directed random testing
play

Directed Random Testing* Wolfram Schulte Microsoft Research Soqua - PowerPoint PPT Presentation

May 25, 2023 •519 likes •895 views

Directed Random Testing* Wolfram Schulte Microsoft Research Soqua 11/2006 Was formerly announced as: Challenge Problems in Testing 1 What my team does Static program verification & language design Verifying multi-threaded

  1. Directed Random Testing* Wolfram Schulte Microsoft Research Soqua 11/2006 Was formerly announced as: “Challenge Problems in Testing” 1

  2. What my team does • Static program verification & language design – Verifying multi-threaded OO programs (Spec#) – Verifying message passing contracts (Sing#) – Integration of data via structural types and monads (Xen,C ω ,C# V3) • Runtime systems – Task concurrency (Futures) – Memory resilience (DieHard) • Development systems – Build/version/deploy • Modeling and test – Model-based testing (Spec Explorer) – White-box testing (Mutt / Unit Meister/ PUT / PEX) 2

  3. Why testing is hard… void AddTest() { ArrayList a = new ArrayList(1); object o = new object(); a.Add(o); Assert.IsTrue(a[0] == o); } Writing a test involves • determining a meaningful sequence of method calls, • selecting exemplary argument values (the test input values), • stating assertions. A test states both the intended behavior, and achieves certain code coverage. 3

  4. Outline • Input generation • Mock object generation • Sequence generation • Compositional testing 4

  5. Test input generation 5

  6. Problem definition • Test Input Generation – Given a statement s in program P , compute input i , such that P ( i ) executes s • Test Suite Generation – Given a set of statements S in P , compute inputs I , such that forall s in S , exists i in I : P ( i ) executes s 6

  7. Existing test generation techniques void Obscure(int x, int y){ if (x==crypt(y)) error(); return 0; } • Static test case generation via symbolic execution often cannot solve constraints (assumes error) • Random testing via concrete execution often cannot find interesting value (misses errors) • Directed Random Testing/ Conc(rete & symb)olic execution finds error: take random y, solve for x 7

  8. Concolic execution Generate a test suite for program P. Algorithm for test suite generation: We use a dynamic predicate Q over the program input. 0. set Q := true 1. choose inputs i such that Q ( i ) holds 2. execute P ( i ) and build up path condition P( i ) 3. set Q := (Q and not P) 4. if Q <> false, goto (1.) Remark: The choice in (1.) is the cornerstone of concolic execution. It can be implemented in a variety of ways: as a random choice (e.g. for the initial inputs), or as a depths- first/iterative deepening/breadth first/… search over the logical structure of the constructed predicate Q, or using any existing constraint solver. 8

  9. Example: Concolic execution Concrete Symbolic values constraints (Assignments) (Predicates) 1. Choose arbitrary value for x, choose null for xs class List { x = 517; xs== null int head; xs = null; List tail; } 2. Negate predicate (xs== null)  choose new list with new arb. head static bool Find(List xs, int x){ xs!=null && x = 517; while (xs!=null) { xs.head != x && xs.head = -3; if (xs.head == x) xs.tail == null xs.tail = null; return true; xs = xs.tail; 3. Negate both predicates, equivalent to xs!=null && (xs.head == x || xs.tail != null) }  let‟s choose xs.head!= x, thus xs.tail== xs return false; } CRASH! x = 517;  xs.head =-3; Cyclic list xs.tail = xs; 9

  10. Why concolic execution is needed Calls to external world Unmanaged x86 code Unsafe managed .NET code (with pointers) Safe managed .NET code • Most .NET programs use unsafe/unmanaged code for legacy and performance reasons • Combining concrete execution and symbolic reasoning still works: all conditions that can be monitored will be systematically explored 10

