# ECE 453 - Software Testing, Quality Assurance, and Maintenance

## Introduction

### Testing and Verification

- **Testing**: An ad-hoc software validation method that proves the existence of faults.
- **Verification**: A formal software validation method that proves the software satisfies its specifications.
- **Static Program Verification**: The algorithmic discovery of the properties of a program by inspection of its source text.
- **Formal Methods**: The general area of research related to program specification and verification.

### Undecidability

- **Undecidability**: A problem is undecidable if there does not exists a Turning machine that can solve it.
- **Rice's Theorem**: For any non-trivial property of partial functions, no general and effective method can decide whether an algorithm computes a partial function with that property.

### User Effort vs Verification Assurance


- *From Least Effort / Least Assurance to Most Effort / Most Assurance.*


1. Testing
2. Symbolic Execution: Automated Test-Case Generation
3. Automated Verification
4. Deductive Verification

### Key Challenges

- *Testing*: Coverage
- *Symbolic Execution and Automated Verification*: Scalability 
- *Deductive Verification*: Usability
- *Common Challenges*: Specification / Oracle

## Fault, Error, and Failure

### Definitions

- **Fault**: A static defect in software.
- **Error**: An incorrect internal state (*unobserved*).
- **Failure**: An incorrect external behavior with respect to the expected external behavior (*observed*).

### RIP Model

- Three conditions must be present for an error to be observed: failure.
  1. **Reachability**: The location or locations in the program that contain the fault must be reached.
  2. **Infection**: After execution the location, the state of the program must be incorrect.
  3. **Propagation**: The infected state must propagate to cause some output of the program to be incorrect.

### Addressing Faults

1. **Fault Avoidance**: Better Design, Better Programming Languages, ...
2. **Fault Detection**: Testing, Debugging, ...
3. **Fault Tolerance**: Redundancy, Isolation, ...

## Foundations: Syntax, Semantics, and Graphs

### WHILE: A Simple Imperative Language

#### Syntatic Entities

##### Terminals


- *Atomic Tokens*.


1. **Integers**: $n \in Z$
2. **Booleans**: $\text{true}, \text{false} \in B$
3. **Locations (Program Variables)**: $x, y \in L$

##### Non-Terminals


- *Composition of Tokens*.


1. **Atomic Expressions**: $e \in Aexp$
2. **Boolean Expressions**: $b \in Bexp$
3. **Statements**: $c \in Stmt$

#### Syntax of Arithmetic Expressions

$$
\begin{aligned}
\text{e } ::= &\; n     &\text{ for } n \in Z \\
      &\vert -n &\text{ for } n \in Z \\
      &\vert x  &\text{ for } x \in L \\
      &\vert e_1 \text{ aop } e_2 \\
      &\vert \text{'('e')'} \\
\text{aop } ::= &\; \text{'*' } \vert \text{ '/' } \vert \text{ '-' } \vert \text{ '+'}
\end{aligned}
$$

- *No Declarations*
- *Only Integer Variables*.
- *No Side-Effects*.

#### Syntax of Boolean Expressions

$$
\begin{aligned}
\text{b } ::= &\; \text{'true'} \\
    &\vert \text{'false'} \\
    &\vert \text{'not' } b \\
    &\vert e_1 \text{ rop } e_2 &\text{ for } e_1, e_2 \in Aexp \\
    &\vert e_1 \text{ bop } e_2 &\text{ for } e_1, e_2 \in Bexp \\
    &\vert \text{'('b')'} \\
\text{rop } ::= &\; \text{'<' } \vert \text{ '<=' } \vert \text{ '=' } \vert \text{ '>=' } \vert \text{ '>'} \\
\text{bop } ::= &\; \text{'and' } \vert \text{ 'or'}
\end{aligned}
$$

#### Syntax of Statements

$$
\begin{aligned}
\text{s } ::= &\; \text{skip} \\
    &\vert x := e \\
    &\vert \text{if } b \text{ then } s \;[\text{else } s] \\
    &\vert \text{while } b \text{ do } s \\
    &\vert \text{'\{' } slist \text{ '\}'} \\
    &\vert \text{print_state} \\
    &\vert \text{assert } b \\
    &\vert \text{assume } b \\
    &\vert \text{havoc } v1, ..., vN \\
\text{slist } ::= &\; s (\text{';'} s)* \\
\text{prog } ::= &\; \text{slist} 
\end{aligned}
$$

### Abstract Syntax Tree

- An **abstract syntax tree** is a tree in which each node represents a syntactic entity.

