tugraz
TU Graz
Quality Assurance in Software Development (Qualitätssicherung in der Softwareentwicklung)
A.o.Univ.-Prof. Dipl.-Ing. Dr. Bernhard Aichernig
Institut für Softwaretechnologie (IST), TU Graz
Summer Term 2019
B. Aichernig Quality Assurance in Software Development
1 / 45
Agenda
1 Symbolic Execution
2 Concolic Execution
Literature: Symbolic Execution
I James C. King. Symbolic Execution and Program Testing. Communications of the ACM, Volume 19, Issue 7, July 1976, Pages 385–394.
Symbolic Execution
I Instead of normal program inputs
I one supplies symbols representing arbitrary values.
I Execution proceeds like normal execution,
I except that values may be symbolic formulas over the input values.
I Interesting: symbolic execution of branching statements (e.g. if-statements)
I A technique between testing and formal proofs.
  I Testing: execution with some concrete input values
  I Proofs: no execution
Example: Sum

    int sum(int a, int b, int c)   // a = αa, b = αb, c = αc
    {
        int x, y, z;               // x = 0, y = 0, z = 0
        x = a + b;                 // x = αa + αb, y = 0, z = 0
        y = b + c;                 // x = αa + αb, y = αb + αc, z = 0
        z = x + y - b;             // x = αa + αb, y = αb + αc, z = αa + αb + αc
        return z;                  // return αa + αb + αc
    }

The symbolic computation shows (proves) that the method sum returns the sum of its three input values.
Example: Min

    int min(int x, int y)
    {
        int z;
        if (x < y)
            z = x;
        else
            z = y;
        return z;
    }
Path Condition
I Symbolic execution of if-statement requires path condition (pc).
I pc is a Boolean expression over symbolic inputs.
I pc never contains program variables!
I pc is a conjunction of branching conditions.
Example: Min

    int min(int x, int y)   // x = αx, y = αy, pc = true
    {
        int z;              // x = αx, y = αy, z = 0, pc = true
        if (x < y)          // Case 1: x = αx, y = αy, z = 0, pc = αx < αy
            z = x;          // x = αx, y = αy, z = αx, pc = αx < αy
        else                // Case 2: x = αx, y = αy, z = 0, pc = ¬(αx < αy)
            z = y;          // x = αx, y = αy, z = αy, pc = ¬(αx < αy)
        return z;           // return (z = αx ∧ αx < αy) ∨ (z = αy ∧ ¬(αx < αy))
    }
Example: Min(a,b,c)

    int min(int a, int b, int c)
    {                       // a = αa, b = αb, c = αc, pc = true
        return
            min(
                min(a, b),  // (result = αa ∧ αa < αb) ∨ (result = αb ∧ αa ≥ αb)
                c           // c = αc
            );              // (result = αa ∧ pc = αa < αb ∧ αa < αc) ∨
                            // (result = αb ∧ pc = αa ≥ αb ∧ αb < αc) ∨
                            // (result = αc ∧ pc = αa < αb ∧ αa ≥ αc) ∨
                            // (result = αc ∧ pc = αa ≥ αb ∧ αb ≥ αc)
    }
Symbolic Execution Tree

Symbolic execution forks at each if-statement:

    αa < αb ?
    ├─ T: αa < αc ?
    │     ├─ T: min = αa
    │     └─ F: min = αc
    └─ F: αb < αc ?
          ├─ T: min = αb
          └─ F: min = αc
From Path Conditions to Concrete Test Cases
I Calculation: pc2 = true ∧ αa < αb ∧ ¬(αa < αc)
I The path condition represents the equivalence class of all concrete values taking a path.
I Concrete test cases: find concrete values satisfying pc
  I e.g. for pc2: a = 0, b = 1, c = 0
I Result: path coverage
Limitations
I infinite number of paths (loops)
I infeasible paths (pc = false)
I limitations of solvers and theorem provers
I all code must be accessible (white-box)
I only for single-threaded programs
Symbolic Execution Tools
I Klee: for C (LLVM), http://klee.github.io/
I Symbolic PathFinder for Java (bytecode): http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-symbc
Concolic Execution
I Concolic = Concrete + Symbolic
I also called Dynamic Symbolic Execution (Microsoft)
I Concrete and Symbolic Execution in parallel
I Due to concrete execution:
  I No infeasible paths!
  I Integration of black-box components possible.
Concolic Execution Loop
Algorithm

    1  Covered := {}                                      covered set of inputs
    2  select new input i ∉ Covered                       stop if none is found
    3  execute Program(i) and record path condition C     C(i) holds
    4  Covered := Covered ∪ {i | C(i)}
    5  goto 2

I New input i ∉ Covered after n iterations: solve ¬C_i1 ∧ · · · ∧ ¬C_in
I Stop when ¬C_i1 ∧ · · · ∧ ¬C_in = false
Example: Sum

    int sum(int a, int b, int c)
    {                       // a = (αa, 1), b = (αb, 2), c = (αc, 3)
        int x, y, z;        // x = 0, y = 0, z = 0
        x = a + b;          // x = (αa + αb, 3), y = (0, 0), z = (0, 0)
        y = b + c;          // x = (αa + αb, 3), y = (αb + αc, 5), z = (0, 0)
        z = x + y - b;      // x = (αa + αb, 3), y = (αb + αc, 5), z = (αa + αb + αc, 6)
        return z;           // return (αa + αb + αc, 6)
    }
Example: Min, Iteration 1

    int min(int x, int y)   // x = (αx, 0), y = (αy, 0), pc1 = true
    {
        int z;              // x = (αx, 0), y = (αy, 0), z = (0, 0), pc1 = true
        if (x < y)          // concrete: ¬(0 < 0)
            z = x;
        else                // x = (αx, 0), y = (αy, 0), z = (0, 0), pc1 = ¬(αx < αy)
            z = y;          // x = (αx, 0), y = (αy, 0), z = (αy, 0), pc1 = ¬(αx < αy)
        return z;           // return z = (αy, 0), pc1 = ¬(αx < αy)
    }

Find new input values such that ¬C = ¬pc1 = αx < αy holds and execute again, e.g. min(0, 1).
Example: Min, Iteration 2

    int min(int x, int y)   // x = (αx, 0), y = (αy, 1), pc2 = true
    {
        int z;              // x = (αx, 0), y = (αy, 1), z = (0, 0), pc2 = true
        if (x < y)          // concrete: (0 < 1) ⇒ pc2 = αx < αy
            z = x;          // x = (αx, 0), y = (αy, 1), z = (αx, 0), pc2 = αx < αy
        else
            z = y;
        return z;           // return z = (αx, 0), pc2 = αx < αy
    }

Finding new input values such that ¬C = ¬pc1 ∧ ¬pc2 = false is not possible, hence terminate.
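Added example (not from the slides): a miniature concolic execution loop in Python that runs the slides' min(x, y) and min(a, b, c) through the algorithm above and also enumerates the paths of the symbolic execution tree for min(a, b, c). Every value carries its symbolic name together with a concrete value, each `<` records the branch taken in the path condition, and a brute-force search over the domain {0, 1} stands in for the SMT solver; the Val/Tracer classes, the min2/min3 names and the domain are assumptions of this example.

```python
import itertools

class Val:
    """A concolic value: symbolic name paired with a concrete int (constructed)."""
    def __init__(self, sym, val):
        self.sym, self.val = sym, val

class Tracer:
    """Records the path condition C(i) of one concrete run, branch by branch."""
    def __init__(self):
        self.pc = []  # entries: (left_sym, right_sym, branch_taken)
    def lt(self, a, b):
        taken = a.val < b.val                 # the concrete value decides the branch...
        self.pc.append((a.sym, b.sym, taken))  # ...the symbolic test is recorded
        return taken

# The two functions from the slides, with `<` routed through the tracer.
def min2(t, x, y):
    return x if t.lt(x, y) else y

def min3(t, a, b, c):
    return min2(t, min2(t, a, b), c)

def pc_to_str(pc):
    return " ∧ ".join(f"{l} < {r}" if taken else f"¬({l} < {r})" for l, r, taken in pc)

def holds(pc, env):
    """True when the assignment env follows exactly the recorded path (C(i) holds)."""
    return all((env[l] < env[r]) == taken for l, r, taken in pc)

def solve_uncovered(covered, names, domain):
    """Stand-in for an SMT solver: search domain^n for an input with ¬C_1 ∧ ... ∧ ¬C_n."""
    for vals in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if not any(holds(pc, env) for pc in covered):
            return env
    return None  # the conjunction of negations is unsatisfiable: stop

def concolic(fn, names, domain=range(0, 2)):
    """Concolic loop: run, record C(i), then solve for an input outside all covered paths.
    Only paths that were actually executed are collected, so none of them is infeasible."""
    covered, tests = [], []
    env = {n: 0 for n in names}  # first run with all-zero inputs, as on the slides
    while env is not None:
        t = Tracer()
        result = fn(t, *[Val(n, env[n]) for n in names])
        covered.append(t.pc)
        tests.append((env, pc_to_str(t.pc), result.val))
        env = solve_uncovered(covered, names, domain)
    return tests  # one concrete test case per path: path coverage

if __name__ == "__main__":
    for fn, names in ((min2, ["x", "y"]), (min3, ["a", "b", "c"])):
        print(fn.__name__)
        for inputs, pc, result in concolic(fn, names):
            print(f"  {inputs}  pc = {pc}  returns {result}")
```

For min3 the loop stops after four runs, one per leaf of the symbolic execution tree, and the third run reproduces pc2 = αa < αb ∧ ¬(αa < αc) with a = 0, b = 1, c = 0.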
Limitations
I infinite number of paths: upper bounds
I limitations of solvers and theorem provers
I for single-threaded programs
Concolic Execution Tools
I jCute: for Java, http://osl.cs.illinois.edu/software/jcute/
I IntelliTest (Pex): for C#, see exercise
I PathCrawler: for C programs, http://pathcrawler-online.com