ABSTRACT
We present CESI, an algorithm that combines exhaustive enumeration of test inputs from a structured domain with symbolic execution driven test generation. CESI is a hybrid of two predominant techniques: specification-based enumerative test generation (which exhaustively generates all possible inputs satisfying some constraint) and symbolic directed test generation (which explores program paths based on symbolic path constraint solving). We target programs whose valid inputs are determined by some context free grammar. We introduce symbolic grammars, where the original tokens are replaced with symbolic constants, that link enumerative grammar-based input generation with symbolic directed testing. Symbolic grammars abstract the concrete input syntax, thus reducing the set of input strings that must be enumerated exhaustively. For each enumerated input string, which may contain symbolic constants, symbolic execution based test generation instantiates the constants based on program execution paths. The "template" generated by enumerating valid strings reduces the burden on the symbolic execution to generate syntactically valid inputs and hence exercise interesting code paths. Together, symbolic grammars provide a link between exhaustive enumeration of valid inputs and execution-directed symbolic test generation. In preliminary experiments, CESI is better than if both enumerative and symbolic techniques are used alone.
- Cve-2003-0466. 2003.Google Scholar
- Cve-2006-5994. 2006.Google Scholar
- M. Berkelaar, J. Dirks, K. Eikland, and P. Notebaert. lp_solve 5.5.0.10. 2007.Google Scholar
- C. Boyapati, S. Khurshid, and D. Marinov. Korat: automated testing based on java predicates. In ISSTA, pages 123--133, 2002. Google ScholarDigital Library
- C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: automatically generating inputs of death. In ACM CCS, pages 322--335. ACM, 2006. Google ScholarDigital Library
- L. Clarke. A system to generate test data and symbolically execute programs. IEEE Trans. Software Eng., 2:215--222, 1976. Google ScholarDigital Library
- D. Coppit and J. Lian. yagg: an easy-to-use generator for structured test inputs. In ASE, pages 356--359. ACM, 2005. Google ScholarDigital Library
- P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In PLDI, pages 213--223. ACM, 2005. Google ScholarDigital Library
- J. B. Goodenough and S. L. Gerhart. Toward a theory of test data selection. IEEE Trans. Software Eng., 1(2):156--173, 1975.Google ScholarDigital Library
- S. C. Johnson. Yacc -- yet another compiler-compiler. Computer Science Tehnical Report, (32), 1975.Google Scholar
- S. Khurshid and D. Marinov. Testera: Specification-based testing of java programs using sat. Autom. Softw. Eng., 11(4):403--434, 2004. Google ScholarDigital Library
- J. C. King. Symbolic execution and program testing. Commun. ACM, 19(7):385--394, 1976. Google ScholarDigital Library
- R. Lämmel and W. Schulte. Controllable combinatorial coverage in grammar-based testing. In TestCom, volume 3964 of Lecture Notes in Computer Science, pages 19--38. Springer, 2006. Google ScholarDigital Library
- M. E. Lesk and E. Schmidt. Lex -- a lexical analyser generator. Computer Science Tehnical Report, (39), 1975.Google Scholar
- P. M. Maurer. Generating test data with enhanced context-free grammars. IEEE Software, 7(4):50--55, 1990. Google ScholarDigital Library
- K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. In ESEC/SIGSOFT FSE, pages 263--272. ACM, 2005. Google ScholarDigital Library
- W. Visser, C. S. Pasareanu, and S. Khurshid. Test input generation with java pathfinder. In ISSTA, pages 97--107. ACM, 2004. Google ScholarDigital Library
Index Terms
- Directed test generation using symbolic grammars
Recommendations
Directed test generation using symbolic grammars
ASE '07: Proceedings of the 22nd IEEE/ACM International Conference on Automated Software EngineeringWe present CESE, a tool that combines exhaustive enumeration of test inputs from a structured domain with symbolic execution driven test generation. We target programs whose valid inputs are determined by some context free grammar. We abstract the ...
Directed test generation using symbolic grammars
ESEC-FSE '07: Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineeringWe present CESI, an algorithm that combines exhaustive enumeration of test inputs from a structured domain with symbolic execution driven test generation. We target programs whose valid inputs are determined by some context free grammar. We introduce ...
Concolic testing
ASE '07: Proceedings of the 22nd IEEE/ACM International Conference on Automated Software EngineeringConcolic testing automates test input generation by combining the concrete and symbolic (concolic) execution of the code under test. Traditional test input generation techniques use either (1) concrete execution or (2) symbolic execution that builds ...
Comments