### Visitor Design Pattern

- An object-oriented design pattern that separates an algorithm from an element on which it operates.
- **Assignment Notes**: In Python, the method handle is used to dynamic dispatch calls: `visit_Stmt()`.

### Non-Determinism vs. Randomness

- A **deterministic** function always returns the same result on the same input.
- A **non-deterministic** function may return different values on the same input.
- A **random** function may choose a different value with a probability distribution.
- A non-deterministic choice cannot be implemented.

### Syntax and Semantics

- **Syntax**: Determines how things are expressed.
- **Semantics**: Determines how syntax is interpreted to give meaning.

### Semantics of Programming Languages

- **Denotational Semantics**: The meaning of a program is defined as the mathematical object it computes.
- **Axiomatic Semantics**: The meaning of a program is defined in terms of its effect on the truth of logical assertions.
- **Operational Semantics**: The meaning of a program is defined by formalizing the individual computation steps of the program.

### Semantics of WHILE

- A **state** $s$ is a function from $L$ to $Z$.
    - It assigns a value for every variable.
- The set of all states is $Q = L \to Z$.

#### Notation

- *Empty State*: $\left[\right]$
- *State*: $\left[x := 10, y := 15, z := 5\right]$
- *Substitution*: $s\left[x := 10\right]$

### Judgement

- $\langle e, q \rangle \Downarrow n$ states that an *expression* $e$ in *state* $q$ has a *value* $n$.
- *Note: Evaluate $n$ in a judgement $\langle e, q \rangle \Downarrow n$.*

### Inference Rules

$$
\frac{F_1 ... F_n}{G} \text{ where } H
$$

- An **inference rule** defines a relation between judgements $F_1, ..., F_n$ and $G$.
    - The judgements $F_1, ..., F_n$ are the **premises** of the rule.
    - The judgements $G$ is the **conclusion** of the rule.
    - The formula $H$ is called the **side condition** of the rule.
    - If $n = 0$, the rule is called an **axiom**. In this case, the line separating premises and conclusion may be omitted.
- A **derivation** infers new facts from existing facts.

### Inference Rules for Aexp

- *Note: Expression would not mutate state; side-effect free.*

$$
\begin{aligned}
&\frac{}{\langle n, q \rangle \Downarrow n} \\[1em]
&\frac{}{\langle x, q \rangle \Downarrow q(x)} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} + e_{2}, q \rangle \Downarrow (n_{1} + n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} - e_{2}, q \rangle \Downarrow (n_{1} - n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} * e_{2}, q \rangle \Downarrow (n_{1} * n_{2})}
\end{aligned}
$$

### Inference Rules for Bexp

- *Note: Expression would not mutate state; side-effect free.*

$$
\begin{aligned}
&\frac{}{\langle \text{true}, q \rangle \Downarrow \text{true}} \\[1em]
&\frac{}{\langle \text{false}, q \rangle \Downarrow \text{false}} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} = e_{2}, q \rangle \Downarrow (n_{1} = n_{2})} \\[1em]
&\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} \le e_{2}, q \rangle \Downarrow (n_{1} \le n_{2})} \\[1em]
&\frac{\langle b_{1}, q \rangle \Downarrow t_{1} \quad \langle b_{2}, q \rangle \Downarrow t_{2}}{\langle b_{1} \land b_{2}, q \rangle \Downarrow (t_{1} \land t_{2})}
\end{aligned}
$$

### Semantics of Statements

- $\langle s, q \rangle \Downarrow q'$
    - where $s$ is the **Program Statement**.
    - where $q$ is the **Input Program State**.
    - where $q'$ is the **Output Program State**.
    
$$
\begin{aligned}
&\frac{}{\langle \text{skip}, q \rangle \Downarrow q} \\[1em]
&\frac{}{\langle \text{print_state}, q \rangle \Downarrow q} \\[1em]
&\frac{\langle s_{1}, q \rangle \Downarrow q'' \quad \langle s_{2}, q'' \rangle \Downarrow q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \Downarrow q'} \\[1em]
&\frac{\langle e, q \rangle \Downarrow n}{\langle x := e, q \rangle \Downarrow q[x := n]} \\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s_{1}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'} \\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{false} \quad \langle s_{2}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'}
\end{aligned}
$$

### Derivation $\implies$ Execution

- **Top-Down**: Execution.
- **Bottom-Up**: Explanation.

