Concolic testing implementors noticed that implementation of full-fledged symbolic execution can be avoided if symbolic execution can be piggy-backed with the normal execution of a program through instrumentation. This idea of simplifying implementation of symbolic execution gave birth to concolic testing. Development of SMT Solvers[ edit ] An important reason for the rise of concolic testing and more generally, symbolic-execution based analysis of programs in the decade since it was introduced in is the dramatic improvement in the efficiency and expressive power of SMT Solvers. Three tests are generated corresponding to the three leaf nodes in the tree, and three execution paths in the program.
|Published (Last):||25 November 2007|
|PDF File Size:||17.36 Mb|
|ePub File Size:||10.37 Mb|
|Price:||Free* [*Free Regsitration Required]|
CUTE combines concrete and symbolic execution in a way that avoids redundant test cases as well as false warnings. The tool also introduces a race-? Our research on concolic testing [1, 6, 4] shows that we can combine random testing and symbolic testing of a program to provide a scalable tool for automatically generating test cases, which improves test coverage and avoids redundant test cases as well as false warnings.
Concolic testing involves explicit path model-checking in which our goal is to generate data inputs and schedules that would exercise all feasible execution paths of a program.
The algorithm executes a program both concretely and symbolically. The symbolic execution di? During the execution, the algorithm collects the constraints over the symbolic values at each branch point i. At the end of the execution, the algorithm has computed a sequence of symbolic constraints corresponding to each branch point. We call the conjunction of these constraints a path constraint. Observe that all input values that satisfy a given path constraint will explore the same execution path, provided that we follow the same thread schedule.
Apart from collecting symbolic constraints, the algorithm also computes the race condition both data race and lock race between various events in the execution of a program, where, informally, an event represents the execution of a statement in the program by a thread. The algorithm? Then the algorithm does the following in a loop: it executes the code with the generated input and the schedule.
At the same time the algorithm computes the race conditions between various events as well as the symbolic constraints. It backtracks and generates a new schedule or a new input, either by re-ordering the events involved in a race or by solving symbolic constraints, respectively, to explore all possible distinct execution paths using a depth? Note that because the algorithm does concrete executions, it is sound, i. There is one complication: for some symbolic constraints, our constraint solver may not be powerful enough to compute concrete values that satisfy the constraints.
To address this di? Because of this, our algorithm is complete only if given an oracle that can solve the constraints in a program, and the length and the number of paths is? The instrumentation module inserts code in the program under test so that the instrumented program calls the library at runtime for performing symbolic execution. Instrumentation of jCUTE associates a semaphore with each thread and adds operations on these semaphores before each shared-memory access.
These semaphores are used to control the schedule of the threads at runtime. To solve arithmetic inequalities, the constraint solver of CUTE uses lpsolve , a library for integer linear programming.
The replay can also be performed with the aid of a debugger. For sequential programs, jCUTE can generate JUnit test cases, which can be used by the user for regression testing as well as for debugging. CUTE provides a macro CUTE input x , which allows the user to specify that the variable x of any type, including a pointer is an input to the program.
This comes in handy to replace any external user input, e. Note that this macro can be used anywhere in the program. The library has been extensively used to implement the commercial tool Xrefactory. The second bug is an in?
Further details about this case study along with branch coverage, runtime for testing, number of inputs generated, etc. We tested the threadsafe Collection framework implemented as part of the java.
A number of data structures provided by the package java. This implies that multiple invocation of methods on the objects of these data structures by multiple threads must be equivalent to a sequence of serial invocation of the same methods on the same objects by a single thread.
We chose this library as a case study primarily to evaluate the e? Much to our surprise, we found several previously undocumented data races, deadlocks, uncaught exceptions, and an in?
Note that, although the number of potential bugs is high, these bugs are all caused by a couple of problematic design patterns used in the implementation. The details of this case study can be found in . Here we brie? We present a simple scenario under which the in? Then we concurrently allow a new thread to invoke l1. However, the program never goes into an in? This helped us to detect the cause of the bug. A summary of the results of testing various Java synchronized Collection classes is provided in Table 1.
Results for testing synchronized Collection classes of JDK 1. Godefroid, N. Klarlund, and K. DART: Directed automated random testing. In Proc. Necula, S. McPeak, S. Rahul, and W. In Proceedings of Conference on compiler Construction, pages —, Sen and G. Automated systematic testing of open distributed programs. Springer, Concolic testing of multithreaded programs and its application to testing security protocols. Sen, D. Marinov, and G. ACM, Vallee-Rai, L.
Hendren, V. Sundaresan, P. Lam, E. Gagnon, and P. Soot a Java optimization framework.
Subscribe to RSS
8.37 CUTE: A Concolic Unit Testing Engine for C