A System to Generate Test Data and Symbolically Execute Programs
Lori A. Clarke
September 1976
Existing Approach
- Programmer manually generates test data and tests until satisfied that program is correct
- Proposed alternative methods:
  - Program correctness: formal mathematical proofs used to prove a program is correct
  - Program validation: encompasses wide range of automated tools that analyze and evaluate programs
Existing Approach - Problems
- Success depends on programmer's expertise and system complexity
- What criteria do we use to generate tests?
- Approach inadequate and costly
- Program correctness:
  - Frequent human intervention required
  - Complex and tedious, infeasible for large systems
- Program validation:
  - Aids in testing, but does not guarantee program is correct
Goals of Proposed System
- Generate test data that drives execution down a specific path – tester specifies which path
- Detect non-executable program paths
- Create a symbolic representation of the program's output variables
- Detect certain types of program errors
System Overview
System Phases
Phase 1: Preprocessor
Uses DAVE (Osterweil and Fosdick), without its sophisticated features
Control Flow Graph
Control Path
One way of “going” from one point to another – a path that control could take
There could be several
Execution Path
A control path that can be executed
Phase 2: Symbolic Execution
Path Selection
Two methods:
- Static – designed to accept automatically generated paths
- Interactive – designed to aid a human user in selecting a path
Symbolic Execution Example
Expressions, not values, are assigned.
Input Fragment:
READ(UNIT) B, C, D
A = B + C * D
C = A * 3 + 5
WRITE C
How is it done?
B = I1, C = I2, D = I3
A = I1 + I2 * I3
C = (I1 + I2 * I3) * 3 + 5
Symbolic Outputs
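The fragment above run through a small symbolic executor, as an added example that is not part of the original slides. It assumes Python expression syntax in place of the slide's notation; `symbolic_execute` and `Substitute` are names made up for this sketch.

```python
# Added example (not from the slides): symbolic execution of a
# straight-line fragment, using Python's ast module for expressions.
import ast

class Substitute(ast.NodeTransformer):
    """Replace each variable name by its current symbolic expression."""
    def __init__(self, state):
        self.state = state

    def visit_Name(self, node):
        if node.id not in self.state:
            raise ValueError(f"{node.id} used before it is defined")
        return self.state[node.id]   # returned subtree is not revisited

def symbolic_execute(inputs, assignments, outputs):
    """inputs: variables read, in order; assignments: 'X = expr' lines;
    outputs: variables written. Returns {output: expression over I1, I2, ...}."""
    # Each input gets a fresh symbol: first variable read is I1, and so on.
    state = {v: ast.Name(id=f"I{n}", ctx=ast.Load())
             for n, v in enumerate(inputs, start=1)}
    for line in assignments:
        stmt = ast.parse(line).body[0]
        if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            raise ValueError(f"not a simple assignment: {line!r}")
        # Evaluate the right-hand side over expressions, not values.
        state[stmt.targets[0].id] = Substitute(state).visit(stmt.value)
    return {v: ast.unparse(state[v]) for v in outputs}

if __name__ == "__main__":
    # READ(UNIT) B, C, D / A = B + C * D / C = A * 3 + 5 / WRITE C
    result = symbolic_execute(["B", "C", "D"],
                              ["A = B + C * D", "C = A * 3 + 5"],
                              ["A", "C"])
    for var, expr in result.items():
        print(var, "=", expr)
```

`ast.unparse` needs Python 3.9 or later.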
Why Symbolic Execution?
- Creates a human-readable symbolic representation
- Facilitates error-detection
- Aids in assertion generation
- Produces path constraints used in test generation
Finding Constraints with Symbolic Execution
J = I1, K = I2
J becomes I1 + 1
For control to go through path 1-5, 7, 9:
- I1 + 1 <= I2
- [J becomes I2-(I1+1)]
- I2-(I1+1) > -1
These are the Constraints
Error Checking
- Artificial constraints are created to aid in finding some types of errors
- For instance, array bounds checking
  - When element X(i) of a 100-element array is referenced, constraints S(i) < 1 and S(i) > 100 are created
  - If these constraints are consistent with the existing ones, we have a problem
End: Phase 2: Symbolic Execution
Generate Symbolic Representation,
Detect some types of errors
Phase 3: Inequality Solver
Generate Symbolic Representation,
Detect some types of errors
How the Inequality Solver works
- Constraints from previous phase
  - For example, I1+1<=I2 and I2-(I1+1)>-1
- Finds values that satisfy the constraints, using linear programming algorithm (Glover)
- These sets of values are our test data
How the Inequality Solver works
- Constraints to be satisfied:
  - I1 + 1 <= I2
  - I2 - (I1 + 1) > -1
- Possible to find values? Yes – 0 and 1, for instance. So, constraints are consistent.
- So, control path 1-5, 7, 9 executable for values that satisfy constraints.
How the Inequality Solver works
- Constraints to be satisfied:
  - I1 + 1 > I2
  - I1 + 1 - I2 <= -1
- Possible to find values? Constraints are inconsistent.
- So, control path 1-3, 6-9 non-executable for any values of J and K.
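The consistency checks from the inequality-solver slides and the array-bounds check from the Error Checking slide, as one added example that is not from the original slides. It swaps the linear-programming algorithm the slides cite for Bellman-Ford, which is enough here because every constraint on these slides reduces to x - y <= c once the variables are assumed to be integers. The subscript constraints `GUARDED` and `UNGUARDED` and all function names are constructed for illustration.

```python
# Added example (not from the slides): consistency of path constraints.
# Every constraint is an integer difference constraint x - y <= c, so
# Bellman-Ford replaces the linear-programming algorithm the slides cite.
ZERO = "0"  # reference variable fixed at 0, so "x <= c" is x - ZERO <= c

def solve(constraints):
    """constraints: (x, y, c) triples meaning x - y <= c over the integers.
    Returns one satisfying assignment, or None if they are inconsistent."""
    names = {ZERO} | {v for x, y, _ in constraints for v in (x, y)}
    dist = dict.fromkeys(names, 0)      # virtual source reaches all at cost 0
    for _ in range(len(names)):
        changed = False
        for x, y, c in constraints:     # edge y -> x with weight c
            if dist[y] + c < dist[x]:
                dist[x], changed = dist[y] + c, True
        if not changed:                 # fixed point: dist is a solution
            return {v: d - dist[ZERO] for v, d in dist.items() if v != ZERO}
    return None                         # negative cycle: no solution exists

# Path 1-5, 7, 9:  I1 + 1 <= I2  and  I2 - (I1 + 1) > -1
# Over integers both normalise to I1 - I2 <= -1.
PATH_A = [("I1", "I2", -1), ("I1", "I2", -1)]
# Path 1-3, 6-9:  I1 + 1 > I2  (I2 - I1 <= 0)  and  I1 + 1 - I2 <= -1
PATH_B = [("I2", "I1", 0), ("I1", "I2", -2)]

def bounds_witnesses(path, var, lo, hi):
    """Artificial constraints for a reference X(var) to an array lo..hi.
    Each is tested separately against the path constraints (an assumption
    about the slide's 'S(i) < 1 and S(i) > 100'); a witness means a bug."""
    below = solve(path + [(var, ZERO, lo - 1)])       # var < lo
    above = solve(path + [(ZERO, var, -(hi + 1))])    # var > hi
    return {"below": below, "above": above}

# Constructed path constraints on a subscript i (not from the slides).
GUARDED = [(ZERO, "i", -1), ("i", ZERO, 100)]   # 1 <= i and i <= 100
UNGUARDED = [("i", ZERO, 100)]                  # only i <= 100

if __name__ == "__main__":
    print("path 1-5,7,9 test data:", solve(PATH_A))
    print("path 1-3,6-9 test data:", solve(PATH_B))
    print("guarded X(i):  ", bounds_witnesses(GUARDED, "i", 1, 100))
    print("unguarded X(i):", bounds_witnesses(UNGUARDED, "i", 1, 100))
```

A returned assignment doubles as test data for that path; for the bounds check it is an input that reaches the array reference with an out-of-range subscript.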
End: Phase 3: Inequality Solver
Generate Symbolic Representation,
Detect some types of errors
Generate Test Data, Find Non-executable Paths
Limitations
- System requires each path to be completely specified
- Path constraints must be linear
- Input and output statements are ignored
Related Work
DAVE (Osterweil, Fosdick) – analyzes data flow and finds data flow anomalies between subprograms
PET (Stucki) – maintains relevant information (execution count, min and max values) about statements
ACES (Ramamoorthy et al.) - detects unreliable program constructs
EFFIGY (King) – represents a path's computations by symbolically executing a path
SELECT (Stanford Research Institute) – attempts to generate test data and verify assertions for program inputs