24 research outputs found

    A survey of new trends in symbolic execution for software testing and analysis

    Symbolic execution is a well-known program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Symbolic execution was proposed over three decades ago, but recently it has found renewed interest in the research community, due in part to the progress in decision procedures, availability of powerful computers and new algorithmic developments. We provide here a survey of some of the new research trends in symbolic execution, with particular emphasis on applications to test generation and program analysis. We first describe an approach that handles complex programming constructs such as input recursive data structures, arrays, as well as multithreading. Furthermore, we describe recent hybrid techniques that combine concrete and symbolic execution to overcome some of the inherent limitations of symbolic execution, such as handling native code or availability of decision procedures for the application domain. We follow with a discussion of techniques that can be used to limit the (possibly infinite) number of symbolic configurations that need to be analyzed for the symbolic execution of looping programs. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference

    Modélisation par contraintes de programmes en bytecode Java pour la génération automatique de tests

    Program verification is essential to maintain a certain level of quality and reliability. Testing is to date the most used software verification means in industry. Constraint programming is seen as an effective way to automate test data generation. In this thesis we propose a constraint modeling of the Java bytecode semantics, and a method, based on this modeling, to automatically generate test data. Our constraint model of the semantics of a Java bytecode program allows effective deductions, including in the presence of complex data structures or inheritance. In particular, the use of type variables can take into account inheritance and polymorphic method calls. Our method of test data generation uses the constraint model to cover specific instructions of the program under test. It uses a backward progression in the control flow graph to enumerate paths leading to the target instructions. This method is particularly suited to covering instructions that are not reached by other methods of test data generation. Finally, this method is implemented in a prototype named JAUT (Java Automatic Unit Testing). The experiments show that the prototype can increase the statement coverage obtained with the other available tools.

    Search Techniques for Code Generation

    This dissertation explores techniques that synthesize and generate program fragments and test inputs. The main goal of these techniques is to improve and support automation in program synthesis and test input generation. This is important because performing those processes manually is often tedious, time consuming and error prone. The main challenge that these techniques face is exploring the search space in efficient and scalable ways. In the first part of the dissertation, we present the tools InSynth and PolySynth that interactively synthesize code fragments. They take as input a partial program and automatically extract type information, the desired type, and the set of visible declarations. They use this input to synthesize a ranked list of expressions with the desired type. Finally, they present the expressions to a developer in a manner similar to code completions in modern IDEs. InSynth is the first tool that uses a complete algorithm to generate expressions with first-class functions and higher-order functions. We present the theoretical foundation of the InSynth problem, which is based on type inhabitation, and the type-based backward search algorithm that solves it. PolySynth uses a type-driven, resolution-based algorithm that considers polymorphic types (generics) to generate expressions. Furthermore, the uniqueness of both tools comes from the fact that their algorithms operate using corpus statistics. The statistics are used to steer the algorithms and the search space exploration towards the most relevant solutions. In the second part of the dissertation we present the tool anyCode that uses natural language input to synthesize expressions. As input it accepts English words or Java programming language constructs. This allows a developer to encode her intuition about the desired expression using words or the expression that approximates the desired structure. Thanks to this flexibility, anyCode can also repair broken expressions. It uses a pipeline of natural language and related-word tools to analyze the input. This helps anyCode to identify the set of the most relevant components and to reduce the size of the search space. To further reduce the size of the search space and to create the most relevant expressions, anyCode uses two statistical models: unigram and probabilistic context-free grammar. Finally, in the last part of the dissertation we present UDITA, a Java-like language with support for non-determinism, which allows a user to describe test generation programs. Test generation programs are run on top of Java PathFinder (JPF), a popular explicit-state model checker that has a built-in backtracking mechanism and supports non-determinism. Using UDITA programs, JPF generates test inputs. The first benefit of UDITA is that non-determinism empowers a user to describe many test inputs as easily as describing a single test input. The second benefit is that it gives a user more flexibility, allowing her to describe test generation programs by arbitrarily combining filters and generators. UDITA reduces the size of the search space using an algorithm that reduces the number of generated complex isomorphic structures and that delays non-deterministic choices.

    Towards an Orthodox Marxist Critique of Critical Health Policy

    Major Research Paper (Master's), Health, Faculty of Health, School of Health Policy and Management, York University. Critical health policy researchers have, over the past few decades, shown beyond doubt the connection between socioeconomic inequalities and disparities in health and disease outcomes. The evidence is strong enough that mainstream outlets like the World Health Organization now acknowledge the centrality of the social determinants of health. However, researchers and activists have largely been frustrated in their attempts to mobilize this knowledge into practice. By most accounts, social health inequalities are increasing on intranational and global scales, especially following the 2008 economic crisis (Cash-Gibson, et al., 2018). The present Covid-19 pandemic – which has caused unemployment levels to rise to historic heights in most advanced economies – has made understanding the connection between socioeconomics and individual health even more urgent. The concept of health inequality as a field of study emerged alongside the pioneers of the socialist tradition; Frederick Engels’ 1845 The Condition of the Working Class in England is a seminal work in the field, and his lifelong collaborator Karl Marx elaborated at length the deleterious (physical, psychological, and spiritual) effects of capitalism on the lower classes. However, a properly Marxist tradition is largely absent even in more radical circles of health research today. To the extent that it is present, it is “neo-Marxist” – that is, it comes from a second generation of Marxists who took influence from Marx, but use fundamentally different methodological and theoretical assumptions. I argue that this is because, for the past century, a mathematical inconsistency (the “transformation problem”) in Marx’s original political economy was thought to make it internally incoherent, and as a result it has been excluded from serious academic consideration.
However, in recent years, a school of Marxist economists have disproven the inconsistency, and in doing so paved the way for the possibility of a reclamation of the Marxist tradition in the social sciences. In this paper I argue that a Marxist political economy could serve as a superior methodological basis for the study of social health inequities

