adoption -- in particular for program testing -- little effort was dedicated to studying the semantic foundations of symbolic execution. Without these foundations, critical questions regarding the correctness of symbolic executors cannot be satisfyingly answered: Can a reported bug be reproduced, or is it a false positive (soundness)? Can we be sure to find all bugs if we let the testing tool run long enough (completeness)? This paper presents a systematic approach for engineering provably sound and complete symbolic execution-based bug finders by relating a programming language's operational semantics with a symbolic semantics. In contrast to prior work on symbolic execution semantics, we address the correctness of critical implementation details of symbolic bug finders, including the search strategy and the role of constraint solvers to prune the search space. We showcase our approach by implementing WiSE, a prototype of a verified bug finder for an imperative language, in the Coq proof assistant and proving it sound and complete. We demonstrate that the design principles of WiSE survive outside the ecosystem of interactive proof assistants by (1) automatically extracting an OCaml implementation and (2) transforming WiSE to PyWiSE, a functionally equivalent Python version.

Programming Languages

You Li,Zhendong Su,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2544173.2509553

2013-01-01

ACM SIGPLAN Notices

Abstract:Symbolic execution is a promising testing and analysis methodology. It systematically explores a program's execution space and can generate test cases with high coverage. One significant practical challenge for symbolic execution is how to effectively explore the enormous number of program paths in real-world programs. Various heuristics have been proposed for guiding symbolic execution, but they are generally inefficient and ad-hoc. In this paper, we introduce a novel, unified strategy to guide symbolic execution to less explored parts of a program. Our key idea is to exploit a specific type of path spectra, namely the length-n subpath program spectra , to systematically approximate full path information for guiding path exploration. In particular, we use frequency distributions of explored length- n subpaths to prioritize "less traveled" parts of the program to improve test coverage and error detection. We have implemented our general strategy in KLEE, a state-of-the-art symbolic execution engine. Evaluation results on the GNU Coreutils programs show that (1) varying the length n captures program-specific information and exhibits different degrees of effectiveness, and (2) our general approach outperforms traditional strategies in both coverage and error detection.

Byeongjee Kang,Kyungmin Bae

DOI: https://doi.org/10.1016/j.scico.2024.103097

IF: 1.039

2024-02-25

Science of Computer Programming

Abstract:A concurrent system specified as a rewrite theory can be analyzed symbolically using narrowing-based reachability analysis. Narrowing-based approaches have been applied to formally analyze cryptographic protocols and parameterized protocols. However, existing narrowing-based analysis methods, based on a breadth-first-search strategy, cannot deal with generic distributed systems with objects and messages due to the symbolic state-space explosion problem and implicit constraints imposed on object-oriented systems. This paper proposes a heuristic search approach for narrowing-based reachability analysis to guide the search for counterexamples with a small number of objects. As a result, our method can effectively find a counterexample if an error state is reachable. In addition, this paper also shows how to encode implicit object-oriented constraints using order-sorted signatures and equational constraints. We demonstrate the effectiveness of our technique using a nontrivial distributed consensus algorithm.

computer science, software engineering

Fred Mesnard,Étienne Payet,Germán Vidal

DOI: https://doi.org/10.1017/S1471068415000332

2015-07-20

Abstract:Software testing is one of the most popular validation techniques in the software industry. Surprisingly, we can only find a few approaches to testing in the context of logic programming. In this paper, we introduce a systematic approach for dynamic testing that combines both concrete and symbolic execution. Our approach is fully automatic and guarantees full path coverage when it terminates. We prove some basic properties of our technique and illustrate its practical usefulness through a prototype implementation.

