Xuandong Li

Steering symbolic execution to less traveled paths

Symbolic execution is a promising testing and analysis methodology. It systematically explores a programs execution space and can generate test cases with high coverage. One significant practical challenge for symbolic execution is how to effectively explore the enormous number of program paths in real-world programs. Various heuristics have been proposed for guiding symbolic execution, but they are generally inefficient and ad-hoc. In this paper, we introduce a novel, unified strategy to guide symbolic execution to less explored parts of a program. Our key idea is to exploit a specific type of path spectra, namely the length-n subpath program spectra, to systematically approximate full path information for guiding path exploration. In particular, we use frequency distributions of explored length-n subpaths to prioritize less traveled parts of the program to improve test coverage and error detection. We have implemented our general strategy in KLEE, a state-of-the-art symbolic execution engine. Evaluation results on the GNU Coreutils programs show that (1) varying the length n captures program-specific information and exhibits different degrees of effectiveness, and (2) our general approach outperforms traditional strategies in both coverage and error detection.

UML Activity Diagram Based Testing of Java Concurrent Programs for Data Race and Inconsistency

Data race occurs when multiple threads simultaneously access shared data without appropriate synchronization, and at least one is write. System with a data race is nondeterministic and may generate different outputs even with the same input, according to different interleaving of data access. We present a model-based approach for detecting data races in concurrent Java programs. We extend UML Activity diagrams with data operation tags, to model program behavior. Program under test (PUT) is instrumented according to the model. It is then executed with random test cases generated based on path analysis of the model. Execution traces are reverse engineered and used for post-mortem verification. First, data races are identified by searching the time overlaps of entering and exiting critical sections of different threads. Second, implementation could be inconsistent with the design. The problem may tangle with race condition and makes it hard to detect races. We compare the event sequences with the behavior model for consistency checking. Identified inconsistencies help debuggers locate the defects in the PUT. A prototype tool named tocAj implements the proposed approach and was successfully applied to several cases studies.

Towards a model driven approach to automatic BPEL generation

Both complex separate Web services and composite Web services need orchestration specification. However, on one hand, the process of manually creating orchestration specification is time-consuming and error-prone; and on the other hand, application developers are in a dilemma to choose between virous orchestration languages and engines. In this paper, to reduce the complexity of creating Web services orchestration specification, and to make orchestration models isolate from orchestration languages and engines, we propose a model driven approach to generate orchestration specification. Web services orchestration is modeled using the CCA (Component Collaboration Architecture) of the UML profile for Enterprise Distributed Object Computing (EDOC). Then transform CCA specified orchestration models to BPEL via transformation rules. The same orchestration model can be transformed to different orchestration specifications though we take BPEL as the transformation target. Moreover, the transformation process is automatic.

Lazy-RTGC: A Real-Time Lazy Garbage Collection Mechanism with Jointly Optimizing Average and Worst Performance for NAND Flash Memory Storage Systems

Due to many attractive and unique properties, NAND flash memory has been widely adopted in mission-critical hard real-time systems and some soft real-time systems. However, the nondeterministic garbage collection operation in NAND flash memory makes it difficult to predict the system response time of each data request. This article presents Lazy-RTGC, a real-time lazy garbage collection mechanism for NAND flash memory storage systems. Lazy-RTGC adopts two design optimization techniques: on-demand page-level address mappings, and partial garbage collection. On-demand page-level address mappings can achieve high performance of address translation and can effectively manage the flash space with the minimum RAM cost. On the other hand, partial garbage collection can provide the guaranteed system response time. By adopting these techniques, Lazy-RTGC jointly optimizes both the average and the worst system response time, and provides a lower bound of reclaimed free space. Lazy-RTGC is implemented in FlashSim and compared with representative real-time NAND flash memory management schemes. Experimental results show that our technique can significantly improve both the average and worst system performance with very low extra flash-space requirements.

