45 research outputs found
Combining over- and under-approximating program analyses for automatic software testing
This dissertation attacks the well-known problem of path-imprecision in static program analysis. Our starting point is an existing static program analysis that over-approximates the execution paths of the analyzed program. We then make this over-approximating program analysis more precise for automatic testing in an object-oriented programming language. We achieve this by combining the over-approximating program analysis with usage-observing and under-approximating analyses. More specifically, we make the following contributions.
We present a technique to eliminate language-level unsound bug warnings produced by an execution-path-over-approximating analysis for object-oriented programs that is based on the weakest precondition calculus. Our technique post-processes the results of the over-approximating analysis by solving the produced constraint systems and generating and executing concrete test-cases that satisfy the given constraint systems. Only test-cases that confirm the results of the over-approximating static analysis are presented to the user. This technique has the important side-benefit of making the results of a weakest-precondition based static analysis easier to understand for human consumers. We show examples from our experiments that visually demonstrate the difference between hundreds of complicated constraints and a simple corresponding JUnit test-case.
Besides eliminating language-level unsound bug warnings, we present an additional technique that also addresses user-level unsound bug warnings. This technique pre-processes the testee with a dynamic analysis that takes advantage of actual user data. It annotates the testee with the knowledge obtained from this pre-processing step and thereby provides guidance for the over-approximating analysis.
We also present an improvement to dynamic invariant detection for object-oriented programming languages. Previous approaches do not take behavioral subtyping into account and therefore may produce inconsistent results, which can throw off automated analyses such as the ones we are performing for bug-finding.
Finally, we address the problem of unwanted dependencies between test-cases caused by global state. We present two techniques for efficiently re-initializing global state between test-case executions and discuss their trade-offs.
We have implemented the above techniques in the JCrasher, Check 'n' Crash, and DSD-Crasher tools and present initial experience in using them for automated bug finding in real-world Java programs.Ph.D.Committee Chair: Smaragdakis, Yannis; Committee Member: Dwyer, Matthew; Committee Member: Orso, Alessandro; Committee Member: Pande, Santosh; Committee Member: Rugaber, Spence
Replicability Study: Corpora For Understanding Simulink Models & Projects
Background: Empirical studies on widely used model-based development tools
such as MATLAB/Simulink are limited despite the tools' importance in various
industries.
Aims: The aim of this paper is to investigate the reproducibility of previous
empirical studies that used Simulink model corpora and to evaluate the
generalizability of their results to a newer and larger corpus, including a
comparison with proprietary models.
Method: The study reviews methodologies and data sources employed in prior
Simulink model studies and replicates the previous analysis using SLNET. In
addition, we propose a heuristic for determining code-generating Simulink
models and assess the open-source models' similarity to proprietary models.
Results: Our analysis of SLNET confirms and contradicts earlier findings and
highlights its potential as a valuable resource for model-based development
research. We found that open-source Simulink models follow good modeling
practices and contain models comparable in size and properties to proprietary
models. We also collected and distribute 208 git repositories with over 9k
commits, facilitating studies on model evolution.
Conclusions: The replication study offers actionable insights and lessons
learned from the reproduction process, including valuable information on the
generalizability of research findings based on earlier open-source corpora to
the newer and larger SLNET corpus. The study sheds light on noteworthy
attributes of SLNET, which is self-contained and redistributable
Targeted Greybox Fuzzing with Static Lookahead Analysis
Automatic test generation typically aims to generate inputs that explore new
paths in the program under test in order to find bugs. Existing work has,
therefore, focused on guiding the exploration toward program parts that are
more likely to contain bugs by using an offline static analysis.
In this paper, we introduce a novel technique for targeted greybox fuzzing
using an online static analysis that guides the fuzzer toward a set of target
locations, for instance, located in recently modified parts of the program.
This is achieved by first semantically analyzing each program path that is
explored by an input in the fuzzer's test suite. The results of this analysis
are then used to control the fuzzer's specialized power schedule, which
determines how often to fuzz inputs from the test suite. We implemented our
technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart
contracts and evaluate its effectiveness on 27 real-world benchmarks. Using an
online analysis is particularly suitable for the domain of smart contracts
since it does not require any code instrumentation---instrumentation to
contracts changes their semantics. Our experiments show that targeted fuzzing
significantly outperforms standard greybox fuzzing for reaching 83% of the
challenging target locations (up to 14x of median speed-up)
Check 'n' Crash: Combining Static Checking and Testing
We present an automatic error-detection approach that combines static checking and concrete test-case generation. Our approach consists of taking the abstract error conditions inferred using theorem proving techniques by a static checker (ESC/Java), deriving specific error conditions using a constraint solver, and producing concrete test cases (with the JCrasher tool) that are executed to determine whether an error truly exists. The combined technique has advantages over both static checking and automatic testing individually. Compared to ESC/Java, we eliminate spurious warnings and improve the ease-of-comprehension of error reports through the production of Java counterexamples. Compared to JCrasher, we eliminate the blind search of the input space, thus reducing the testing time and increasing the test quality
Dynamic Symbolic Database Application Testing
A database application differs form regular applications in that some of its inputs may be database queries. The program will execute thequeries on a database and mayuse any result values in its subsequent program logic. This means thatauser-suppliedquerymaydeterminethevaluesthatthe application will use in subsequent branching conditions. At the same time, a new database application is often required to work well on a body of existing data stored in some large database. For systematic testing of database applications, recent techniques replace the existing database with carefully crafted mock databases. Mock databases return values that will trigger as many execution paths in the application as possible and thereby maximize overall code coverage of the database application. In this paper we offer an alternative approach to database application testing. Our goal is to support software engineers in focusing testing on the existing body of data the application is required to work well on. For that, we propose to side-step mock database generation and instead generate queries for the existing database. Our key insight is that we can use the information collected during previous program executions to systematically generate new queries that will maximize the coverage of the application under test, while guaranteeing that the generated test cases focus on the existing data
Searching Mobile App Screens via Text + Doodle
Locating a specific mobile application screen from existing repositories is
restricted to basic keyword searches, such as Google Image Search, or
necessitates a complete query screen image, as in the case of Swire. However,
interactive partial sketch-based solutions like PSDoodle have limitations,
including inaccuracy and an inability to consider text appearing on the screen.
A potentially effective solution involves implementing a system that provides
interactive partial sketching functionality for efficiently structuring user
interface elements. Additionally, the system should incorporate text queries to
enhance its capabilities further. Our approach, TpD, represents the pioneering
effort to enable an iterative search of screens by combining interactive
sketching and keyword search techniques. TpD is built on a combination of the
Rico repository of approximately 58k Android app screens and the PSDoodle. Our
evaluation with third-party software developers showed that PSDoodle provided
higher top-10 screen retrieval accuracy than state-of-the-art Swire and
required less time to complete a query than other interactive solutions