Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,

mm

Lazy Annotation for Program Testing and Verification

(Supplementary Materials)

Speaker: Chen-Hsuan Adonis LinAdvisor: Jie-Hong Roland Jiang

December 3, 2010

1

mm

OutlineHow to compute Interpolants of

program sequenceConcolic Approach (without learning)

Dart: Directed Automated Random Testing

December 3, 2010

2

mm

Strongest and Weakest InterpolantsIf I and I′ are both interpolants for (F,G), then

so are I∧I′ and I∨I′Let F ∧ G be unsatisfiable. The strongest

interpolant for (F, G), denoted SI (F, G), is the unique interpolant for (F, G) that implies any other interpolant. The weakest interpolant for (F,G), denoted WI(F,G), is the unique interpolant that is implied by any other interpolant

SI (F, G) implies WI (F, G)

December 3, 2010

3

mm

Interpolants of SequencesWe want to handle program paths, therefore a

generalization of interpolant is needed.Given a sequence of formulas Γ = A1,A2,…,An, we

say that Ā 0, Ā 1,…, Ā n is in an interpolant for Γ when:Ā 0 = TRUE and Ā n = FALSE,For all 1≤i≤n, Ā i-1∧Ai implies Ā i, andFor all 1≤i≤n, Ā i is in L(A1,…,Ai)∩L(Ai+1,…,An)

If Γ is quantifier-free we can derive a quantifier-free interpolant for Γ (from the refutation of Γ )

December 3, 2010

4

mm

Interpolants for Sequences (con’t)

An intuition:

So this is a structured refutation of A1, …, Ak

(Ā i ∧ Ai+1) implies Ā i+1

December 3, 2010

5

A1 A2 A3 Ak...

Ā1 Ā2 Ā3 Āk-1...True False

mm

Iterative Computation of Interpolants

Given a formula F = F1 ∧ . . . ∧ Fn, determine whether F is unsatisfiable, and if so, find interpolants for the pairs (F ..i, F i+1..), i∈{1,...,n}, where F..i := F1∧...∧Fi and Fi+1.. :=Fi+1∧...∧Fn

Each formula Fi models a program instruction

A formula F = F1 ∧ . . . ∧ Fn models a trace through a program

In order to check if the trace is feasible or spurious, one can check if F is satisfiable or unsatisfiable

December 3, 2010

6

mm

Iterative Computation of Interpolants (con’t)

Definition (Tracking Property) Let F1 ∧ . . . ∧ Fn be unsatisfiable, and let Ki be interpolants

for (F ..i, F i+1..). We say that the family {Ki} satisfies the tracking property if ( Ki ∧ Fi+1 |= Ki+1)

Proposition: Let F1 ∧ F2 ∧ . . . ∧ Fn be unsatisfiable. Let {Ii} and {Ji} be families of predicates defined according to the following procedures: I0 := true, Ii+1 := any interpolant for (Ii ∧Fi+1, Fi+2..),

where i=0, ..., n−1 Jn := false, Ji−1 := any interpolant for (F ..i−1, ¬(Fi → Ji)),

where i=n, ..., 1{Ii} and {Ji} are interpolants for (F ..i,F i+1..) and satisfy

the tracking property

December 3, 2010

7

mm


Ｉ nterpolants satisfying the tracking property “explain” the infeasibility of a trace by providing Hoare annotations

Evaluate strongest interpolants (Ii) {true} X := true {X} Y := X {X ∧ Y } assume(¬Y ∧ Z)

{false}

Evaluate weakest interpolants (Ji) {true} X := true {X ∨ ¬Z} Y := X {Y ∨ ¬Z} assume(¬Y ∧ Z)

{false}

By definition, Ii |= Ji; Ex: (X∧Y) |= (Y∨¬Z)

December 3, 2010

8

mm


Evaluate strongest interpolants (Ii) {true} X := true {X} Y := X {X ∧ Y } assume(¬Y ∧ Z) {false

Evaluate weakest interpolants (Ji) {true} X := true {X ∨ ¬Z} Y := X {Y ∨ ¬Z} assume(¬Y ∧ Z) {false}

Intuitively, the strongest interpolants at node n records all facts that are established by the path leading up to n Ex: the strongest interpolant at node 2 is {X ∧ Y}

Intuitively, the weakest interpolant at n represents the disjunction of all conditions that make the trace infeasible if they hold at n Ex: the weakest interpolant at node 2 is {Y ∨¬Z}

December 3, 2010

9

mm

OutlineHow to compute Interpolants of

program sequenceConcolic Approach (without learning)

Dart: Directed Automated Random Testing

December 3, 2010

10

mm

Motivation of software testingToday, QA is mostly testing

“50% of my company employees are testers, and the rest spends 50% of their time testing!”

