Dynamic Symbolic Execution Guided by Data Dependency Analysis for High Structural Coverage

Dynamic symbolic execution has been shown to be an effective technique for automated test input generation. When applied to large-scale and complex programs, however, its scalability is limited by the combinatorial explosion of the path space. We propose to take advantage of data flow analysis to better perform dynamic symbolic execution in the context of generating test inputs for maximum structural coverage. In particular, we use the chaining mechanism to (1) extract precise guidance that directs dynamic symbolic execution towards exploring uncovered code elements and (2) at the same time significantly optimize the path exploration process. Preliminary experiments conducted to evaluate the performance of the proposed approach have shown very encouraging results.
