RWset: Attacking Path Explosion in Constraint-Based Test Generation

Recent work has used variations of symbolic execution to automatically generate high-coverage test inputs [3, 4, 7, 8, 14]. Such tools have demonstrated their ability to find very subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in checked code. This paper presents a new technique for reducing the number of traversed code paths by discarding those that must have side-effects identical to some previously explored path. Our results on a mix of open source applications and device drivers show that this (sound) optimization reduces the number of paths traversed by several orders of magnitude, often achieving program coverage far out of reach for a standard constraint-based execution system.
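The pruning idea from the abstract, as an added toy example (not code from the paper): it enumerates branch choices explicitly instead of using a constraint solver, and it assumes a path can be discarded when, at the same program point, every variable still read later holds the same value as in a previously explored state. The toy program and the names `PROGRAM`, `live_sets` and `explore` are constructed for illustration.

```python
# Toy program (constructed): "set" means `if <fresh input bit>: var = val`,
# "use" means the program reads var (an observable effect).
PROGRAM = [("set", "tmp", 1), ("use", "tmp"), ("set", "tmp", 2),
           ("set", "mode", 1), ("set", "tmp", 3), ("set", "dbg", 1),
           ("use", "mode")]

def live_sets(program):
    """live[pc] = variables read at statement pc or at any later statement."""
    live, acc = [set()] * (len(program) + 1), set()
    for pc in range(len(program) - 1, -1, -1):
        if program[pc][0] == "use":
            acc = acc | {program[pc][1]}
        live[pc] = acc
    return live

def explore(program, prune):
    """Enumerate paths depth-first; return (completed paths, observed reads)."""
    live, seen, observed, completed = live_sets(program), set(), set(), 0
    stack = [(0, {})]
    while stack:
        pc, state = stack.pop()
        if pc == len(program):
            completed += 1
            continue
        if prune:
            # Assumption of this example: two states that agree on every
            # variable still read later must behave identically from here on.
            key = (pc, tuple(sorted((v, state.get(v, 0)) for v in live[pc])))
            if key in seen:
                continue  # suffix already explored from an equivalent state
            seen.add(key)
        stmt = program[pc]
        if stmt[0] == "use":
            observed.add((pc, state.get(stmt[1], 0)))
            stack.append((pc + 1, state))
        else:
            stack.append((pc + 1, state))                        # branch not taken
            stack.append((pc + 1, {**state, stmt[1]: stmt[2]}))  # branch taken
    return completed, observed

if __name__ == "__main__":
    print("naive :", explore(PROGRAM, prune=False)[0], "paths")
    print("pruned:", explore(PROGRAM, prune=True)[0], "paths")
```

Both runs observe the same set of values at every read, which is what makes the pruning sound in this toy setting; only the number of completed paths differs.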

[1] Koushik Sen, et al. DART: directed automated random testing, 2005, PLDI '05.

[2] Patrice Godefroid, et al. Compositional dynamic test generation, 2007, POPL '07.

[3] 梅村 恭司. Andrew S. Tanenbaum (author), "Operating systems, Design and implementation", PRENTICE-HALL, INC., Englewood Cliffs, B5 variant format, 719 pp., ¥4,120, 1988.

[4] Dawson R. Engler, et al. Execution Generated Test Cases: How to Make Systems Code Crash Itself, 2005, SPIN.

[5] Sriram K. Rajamani, et al. Bebop: A Symbolic Model Checker for Boolean Programs, 2000, SPIN.

[6] Rupak Majumdar, et al. Hybrid Concolic Testing, 2007, 29th International Conference on Software Engineering (ICSE'07).

[7] Andrew S. Tanenbaum, et al. Operating systems - design and implementation, 3rd Edition, 2005.

[8] Koushik Sen, et al. CUTE: a concolic unit testing engine for C, 2005, ESEC/FSE-13.

[9] Gerard J. Holzmann, et al. The Engineering of a Model Checker: The Gnu i-Protocol Case Study Revisited, 1999, SPIN.

[10] Klaus Havelund, et al. SPIN Model Checking and Software Verification, 2000, Lecture Notes in Computer Science.

[11] Jorrit N. Herder, et al. TOWARDS A TRUE MICROKERNEL OPERATING SYSTEM A revision of MINIX that brings quality enhancements and strongly reduces the kernel in size by moving device drivers to user-space, 2005.

[12] Andrew S. Tanenbaum, et al. Operating systems: design and implementation, 1987, Prentice-Hall software series.

[13] George J. Milne, et al. Correct Hardware Design and Verification Methods, 2003, Lecture Notes in Computer Science.

[14] Dawson R. Engler, et al. EXE: automatically generating inputs of death, 2006, CCS '06.

[15] Andreas Podelski, et al. ACSAR: Software Model Checking with Transfinite Refinement, 2007, SPIN.

[16] David L. Dill, et al. A Decision Procedure for Bit-Vectors and Arrays, 2007, CAV.

[17] Patrice Godefroid, et al. Partial-Order Methods for the Verification of Concurrent Systems, 1996, Lecture Notes in Computer Science.

[18] Robert S. Hanmer, et al. Systematic software testing using VeriSoft — An analysis of the 4ESS™ heart-beat monitor, 1998, Bell Labs Technical Journal.

[19] Michael Jones, et al. A dead variable analysis for explicit model checking, 2006, PEPM '06.

[20] Junfeng Yang, et al. Using model checking to find serious file system errors, 2004, TOCS.

[21] Brian N. Bershad, et al. Recovering Device Drivers (Awarded Best Paper!), 2004, OSDI.

[22] Sriram K. Rajamani, et al. Thorough static analysis of device drivers, 2006, EuroSys.

[23] Dawson R. Engler, et al. A system and language for building system-specific, static analyses, 2002, PLDI '02.

[24] David L. Dill, et al. Improved probabilistic verification by hash compaction, 1995, CHARME.

[25] Brian N. Bershad, et al. Recovering device drivers, 2004, TOCS.