Model checking of hybrid systems using shallow synchronization

Hybrid automata are a widely accepted modeling framework for systems with discrete and continuous variables. The traditional semantics of a network of automata is based on interleaving, and requires the construction of a monolithic hybrid automaton based on the composition of the automata. This destroys the structure of the network and results in a loss of efficiency, especially using bounded model checking techniques. An alternative compositional semantics, called “shallow synchronization”, exploits the locality of transitions and relaxes time synchronization. The semantics is obtained by composing traces of the local automata, and superimposing compatibility constraints resulting from synchronization. n nIn this paper, we investigate the different symbolic encodings of the reachability problem of a network of hybrid automata. We propose a novel encoding based on the shallow synchronization semantics, which allows different strategies for searching local paths that can be synchronized. We implemented a bounded reachability search based on the use of an incremental Satisfiability-Modulo-Theory solver. The experimental results confirm that the new encoding often performs better than the one based on interleaving.

Path-oriented reachability verification of a class of nonlinear hybrid automata using convex programming

Hybrid automata are well-studied formal models for dynamical systems. However, the analysis of hybrid automata is extremely difficult, and even state-of-the-art tools can only analyze systems with few continuous variables and simple dynamics. Because the reachability problem for general hybrid automata is undecidable, we give a path-oriented reachability analysis procedure for a class of nonlinear hybrid automata called convex hybrid automata. Our approach encodes the reachability problem along a path of a convex hybrid automaton as a convex feasibility problem, which can be efficiently solved by off-the-shelf convex solvers, such as CVX. Our path-oriented reachability verification approach can be applied in the frameworks of bounded model checking and counterexample-guided abstraction refinement with the goal of achieving significant performance improvement for this subclass of hybrid automata.

Removing Irrelevant Atomic Formulas for Checking Timed Automata Efficiently

Reachability analysis for timed automata can be done by enumeration of time zones, which are conjunctions of atomic formulas of the form x-y≤(<)n. This paper shows that some of the atomic formulas in a generated time zone can be removed while the reachability analysis algorithm generates the same set of reachable locations. We call such formulas irrelevant ones. By removing the irrelevant formulas, the number of symbolic states associated with each location is reduced. We present two methods to detect irrelevant formulas. Case studies show that, for some kind of timed automata, these methods may significantly reduce the space requirement for reachability analysis.

Automatic Regression Test Selection Based on Activity Diagrams

Regression testing is the most common method for ensuring the quality of changed software. As UML models are widely used as design blueprints, model-based test case generation techniques can be used in regression test cases generation. However, test cases obtained from these techniques are usually represented as sequences of actions in abstract models, and heavy human efforts are needed to transform them into test cases accepted by software for execution. To reduce this effort, we present an approach to automatically generate executable test cases for regression testing based on activity diagrams. It combines a technique of activity diagrams based regression test cases classification to pick up retestable test cases, and a technique of feedback-directed test cases generation to generate test cases for new behaviors in changed software. We implement the tool MDRTGen to show the performance of the approach. The experiments show the good performance of the approach in improving the efficiency of test cases generation and decreasing the cost in regression testing.

Feedback-Directed Test Case Generation Based on UML Activity Diagrams

As UML models are widely used as design blueprints, model-based techniques can be used in test case generation. However, test cases obtained from these techniques are usually abstract test cases, represented as sequences of actions in abstract models, and heavy human efforts are needed to translate them into concrete test cases accepted by programs for execution. To reduce this effort, we present an approach to automatically generating executable test cases based on activity diagrams. It relates methods of classes in JAVA programs with activity nodes in their design models and instruments codes into JAVA programs to collect traces in execution. Regarding traces collected in execution as feedbacks, data classifiers that can predict test inputs impact on decision nodes in activity diagrams are constructed. Those data classifiers are used to guide the creation of new test inputs that can cover untouched paths in design models. Experiments show that the approach can greatly relieve testers burden in preparing test cases.

Run-time systems failure prediction via proactive monitoring

In run-time evolving systems, components may evolve while the system is being operated. Unsafe run-time changes may compromise the correct execution of the entire system. Traditional design-time verification techniques difficultly cope with run-time changes, and run-time monitoring may detect disfunctions only too late, when the failure arises. The desire would be to define advanced monitors with the ability to predict and prevent the potential errors happening in the future. In this direction, this paper proposes CASSANDRA, a new approach that by combining design-time and run-time analysis techniques, can “look ahead” in the near execution future, and predict potential failures. During run-time we on-the-fly construct a model of the future k-step global state space according to design-time specifications and the current execution state. Consequently, we can run-time check whether possible failures might happen in the future.