Efñcient Test Generation Guided by Field Coverage Gritería

Field-exhaustive testing is a testing criterion that requires suites to contain enough test inputs to cover all feasible valúes for fields within a certain input-size bound. While previous work shows that field- exhaustive suites can be automatically generated, the generation tech- nique requires a formal specification of the inputs that can be subject to SAT-based analysis. Moreover, this constraint together with the resfrie- tion of producing all feasible valúes for input fields makes test generation costly, and field-exhaustive testing difficult to generalize to further testing domains. In this paper, we deal with field. coverage as testing criteria that measure the degree to which a program is tested by examining to what extent the valúes of inputs’ fields are covered. We show that this notion generalizes field-exhaustive testing, withdrawing the need for a SAT-analyzable formal specification, and thus can be combined with any test generation technique to produce smaller test suites, reducing testing time. In particular, we consider field coverage: (i) in combination with test generation based on symbolic execution, to produce underapproximations of all testing sequences; (ii) as a relaxation of bounded-exhaustive testing, producing smaller suites using the Korat tool; and (iii) in combination with random testing, producing smaller test suites and even serving as a termination criterion for generation. As we show, in all these cases field coverage helps producing significantly smaller suites, thus contributing to testing time, while retaining the effectiveness of the corresponding original techniques, in terms of test suite quality.Sociedad Argentina de Informática e Investigación Operativ

Efficient Bounded Model Checking of Heap-Manipulating Programs using Tight Field Bounds

Software model checkers are able to exhaustively explore different bounded program executions arising from various sources of nondeterminism. These tools provide statements to produce non-determinis- tic values for certain variables, thus forcing the corresponding model checker to consider all possible values for these during verification. While these statements offer an effective way of verifying programs handling basic data types and simple structured types, they are inappropriate as a mechanism for nondeterministic generation of pointers, favoring the use of insertion routines to produce dynamic data structures when verifying, via model checking, programs handling such data types. We present a technique to improve model checking of programs handling heap-allocated data types, by taming the explosion of candidate structures that can be built when non-deterministically initializing heap object fields. The technique exploits precomputed relational bounds, that disregard values deemed invalid by the structure’s type invariant, thus reducing the state space to be explored by the model checker. Precomputing the relational bounds is a challenging costly task too, for which we also present an efficient algorithm, based on incremental SAT solving. We implement our approach on top of the CBMC bounded model checker, and show that, for a number of data structures implementations, we can handle significantly larger input structures and detect faults that CBMC is unable to detect.Sociedad Argentina de Informática e Investigación Operativ