> Show that $\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]$.

$$
\cfrac{\cfrac{}{\cfrac{\langle 0, [] \rangle \Downarrow 0}{\langle p := 0, [] \rangle \Downarrow [p := 0]}} \quad \cfrac{}{\cfrac{\langle 1, [p := 0] \rangle \Downarrow 1}{\langle x := 1, [p := 0] \rangle \Downarrow [p := 0, x := 1]}}}{\cfrac{\langle p := 0 \text{ ; } x := 1, [] \rangle \Downarrow [p := 0, x:= 1] \quad \langle n := 2, [p := 0, x := 1] \rangle \Downarrow [p := 0, x := 1, n := 2]}{\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]}}
$$

### Semantics of Loops

- Let $T$ be a special state, **top**, that represents divergence, such as an infinite loop.
- Any statement in a divergent state is treated like "skip".

$$
\begin{aligned}
&\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s \text{ ; while } b \text{ do } s, q \rangle \Downarrow q'}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q'}\\[1em]
&\frac{}{\langle \text{while true do } s, q \rangle \Downarrow T}\\[1em]
&\frac{}{\langle s, T \rangle \Downarrow T}\\[1em]
\end{aligned}
$$

### Properties of Semantics

- A semantic is **deterministic** if every program statement has exactly one possible derivation in any state.
- Two statements are **semantically equivalent** if for every input state they derive the same output state.

#### Structural Induction

- To prove a property $P$ on a derivation tree.
    1. *Base Case*: Prove $P$ for all of the axioms.
    2. *Inductive Hypothesis*: Assume $P$ holds before every rule.
    3. *Induction*: Prove that $P$ holds at the end of every rule.
- Use structural induction to prove that the semantics are deterministic.

### Structural Operational Semantics (*Small-Step*)

- *Execution of One Statement*: $\langle s, q \rangle \implies \langle t, q' \rangle$
    - where $s$ is the statement to execute.
    - where $q$ is the input state.
    - where $t$ is the rest of the program.
    - where $q'$ is the output state.

### Small-Step Semantics for WHILE

$$
\begin{aligned}
&\frac{}{\langle \text{skip}, q \rangle \implies q}\\[1em]
&\frac{\langle s_{1}, q \rangle \implies q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle s_{2}, q' \rangle}\\[1em]
&\frac{\langle s_{1}, q \rangle \implies \langle \mathbf{s_{3}}, q' \rangle}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle \mathbf{s_{3}} \text{ ; } s_{2}, q' \rangle}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{true}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{1}, q \rangle}\\[1em]
&\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{2}, q \rangle}\\[1em]
&\frac{}{\langle \text{while } b \text{ do } s, q \rangle \implies \langle \text{if } b \text{ then } (s \text{ ;  while } b \text{ do } s) \text{ else skip}, q \rangle}
\end{aligned}
$$

### Properties of Small Step Semantics

- Small step semantics are a **transition system**: $TS = (S, R)$.
    - where $S$ is a set of states: $\langle s, q \rangle$.
    - where $R$ is a transition relation on a pair of states.
        - $(x, y) \in R \iff (x \implies y)$ is a true judgement in small-step semantics.
- **Derivation Sequence**: A path $x_{1}, x_{2}, x_{3}, ....$ in $TS$ corresponds to a program execution.
- Properties of small-step semantics are established by induction on the length of the derivation.
- A small step semantic is deterministic if there is only one derivation for every configuration.

### Programming to Modeling

- **Assertions**: `assert e` - Aborts an execution when $e$ is false, no-op otherwise.
```cpp
void assert(bool b) {
    if (!b)
        error();
}
```
- **Non-Determinism**: `havoc x` - Assign a variable $x$ a non-deterministic value.
```cpp
void havoc(int &x) {
    int y;
    x = y;
}
```
- **Assumptions**: `assume e` - Block execution if $e$ is false, no-op otherwise.
```cpp
void assume(bool e) {
    while (!e);
}
```

### Safety Specifications as Assertions

- **Correct**: If all executions that satisfy all assumptions also satisfy all assertions.
- **Incorrect**: If there exists an execution that satisfies all of the assumptions and violdates at least one assertion.
- Assumptions $\implies$ Pre-Conditions.
- Assertions $\implies$ Properties.