-- Bill Gates 1995

December 3, 2010

11

mm

Concolic ApproachCombine concrete and symbolic execution for

unit testing (Concrete + Symbolic = Concolic)DART: Directed Automated Random Testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation

Authors Patrice Godefroid (Bell Labs)Nils Klarlund (Bell Labs)Koushik Sen (CS, UIUC)

December 3, 2010

12

mm

Example (C code)int double(int x) {

return 2 * x;

}

void test_me(int x, int y) {

int z = double(x);

if (z==y) {

if (y == x+10)

abort(); /* error */

}

}

(1) Interface extraction:• parameters of toplevel function• external variables• return values of external functions

main(){

int tmp1 = randomInt();

int tmp2 = randomInt();

test_me(tmp1,tmp2);

}

(2) Generation of test driver for random testing:

Problem: probability of reaching abort() is extremely low!December 3, 2010

13

mm

DART: Directed Searchmain(){

int t1 = randomInt();


test_me(t1,t2);

}

int double(int x) {return 2 * x; }


int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint

x = 36, y = 99x = 36, y = 99create create symbolicsymbolicvariables x, y variables x, y

December 3, 2010

14

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint

create symboliccreate symbolicvariables x, y variables x, y

x = 36, y = 99,x = 36, y = 99,z = 72z = 72

z = 2 * xz = 2 * x

December 3, 2010

15

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


x = 36, y = 99,x = 36, y = 99,z = 72z = 72

z = 2 * xz = 2 * x

2 * x != y2 * x != y

Solve: 2 * x == ySolve: 2 * x == y

Solution: x = 1, y = 2Solution: x = 1, y = 2

December 3, 2010

16

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint

x = 1, y = 2x = 1, y = 2create symboliccreate symbolicvariables x, y variables x, y

December 3, 2010

17

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


x = 1, y = 2, z = 2x = 1, y = 2, z = 2 z = 2 * xz = 2 * x

December 3, 2010

18

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


x = 1, y = 2, z = 2x = 1, y = 2, z = 2 z = 2 * xz = 2 * x 2 * x == y2 * x == y

December 3, 2010

19

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


2 * x == y2 * x == y

x = 1, y = 2, z = 2x = 1, y = 2, z = 2 z = 2 * xz = 2 * x

y != x + 10y != x + 10

Solve: (2 * x == y) Solve: (2 * x == y) Æ Æ (y == x +10)(y == x +10)

Solution: x = 10, y = 20Solution: x = 10, y = 20

December 3, 2010

20

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint

x = 10, y = 20x = 10, y = 20create symboliccreate symbolicvariables x, y variables x, y

December 3, 2010

21

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


x = 10, y = 20, z = 20x = 10, y = 20, z = 20 z = 2 * xz = 2 * x

December 3, 2010

22

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


x = 10, y = 20, z = 20x = 10, y = 20, z = 20 z = 2 * xz = 2 * x 2 * x == y2 * x == y

December 3, 2010

23

mm




test_me(t1,t2);

}



int z = double(x);

if (z==y) {

if (y == x+10)


}

}

Concrete Execution

Symbolic Execution

Path Constraint


2 * x == y2 * x == y

y == x +10y == x +10z = 2 * xz = 2 * xx = 10, y = 20, z = 20x = 10, y = 20, z = 20

Program Error

December 3, 2010

24

mm

Concolic Testing: A Middle Approach

+ Complex programs

+ Efficient

- Less coverage

+ No false positive

- Simple programs

- Not efficient

+ High coverage

- False positive

Random Testing

Symbolic Testing

Concolic Testing

+ Complex programs+/- Somewhat efficient+ High coverage+ No false positive

December 3, 2010

25

mm

Limitations: A Comparative View

Concolic: Broad, shallow

Random: Narrow, deepDecember 3, 2010

26

mm

Hybrid Concolic Testing Interleave Random Testing and Concolic Testing to increase

coverage

Deep, broad, hybrid Search

December 3, 2010

27

mm

Thanks for your attention

December 3, 2010

28

Documents

Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,