zhang01

Heuristics for Scalable Dynamic Test Generation

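Main idea of the paper: it proposes a search strategy that uses the static structure of the program to guide dynamic testing; we call this structure the CFG (control flow graph).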

1. CONCOLIC SEARCH STRATEGIES

The algorithms are illustrated with an example; the example program is shown in the figure below.

A. Bounded Depth-First Search.

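(1) Suppose we start with the input x = 0, y = 0, which produces the execution path P0 = l0, l2, l3, l9, l13, l14, l4. This path passes through two conditional statements, and its path constraint is x ≤ y ∧ x != 4.

(2) Depth-first search (DFS) changes the path constraint to x > y, so that the first branch goes from l2 to l1, producing an input such as x = 1, y = 0. Running with this input produces the execution path P1 = l0, l1, l5, l7, l8, l3, l9, l13, l14, l4, with path constraints x > y ∧ y ≤ 0 ∧ x != 4.

(3) DFS recurses on P1. Solving the constraint x > y ∧ y > 0 may produce the input x = 2, y = 1. This input produces the execution path P2 = l0, l1, l5, l6, a branch that reaches l6: ABORT.

(4) DFS recurses on P2, but there are no further paths to traverse, so this second recursive call returns immediately.

(5) DFS continues processing P1, forcing the branch from l13 to l10 and thereby entering a new branch statement. DFS keeps recursing until the target path is produced.

The search stops when all program paths have been traversed or, given a threshold d, when d reachable paths have been traversed.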

B. Control-Flow Directed Search.

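First, we build a control flow graph (CFG) for each function, giving weight 1 to the edges from a conditional statement to its branches and weight 0 to all other edges. The control flow graph (CFG) of the example program is as follows:

Additionally, we add a zero-weight edge from each call site to the called function: (l1, l5), (l3, l9), and (l15, l5).

Given an execution of the test program, CfgDirectedSearch tries to make the program execute along the branch with the shortest distance (the distance to the target or to an uncovered branch), steering the search directly toward the target branch. For example:

As shown in the figure above, if branch l11 has not been covered, we assign distance 0 to the branch to l11, distance 1 to the branch to l10, distance 2 to l1 and l2, and infinite distance to l6, l7, l12, and l13. The result is shown in the figure below: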

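Given the distances in the figure above, running the input x = 1, y = 0 produces the execution path P0 = l0, l1, l5, l7, l8, l3, l9, l13, l14, l4 with path constraints x > y ∧ y ≤ 0 ∧ x != 4. The CFG-directed search forces the branch from l13 to l10, because l10 has a smaller distance value. Solving x > y ∧ y ≤ 0 ∧ x = 4 yields e.g. x = 4, y = 0 and P1 = l0, l1, l5, l7, l8, l3, l9, l10, l12, l14 with path constraints x > y ∧ y ≤ 0 ∧ x = 4 ∧ −2y ≤ 9.

The CFG-directed search then forces the branch from l12 to l11, because its distance is zero. Solving x > y ∧ y ≤ 0 ∧ x = 4 ∧ −2y > 9 yields e.g. x = 4, y = −5, which drives the program to ABORT at l11.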
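The distance assignment and branch choice walked through above, as an added Python example that is not code from the paper or from this post. The CFG edges are reconstructed from the paths and call-site edges listed on the page because the figure is missing; the fall-through edges l1 → l3 and l3 → l4 and the names `branch_distances` and `branch_to_force` are assumptions.

```python
import math
from collections import deque

# CFG reconstructed from the paths and call edges on the page (figure missing).
# Assumption: a call site also falls through inside its own function
# (l1 -> l3, l3 -> l4); function returns are not modelled as edges.
BRANCH_EDGES = {  # conditional -> its two branches, weight 1
    "l0": ("l1", "l2"), "l5": ("l6", "l7"),
    "l9": ("l10", "l13"), "l10": ("l11", "l12"),
}
ZERO_EDGES = [  # every other edge, weight 0
    ("l1", "l3"), ("l2", "l3"), ("l3", "l4"), ("l7", "l8"),
    ("l12", "l14"), ("l13", "l14"),
    ("l1", "l5"), ("l3", "l9"), ("l15", "l5"),  # call-site edges
]
P0 = ["l0", "l1", "l5", "l7", "l8", "l3", "l9", "l13", "l14", "l4"]
P1 = ["l0", "l1", "l5", "l7", "l8", "l3", "l9", "l10", "l12", "l14"]

def branch_distances(target):
    """0-1 BFS over reversed edges: fewest branch edges from a node to target."""
    rev = {}
    for cond, branches in BRANCH_EDGES.items():
        for b in branches:
            rev.setdefault(b, []).append((cond, 1))
    for src, dst in ZERO_EDGES:
        rev.setdefault(dst, []).append((src, 0))
    dist, queue = {target: 0}, deque([target])
    while queue:
        node = queue.popleft()
        for pred, w in rev.get(node, []):
            if dist[node] + w < dist.get(pred, math.inf):
                dist[pred] = dist[node] + w
                (queue.append if w else queue.appendleft)(pred)
    return dist  # nodes absent from the result have infinite distance

def branch_to_force(path, target):
    """Return (branch, distance) for the closest not-taken branch along path."""
    dist, best = branch_distances(target), None
    for cond, taken in zip(path, path[1:]):
        if taken in BRANCH_EDGES.get(cond, ()):
            a, b = BRANCH_EDGES[cond]
            other = b if taken == a else a
            d = dist.get(other, math.inf)
            if d < math.inf and (best is None or d < best[1]):
                best = (other, d)
    return best

if __name__ == "__main__":
    print(branch_distances("l11"))
    print(branch_to_force(P0, "l11"), branch_to_force(P1, "l11"))
```

Branches with infinite distance (l6, l7, l12, l13) are simply missing from the returned map, which is why the search never picks them as a flip candidate.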

The CFG-directed search is greedy and may skip some branches in main() and f(). In practice, however, the search may drive execution through a branch l with some distance d, but then find that none of the paths from l to a target branch are feasible. We need mechanisms both for revising our distances for branches (i.e. heuristically updating our local estimates for how hard it is to reach a target branch) and for backtracking or restarting the search. These details can be found in the technical report.

C. Uniform Random Search.

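Random testing, which is widely used, is based on random inputs; the Uniform Random Search proposed in the paper is based on random paths. Given some paths P, the UniformRandomSearch strategy traverses these paths such that each path is traversed with probability 0.5.

For example: suppose the initial path is P0 = l0, l2, l3, l9, l13, l14, l4, with the corresponding input x = 0, y = 0. First consider the first branch l2 and flip a coin: if it comes up heads, execution is forced from l2 to l1. Suppose it is heads; solving the path constraints yields e.g. x = 1, y = 0 and the new path P1 = l0, l1, l5, l7, l8, l3, l9, l13, l14, l4.

The search moves on to the second branch l7 (of P1). Suppose the coin is tails, and the coin for the third branch l13 is heads. Solving the path constraints yields e.g. x = 4, y = 0 and a new path P2 through l10: P2 = l0, l1, l5, l7, l8, l3, l9, l10, l12, l14. Finally, suppose the coin for the last branch l12 is tails.

As can be seen, UniformRandomSearch will produce some particular execution with L feasible branches with probability 2^(−L), running the solver and test program an expected L/2 times.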

D. Random Branch Search.

In this strategy, RandomBranchSearch, we simply pick one of the branches along the current path at random, and then force the execution to take the branch. The strategy just repeats this step over and over, possibly with random restarts, taking some random walk through the path space.

2. Conclusion:

We believe that a combination of static and dynamic analyses can help automated test generation to achieve significant branch coverage on large software systems. Our experimental results suggest that sophisticated search strategies, particularly those driven by static information such as a program's control flow graph, can enable concolic execution to achieve greater coverage on larger, real-world programs.

posted on 2011-11-18 11:35  zhanghs