  11. Code instrumentation for symbolic analysis ldtoken Point::X class Point { int x; int y; call __Monitor::LDFLD_REFERENCE public static int GetX(Point p) { ldfld Point::X if (p != null) return p.X; call __Monitor::AtDereferenceFallthrough else return -1; } } br L2 L1: ldtoken Point::GetX Prologue call __Monitor::AtBranchTarget call __Monitor::EnterMethod Record concrete values brfalse L0 call __Monitor::LDC_I4_M1 ldarg.0 to have all information ldc.i4.m1 call __Monitor::NextArgument<Point> L2: Calls to build L0: .try { when this method is called call __Monitor::RET .try { (The real C# compiler path condition with no proper context stloc.0 call __Monitor::LDARG_0 Calls will perform output is actually more ldarg.0 leave L4 call __Monitor::LDNULL } catch NullReferenceException { symbolic computation complicated.) ldnull „ call __Monitor::AtNullReferenceException call __Monitor::CEQ rethrow ceq call __Monitor::BRTRUE } Epilogue brtrueL1 L4: leave L5 call __Monitor::BranchFallthrough } finally { call __Monitor::LDARG_0 call __Monitor::LeaveMethod ldarg.0 Calls to build endfinally … path condition } L5: ldloc.0 ret 11

  12. Finding solutions of constraint systems Concolic execution solutions constraints Constraint solver Theory(CIL) Th(Maps) Th(Integers) Th(Floats) Th(Objects) Arrays Structs Int32 Int64 Objects Strings • linear arithmetic Object Types • non-linear • machine numbers User-provided value factories Random values Mock-objects SAT Boolean Search 12

  13. Closing the environment: Generating mock objects 13

  14. Testing with interfaces Example AppendFormat(null , “{0} {1}!”, “Hello”, “Microsoft”); BCL Implementation public StringBuilder AppendFormat( IFormatProvider provider, char[] chars, params object[] args) { if (chars == null || args == null) throw new ArgumentNullException( …); int pos = 0; int len = chars.Length; char ch = '\x0'; ICustomFormatter cf = null; if (provider != null) cf = (ICustomFormatter)provider.GetFormat( typeof(ICustomFormatter)); … 14

  15. Generating mock objects • Introduce a mock class implementing the interface. • Let an oracle provide the behavior of the mock methods. public class MFormatProvider : IFormatProvider { public object GetFormat(Type formatType) { … object o = call.ChooseResult<object>(); Assume.IsTrue(o is IFormatProvider ); return o; } } • During symbolic execution, pick a new symbol to represent unknowns • Collect constraints over symbols along each execution path • Solve the constraints to obtain concrete values for each execution path • During concrete execution, choose these concrete values 15

  16. DEMO Here is a simple test which catches all documented exceptions and uses a mock MFormatProvider

  17. Fully automatic test case generation!

  18. Generated tests exercise different paths of the implementation

  19. When run…

  20. …produces the error

  21. Method sequence generation 21

  22. Problem definition Given a class C with methods M . Test Sequence Generation – Given a statement s in a method of M , compute a sequence of method calls c , such that c executes s Test Sequence Suite Generation – Given a set of statements S occurring in M , compute a set of sequence of method calls C , such that forall s in S , exists c in C : c executes s 22

  23. Observation We can only reach a statement s in a method m if we have proper states and arguments available, so that the execution of m on that state and argument triggers the execution of s List l = new List(); object o = new object(); l.Append(o); object p = l[l.Count-1]; We create new states of objects by calling • constructors • methods, if they – modify this – modify any other formal parameter – return a new result 23

  24. Plans Plans are DAGs (They shows how to manufacture new objects, arrays, boxed values, and mock objects for interfaces and generics) • Its nodes are objects • Its edges are calls to constructors, methods, static fields, whenever they return a new o new new o l List l = new List(); object o = new object(); .Append( ) Append(o); object p = l[l.Count-1]; l‟ p [l‟.Count -1] 24

  25. Tests are concrete instances of plans Plans Call a method • With symbol for primitive Plans argument types • Using other plans for reference argument types to provide objects Plan Concolic Manager Execution Tests Call a method • With concrete values for primitive argument types Feedback • Using simpler tests to build objects to observe behavior Tests 25