### Graphs, Paths, Cycle

- A **graph**, $G = (N, E)$, is an ordered pair consisting of a node set, $N$, and an edge set, $E = \{(n_{i}, n_{j})\}$.
    - **Directed**: If the pairs in $E$ are ordered.
    - **Undirected**: If the pairs in $E$ are unordered.
- A **path**, $P$, through a directed graph $G = (N, E)$ is a sequence of edges $\left( (u_{1}, v_{1}), (u_{2}, v_{}), ... (u_{t}, v_{t}) \right)$ such that the following is true.
    - where $v_{k - 1} = u_{k}$ for all $1 < k \le t$.
    - where $u_{1}$ is the start node.
    - where $u_{t}$ is the end node.
    - The length of a path is the number of edges in the path.
- A **cycle** in a graph $G$ is a path whose start node and end node are the same.
- A **tree** is an acyclic, undirected graph.
- A **directed acyclic graph (DAG)** is a directed graph without cycles.
- Every tree is isomorphic to a prefix-closed subset of $N^{*}$ for some natural number $N$.

### Graphs as Models of Computation

- A **computation tree** represents all possible executions of a system.
    - *Node*: The state of the system represented by the valuation of all the variables.
    - *Problem*: For many computations, the trees are too large.
- A **control flow graph** represents the flow of execution in the program $G = (N, E, S, T)$.
    - where $N$ is the nodes representing executable instructions.
    - where $E$ is the edges representing the potential transfer of control.
    - where $S$ is a designated start node.
    - where $T$ is a designated terminal node.
- An **infeasible path** is a path that does not correspond with an execution sequence.

## Structural Coverage

### Testing

- **Static Testing** $\implies$ *Compile Time*:
    - *Static Analysis*
    - *Code Inspection*
    - *Code Walk-Through*
- **Dynamic Testing** $\implies$ *Run Time*:
    - *Black-Box Testing*
    - *White-Box Testing*

### Test Case

- **Test Case**: *Input Values, Expected Results, Prefix Values, Postfix Values, Dependency Values.*
- **Test Set**: *A Set of Test Cases.*
- **Expected Results**: The results that will be produced when executing the test if and only if the program satisfies its intended behavior.

### Test Requirement

- **Test Requirement**: A specific element of a software artifact that a test case must satisfy or cover.
    - *Denoted $TR$*
    
#### Examples

1. Functional (Black Box, Specification-Based)
2. Structural (White Box)
3. Model-Based
4. Fault-Based

### Coverage Criterion

- **Coverage Criterion**: A rule or collection of rules that impose test requirements on a test set.
    - *Generates $TR$*

### Adequacy Criteria

- **Adequacy Criterion**: Set of Test Requirements.
- A test suite satisfies an adequacy criterion if:
    - All the tests succeed.
    - Every test requirement in the criterion is satisfied by at least one of the test cases in the test suite.

### Coverage Criteria

> Basic Coverage $\implies$ Advanced Coverage

1. Line
    - **Adequacy Criterion**: Each source code line must be executed at least once.
    - **Coverage**: The percentage of source code lines executed.
2. Statement
    - **Adequacy Criterion**: Each statement (or node in the CFG) must be executed at least once.
    - **Coverage**: The percentage of statements executed.
3. Function
4. Branch
    - **Adequacy Criterion**: Each branch/decision, (or edge in the CFG) must be executed at least once.
    - **Coverage**: The percentage of edges executed.
    - **Test Case**: $O(n)$, where $n$ is the number of conditions.
5. Decision/Condition
6. Modified Decision/Condition
7. Path
    - **Adequancy Criterion**: Each path in the CFG must be executed at lease once.
    - **Coverage**: The percentage of paths executed.
    - **Test Case**: $O(2^{n})$, where $n$ is the number of conditions.
8. Loop
9. Mutation

### Coverage Level

- Given a set of test requirements $TR$,
- Given a test set $T$,
- The **coverage level** is the ratio of the number of test requirements satisfied by $T$ to the size of $TR$.

### Unit Testing

- A **unit test** exercises a unit of functionality to test its behavior.
- A **unit test framework** provides a standard mechanism for....
    1. Specifying a Test (Setup, Execution, Expected Result, Teardown).
    2. Executing a Test.
    3. Generating Test Reports.

