DySy: Dynamic Symbolic Execution for Invariant Inference.

Transcript of DySy: Dynamic Symbolic Execution for Invariant Inference.

Authors

Christoph Csallner, Nikolai Tillmann, Yannis Smaragdakis

Christoph Csallner
College of Computing, Georgia Tech
Research interests: software engineering, especially program analysis and automated testing
Other papers:
1. Combining static and dynamic reasoning for bug detection (TAP 2007)
2. Combining over- and under-approximating program analyses for automatic software testing

Nikolai Tillmann
Microsoft Research, leader of the Pex project
Papers:
1. Pex: White Box Test Generation for .NET (TAP 2008)
2. Unit Tests Reloaded: Parameterized Unit Testing with Symbolic Execution. IEEE Software 23(4): 38-47 (2006)

Yannis Smaragdakis
Associate Professor, Department of Computer Science, University of Massachusetts, Amherst
Research: applied programming languages and software engineering
Papers:
1. C&Y's papers
2. Exception Analysis and Points-To Analysis: Better Together (ISSTA'09)

Background
1. Dynamic invariant inference: Daikon
2. Symbolic execution: Pex

Invariant

A predicate is an invariant of a sequence of operations if it evaluates to the same value at the end of the sequence as it did before the sequence started.

Example: MU puzzle

Daikon

The first and most mature dynamic invariant inference tool. Daikon tracks a program's variables during execution and generalizes the observed values to invariants by testing them against a fixed set of invariant templates (relation models); a template that holds on every observed execution is reported as an invariant.

Example templates: constant value (x == a), sign (x > 0), linear relationships (y == a*x + b), ordering (x <= y) and membership. Because the templates are checked only against the executions that were observed, a reported invariant is guaranteed to hold on those runs only; it may not hold for inputs the test suite never exercised.

Symbolic execution

Introduced in "Symbolic Execution and Program Testing" (James C. King, 1976): the analysis of programs by tracking symbolic rather than actual values.

Path condition (pc): the conjunction of the branch conditions taken along a program path, expressed over the symbolic inputs. It is a precondition for that path: every concrete input that satisfies pc drives the program down the same path.

Simple example:

y = read()
y = 2 * y
if (y == 12)
    fails()
print("OK")

With read() introducing the symbolic input y0, y holds 2*y0 at the branch. The path condition for reaching fails() is 2*y0 == 12, i.e. y0 == 6; the path condition for reaching print("OK") is 2*y0 != 12.
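As an added example (not code from the slides, from Pex or from the DySy paper), the executor below runs the program above symbolically: it forks at the branch, builds a path condition per path, and solves each path condition for a concrete input, which is what a test generator such as Pex does with the path condition. It generalizes the slide's case to any straight-line program with equality branches over linear expressions; the instruction encoding, the name in0 for the first symbolic input and the brute-force solver are assumptions of this example.

```python
"""Added example (not from Pex or the DySy paper): a toy symbolic executor.

The program is a list of instructions; values are linear expressions over the
symbolic inputs, stored as {input_name: coefficient, 1: constant}. At every
branch the executor forks, extending the path condition (pc) with the guard
on one side and its negation on the other. A path condition is then solved
for a concrete input by a small brute-force search (assumption: inputs are
small integers; a real engine hands pc to an SMT solver instead).
"""
import itertools


def lin(const=0, **coeffs):
    """lin(3, in0=2) means 2*in0 + 3."""
    e = {1: const}
    e.update(coeffs)
    return e


def scale(e, k):
    return {v: c * k for v, c in e.items()}


def render(e):
    terms = [f"{c}*{v}" for v, c in e.items() if v != 1 and c]
    if e.get(1, 0) or not terms:
        terms.append(str(e.get(1, 0)))
    return " + ".join(terms)


def render_pc(pc):
    return " && ".join(f"{render(e)} {op} {value}" for e, op, value in pc) or "true"


# The slide's program. `if_eq` ends the path with `action` when the guard holds.
PROGRAM = [
    ("read", "y"),                  # y = read()
    ("mul", "y", 2),                # y = 2 * y
    ("if_eq", "y", 12, "fails()"),  # if (y == 12) fails()
    ("print", "OK"),                # print("OK")
]


def symbolic_execute(program):
    """Explore every path. Returns a list of (pc, outcome); pc is a list of
    (expr, op, value) triples with op '==' or '!='."""
    finished, work = [], [(0, {}, [], 0)]   # (ip, env, pc, inputs_so_far)
    while work:
        ip, env, pc, n = work.pop()
        if ip == len(program):
            finished.append((pc, "end"))
            continue
        op, *args = program[ip]
        if op == "read":                      # fresh symbolic input in<n>
            work.append((ip + 1, {**env, args[0]: lin(**{f"in{n}": 1})}, pc, n + 1))
        elif op == "mul":
            work.append((ip + 1, {**env, args[0]: scale(env[args[0]], args[1])}, pc, n))
        elif op == "if_eq":
            var, value, action = args
            finished.append((pc + [(env[var], "==", value)], action))       # taken
            work.append((ip + 1, env, pc + [(env[var], "!=", value)], n))   # not taken
        elif op == "print":
            finished.append((pc, f'print("{args[0]}")'))
    return finished


def evaluate(e, assignment):
    return e.get(1, 0) + sum(c * assignment[v] for v, c in e.items() if v != 1)


def find_input(pc, search=range(-16, 17)):
    """Brute-force a concrete assignment satisfying pc, or None if none found."""
    names = sorted({v for e, _, _ in pc for v in e if v != 1})
    for values in itertools.product(search, repeat=len(names)):
        a = dict(zip(names, values))
        if all((evaluate(e, a) == value) == (op == "==") for e, op, value in pc):
            return a
    return None


def explore(program=PROGRAM):
    """Map each outcome to its path condition text and one concrete input."""
    return {outcome: (render_pc(pc), find_input(pc))
            for pc, outcome in symbolic_execute(program)}
```

explore() reports "2*in0 == 12" with the input in0 = 6 for the fails() path and "2*in0 != 12" with any other small integer for the print("OK") path; a path condition with no integer solution (for instance 2*in0 + 1 == 12) yields None, which is how an infeasible path shows up.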

Pex

A dynamic analysis and test generation framework for .NET, developed by the Foundations of Software Engineering group at Microsoft Research.

Relation between DySy and Pex: Pex provides a monitoring framework, a shadow interpreter that runs alongside the program and maintains its symbolic state; DySy is built on top of that framework.

Overview
1. Basic idea
2. Implementation details
3. Abstraction for loops

Basic idea
1. For one test case (one monitored execution of a method): take the path condition pc as the precondition, and the implication pc ==> (\result == the returned value, expressed over the method's inputs) as the postcondition.
2. Repeat 1 for all test cases.
3. Combine all preconditions by disjunction, and all postconditions by conjunction.

Example:

public Object top() {
    if (Empty) return null;
    return theArray[topOfStack];
}

Two test cases (the bounds conjuncts of the second come from the array access theArray[topOfStack]):
1. Empty == true
2. Empty == false && topOfStack >= 0 && topOfStack < theArray.Length

Example (2)
Combined precondition:
Empty == true || (Empty == false && topOfStack >= 0 && topOfStack < theArray.Length)

Combined postcondition:
(Empty == true ==> \result == null) && ((Empty == false && topOfStack >= 0 && topOfStack < theArray.Length) ==> \result == theArray[topOfStack])

Implementation details
1. Usage of Pex
2. Handling nested method calls
3. Abstraction for loops

Usage of Pex

For the duration of each method call, DySy registers a separate interpreter with Pex's monitoring framework, so the symbolic state of each call is tracked on its own.

Nested calls

DySy builds a set of quadruples (method, pathCondition, result, finalState) to represent methods as it monitors the program; every monitored call, including a nested one, contributes a quadruple for its own method.

Abstraction for Loops

Traditional method: record the branch conditions of every loop iteration in the path condition. This is precise but useless in practice: the path condition grows with the number of iterations, each iteration count yields a distinct path, and the overhead is heavy.

Heuristic method used by DySy:
1. Loop variables are treated as inputs, i.e. as fresh symbols (written $i below).
2. Loop conditions are ignored, except for the case in which the loop body is not entered at all.
3. Only the latest value of each loop variable is recorded.

Example

public int linSearch(int ele, int[] arr) {
    if (arr == null) throw new ArgumentException();
    for (int i = 0; i < arr.Length; i++) {
        if (ele == arr[i]) return i;
    }
    return -1;
}

Program state (the loop variable i is abstracted to the symbol $i; the two disjuncts are the not-found and found paths):

arr != null && (
    $i < arr.Length && !(ele == arr[$i]) && $i >= 0
 || $i < arr.Length && ele == arr[$i] && $i >= 0 )

Simplified program state (the two implications are combined by conjunction, as on the Basic idea slide):

(!(ele == arr[$i]) ==> \result == -1) && (ele == arr[$i] ==> \result == $i)
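As an added example (not DySy's or Pex's code), the Python below implements the combination rule of the Basic idea slide on the per-path facts of top() and applies the same rule to linSearch with the loop abstracted as above, then checks the inferred contract against concrete runs. The Pred and Path types, the omission of finalState from the quadruple, and the reading of $i as the value of i in the last executed iteration of the loop body are assumptions of this example.

```python
"""Added example (not from the DySy paper): combine per-path facts into a
method contract and evaluate it on concrete states.

A Pred pairs the text DySy would print with a Python predicate over a
concrete state dict, so a contract can be both rendered and checked. Paths
are (method, pathCondition, result); finalState is omitted (assumption). The
key "$i" models the abstracted loop variable: the value of i in the last
executed iteration of the loop body (our reading of the slide).
"""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Pred:
    text: str
    holds: Callable[[dict], bool]


@dataclass(frozen=True)
class Path:
    method: str
    path_condition: Tuple[Pred, ...]   # conjuncts collected on one execution
    result: Pred                       # how \result relates to the inputs


def conj(preds):
    return " && ".join(p.text for p in preds)


def precondition(paths):
    """Disjunction of the path conditions of all observed paths."""
    return " || ".join(f"({conj(p.path_condition)})" for p in paths)


def postcondition(paths):
    """Conjunction of (pathCondition ==> result) over all observed paths."""
    return " && ".join(f"({conj(p.path_condition)} ==> {p.result.text})" for p in paths)


def contract_holds(paths, state):
    """Evaluate the inferred (pre, post) on a concrete state containing the
    inputs, the abstracted loop variable if any, and 'result'."""
    taken = [all(c.holds(state) for c in p.path_condition) for p in paths]
    pre = any(taken)
    post = all(not t or p.result.holds(state) for t, p in zip(taken, paths))
    return pre, post


# Paths of top() from the slides: empty stack, and non-empty with topOfStack in range.
TOP_PATHS = [
    Path("top",
         (Pred("Empty == true", lambda s: s["Empty"]),),
         Pred("\\result == null", lambda s: s["result"] is None)),
    Path("top",
         (Pred("Empty == false", lambda s: not s["Empty"]),
          Pred("topOfStack >= 0", lambda s: s["topOfStack"] >= 0),
          Pred("topOfStack < theArray.Length", lambda s: s["topOfStack"] < len(s["theArray"]))),
         Pred("\\result == theArray[topOfStack]",
              lambda s: s["result"] == s["theArray"][s["topOfStack"]])),
]

# Paths of linSearch with the loop abstracted: i becomes the symbol $i. "$i" is
# None when the body never ran, so these conjuncts fail without indexing arr.
_COMMON = (Pred("arr != null", lambda s: s["arr"] is not None),
           Pred("$i >= 0", lambda s: s["$i"] is not None and s["$i"] >= 0),
           Pred("$i < arr.Length", lambda s: s["$i"] < len(s["arr"])))
LINSEARCH_PATHS = [
    Path("linSearch",
         _COMMON + (Pred("ele == arr[$i]", lambda s: s["ele"] == s["arr"][s["$i"]]),),
         Pred("\\result == $i", lambda s: s["result"] == s["$i"])),
    Path("linSearch",
         _COMMON + (Pred("!(ele == arr[$i])", lambda s: s["ele"] != s["arr"][s["$i"]]),),
         Pred("\\result == -1", lambda s: s["result"] == -1)),
]


def lin_search(ele, arr):
    """Concrete linSearch from the slide; also returns the latest body value of i."""
    if arr is None:
        raise ValueError("arr == null")
    last_i = None
    for i in range(len(arr)):
        last_i = i
        if ele == arr[i]:
            return i, last_i
    return -1, last_i


def check_lin_search(ele, arr):
    """Run linSearch concretely and evaluate the inferred contract on that run."""
    result, last_i = lin_search(ele, arr)
    state = {"ele": ele, "arr": arr, "$i": last_i, "result": result}
    return contract_holds(LINSEARCH_PATHS, state)
```

precondition(TOP_PATHS) renders the combined precondition of the top() slide, and contract_holds returns (True, False) when a run satisfies a recorded path condition but returns something other than the recorded result. The empty-array run of check_lin_search shows the limit of the loop heuristic: the body is never entered, neither recorded path applies, and the inferred precondition does not cover that input, so a monitored run with an empty array would have to contribute its own path.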

Evaluation

Test code: StackAr, an example program originally by Weiss.
Overhead: DySy 28 seconds, Daikon 9 seconds.

Thank you!