Concolic Testing of Multithreaded Programs and Its Application to Testing Security Protocols

Testing concurrent programs that accept data inputs is notoriously hard because, besides the large number of possible data inputs, nondeterminism results in an exponentially large number of interleavings of concurrent events. We propose a novel testing algorithm for concurrent programs in which our goal is not only to execute all reachable statements of a program, but also to detect all possible data races and deadlock states. The algorithm uses a combination of symbolic and concrete execution (called concolic execution) to explore all distinct causal structures (or partial order relations among events generated during execution) of a concurrent program. The idea of concolic testing is to use the symbolic execution to generate inputs that direct a program to alternate paths, and to use the concrete execution to guide the symbolic execution along a concrete path. Our algorithm uses the concrete execution to compute the exact race conditions between the events of an execution at runtime. Subsequently, we systematically re-order or permute the events involved in these races by generating new thread schedules as well as new test inputs. This way we explore at least one representative from each partial order. We describe jCUTE, a tool implementing the testing algorithm together with the results of applying jCUTE to real-world multithreaded Java applications and libraries. In one of our case studies, we discovered several undocumented potential concurrency-related bugs in the widely used Java collection framework distributed with Sun Microsystems' JDK 1.4.
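Added example, not the paper's jCUTE implementation: a toy model of the race-then-permute loop the abstract describes, in which each run's racing event pairs are found with a vector-clock happens-before check and every race is flipped into a new schedule prefix until no new prefix appears. Threads are lists of read/write/acquire/release events; the event encoding, clock bookkeeping and flipping rule are my assumptions, and the model covers data races only, not lock-order races or symbolic data inputs.

```python
# Added toy model, not jCUTE's code: the vector clocks, race check and flip are mine.
# Constructed sample: T1, T2 update x under lock L; T3 writes x with no lock (races).
LOCKED = [('acq', 'L'), ('r', 'x'), ('w', 'x'), ('rel', 'L')]
PROGRAM = {1: LOCKED, 2: LOCKED, 3: [('w', 'x')]}

def execute(program, prefix):
    # program = {tid: [(op, obj)]}, op in r/w/acq/rel; prefix tids are forced first.
    pc = {t: 0 for t in program}
    clock = {t: dict.fromkeys(program, 0) for t in program}
    last_rel, held, events, schedule = {}, {}, [], []
    runnable = lambda t: pc[t] < len(program[t]) and not (
        program[t][pc[t]][0] == 'acq' and program[t][pc[t]][1] in held)
    while (cands := [t for t in program if runnable(t)]):
        t = next((p for p in prefix[len(schedule):][:1] if p in cands), cands[0])
        op, obj = program[t][pc[t]]
        pc[t] += 1
        clock[t][t] += 1
        if op == 'acq':                    # join the last releaser's clock
            held[obj] = t
            for u, v in last_rel.get(obj, {}).items():
                clock[t][u] = max(clock[t][u], v)
        elif op == 'rel':
            del held[obj]
            last_rel[obj] = dict(clock[t])
        events.append((t, op, obj, dict(clock[t])))   # event with its clock
        schedule.append(t)
    return events, schedule                # unfinished threads here = deadlock

def races(events):
    # (j, k): conflicting accesses of different threads not ordered by happens-before.
    return [(j, k) for k, (tk, opk, ok, ck) in enumerate(events)
            for j, (tj, opj, oj, cj) in enumerate(events[:k])
            if tj != tk and oj == ok and 'w' in (opj, opk)
            and {opj, opk} <= {'r', 'w'} and ck[tj] < cj[tj]]

def flip(events, schedule, j, k):
    # Schedule prefix that runs e_k's thread up to and including e_k before e_j.
    tk = events[k][0]
    return tuple(schedule[:j]) + (tk,) * sum(e[0] == tk for e in events[j:k + 1])

def explore(program):
    # Run, compute races, permute each, repeat; returns the access orders seen.
    orders, seen, stack = set(), set(), [()]
    while stack:
        events, schedule = execute(program, stack.pop())
        orders.add(tuple(e[:3] for e in events if e[1] in {'r', 'w'}))
        new = {flip(events, schedule, j, k) for j, k in races(events)} - seen
        seen |= new
        stack.extend(new)
    return orders
```

On the sample, exploration reaches the five orders in which T3's unlocked write can fall among the four locked accesses, while T2 is never permuted before T1, since the lock orders them and no race drives that schedule.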