### Designing for Testing

- Factor the program into meaningful units.
- Each unit should have a well defined specification.
    - What are legal inputs?
    - What are legal outputs?
    - How inputs and outputs are passed around?
- Avoid monolithic design that reads standard input and writes standard output.
- Additional functionality specifically for testing/debugging purposes.

### Subsumption

- **Criteria Subsumption**: A test criterion $C_{1}$ subsumes $C_{2}$ if and only if every set of test cases satisfies $C_{1}$ also satisfies $C_{2}$.

### Syntactical and Semantic Reachability

- A node $n$ is **syntactically** reachable from $m$ if there exists a path from $m$ to $n$.
- A node $n$ is **semantically** reachhable if one of the paths from $n$ to $n$ can be reached on some input.
- **Syntactic Reachability**: Control Flow Graph.
- **Semantic Reachability**: Undecidable.

### Reachability

- Let $reach_{G}(X)$ denote the sub-graph of $G$ that is syntactically reachable from $X$, where $X$ is either a node, an edge, a set of nodes, or a set of edges.

### Connect Test Cases and Test Paths

- A $path_{G}$ is a mapping from test cases to test paths.
$$path(T) = \{path(t) \mid t \in T\}$$
- A test case has at least one test path.
    - **Deterministic**: One Test Path.
    - **Nondeterministic**: Many Test Paths.

### Node, Edge, Edge-Pair Coverage

- **Node Coverage (NC)**: $TR$ contains each reachable node in $G$.
    - *~Statement Coverage.*
- **Edge Coverage (EC)**: $TR$ contains each reachable path of length up to $1$, inclusive, in $G$.
    - *~Branch Coverage.*
- **Edge-Pair Coverage (EPC)**: $TR$ contains each reachable path of length up to $2$, inclusive, in $G$.

### Simple Path

- A path is **simple** if no node appears more than once in the path, except that the first and the last nodes may be the same.

#### Properties

- No Internal Loops.
- Possibly Bounded Length.
- Possible Create Any Path = Composition of Simple Paths.
- Many Simple Paths Exist.

### Prime Path

- A path is **prime** if it is simple and does not appear as a proper subpath of any other simple path.
- **Prime Path Coverage (PPC)**: $TR$ contains each prime path in $G$.
    - *Problem*: A prime path may be infeasible yet contains feasible simple paths.
- **Complete Path Coverage (CPC)**: $TR$ contains all paths in $G$.
- **Specified Path Coverage (SPC)**: $TR$ contains a specified set $S$ of paths.

### Graph Coverage Criteria Subsumption

1. *Complete Path Coverage (CPC)* > *Prime Path Coverage (PPC)* > *Edge Coverage (EC)* > *Node Coverage (NC)*
2. *Complete Path Coverage (CPC)* > *Edge-Pair Coverage (EPC)* > *Edge Coverage (EC)* > *Node Coverage (NC)*

## Logic Coverage

### Decisions

- **Decisions**: A logical expression in a program.
    - $P$ is a set of decisions (predicates) of the program.
- **Conditions**: The leaves of a decision.
    - $C_{p}$ is a set of conditions (atomic predicates) constructing a predicate $p$.
    - $C$ is the set of all conditions in all of the decisions in $P$.
$$C_{p} = \{c \mid c \in p\}$$
$$C = \cup_{p \in P} C_{p}$$
- **Logical Operators**: Connect conditions to construct a decision.

###  Decision, Condition, Combinatorial Coverage

- **Decision Coverage (DC)**: For each $p \in P$, $TR$ contains two requirements.
    1. $p$ evaluates to true.
    2. $p$ evaluates to false.
    - *~Edge Coverage.*
- **Condition Coverage (CC)**: For each $c \in C$, $TR$ contains two requirements.
    1. $c$ evaluates to true.
    2. $c$ evaluates to false.
- **Combinatorial Coverage (CoC) / Multiple Condition Coverage**: For each $p \in P$, $TR$ has test requirements for the conditions in $C_{p}$ to evaluate to each possible combination of truth values.

### Active Condition Coverage

- An **active condition** focuses on each condition that affects the final decision.
    - *Active Conditions = Major Conditions.*
    - *Non-Active Conditions = Minor Conditions.*
- **Determination**: A major condition *determines* a decision with certain minor conditions.
- **Active Condition Coverage (ACC)**: For each $p \in P$ and making each condition $c_{i} \in C_{p}$ major, choose assignments for minor conditions $c_{j}$, $j \ne i$ such that $c_{i}$ determines $p$.