Programming Languages

Kangjing Huang,Xiaokang Qiu,Qi Tian,Yanjun Wang

DOI: https://doi.org/10.48550/arXiv.1802.04428

2018-02-13

Abstract:Syntax-guided synthesis aims to find a program satisfying semantic specification as well as user-provided structural hypothesis. For syntax-guided synthesis there are two main search strategies: concrete search, which systematically or stochastically enumerates all possible solutions, and symbolic search, which interacts with a constraint solver to solve the synthesis problem. In this paper, we propose a concolic synthesis framework which combines the best of the two worlds. Based on a decision tree representation, our framework works by enumerating tree heights from the smallest possible one to larger ones. For each fixed height, the framework symbolically searches a solution through the counterexample-guided inductive synthesis approach. To compensate the exponential blow-up problem with the concolic synthesis framework, we identify two fragments of synthesis problems and develop purely symbolic and more efficient procedures. The two fragments are decidable as these procedures are terminating and complete. We implemented our synthesis procedures and compared with state-of-the-art synthesizers on a range of benchmarks. Experiments show that our algorithms are promising.

Programming Languages,Logic in Computer Science

Jiayi Cao,Angello Astorga,Siwakorn Srisakaokul,Zhengkai Wu,Xueqing Liu,Xusheng Xiao,Tao Xie

DOI: https://doi.org/10.1109/VLHCC.2018.8506484

2018-01-01

Abstract:Dynamic Symbolic Execution (DSE) is among the most effective techniques for structural test generation, i.e., test generation to achieve high structural coverage. Despite its recent success, DSE still suffers from various problems such as the boundary problem when applied on various programs in practice. To assist problem diagnosis for structural test generation, in this paper, we propose a visualization approach named PexViz. Our approach helps the tool users better understand and diagnose the encountered problems by reducing the large search space for problem root causes by aggregating information gathered through DSE exploration.

Przemysław Daca,Ashutosh Gupta,Thomas A. Henzinger

DOI: https://doi.org/10.48550/arXiv.1511.02615

2015-12-30

Abstract:Concolic testing is a promising method for generating test suites for large programs. However, it suffers from the path-explosion problem and often fails to find tests that cover difficult-to-reach parts of programs. In contrast, model checkers based on counterexample-guided abstraction refinement explore programs exhaustively, while failing to scale on large programs with precision. In this paper, we present a novel method that iteratively combines concolic testing and model checking to find a test suite for a given coverage criterion. If concolic testing fails to cover some test goals, then the model checker refines its program abstraction to prove more paths infeasible, which reduces the search space for concolic testing. We have implemented our method on top of the concolic-testing tool CREST and the model checker CpaChecker. We evaluated our tool on a collection of programs and a category of SvComp benchmarks. In our experiments, we observed an improvement in branch coverage compared to CREST from 48% to 63% in the best case, and from 66% to 71% on average.

Logic in Computer Science

xusheng xiao,tao xie,nikolai tillmann,peli de halleux

2010-01-01

Abstract:The process of achieving high structural coverage of the pro- gram under test can be automated using Dynamic Sym- bolic Execution (DSE), which generates test inputs to it- eratively explore paths of the program under test. When applied on real-world applications, DSE faces various chal- lenges in generating test inputs to achieve high structural coverage. Among issues related to these challenges, our preliminary study identified two main types of issues: (1) object-creation issues (OCI), where DSE fails to generate method-call sequences to produce desirable object states; (2) external-method-call issues (EMCI), where symbolic val- ues are passed as arguments to third-party library methods that are not instrumented by DSE. Automatically solving these two main types of issues is challenging, since the explo- ration space of generating method-call sequences for desir- able object states is usually too huge, and instrumenting all third-party libraries can cause explosion of the exploration space. However, when provided with informative informa- tion of issues, users can effectively assist DSE to achieve high structural coverage. In this paper, we propose a gen- eral approach, called Covana, to identify issues faced by DSE via analyzing runtime information, and filter out irrelevant issues using residual structural coverage. We provide two techniques to instantiate our general approach to identify OCIs and EMCIs. To show the effectiveness of Covana, we conduct evaluations on two open source projects. Our re- sults show that Covana effectively identifies 155 OCIs, and 43 EMCIs. Moreover, Covana effectively reduces 296 irrel- evant issues out of 451 OCIs and 1567 irrelevant issues out of 1610 EMCIs produced by a straightforward approach.

