A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich

More documents

Recommendations

Info

CHAPTER 15. AUTOMATED TEST GENERATION 128 approximation may prevent the SMT solver from producing a new path through the code, but strategies for achieving high coverage exist in this case, and are implemented by the above mentioned tools. To handle function calls, the mapping of actual parameters to formal parameters is handled like assignments. To handle function return values, a call is made so that the value can be remembered by the runtime, and then assigned at the call site. A loop is wrapped around each call of an autotest function. This loop noties the runtime when an autotest function is completed. If the runtime is able to produce an input that may explore a new path, the autotest function is called again. Otherwise, the loop terminates. This loop is constructed in the makeTestLoop function by way of an interpreted constructor. 15.2.2 autotest Runtime The runtime library for this tutorial is divided into three parts. First, we maintain a symbolic memory that maps concrete addresses to expressions in terms of inputs. Second, at the end of an autotest function, we translate these expressions into expressions of the Yices SMT solver in order to obtain a path condition. Finally, we maintain a set of path conditions from which we may choose a path to modify for submission to Yices in the hope of obtaining inputs that will explore a new path. The source for the runtime library can be found in ciltut-lib/src/concolic. File names mentioned below are relative to this path. The le concolic exp.ml implements our internal expression representation. We dene our own type for expressions instead of translating directly to Yices expressions so that we leave open the possibility of using other SMT solvers in the future. The le concolic ctxt.ml implements the mapping from memory addresses to our symbolic expressions. It also maintains state for Yices, and includes a function yices of exp that translates our symbolic expressions into Yices expressions. In yices of exp the bit shifting operations are not translated into symbolic Yices expressions. This is because the Yices theory for bitvectors is only capable of reasoning about shifts by constant amounts. Therefore, yices of exp simply uses the concrete result of the operations. Finally, the le concolic paths.ml implements the path exploration algorithm. The global record pState maintains a list of already explored paths along with a list of conditions for the current path. It also maintains two mappings. The branchHT hash table maps branch identiers to the state of a branch. A branch identier is a combination of an id assigned at compile time to each conditional, and a count of the number of times a conditional has been executed on a single concrete run. The count is kept so that the possibly many executions of the same static conditional are not improperly conated by the path exploration algorithm. This is important, for example, so that each time a loop guard is executed, it is considered a dierent conditional. The state of a branch is either NeitherTaken, TrueTaken, FalseTaken, or BothTaken. The second hash table, branchCounts, keeps track of how many times a conditional has been executed, so that branch id's may be properly assigned. When a conditional is executed, its id is determined by checking its static id and looking it up in branchCounts. Then, the condition is appended to pathCond. When an autotest function ends, the expressions in pathCond are translated to Yices expressions, and the resulting path condition is appended to paths, and branchHT is updated. Then, paths is searched for a path condition having
