System To Generate Test Data: The Analysis Program
Syed Nabeel
Phases of the Analysis Program
Symbolic Execution
Constraint Simplification
Inequality Solver
Symbolic Representation
Generated Test Case
Phase 1: Symbolic Execution
Symbolic Execution
Constraint Simplification
Inequality Solver
Symbolic Representation
Generated Test Case
Path Description
Symbolic Execution
Assigning expressions instead of values to variables while following a program path
An expression is the representation of the computation that would have evolved to associate a value with a variable
Structures Used in Symbolic Execution
Computation Table
Symbol Table
Evolution Graph

Computation Table
Value number: all unary and binary expressions are allocated value numbers
Components of Computation Table
  Operator
  Value number for operands
  Computation Value number for the computation
Example
Read (UINT) B,C,D
A=B+C*D
C=A+5
WRITE C

Assigned Value Numbers
B  X1
C  X2
D  X3

Computation Table
Operator  Op1  Op2  Expression Value
*         X2   X3   T1
+         X1   T1   T2
+         T2   C1   T3
Symbol Table
Internal data structure that maps variables to the value numbers generated
Its values are updated as the program is symbolically executed
Example
Read (UINT) B,C,D
A=B+C*D
C=A+5
WRITE C

Assigned Value Numbers
B  X1
C  X2
D  X3

Computation Table
Operator  Op1  Op2  Expression Value
*         X2   X3   T1
+         X1   T1   T2
+         T2   C1   T3

Symbol Table
Name  Value Number
A     T2
B     X1
C     ?
D     ?

Example
Symbol Table
Name  Value Number
A     T2
B     X1
C     T3
D     X3
Evolution Graph
A directed graph
Internal representation for expressions
Contains representations for several statements and variables

Example
Read (UINT) B,C,D
A=B+C*D
C=A+5
WRITE C
Folding to simplify Evolution Graph
Evaluation of constant expressions
Example
A=2
B=3
C=A-B+1
Simplifies the evolution graph
Can be suppressed if it causes a hindrance
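
The value numbering walked through in the Computation Table, Symbol Table and Folding slides, as an added Python example that is not part of the original slides. The class name, the `run` helper and the restriction to assignments over `+`, `-` and `*` are assumptions of this example.

```python
import re

class SymbolicExecutor:
    def __init__(self, fold=True):
        self.fold = fold          # folding can be suppressed
        self.table = []           # rows: (operator, op1, op2, expression value)
        self.symbols = {}         # variable name -> current value number
        self.consts = {}          # constant value number -> integer value
        self.counts = {"X": 0, "T": 0, "C": 0}

    def new(self, kind, const=None):
        self.counts[kind] += 1
        vn = f"{kind}{self.counts[kind]}"
        if const is not None:
            self.consts[vn] = const
        return vn

    def operand(self, tok):
        return self.new("C", int(tok)) if tok.isdigit() else self.symbols[tok]

    def binary(self, op, a, b):
        if self.fold and a in self.consts and b in self.consts:
            x, y = self.consts[a], self.consts[b]   # constant expression: evaluate now
            return self.new("C", {"+": x + y, "-": x - y, "*": x * y}[op])
        vn = self.new("T")
        self.table.append((op, a, b, vn))
        return vn

    def assign(self, target, expr):
        toks = re.findall(r"[A-Za-z]\w*|\d+|[-+*]", expr)
        def product(i):           # operand (* operand)* starting at toks[i]
            vn = self.operand(toks[i])
            while i + 1 < len(toks) and toks[i + 1] == "*":
                vn = self.binary("*", vn, self.operand(toks[i + 2]))
                i += 2
            return vn, i + 1
        vn, i = product(0)
        while i < len(toks):      # remaining + and -, left to right
            rhs, nxt = product(i + 1)
            vn, i = self.binary(toks[i], vn, rhs), nxt
        self.symbols[target] = vn

def run(inputs, statements, fold=True):
    se = SymbolicExecutor(fold)
    for name in inputs:           # READ: each input gets a fresh X value number
        se.symbols[name] = se.new("X")
    for target, expr in statements:
        se.assign(target, expr)
    return se
```

`run(("B", "C", "D"), [("A", "B+C*D"), ("C", "A+5")])` yields the three computation table rows and the final symbol table from the slides; `run((), [("A", "2"), ("B", "3"), ("C", "A-B+1")])` leaves the table empty because folding evaluates C to the constant 0.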
Constraint Construction
Predicates from conditional statements are inserted into the computation table
Evolution Graph for constraints is extracted from the computation table
Additional Constraints
Artificial constraints temporarily created to simulate error conditions
Solution is evaluated for augmented set of constraints
If solution exists then error is possible
Increases chances of detecting an error
Subscript Example
Consider an array X of size 100
Allowable subscripts 1..100
For an array access X(I) symbol S(I) is generated

Question
Any constraints that can be added in this example?

Additional Constraints
Additional constraints: S(I)>100 and S(I)<1
If any of the above constraints is consistent with existing constraints an error is detected
Phase 2: Constraint Simplification
Constraint Simplification
Before solving inequalities generated as constraints an attempt is made to simplify them if possible
Example: I1-I2<=3*I2 simplifies to I1-4*I2<=0
ALTRAN for simplification phase
ALTRAN, a language for algebraic manipulation, used for the FORTRAN program constraints
Recognize and flag non-linear constraints
Manipulate expressions to obtain linear form
Example: I1/I2<=7 is transformed to linear expression I1-7*I2<=0
Phase 3: Inequality Solver
Phase 3: Inequality Solver
Solves the constraints that have been generated and simplified in the previous phases
Procedure
  Each constraint is added one at a time
  On each addition it is checked whether new constraint is consistent with previous solution
  If consistent new constraints are added
  If not consistent a new solution is attempted
If all constraints are consistent then the final solution is a test data set that would cause execution of the path
Algorithm for Inequality Solving
Linear programming algorithm
MAX O(X)
Subject to AX<=B and X>=0
O  Objective function (a linear function)
X  N vector of unknowns (input variables)
B  M vector of constants
A  M*N coefficient matrix for constraints
Rules to convert all inequalities to this standard form
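
The Additional Constraints check and the Phase 3 consistency test, as an added Python example that is not from the slides: it decides whether the path constraints augmented with S>100 or S<1 have a solution and returns a witness input when they do. It uses Fourier-Motzkin elimination over rationals in place of the linear programming algorithm the slides name (integrality is not enforced); the path, the inputs J and K and the function names are constructed for illustration.

```python
from fractions import Fraction

def dot(a, x):
    return sum(p * q for p, q in zip(a, x))

def solve(cons, n):
    """cons: list of (coeffs, b), each meaning coeffs . x <= b over n unknowns.
    Returns a rational point satisfying every constraint, or None if none exists."""
    if n == 0:
        return [] if all(b >= 0 for _, b in cons) else None
    k = n - 1                                   # eliminate the last unknown
    lower, upper, rest = [], [], []
    for a, b in cons:
        if a[k] == 0:
            rest.append((a[:k], b))
            continue
        row = ([Fraction(c) / a[k] for c in a[:k]], Fraction(b) / a[k])
        (upper if a[k] > 0 else lower).append(row)   # x_k <= or >= rb - ra . x
    for la, lb in lower:                        # each lower bound <= each upper bound
        for ua, ub in upper:
            rest.append(([u - l for u, l in zip(ua, la)], ub - lb))
    sol = solve(rest, k)
    if sol is None:
        return None
    lows = [lb - dot(la, sol) for la, lb in lower]
    highs = [ub - dot(ua, sol) for ua, ub in upper]
    return sol + [max(lows) if lows else min(highs) if highs else Fraction(0)]

def subscript_errors(path, sub, lo, hi, n):
    """Augment the path constraints with S > hi, then with S < lo, where the
    integer subscript is S = sub . x. Returns (witness or None, witness or None)."""
    above = ([-c for c in sub], -(hi + 1))      # S >= hi + 1
    below = (list(sub), lo - 1)                 # S <= lo - 1
    return solve(path + [above], n), solve(path + [below], n)

# Constructed path: inputs x = [J, K], predicates 1 <= J <= 60 and 1 <= K <= 50,
# followed by the access X(J + K) into an array with subscripts 1..100.
PATH = [([-1, 0], -1), ([1, 0], 60), ([0, -1], -1), ([0, 1], 50)]

if __name__ == "__main__":
    too_big, too_small = subscript_errors(PATH, [1, 1], 1, 100, 2)
    print("S > 100 reachable with [J, K] =", too_big)
    print("S < 1 reachable with [J, K] =", too_small)
```

A returned witness is test data that drives the path into the out-of-bounds access; `None` means the augmented constraint set is inconsistent, so that error cannot occur on this path.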
To Sum it up…
Symbolic execution of a path
Symbolic representation of the output variables and path constraints in terms of the program's input variables
Subscript out of bound, division by zero also detected
Using path constraints
  Test data is generated for a particular path
  Determined that a particular path is infeasible
Linear programming technique is used for equation solving and hence is limited to linear constraints
Discussion
Limitations
Program Correctness vs Program Validation
Any other topic brought up