Hao Jin,Yanyan Jiang,Na Liu,Chang Xu,Xiaoxing Ma,Jian Lu

DOI: https://doi.org/10.1109/COMPSAC.2015.79

2015-01-01

Abstract:Debugging is challenging and labor-intensive. Debugging programs with weak or no oracle is even more difficult due to lack of passing and failing test runs as well as their comparisons. To address these challenges, we exploit metamorphic relations to construct new programs that are enhanced with synthesized oracle, and combine concolic testing and branch-switching debugging to localize potentially faulty places in original programs. We name our approach concolic metamorphic debugging (or Comedy for short). We experimentally evaluated Comedy with real-world Java programs. The experimental results reported that Comedy successfully generated debugging report for 88.4% of 2,330 faulty programs. The average branch distance between the reported locations and the real fault places is only 1.68. Besides, 36% of the debugging reports precisely locate the fault.

Hasini Witharana,Aruna Jayasena,Prabhat Mishra

DOI: https://doi.org/10.1145/3655621

IF: 1.447

2024-03-30

ACM Transactions on Design Automation of Electronic Systems

Abstract:Concolic testing is a scalable solution for automated generation of directed tests for validation of hardware designs. Unfortunately, concolic testing fails to cover complex corner cases such as hard-to-activate branches. In this paper, we propose an incremental concolic testing technique to cover hard-to-activate branches in register-transfer level (RTL) models. We show that a complex branch condition can be viewed as a sequence of easy-to-activate events. We map the branch coverage problem to the coverage of a sequence of events. We propose an efficient algorithm to cover the sequence of events using concolic testing. Specifically, the test generated to activate the current event is used as the starting point to activate the next event in the sequence. Experimental results demonstrate that our approach can be used to generate directed tests to cover complex corner cases in RTL models while state-of-the-art methods fail to activate them.

computer science, software engineering, hardware & architecture

WANG Ziyuan,XU Baowen,NIE Changhai

DOI: https://doi.org/10.3778/j.issn.1673-9418.2008.06.002

2008-01-01

Abstract:As a practical software testing approach,Combinatorial Testing(CT) aims to detect the faults that triggered by interactions among factors (or parameters) in SUT by designing and executing a small combinatorial test suite to cover the required combinations of these factors. Up to date,many works have been done in the field of CT,and one of the most important aspect is combinatorial test generation,which aims to generate a small test suite to satisfy a given combinatorial coverage criteria. By describing some representative combinatorial test generation algorithms for two different combinatorial coverage criteria (N-way combinatorial coverage and variable strength combinatorial coverage),the existing works on combinatorial test generation in this survey are reviewed. Furthermore,combinatorial test generation techniques for prioritization,constraint, and fault location are also presented. At last,the problems of existing works are analyzed,and some future trends in the field of CT are proposed.

Huayao Wu,Changhai Nie

DOI: https://doi.org/10.1145/2593833.2593839

2014-01-01

Abstract:Combinatorial testing (CT) is a branch of software testing, which aims to detect the interaction triggered failures as much as possible. Search based combinatorial testing is to use the search techniques to solve the problem in combinatorial testing. It has been shown to be effective and promising. In this paper, we aim to provide an overview of search based combinatorial testing, especially focusing on test suite generation without constraint, and discuss the potential future directions in this field.

Wu Huayao,Nie Changhai,Petke Justyna,Jia Yue,Harman Mark

2019-01-01

Abstract: Combinatorial Testing (CT) is a potentially powerful testing technique, whereas its failure revealing ability might be dramatically reduced if it fails to handle constraints in an adequate and efficient manner. To ensure the wider applicability of CT in the presence of constrained problem domains, large and diverse efforts have been invested towards the techniques and applications of constrained combinatorial testing. In this paper, we provide a comprehensive survey of representations, influences, and techniques that pertain to constraints in CT, covering 129 papers published between 1987 and 2018. This survey not only categorises the various constraint handling techniques, but also reviews comparatively less well-studied, yet potentially important, constraint identification and maintenance techniques. Since real-world programs are usually constrained, this survey can be of interest to researchers and practitioners who are looking to use and study constrained combinatorial testing techniques.