## Automated Test-Case Generation: Address Sanitizer

### Automated Test-Case Generation

1. **Black Box**: Random Test Cases.
2. **Grey Box**: Coverage Guidance.
3. **White Box**: Symbolic Reasoning.

### Valgrind

- An instrumentation framework for dynamic analysis tools that interprets a program using a synthetic CPU.

### Memory Access Instrumentation

- The compiler instruments each *STORE* and *LOAD* instruction with a check whether the memory being accessed is accessible.

### Memory Mapping and Alignment

- *Virutal Memory* $\implies$ *Mem* + *Shadow*
    - **Mem**: Normal Application Memory.
    - **Shadow**: Metadata Memory about Main Memory.
- Poisoning a byte address of *Mem* requires writing a special value to its corresponding descriptor in *Shadow*.
- Because most processors align memory using 8 bytes (i.e., *QWORDS*), *AddressSanitizer* maps each 8 bytes of *Mem* into 1 byte of *Shadow*.
    - If all 8 bytes are accessible, $\text{Shadow} = 0$.
    - If all 8 bytes are inaccessible, $\text{Shadow} < 0$.
    - If the first $k$ bytes are only accessible, $\text{Shadow} = k$.

### Redzones

- **Redzones** are markers that mark boundaries of allocated memory segments on the heap.

## Automated Test-Case Generation: Fuzzing

### Fuzzing

- A set of automated testing techniques that tries to identify abnormal program behaviors by evaluation of how the tested program responds to various inputs.

### Challenges

1. **Inputs**: Input Files or Byte Arrays
2. **Detecting Abnormal Behavior**: Crashes, User-Defined Assertions, Hang Time, Memory Allocations
3. **Ensuring Progression**: Program Counter, Lines of Source Code, Statements, Control Flow Graph, Functions, ....
    - i.e., Coverage Feedback
4. **Generating Interesting Inputs**: Bit Flips, Byte Flips, Byte Swaps, Byte Rotates, Arithmetic, Known Inputs, Composition, ....
5. **Speed**: Fork After Initialization, Use Cheaper Resources, Many Inputs for Single Process, ....

## SMT Solver Z3

### Satisfiability Modulo Theory (SMT)

- **Satisfiability**: The problem of determining whether a formula $F$ has a model.
    - If $F$ is **propositional**, a model is a truth assignment to Boolean variables.
    - If $F$ is **first-order formula**, a model assigns values to variables and interpretation to all the function and predicate symbols.
- **SAT Solvers**: Check satisfiability of propositional formulas.
- **SMT Solvers**: Check satisfiability of formulas in a decidable first-order theory.

## Symbolic Execution

### Symbolic Execution High-Level Algorithm

1. Execute Program with Symbolic Inputs.
2. Fork Execution at Each Branch.
3. Record Branching Conditions.
4. Decide Path Feasibility with Constraint Solver.
5. Generates Test Cases with Constraint Solver.

### Symbolic Execution

- **Symbolic Execution**: A static analysis of programs by tracking symbolic values.
- **Symbolic Path Condition**: A path condition for a path $P$ is a formula $PC$ such that $PC$ is satisfiable if and only if $P$ is executable.
- The forking of the execution at each branch allows constraints to be built that characterize conditions for executing paths, and the effects of the execution on program state.

### Symbolic State

- A **symbolic state** is a pair $S = (Env, PC)$, where ...
    - $Env = L \to E$ is an **environment** that maps program variables to symbolic expressions (first-order logic terms).
    - $PC$ is a **path condition** that is a first-order logic formula.
- A concrete state $M : L \to Z$ satisfies a symbolic state $S = (Env, PC)$ if and only if ...
$$M |= (Env, PC) \text{ iff } \left( (\land_{v \in L} M(v) = Env(v)) \land PC \text{ is } SAT \right)$$

### Functional Representation of an Executable Component

- A symbolic execution creates a functional representation of a path in a CFG.
- $D[P_{i}]$ is the domain for a path $P_{i}$ that represents the inputs that force the program to take the path.
- $C[P_{i}]$ is the computation for a path $P_{i}$ that represents the result of executing the path.
- A program $P$ is composed of partial functions representing the executable paths: $P = \{P_{1}, ..., P_{r}\}$ where $P_{i} : X_{i} \to Y$.