    The Representation of Gender in Contemporary Chinese Television Advertising: An Analysis of Content, Meaning, and Production

    This thesis examines how gender is portrayed in Chinese television commercials and how these representations reflect the social and cultural contexts of their production and the institutional practices of advertising production personnel. To date, while there have been a plethora of studies on gender representation in advertising in western contexts only limited attention has been given to Chinese advertising portrayals of gender. This study, therefore, explores particular ways in which femininity and masculinity are discursively constructed, and how this process, in turn, contributes to reinforcing and/or challenging certain gender ideologies, in particular those found in Chinese Confucian culture. The study is unique in its approach to Chinese television advertising in that it combines methods from textual analysis (quantitative content analysis, semiotic analysis and critical discourse analysis) and empirical research (interview). A sample of 679 television commercials was collected and analysed in this investigation. Content analysis was initially applied to identify recurrent patterns and characteristics of gender representation which, in turn, formed the basis for in-depth semiotic and discourse analysis. Specific signs, images, codes, discourses and myths were subsequently discussed. The study also included semi-structured interviews with 26 Chinese advertising personnel in order to understand their multiple dispositions toward gender and their actual experiences of depicting female and male characters in the creative process. Several main findings emerged from this study. The portrayal of gender in Chinese television commercials is complex because it embodies a series of simultaneously conflicting and complementary discourses on what constitute femininity and masculinity. 
The results of the content analysis revealed that the representation of gender in this study’s sample still remains stereotypical in terms of the different distribution of the sexes across product category, role, dress, age, credibility and voice-over. By focusing on the constructs of gender in domestic, occupational and recreational contexts, the use of semiotic and discourse analysis revealed that Chinese television advertising not only portrays women and men in line with the significant aspects embedded in both Chinese and western patriarchal traditions, but is also constitutive of cultural shifts in gender ideologies through highlighting modern (western) values. In addition, the interview findings yielded support for the conclusions of textual analysis, demonstrating that the process of advertising production is significantly influenced by traditional and modern gender values, the restriction of advertising regulations, client expectations, and the professionals’ divergent perceptions of gender and their assumptions about the audience

    Witness-based validation of verification results with applications to software-model checking

    In the scientific world, formal verification is an established engineering technique to ensure the correctness of hardware and software systems. Because formal verification is an arduous and error-prone endeavor, automated solutions are desirable, and researchers continue to develop new algorithms and optimize existing ones to push the boundaries of what can be verified automatically. These efforts do not go unnoticed by the industry. Hardware-circuit designs, flight-control systems, and operating-system drivers are just a few examples of systems where formal verification is already part of the quality-assurance repertoire. Nevertheless, the primary fields of application for formal verification are mainly those where errors carry a high risk of significant damage, either financial or physical, because the costs of formal verification are considered to be too high for most other projects, despite the fact that the research community has made vast advancements regarding the effectiveness and efficiency of formal verification techniques in the last decades. We present and address two potential reasons for this discrepancy that we identified in the field of automated formal software verification. (1) Even for experts in the field, it is often difficult to decide which of the multitude of available techniques is the most suitable solution they should recommend to solve a given verification problem. Moreover, even if a suitable solution is found for a given system, there is no guarantee that the solution is sustainable as the system evolves. Consequently, the cost of finding and maintaining a suitable approach for applying formal software verification to real-world systems is high. 
(2) Even assuming that a suitable and maintainable solution for applying formal software verification to a given system is found and verification results could be obtained, developers of the system still require further guidance towards making practical use of these results, which often differ significantly from the results they obtain from classical quality-assurance techniques they are familiar with, such as testing. To mitigate the first issue, using the open-source software-verification framework CPAchecker, we investigate several popular formal software-verification techniques such as predicate abstraction, Impact, bounded model checking, k-induction, and PDR, and perform an extensive and rigorous experimental study to identify their strengths and weaknesses regarding their comparative effectiveness and efficiency when applied to a large and established benchmark set, to provide a basis for choosing the best technique for a given problem. To mitigate the second issue, we propose a concrete standard format for the representation and communication of verification results that raises the bar from plain "yes" or "no" answers to verification witnesses, which are valuable artifacts of the verification process that contain detailed information discovered during the analysis. We then use these verification witnesses for several applications: To increase the trust in verification results, we first develop several independent validators based on violation witnesses, i.e. verification witnesses that represent bugs detected by a verifier. We then extend our validators to also verify the verification results obtained from a successful verification, which are represented by correctness witnesses.
Lastly, we also develop an interactive web service to store and retrieve these verification witnesses, to provide online validation to quickly de-prioritize likely wrong results, and to graphically visualize the witnesses, as an example of how verification can be integrated into a development process. Since the introduction of our proposed standard format for verification witnesses, it has been adopted by over thirty different software verifiers, and our witness-based result-validation tools have become a core component in the scoring process of the International Competition on Software Verification.

    The Smart City and the Extraction of Hope
