Quantitative Analysis of Exploration Schedules for Symbolic Execution / Kvantitativ analys av utforskningsscheman för Symbolisk Exekvering

Kaiser, Christoph

January 2017

Due to complexity in software, manual testing is not enough to cover all relevant behaviours of it. A different approach to this problem is Symbolic Execution. Symbolic Execution is a software testing technique that tests all possible inputs of a program in the hopes of finding all bugs. Due to the often exponential increase in possible program paths, Symbolic Execution usually cannot exhaustively test a program. To nevertheless cover the most important or error prone areas of a program, search strategies that prioritize these areas are used. Such search strategies navigate the program execution tree, analysing which paths seem interesting enough to execute and which to prune. These strategies are typically grouped into two categories, general purpose searchers, with no specific target but the aim to cover the whole program and targeted searchers which can be directed towards specific areas of interest. To analyse how different searching strategies in Symbolic Execution affect the finding of errors and how they can be combined to improve the general outcome, the experiments conducted consist of several different searchers and combinations of them, each run on the same set of test targets. This set of test targets contains amongst others one of the most heavily tested sets of open source tools, the GNU Coreutils. With these, the different strategies are compared in distinct categories like the total number of errors found or the percentage of covered code. With the results from this thesis the potential of targeted searchers is shown, with an example implementation of the Pathscore-Relevance strategy. Further, the results obtained from the conducted experiments endorse the use of combinations of search strategies. It is also shown that, even simple combinations of strategies can be highly effective. For example, interleaving strategies can provide good results even if the underlying searchers might not perform well by themselves. / På grund av programvarukomplexitet är manuell testning inte tillräcklig för att täcka alla relevanta beteenden av programvaror. Ett annat tillvägagångssätt till detta problem är Symbolisk Exekvering (Symbolic Execution). Symbolisk Exekvering är en mjukvarutestningsteknik som testar alla möjliga inmatningari ett program i hopp om att hitta alla buggar. På grund av den ofta exponentiella ökningeni möjliga programsökvägar kan Symbolisk Exekvering vanligen inte uttömmande testa ettprogram. För att ändå täcka de viktigaste eller felbenägna områdena i ett program, används sökstrategier som prioriterar dessa områden. Sådana sökstrategier navigerar i programexekveringsträdet genom att analysera vilka sökvägar som verkar intressanta nog att utföra och vilka att beskära. Dessa strategier grupperas vanligtvis i två kategorier, sökare med allmänt syfte, utan något specifikt mål förutom att täcka hela programmet, och riktade sökare som kan riktas mot specifika intresseområden. För att analysera hur olika sökstrategier i Symbolisk Exekvering påverkar upptäckandetav fel och hur de kan kombineras för att förbättra det allmänna utfallet, bestod de experimentsom utfördes av flera olika sökare och kombinationer av dem, som alla kördes på samma uppsättning av testmål. Denna uppsättning av testmål innehöll bland annat en av de mest testade uppsättningarna av öppen källkod-verktyg, GNU Coreutils. Med dessa jämfördes de olika strategierna i distinkta kategorier såsom det totala antalet fel som hittats eller procenttalet av täckt kod. Med resultaten från denna avhandling visas potentialen hos riktade sökare, med ett exempeli form av implementeringen av Pathscore-Relevance strategin. Vidare stöder resultaten som erhållits från de utförda experimenten användningen av sökstrategikombinationer. Det visas också att även enkla kombinationer av strategier kan vara mycket effektiva.Interleaving-strategier kan till exempel ge bra resultat även om de underliggande sökarna kanske inte fungerar bra själva.

symbolic execution

bug finding

test case generation

Computer Sciences

Datavetenskap (datalogi)

Estudo, definição e implementação de um sistema de recomendação para priorizar os avisos gerados por ferramentas de análise estática / Study, definition and implementation a recommendation system to prioritize warnings generated by static analysis tools

Mendonça, Vinícius Rafael Lobo de

19 November 2014

Submitted by Luciana Ferreira (lucgeral@gmail.com) on 2015-03-24T14:51:12Z No. of bitstreams: 2 Dissertação - Vinícius Rafael Lobo de Mendonça - 2014.pdf: 4110263 bytes, checksum: 2e2be342a6c3301f64fa41a675b85ba9 (MD5) license_rdf: 23148 bytes, checksum: 9da0b6dfac957114c6a7714714b86306 (MD5) / Approved for entry into archive by Luciana Ferreira (lucgeral@gmail.com) on 2015-03-24T14:55:54Z (GMT) No. of bitstreams: 2 Dissertação - Vinícius Rafael Lobo de Mendonça - 2014.pdf: 4110263 bytes, checksum: 2e2be342a6c3301f64fa41a675b85ba9 (MD5) license_rdf: 23148 bytes, checksum: 9da0b6dfac957114c6a7714714b86306 (MD5) / Made available in DSpace on 2015-03-24T14:55:54Z (GMT). No. of bitstreams: 2 Dissertação - Vinícius Rafael Lobo de Mendonça - 2014.pdf: 4110263 bytes, checksum: 2e2be342a6c3301f64fa41a675b85ba9 (MD5) license_rdf: 23148 bytes, checksum: 9da0b6dfac957114c6a7714714b86306 (MD5) Previous issue date: 2014-11-19 / Recommendation systems try to guide the user carrying out a task providing him with useful information about it. Considering the context of software development, programs are ever increasing, making it difficult to carry out a detailed verification of warnings generated by automatic static analyzers. In this work, we propose a recommendation system, called WarningsFIX, which aims at helping developers on handling the high number of warnings reported by automatic static analyzers. The back end of this system is composed of seven open-source static analysis tools collecting data, which subsequently are used for visualizing information through TreeMaps. The intention is to combine the outcomes of different static analyzers such that WarningsFIX recommends the analysis of warnings with highest chance to be a true positive. Therefore, the information related to warnings are displayed in four levels of detail: program, package, class, and line. The nodes may be classified in the first three levels: amount of warnings, number of tools and suspicions rate. An exploratory study was carried out and the limitations, advantages and disadvantages of the proposed approach were discussed. / O Sistema de Recomendação apoia um usuário na realização de uma tarefa. Considerando o atual contexto do desenvolvimento de software, programas estão cada vez maiores, tornando difícil a realização de uma avaliação detalhada dos avisos gerados pelos analisadores estáticos. Nesse trabalho, propõe-se um sistema de recomendação, chamado WarningsFIX, que tem objetivo de ajudar os desenvolvedores manipular o alto nível dos avisos emitidos pelos analisadores estáticos. O back end desse sistema é composto de sete ferramentas de análise estática de código aberto para coleta de dados, que são visualizados por meio de TreeMap. O objetivo é combinar os resultados de diferentes analisadores estáticos, assim recomendar a análise de avisos com alta chance de ser verdadeiro positivo. Portanto, a informações relacionadas ao nó são visualizadas em quatro níveis de visualização: programa, pacote, classe e linha. Além disso, os nós podem ser classificados em três tipos: quantidade de avisos, quantidade de ferramentas e taxa de suspeição. Um estudo exploratório foi realizado e as limitações, vantagens e desvantagens da abordagem proposta foram discutidas.

Análise estática

Analisadores estáticos

Sistema de recomendação

Treemaps

Mineração de dados

Static Analysis

Bug finding tools

Recommendation systems

Treemaps

Data mining