International Conference on Tools and Algorithms for the Construction and Analysis of Systems

TACAS 2009: Tools and Algorithms for the Construction and Analysis of Systems pp 277-291

Test Input Generation for Programs with Pointers

  • Dries Vanoverberghe
  • Nikolai Tillmann
  • Frank Piessens
Conference paper

DOI: 10.1007/978-3-642-00768-2_25

Volume 5505 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Vanoverberghe D., Tillmann N., Piessens F. (2009) Test Input Generation for Programs with Pointers. In: Kowalewski S., Philippou A. (eds) Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2009. Lecture Notes in Computer Science, vol 5505. Springer, Berlin, Heidelberg

Abstract

Software testing is an essential process to improve software quality in practice. Researchers have proposed several techniques to automate parts of this process. In particular, symbolic execution can be used to automatically generate a set of test inputs that achieves high code coverage.

However, most state-of-the-art symbolic execution approaches cannot directly handle programs whose inputs are pointers, as is often the case for C programs. Automatically generating test inputs for pointer manipulating code such as a linked list or balanced tree implementation remains a challenge. Eagerly enumerating all possible heap shapes forfeits the advantages of symbolic execution. Alternatively, for a tester, writing assumptions to express the disjointness of memory regions addressed by input pointers is a tedious and labor-intensive task.

This paper proposes a novel solution for this problem: by exploiting type information, disjointness constraints that characterize permissible configurations of typed pointers in byte-addressable memory can be automatically generated. As a result, the constraint solver can automatically generate relevant heap shapes for the program under test. We report on our experience with an implementation of this approach in Pex, a dynamic symbolic execution framework for .NET. We examine two different symbolic representations for typed memory, and we discuss the impact of various optimizations.

Keywords

Test input generationsymbolic executionpointers
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Dries Vanoverberghe
    • 1
  • Nikolai Tillmann
    • 2
  • Frank Piessens
    • 1
  1. 1.Katholieke Universiteit LeuvenBelgium
  2. 2.Microsoft ResearchRedmondUSA