CHAPTER 15. AUTOMATED TEST GENERATION 129 the property that ipping one of its conjuncts should cause Yices to generate a model that explores an unexplored branch, as recorded by branchHT. This search and conjunct ipping is carried out by the genNextPath function. If no such path is found, a value is returned indicating that the loop around the autotest function should terminate. If Yices does nd a model, the values are stored such that they may be requested in the autotest loop body, and stored in local variables so that they may be given as input in the next iteration. 15.3 test/tut15.c This le shows how the features in this tutorial can be used. It denes two functions, one that does arithmetic using its arguments, and another that does a string comparison. These two functions are annotated autotest so that the test generation runtime will execute them repeatedly until each conditional has had both branches taken. The string comparison function is annotated instrument so that it will be executed symbolically when called from an autotest function. # include ../test/tut15.c string compare has the behavior of strcmp. We include the code for it here explicitly so that it can be instrumented and explored by the test generation runtime when called from g below. On each iteration the conditionals are considered distict from the conditionals executed in previous iterations. The result is that input strings of various lengths will be generated until the SMT solver is no longer able to generate a model. ../test/tut15.c int (instrument string_compare)(char *a, char *b) { int i = 0; while (1) { if (a[i] > b[i]) return 1; if (a[i] < b[i]) return -1; if (a[i] == 0 && b[i] == 0) break; i++; } } return 0; The function f is annotated as an autotest function. The test generation runtime will take the given inputs from the text of the program and use them to generate the rst path through the function. For this function, the rst input is 0 for a and 0 for b. With this input the false branch of the conditional is taken. When the path condition is negated and passed to Yices, an a and b are returned such that (a * b) - (a + b) == 14862436.
Page 1 and 2:
A CIL Tutorial Using CIL for langua
Page 3 and 4:
Contents Preface 4 Introduction 5 0
Page 5 and 6:
CONTENTS 3 13 Whole-program Analysi
Page 7 and 8:
Introduction The C Intermediate Lan
Page 9 and 10:
References [1] clang: a C language
Page 11 and 12:
CHAPTER 0. OVERVIEW AND ORGANIZATIO
Page 13 and 14:
Chapter 1 The AST The Concrete Synt
Page 15 and 16:
CHAPTER 1. THE AST 13 1.2 Printing
Page 17 and 18:
References [1] Andrew W. Appel. Mod
Page 19 and 20:
CHAPTER 2. VISITING THE AST 17 open
Page 21 and 22:
CHAPTER 2. VISITING THE AST 19 $ ci
Page 23 and 24:
Chapter 3 Dataow Analysis Dataow An
Page 25 and 26:
CHAPTER 3. DATAFLOW ANALYSIS 23 Cod
Page 27 and 28:
CHAPTER 3. DATAFLOW ANALYSIS 25 let
Page 29 and 30:
CHAPTER 3. DATAFLOW ANALYSIS 27 and
Page 31 and 32:
CHAPTER 3. DATAFLOW ANALYSIS 29 let
Page 33 and 34:
CHAPTER 3. DATAFLOW ANALYSIS 31 DoC
Page 35 and 36:
CHAPTER 3. DATAFLOW ANALYSIS 33 tes
Page 37 and 38:
References [1] Aws Albarghouthi, Ra
Page 39 and 40:
CHAPTER 4. INSTRUMENTATION 37 type
Page 41 and 42:
CHAPTER 4. INSTRUMENTATION 39 metho
Page 43 and 44:
CHAPTER 4. INSTRUMENTATION 41 $ cil
Page 45 and 46:
CHAPTER 5. INTERPRETED CONSTRUCTORS
Page 47 and 48:
CHAPTER 5. INTERPRETED CONSTRUCTORS
Page 49 and 50:
Chapter 6 Overriding Functions When
Page 51 and 52:
CHAPTER 6. OVERRIDING FUNCTIONS 49
Page 53 and 54:
References [1] Kumar Avijit, Pratee
Page 55 and 56:
CHAPTER 7. TYPE QUALIFIERS 53 let c
Page 57 and 58:
CHAPTER 7. TYPE QUALIFIERS 55 let w
Page 59 and 60:
CHAPTER 7. TYPE QUALIFIERS 57 $ cil
Page 61 and 62:
Chapter 8 Dependant Type Qualiers O
Page 63 and 64:
CHAPTER 8. DEPENDANT TYPE QUALIFIER
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Chapter 9 Type Qualier Inference In
Page 75 and 76:
CHAPTER 9. TYPE QUALIFIER INFERENCE
Page 77 and 78:
CHAPTER 9. TYPE QUALIFIER INFERENCE
Page 79 and 80: CHAPTER 9. TYPE QUALIFIER INFERENCE
Page 81 and 82: CHAPTER 9. TYPE QUALIFIER INFERENCE
Page 83 and 84: Chapter 10 Adding a New Kind of Sta
Page 85 and 86: CHAPTER 10. ADDING A NEW KIND OF ST
Page 93 and 94: Chapter 11 Program Verication In th
Page 95 and 96: CHAPTER 11. PROGRAM VERIFICATION 93
Page 107 and 108: Chapter 12 Comments CIL has a very
Page 109 and 110: CHAPTER 12. COMMENTS 107 let printC
Page 111 and 112: References [1] Lin Tan, Ding Yuan,
Page 113 and 114: CHAPTER 13. WHOLE-PROGRAM ANALYSIS
Page 115 and 116: CHAPTER 13. WHOLE-PROGRAM ANALYSIS
Page 117 and 118: CHAPTER 14. IMPLEMENTING A SIMPLE D
Page 127 and 128: Chapter 15 Automated Test Generatio
Page 129: CHAPTER 15. AUTOMATED TEST GENERATI
Page 133 and 134: CHAPTER 15. AUTOMATED TEST GENERATI
Page 135 and 136: Index A (module), 10, 13, 15, 10, 1
Page 137 and 138: INDEX 135 isCacheReportType, 11, 11
show all

A CIL Tutorial - Department of Computer Science - ETH ZÃ¼rich

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?