DySy: Dynamic Symbolic Execution for Invariant Inference
Authors
Christoph Csallner, Nikolai Tillmann, Yannis Smaragdakis
Christoph Csallner
College of Computing, Georgia Tech. Research interest: software engineering, especially program analysis and automated testing.
Other papers:
1. Combining static and dynamic reasoning for bug detection (TAP 2007)
2. Combining over- and under-approximating program analyses for automatic software testing
Nikolai Tillmann
Microsoft Research. Leader of the Pex project.
Papers:
1. Pex: White Box Test Generation for .NET (TAP 2008)
2. Unit Tests Reloaded: Parameterized Unit Testing with Symbolic Execution. IEEE Software 23(4): 38-47 (2006)
Yannis Smaragdakis
Associate Professor, Department of Computer Science, University of Massachusetts, Amherst. Research: applied programming languages and software engineering.
Papers:
1. C&Y's papers
2. Exception Analysis and Points-To Analysis: Better Together (ISSTA'09)
Background
Dynamic invariant inference: Daikon
Symbolic execution: Pex
Invariant
A predicate is called an invariant of a sequence of operations if, at the end of the sequence, it always evaluates to the same value it had before the sequence started.
Example: the MU puzzle
Daikon
The first and most mature dynamic invariant inference tool. Daikon tracks a program's variables during execution and generalizes the observed behavior to invariants by matching the observed values against a set of relation models.
Relation model examples: constant value (x == a, or x > 0), linear relationships (y == a*x + b), ordering (x <= y) and membership.
Symbolic execution
"Symbolic Execution and Program Testing", James King, 1975.
The analysis of programs by tracking symbolic rather than actual values.
Path condition (pc): a precondition for a program path, i.e. the conjunction of the branch conditions taken along it.
Simple example
    y = read()
    y = 2 * y
    if (y == 12)
        fails()
    print("OK")
With the input read as the symbol Y, the path reaching fails() has path condition 2*Y == 12, and the path printing "OK" has path condition !(2*Y == 12).
Pex
A dynamic analysis and test generation framework for .NET, developed by the Foundations of Software Engineering group at Microsoft Research.
Shadow interpreter. Relation between DySy and Pex.
Overview
Basic idea. Implementation details. Abstraction for loops.
Basic idea
1. For one test case (one execution path): take the pc as the precondition. Take the implication from that pc to the method's return value as the postcondition.
2. Repeat step 1 for all test cases.
3. Combine all preconditions by disjunction, and all postconditions by conjunction.
Example
    public Object top() {
        if (Empty) return null;
        return theArray[topOfStack];
    }
Two test cases (paths):
1. Empty == true
2. Empty == false && topOfStack >= 0 && topOfStack < theArray.Length
Example (2)
Combined precondition:
    Empty == true || (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length)
Combined postcondition:
    Empty == true ==> (\result == null)
    and (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) ==> (\result == theArray[topOfStack])
Implementation details
Usage of Pex. Handling nested method calls. Abstraction for loops.
Usage of Pex
For the duration of each method call, DySy registers a separate interpreter with Pex's monitoring framework.
Nested calls
DySy builds a set of quadruples (method, pathCondition, result, finalState) to represent methods as it monitors the program.
Abstraction for Loops
Traditional method: record the path condition for every loop iteration. Precise, but useless in practice: the resulting conditions are too specific, and recording them causes heavy overhead.
Abstraction for Loops
Heuristic method:
1. Loop variables are treated as inputs (fresh symbols).
2. Loop conditions are ignored, except when the loop body is not entered.
3. Only the latest value of each loop variable is recorded.
Example
    public int linSearch(int ele, int[] arr) {
        if (arr == null) throw new ArgumentException();
        for (int i = 0; i < arr.Length; i++) {
            if (ele == arr[i]) return i;
        }
        return -1;
    }
Program state
    arr != null && ( $i < arr.Length && !(ele == arr[$i]) && $i >= 0
                  || $i < arr.Length && ele == arr[$i] && $i >= 0 )
Simplified program state
    !(ele == arr[$i]) ==> \result == -1 || ele == arr[$i] ==> \result == $i
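The following Python script is an added example, not code from the paper, the slides, or Pex. It models the basic idea from the "Basic idea" and "Example" slides (take each path condition as a precondition and pc ==> result as a postcondition, then combine by disjunction and conjunction) and the loop heuristic from the "Abstraction for Loops" slides, applied to the same two methods, top() and linSearch. Everything in it is an assumption: the Sym, Tracer and SymArray classes stand in for Pex's shadow interpreter (a symbolic expression carries the concrete value that drives execution, an array access generates bounds checks as path conditions), a single loop per method is supported, the finalState component of DySy's quadruple is omitted, ValueError stands in for ArgumentException, and the resulting formulas are not simplified.

```python
# Toy DySy-style dynamic symbolic execution (added example; all names are assumptions).
from dataclasses import dataclass


class Sym:
    """A symbolic expression string paired with the concrete value of this execution."""
    def __init__(self, expr, val):
        self.expr, self.val = expr, val

    def _bin(self, other, op, fn):
        o = other if isinstance(other, Sym) else Sym(repr(other), other)
        return Sym(f"({self.expr} {op} {o.expr})", fn(self.val, o.val))

    def __eq__(self, other): return self._bin(other, "==", lambda a, b: a == b)
    def __lt__(self, other): return self._bin(other, "<", lambda a, b: a < b)
    def __ge__(self, other): return self._bin(other, ">=", lambda a, b: a >= b)


class Tracer:
    """Collects the path condition (pc) of one concrete execution."""
    def __init__(self):
        self.pc = []           # conjuncts of the current path condition
        self.loop_mark = None  # length of pc when the loop body was first entered

    def branch(self, cond):
        """Record which way a branch went and return the concrete outcome."""
        self.pc.append(cond.expr if cond.val else f"!{cond.expr}")
        return bool(cond.val)

    def loop_head(self, name, value, cond):
        """Loop heuristic: the loop variable becomes the fresh input symbol $name, the
        loop condition is ignored unless the body is never entered, and only the latest
        iteration's conditions are kept. Returns the symbol, or None to leave the loop."""
        sym = Sym(f"${name}", value)
        c = cond(sym)
        if not c.val:
            if self.loop_mark is None:   # body never entered: keep the exit condition
                self.pc.append(f"!{c.expr}")
            return None
        if self.loop_mark is None:
            self.loop_mark = len(self.pc)
        del self.pc[self.loop_mark:]     # forget the previous iteration's conditions
        return sym


class SymArray:
    """Array whose element accesses generate bounds checks as path conditions;
    values=None models a null reference."""
    def __init__(self, tracer, name, values):
        self.t, self.name, self.values = tracer, name, values

    def is_null(self):
        return Sym(f"({self.name} == null)", self.values is None)

    @property
    def length(self):
        return Sym(f"{self.name}.Length", len(self.values))

    def __getitem__(self, idx):
        if not self.t.branch(idx >= 0) or not self.t.branch(idx < self.length):
            raise IndexError(self.name)
        return Sym(f"{self.name}[{idx.expr}]", self.values[idx.val])


# The two methods from the slides, written against the tracer.
def top(t, Empty, topOfStack, theArray):
    if t.branch(Empty):
        return None
    return theArray[topOfStack]


def lin_search(t, ele, arr):
    if t.branch(arr.is_null()):
        raise ValueError("arr == null")   # stands in for ArgumentException
    i = 0
    while (i_sym := t.loop_head("i", i, lambda s: s < arr.length)) is not None:
        if t.branch(ele == arr[i_sym]):
            return i_sym
        i += 1
    return -1


@dataclass
class Path:
    method: str
    pc: tuple
    result: str


def render(v):
    return "null" if v is None else (v.expr if isinstance(v, Sym) else repr(v))


def run_suite(method, name, tests):
    """Run each concrete test; keep one (method, pc, result) entry per distinct path."""
    paths = {}
    for make_args in tests:
        t = Tracer()
        try:
            res = render(method(t, *make_args(t)))
        except Exception as e:            # an exceptional exit is a result too
            res = f"throws {type(e).__name__}"
        paths.setdefault(tuple(t.pc), Path(name, tuple(t.pc), res))
    return list(paths.values())


def precondition(paths):
    """Disjunction of all path conditions."""
    return " || ".join("(" + " && ".join(p.pc) + ")" for p in paths)


def postcondition(paths):
    """Conjunction of 'pc ==> \\result == value' implications."""
    return " && ".join(f"({' && '.join(p.pc)}) ==> (\\result == {p.result})" for p in paths)


# Constructed test inputs: concrete values drive execution, names become symbols.
TOP_TESTS = [
    lambda t: (Sym("Empty", True), Sym("topOfStack", -1), SymArray(t, "theArray", [0])),
    lambda t: (Sym("Empty", False), Sym("topOfStack", 1), SymArray(t, "theArray", [10, 20, 30])),
]
SEARCH_TESTS = [
    lambda t: (Sym("ele", 5), SymArray(t, "arr", [1, 5, 9])),   # found at index 1
    lambda t: (Sym("ele", 7), SymArray(t, "arr", [1, 5, 9])),   # not found
    lambda t: (Sym("ele", 5), SymArray(t, "arr", None)),        # null array
]

if __name__ == "__main__":
    for m, n, tests in ((top, "top", TOP_TESTS), (lin_search, "linSearch", SEARCH_TESTS)):
        ps = run_suite(m, n, tests)
        print(f"{n}: pre  = {precondition(ps)}")
        print(f"{n}: post = {postcondition(ps)}")
```

Running the script prints, for top(), the precondition `(Empty) || (!Empty && (topOfStack >= 0) && (topOfStack < theArray.Length))` and the matching conjunction of implications, which is the combined contract from the "Example (2)" slide up to spelling. For linSearch, the not-found path keeps only the last iteration's `!(ele == arr[$i])` together with the bounds checks on `arr[$i]`, and the loop's exit condition `!($i < arr.Length)` never appears, which is exactly what the heuristic on the "Abstraction for Loops" slide produces; the null-array test adds a third path whose result is the thrown exception.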
Evaluation
Test code: StackAr, an example program originally by Weiss.
Overhead: DySy 28 seconds, Daikon 9 seconds.
Thank you!