  26. Observation During execution we monitor • what fields a method actually reads and write • what other methods a method actually calls • which arguments actually matter • which instructions are actually covered 26

  27. Method sequence suite generation (i) Phase: Learn dynamic behavior – touch all methods once – gives basic coverage (ii) Phase: Apply strategies – order plans so that • readers appear after writers • methods with coverage potential (transitively) are preferred – prune plans: Don‟t use • pure methods to extend plans, unless they return hidden objects • methods that throw exceptions to extend plans 27

  28. Evaluation • Between 30% and 85% branch coverage on all dlls studied so far • Found many errors: Nullreferences, IndexOutOfRange , InvalidCasts, Non termination • Easy to combine with other dynamic checkers: found many resource leaks, incorrect exception handlings (by using fault injection), to be continued… 28

  29. Compositional Testing 1) Via Parameterized Unit Tests 2) Via Synthesized Specs 29

Recommend

Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik

Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik

introduction algorithm examples Race Directed Random Testing experiments of Concurrent Programs conclusion a paper by Koushik Sen presented by Michail Famelis December 4, 2008 RaceFuzzer is an algorithm for determining real races in

961 views • 28 slides
DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen 2 1 Bell Laboratories, Lucent Technologies 2 University of Illinois at Urbana-Champaign November 10, 2015 Presented by Markus 1/20 Introduction

1.58k views • 102 slides
Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

6/24/2019 CONSUMER CONSUMER CONSUMER CONSUMER- - - -DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING WHAT WHAT IT MEANS FOR MY PATIENT AND MY PRACTICE WHAT WHAT IT

659 views • 23 slides
Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia

Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia

Directed Random Graphs with Given Degree Distributions Mariana Olvera-Cravioto Columbia University molvera@ieor.columbia.edu Joint work with Ningyuan Chen July 23th, 2012 ECT, Trento, Italy Directed Random Graphs with Given Degree

421 views • 39 slides
Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in

Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in

Generalities on random walks Algebraic and probabilistic structures Directed lattices Sketch of proofs Type and type transition for random walks on randomly directed lattices To Iain MacPhee, in memoriam Dimitri Petritis Joint work with

517 views • 32 slides
Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is

Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is

Belton IS Belton ISD Random Drug Random Drug Testing Program Testing Program Who i Who is included? s included? Students in grades 9 -12 who choose to participate in extracurricular activities offered. Academic/Vocational Events

709 views • 31 slides
Random intefaces, geodesics and the directed landscape B alint Vir ag, University of

Random intefaces, geodesics and the directed landscape B alint Vir ag, University of

Random intefaces, geodesics and the directed landscape B alint Vir ag, University of Toronto with Duncan Dauvergne, Janosch Ortmann and Mihai Nica Palac Bedlewo May 21, 2019 B alint Vir ag Directed landscape 5/21/2019 1 / 45

1.31k views • 114 slides
Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer

Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer

Random Testing in PVS Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer Science Laboratory SRI International Menlo Park, CA August 21, 2006 Sam Owre AFM06 presentation: 1 Random Testing in

569 views • 10 slides
Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random

Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random

Faults Found by Random Testing WanChi Chio Justin Molinyawe Introduction Why apply random testing to object oriented software? Cost-efficient in terms of implementation effort and execution time. Introduction (Cont.)

651 views • 24 slides
Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil

Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil

Directed polymer in -stable Random Environments Roberto Viveros IMPA. Rio de Janeiro-Brazil JULY 23, 2019 Roberto Viveros Directed polymer in -stable Random Environments Chemical background Roberto Viveros Directed polymer in -stable

495 views • 37 slides
Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu

Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu

Random matrices: Distribution of the least singular value (via Property Testing) Van H. Vu Department of Mathematics Rutgers vanvu@math.rutgers.edu (joint work with T. Tao, UCLA) 1 Let be a real or complex-valued random variable and M n (

