Symbolic search-based testing
We present an algorithm for constructing fitness functions that improve the efficiency of search-based testing when trying to generate branch-adequate test data. The algorithm combines symbolic information with dynamic analysis and has two key advantages: it does not require any change in the underlying test data generation technique, and it avoids many problems traditionally associated with symbolic execution, in particular the presence of loops. We have evaluated the algorithm on industrial closed-source and open-source systems using both local and global search-based testing techniques, demonstrating that both are statistically significantly more efficient using our approach. The test for significance was done using a one-sided, paired Wilcoxon signed-rank test. On average, the local search requires 23.41% and the global search 7.78% fewer fitness evaluations when using a symbolic-execution-based fitness function generated by the algorithm.
Badger: Complexity Analysis with Fuzzing and Symbolic Execution
Hybrid testing approaches that involve fuzz testing and symbolic execution have shown promising results in achieving high code coverage, uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger - a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities which occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse set of inputs that aim to increase not only coverage but also a resource-related cost associated with each path. Since fuzzing may fail to execute deep program paths due to its limited knowledge about the conditions that influence these paths, we complement the analysis with a symbolic execution, which is also customized to search for paths that increase the resource-related cost. Symbolic execution is particularly good at generating inputs that satisfy various program conditions but by itself suffers from path explosion. Therefore, Badger uses fuzzing and symbolic execution in tandem, to leverage their benefits and overcome their weaknesses. We implemented our approach for the analysis of Java programs, based on Kelinci and Symbolic PathFinder. We evaluated Badger on Java applications, showing that our approach is significantly faster in generating worst-case executions compared to fuzzing or symbolic execution on their own.
Improve Model Testing by Integrating Bounded Model Checking and Coverage Guided Fuzzing
The control logic models built by Simulink or Ptolemy have been widely used in industrial settings. There is an urgent need to ensure the safety and security of the control logic models. Test case generation technologies are widely used to ensure the safety and security. State-of-the-art model testing tools employ model checking techniques or search-based methods to generate test cases. Traditional search-based techniques based on Simulink simulation are plagued by problems such as low speed and high overhead. Traditional model checking techniques such as symbolic execution have limited performance when dealing with nonlinear elements and complex loops. Recently, coverage-guided fuzzing technologies are known to be effective for test case generation, due to their high efficiency and impressive effects over complex branches of loops.

In this paper, we apply fuzzing methods to improve model testing and demonstrate the effectiveness. The fuzzing methods aim to cover more program branches by mutating valuable seeds. Inspired by this feature, we propose a novel integration technology, SPsCGF, which leverages bounded model checking for symbolic execution to generate test cases as initial seeds and then conducts fuzzing based upon these worthy seeds. In this manner, our work combines the advantages of the model checking methods and fuzzing techniques in a novel way. Since the control logic models always receive signal inputs, we specifically design novel mutation operators for signals to improve the existing fuzzing method in model testing. Over the evaluated benchmarks, which consist of industrial cases, SPsCGF could achieve 8% to 38% higher model coverage and 3x-10x time efficiency compared with the state-of-the-art works.
Diversifying focused testing for unit testing
Software changes constantly because developers add new features or modifications. This directly affects the effectiveness of the test suite associated with that software, especially when these new modifications are in a specific area that no test case covers. This paper tackles the problem of generating a high-quality test suite to cover repeatedly a given point in a program, with the ultimate goal of exposing faults possibly affecting the given program point. Both search-based software testing and constraint solving offer ready, but low-quality, solutions to this: ideally a maximally diverse covering test set is required, whereas search and constraint solving tend to generate test sets with biased distributions. Our approach, Diversified Focused Testing (DFT), uses a search strategy inspired by GödelTest. We artificially inject parameters into the code branching conditions and use a bi-objective search algorithm to find diverse inputs by perturbing the injected parameters, while keeping the path conditions still satisfiable. Our results demonstrate that our technique, DFT, is able to cover a desired point in the code at least 90% of the time. Moreover, adding diversity improves the bug detection and the mutation killing abilities of the test suites. We show that DFT achieves better results than focused testing, symbolic execution and random testing by achieving from 3% to 70% improvement in mutation score and up to 100% improvement in fault detection across 105 software subjects.