### Finding Bugs with Symbolic Execution

1. Enumerate Paths with Symbolic Execution.
2. Translate Any Safety Property to Reachability (Assertions).
3. Treat Assertions as Error Conditions.

## Dynamic Symbolic Execution

### Dynamic Symbolic Execution

1. Execute the program with a concrete state and a symbolic state in parallel.
2. Generate a new concrete state using a constraint solver.

### EXE Algorithm

*See Slides 6 to 21 in Dynamic Symbolic Execution.*

### DART Algorithm

*See Slides 22 to 64 in Dynamic Symbolic Execution.*

## Semantics of Symbolic Execution

### Notation

- $L$ is a set of program variables.
- $q$ is a concrete state that maps program variables $L$ to integers $\mathbb{Z}$.
- $Q : L \to \mathbb{Z}$ is the set of all states.

### Symbolic States and Path Conditions

- A **symbolic state** $q$ is a map from program variables to symbolic expressions.
- A **path condition** $pc$ is a formula over symbolic expressions.
- A **judgment** in symbolic execution has the following form.
$$\langle s, q, pc \rangle \Downarrow q', pc'$$
    - where $s$ is the **Program Statement**.
    - where $q$ is the **Input Symbolic Environment**.
    - where $q'$ is the **Output Symbolic Environment**.
    - where $pc$ is the **Input Path Condition**.
    - where $pc'$ is the **Output Path Condition**.
- A path condition $pc'$ is **satisfiable** if and only if there is a concrete input state $c$ and concrete output state $c'$ such that $s$ started in state $c$ reaches $c'$, i.e., $\langle s, c \rangle \Downarrow c'$

### Symbolic Semantics for WHILE: Expressions

$$
\begin{aligned}
&\frac{}{\langle n, q \rangle \Downarrow n} n \in \mathbb{Z} \\[1em]
&\frac{}{\langle v, q \rangle \Downarrow q(v)} v \in L \\[1em]
&\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} + a_{2}, q \rangle \Downarrow \text{Plus}(n_{1}, n_{2})} \\[1em]
&\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} * a_{2}, q \rangle \Downarrow \text{Times}(n_{1}, n_{2})} \\[1em]
&\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} < a_{2}, q \rangle \Downarrow \text{Lt}(n_{1}, n_{2})} \\[1em]
&\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} > a_{2}, q \rangle \Downarrow 
\text{Gt}(n_{1}, n_{2})} \\[1em]
&\frac{\langle b_{1}, q \rangle \Downarrow r_{1} \quad \langle b_{2}, q \rangle \Downarrow r_{2}}{\langle b_{1} \land b_{2}, q \rangle \Downarrow \text{And}(r_{1}, r_{2})} \\[1em]
&\frac{\langle b_{1}, q \rangle \Downarrow r_{1} \quad \langle b_{2}, q \rangle \Downarrow r_{2}}{\langle b_{1} \lor b_{2}, q \rangle \Downarrow \text{Or}(r_{1}, r_{2})} \\[1em]
\end{aligned}
$$

### Symbolic Semantics for WHILE: Statements

$$
\begin{aligned}
&\frac{}{\langle \text{skip}, q, pc \rangle \Downarrow q, pc} \\[1em]
&\frac{}{\langle \text{print_state}, q, pc \rangle \Downarrow q, pc} \\[1em]
&\frac{\langle s_{1}, q, pc \rangle \Downarrow q'', pc'' \quad \langle s_{2}, q'', pc'' \rangle \Downarrow q', pc'}{\langle s_{1} \text{ ; } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em]
&\frac{\langle e, q \rangle \Downarrow r}{\langle x := e, q, pc \rangle \Downarrow q[x := r], pc} \\[1em]
&\frac{R \text{ is a fresh symbolic constant}}{\langle \text{havoc } x, q, pc \rangle \Downarrow q[x := R], pc} \\[1em]
&\frac{\langle b, q \rangle \Downarrow r \quad pc \land r \text{ is SAT } \quad \langle s_{1}, q, pc \land r \rangle \Downarrow q', pc'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em]
&\frac{\langle b, q \rangle \Downarrow r \quad pc \land \lnot r \text{ is SAT } \quad \langle s_{2}, q, pc \land \lnot r \rangle \Downarrow q', pc'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em]
&\frac{\langle b, q \rangle \Downarrow r \quad pc \land \lnot r \text{ is SAT}}{\langle \text{while } b \text{ do } s, q, pc \rangle \Downarrow q, pc \land \lnot r}\\[1em]
&\frac{\langle b, q \rangle \Downarrow r \quad pc \land r \text{ is SAT } \quad \langle s \text{ ; while } b \text{ do } s, q, pc \land r \rangle \Downarrow q', pc'}{\langle \text{while } b \text{ do } s, q, pc \rangle \Downarrow q', pc'}\\[1em]
\end{aligned}
$$