594 views • 31 slides
Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and

Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and

Stochastic Simulation Testing random number generaters Bo Friis Nielsen Applied Mathematics and Computer Science Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfn@imm.dtu.dk Testing random number generaters Testing

452 views • 24 slides
Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a

Testing atomicity Finding race conditions by random testing John Hughes &quot;We know there is a lurking bug somewhere in the dets code. We have got 'bad object' and 'premature eof' every other month the last year. We have not been able to

584 views • 29 slides
Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with :

Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with :

Exact results from the replica Bethe ansatz from KPZ growth and random directed polymers with : Pasquale Calabrese (Univ. Pise, SISSA) P. Le Doussal (LPTENS) Alberto Rosso (LPTMS Orsay) Thomas Gueudre (LPTENS,Torino) most recent: Andrea de

1.01k views • 70 slides
Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many situations, we are interested in numbers associated with the outcomes of a random experiment. For example: Testing cars from a production line, we are

489 views • 38 slides
Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean

Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean

Testing High-Dimensional Distributions: Subcube Conditioning, Random Restrictions, and Mean Testing Cl ement Canonne (IBM Research) February 25, 2020 Joint work with Xi Chen, Gautam Kamath, Amit Levi, and Erik Waingarten 1 Outline

935 views • 60 slides
Directed Automated Randomized Testing (DART) Motivation Verifica(on is really

Directed Automated Randomized Testing (DART) Motivation Verifica(on is really

Directed Automated Randomized Testing (DART) Motivation Verifica(on is really hard Unit tes(ng is also hard and rarely done properly Have to check all corner

186 views • 16 slides
Kernel Density Adaptive Random Testing Matthew Patrick and Yue Jia 13 April 2015 Outline

Kernel Density Adaptive Random Testing Matthew Patrick and Yue Jia 13 April 2015 Outline

Kernel Density Adaptive Random Testing Matthew Patrick and Yue Jia 13 April 2015 Outline Diversification and Intensification Kernel Density Adaptive Random Testing (KD-ART) Is KD-ART more effective than ART? Finding the optimal

503 views • 26 slides
Directed Polymers in Random Environment with Heavy Tails A. Auffinger O. Louidor Courant (New

Directed Polymers in Random Environment with Heavy Tails A. Auffinger O. Louidor Courant (New

Introduction Results Idea of Proof Summary Directed Polymers in Random Environment with Heavy Tails A. Auffinger O. Louidor Courant (New York University) Maryland Probability Seminar, 11/16/2009 Introduction Results Idea of Proof

1.08k views • 78 slides
Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

1 Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax Workshop, CERN, Geneva, July 2016 2 What do we want? Sequences of numbers that look random. 2 What do we want? Sequences of numbers that look

1.31k views • 128 slides
RLRsim : Testing for Random Effects or Nonparametric Regression Functions in Additive Mixed

RLRsim : Testing for Random Effects or Nonparametric Regression Functions in Additive Mixed

Background &amp; Problem Description Implementation &amp; Application Examples Simulation Study RLRsim : Testing for Random Effects or Nonparametric Regression Functions in Additive Mixed Models Fabian Scheipl 1 joint work with Sonja Greven 1 ,

670 views • 23 slides
An Integrated Approach to Assertion-Based Random Testing an 1,4 e F. Morales 1 Ignacio De Casso

An Integrated Approach to Assertion-Based Random Testing an 1,4 e F. Morales 1 Ignacio De Casso

An Integrated Approach to Assertion-Based Random Testing an 1,4 e F. Morales 1 Ignacio De Casso San Rom Jos a 1,2 Manuel V. Hermenegildo 1,4 Pedro L opez Garc 1 IMDEA Software Institute, 2 Spanish Research Council (CSIC), and 4

394 views • 20 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
User testing Results Background User testing conducted throughout November 2012 Three

User testing Results Background User testing conducted throughout November 2012 Three

School of Arts, Languages and Cultures Website User testing Results Background User testing conducted throughout November 2012 Three methods of assessment ALC online staff survey Random sampling Web Ergonomics Lab

277 views • 15 slides

More recommend