### Concolic Semantics for WHILE: Notation

- $Sym(L)$ are the symbolic program variables.
- $Con(L)$ are the concrete program variables.
- A **concolic state** is a triple: $q = \langle c, s, pc \rangle$.
    - where $con(q) = c$ is the **Concrete State**.
    - where $sym(q) = s$ is the **Symbolic State**.
    - where $pc(q) = pc$ is the **Path Condition**.
- Every variable $v \in sym(q)$ has a **concrete shadow** $con(q)(v)$; i.e., concrete state can evaluate all variables.

### Equivalence of Concrete States

- Two concrete states $c_{1}$ and $c_{2}$ are equivalent, $c_{1} \equiv_{con} c_{2}$, whenever they agree on concrete variables:
$$c_{1} \equiv_{con} c_{2} \iff \forall a \in Con(L) \cdot c_{1}(a) = c_{2}(a)$$

### Containment of Concrete States

- $c \models \langle s, pc \rangle$ means that concrete $c$ is contained in symbolic $\langle s, pc \rangle$.

### Concolic Semantics of Expressions

- Expressions that do not depend on symbolic variables are evaluated concretely.
- Expressions that depend on symbolic variables are evaluated symbolically (i.e. AST).

$$\frac{con(a) \quad \langle a, con(q) \rangle \Downarrow v}{\langle a, q \rangle \Downarrow v}$$

$$\frac{sym(a) \quad \langle a, sym(q) \rangle \Downarrow v}{\langle a, q \rangle \Downarrow v}$$

### Concolic Semantics of Simple Statements

- For most statements, the semantics are extended by applying both symbolic and concrete operational semantics in parallel.
- The last pre-condition ensures that the concrete and symbolic states are chosen consistently.

$$\frac{\langle s, con(q) \rangle \Downarrow c \quad \langle s, sym(q), pc(q) \rangle \Downarrow s', pc' \quad c \models \langle s', pc' \rangle}{\langle s, q \rangle \Downarrow \langle c, s', pc' \rangle}$$

### Concolic Semantics of Assignment

- Assignment of values to concrete variables is limited to concrete values only.
- *Impossible*: To assign symbolic variables to concrete variables.

$$\frac{\langle e, q \rangle \Downarrow n \quad con(x) \quad n \in \mathbb{Z}}{\langle x := e, q \rangle \Downarrow q[x := n]}$$

### Concolic Semantics of If-Statement

- At an if-statement, concolic execution can chose to switch to the branch that is not consistent with current concrete state, as long as the concrete state can be adjusted.

$$\frac{\langle b, con(q) \rangle \Downarrow \text{true} \quad \langle b, q \rangle \Downarrow r \quad pc(q) \land \lnot r \text{ is SAT } \quad c \models \langle sym(q), pc(q) \land \lnot r \rangle \quad c \equiv_{con} con(q) \quad \langle s_{2}, \langle c, sym(q), pc(q) \land \lnot r \rangle \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'}$$

### Concolic Semantics of Concretization

- **Concretization** turns symbolic variables into the values of their concrete shadows. The choice of concretization is captured in a concretization constraints in the path condition.
- If $x$ is a symbolic variable with symbolic value $r$ and it is currently shadowed concretely by a concrete value $n$, then its value can be concretized to $n$ as long as the path condition is updated with $r = n$ to reflect the concretization.

$$\frac{sym(x) \quad \langle x, con(q) \rangle \Downarrow n \quad \langle x, sym(q) \rangle \Downarrow r \quad \langle s, \langle con(q), sym(q)[x := n], pc(q) \land r = n \rangle \rangle \Downarrow q'}{\langle s, q \rangle \Downarrow q'}$$