Page 1
Test Case Generation for Heap Inputs using
Separation Logic
Quang Loc Le
A joint work with many collaborators
NII Shonan Meeting Seminar 100, Japan
Oct 2, 2017
Loc Le (Teesside University) Program Testing using Separation Logic Oct 2, 2017 1 / 34

Page 2
Test Case Generation for Heap Inputs
Input: a Java program and its Precondition
Output: Valid test cases
Goal: high coverage

Page 3
Test Case Generation for Heap Inputs
Approach: Symbolic Execution
Path condition
Branching
SAT solver

Page 4
Test Case Generation for Heap Inputs
Symbolic Execution with Lazy Initialization
JPF - 2003: Assign values to heap inputs on demand
  1 x ← null
  2 x ← currentObj
  3 x ← newObj
BBE - 2004: with repOK
JBSE - 2015: with HEX logical precondition

Page 5
Test Case Generation for Heap Inputs
Symbolic Execution with Lazy Initialization
JPF - 2003
BBE - 2004
JBSE - 2015: with logical precondition for validation
only regular shape
no pure properties
bounded - unsound SAT for induction

Page 6
Test Case Generation for Heap Inputs
Symbolic Execution
Lazy Initialization with Least Fixed Point
SAT solver with induction reasoning

Page 7
Add two numbers represented by linked lists
pred list_pair(a,b) ≡ emp ∧ a=null ∧ b=null
  ∨ ∃n1,n2. a ↦ Node(_,n1) ∗ b ↦ Node(_,n2) ∗ list_pair(n1,n2)

Page 8
Add two numbers represented by linked lists
Input:
Program
```java
Node add(Node x, Node y) {
    Node dummyHead = new Node(0, null);
    Node z = dummyHead;
    while (x != null) {
        // The slide writes x.next + y.next, which does not type-check (Node + Node);
        // the value field is assumed to be named val, i.e. Node(val, next).
        z.next = new Node(x.val + y.val, null);
        x = x.next;
        y = y.next;
        z = z.next;
    }
    return dummyHead.next;
}
```
Precondition
list_pair(x, y)
Output: Test Cases
X=null ∧ Y=null
X ↦ Node(_,null) ∗ Y ↦ Node(_,null)

Page 9
Add two numbers represented by linked lists
```java
Node add(Node x, Node y) {
    Node dummyHead = new Node(0, null);
    Node z = dummyHead;
    while (x != null) {
        // The slide writes x.next + y.next, which does not type-check (Node + Node);
        // the value field is assumed to be named val, i.e. Node(val, next).
        z.next = new Node(x.val + y.val, null);
        x = x.next;
        y = y.next;
        z = z.next;
    }
    return dummyHead.next;
}
```
Path conditions (pc) at the loop head:
pc : ∃D,Z. list_pair(X,Y) ∗ D ↦ Node(_,null) ∧ Z=D
pc : ∃D,Z. (X=null ∧ Y=null) ∗ D ↦ Node(_,null) ∧ Z=D
pc : ∃D,Z,N1,N2. X ↦ Node(_,N1) ∗ Y ↦ Node(_,N2) ∗ list_pair(N1,N2) ∗ D ↦ Node(_,null) ∧ Z=D
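As an added example (not code from the talk), the generation-by-unfolding of slides 7 to 9 in Python: each unfolding depth of list_pair(x, y) is materialised as a concrete pair of lists, every case is checked against the precondition, and the transcribed add() is run to see which loop branches the cases cover. The Node field name val and the digit values filled into the unconstrained value fields are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Node:
    val: int                      # field name `val` is assumed; the slide writes Node(value, next)
    next: Optional["Node"] = None


def satisfies_list_pair(x: Optional[Node], y: Optional[Node]) -> bool:
    """Concrete check of the precondition list_pair(x, y) from slide 7:
    both null, or both point to a node and the tails are again a list pair."""
    if x is None and y is None:
        return True
    if x is None or y is None:
        return False
    return satisfies_list_pair(x.next, y.next)


def unfold_list_pair(max_depth: int) -> List[Tuple[Optional[Node], Optional[Node]]]:
    """One concrete test case per unfolding depth k = 0..max_depth.
    Depth 0 is the base disjunct (x = null ∧ y = null); depth k applies the
    inductive disjunct k times, so both lists have exactly k cells.  The value
    fields are unconstrained ('_') in the predicate, so constructed digits go in."""
    cases = []
    for k in range(max_depth + 1):
        x = y = None
        for i in reversed(range(k)):          # build each list from its tail
            x = Node(i % 10, x)
            y = Node((2 * i) % 10, y)
        cases.append((x, y))
    return cases


def add(x: Optional[Node], y: Optional[Node], trace: Set[str]) -> Optional[Node]:
    """The program under test (slide 8) transcribed to Python; `trace` records
    the outcomes of the loop condition as a branch-coverage measure."""
    dummy_head = Node(0)
    z = dummy_head
    while x is not None:
        trace.add("loop-body")
        z.next = Node(x.val + y.val)          # y is non-null here: guaranteed by list_pair
        x, y, z = x.next, y.next, z.next
    trace.add("loop-exit")
    return dummy_head.next


def to_digits(n: Optional[Node]) -> List[int]:
    out = []
    while n is not None:
        out.append(n.val)
        n = n.next
    return out


def run_generated_tests(max_depth: int = 2):
    """Run add() on every generated case; return the outputs and the set of
    loop branches covered.  Every case is valid by construction, which is the
    'Valid Test' property that lazy initialisation without the predicate lacks."""
    trace: Set[str] = set()
    results = []
    for x, y in unfold_list_pair(max_depth):
        assert satisfies_list_pair(x, y)
        results.append(to_digits(add(x, y, trace)))
    return results, trace
```

An input such as a one-cell x with a null y fails satisfies_list_pair, which is exactly the kind of case a generator unaware of the precondition would hand to add() and crash on.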

Page 10
Experimental Results
Benchmarks: 74 methods - Singly Linked List, Doubly Linked List, Stack, Binary Search Tree, and Red Black Tree from SIR; AVL Tree and AA Tree from Sireum/Kiasan; and the Gantt project from SUSHI (ISSTA 2017).
Valid Test: BBE (8.14%), JBSE (0.72%), ours (100%)
Coverage: BBE (38.01%), JBSE (33.23%), ours (99.1%)

Page 11
1 Program Testing
2 SAT Solver
  Syntax
  Problem
  Decidable Fragment
3 Conclusion

Page 12
A fragment of Separation Logic
Formula Φ ::= ∆ | Φ1 ∨ Φ2
∆ ::= ∃v̄. (κ ∧ π)
Spatial formula κ ::= emp | x ↦ c(v̄) | P(v̄) | κ1 ∗ κ2
Pure formula π ::= π1 ∧ π2 | α | φ
α: Pointer (Dis)Equalities
φ: Presburger arithmetic
P: inductive predicate. Predicate Definition: P(t̄) ≡ Φ
Warning: no pointer arithmetic and no magic wand

Page 13
Satisfiability Problem
Input: A formula ∆ in the fragment
Question: Is ∆ satisfiable?
Challenges:
Unbounded heaps
Infinite numerical domain

Page 14
Proof by Induction
Base case
Induction case
Cyclic Proof (J. Brotherston - UCL, J. Jaffar et al. - NUS)
Unfolding tree (figure): ∆0 → ∆11, ∆⋆12; ∆11 → ∆21, ∆22; ∆12 → ∆31, ∆⋆32 (⋆: ∆32 is linked back to ∆12)
Weaken ∆32 to ∆′32
Find σ s.t. ∆′32 σ ⇒ ∆12

Page 15
Cyclic Proof
From Entailment Problem (∆a ⊢ ∆c) to Satisfiability Problem (∆a ⊢ false)
Shape and Integer domains
link back simultaneously (CAV 2016)
Shape then Integer (CAV 2017)

Page 16
Our Approach - CAV 2017
Decision Procedure: Base Computation
Compute for each inductive predicate a finite representation that
precisely characterises its satisfiability.

Page 17
Base of Inductive Predicate: Example 1
Inductive predicate: Singly-linked list with size property
pred ll_size(root,n) ≡ emp ∧ root=null ∧ n=0
  ∨ ∃r,n1· root ↦ node(_,r) ∗ ll_size(r,n1) ∧ n=n1+1
Example:
base_P(ll_size(root,n)) ≡ {emp ∧ root=null ∧ n=0, root ↦ node(_,_) ∧ n>0}

Page 18
Projections
Inductive predicate: Singly-linked list with size property
pred ll_size(root,n) ≡ emp ∧ root=null ∧ n=0
  ∨ ∃r,n1· root ↦ node(_,r) ∗ ll_size(r,n1) ∧ n=n1+1
Spatial projection
ll_size^S(root) ≡ emp ∧ root=null
  ∨ ∃r· root ↦ node^S(r) ∗ ll_size^S(r)
Numerical projection
ll_size^N(n) ≡ n=0
  ∨ ∃n1· ll_size^N(n1) ∧ n=n1+1

Page 19
Phase 1: Cyclic Tree for Spatial projection
ll_size^S(root) ≡ emp ∧ root=null
  ∨ ∃r· root ↦ node^S(r) ∗ ll_size^S(r)
∆0 ≡ ll_size^S(root)
∆1 ≡ emp ∧ root=null
∆2 ≡ ∃r· root ↦ node^S(r) ∗ ll_size^S(r)
Unfolding tree (figure): ∆0 → ∆1, ∆2
Base: {emp ∧ root=null, root ↦ node(_,_)}
Why not continue unfolding?

Page 20
Foundation of Base Computation
For each formula, eliminating existentially quantified pointer-typed
variables produces an equi-satisfiable formula.
Example: ∆2 ≡ ∃r· root ↦ node^S(r) ∗ ll_size^S(r) is equi-satisfiable with
∆^b_2 ≡ ∃r· root ↦ node^S(r)

Page 21
Phase 2: Cyclic Tree for Numeric projection
ll_size^N(n) ≡ n=0
  ∨ ∃n1· ll_size^N(n1) ∧ n=n1+1
The cyclic tree for the numeric projection follows the same unfolding pattern as the one for the spatial projection.
π0 ≡ ll_size^N(n)
π1 ≡ n=0
π2 ≡ ∃n1· ll_size^N(n1) ∧ n=n1+1
Unfolding tree (figure): π0 → π1, π2
Base: {n=0, n>0}; find the closed form of ll_size^N(n1).

Page 22
Base Computation
Finite Representation: Base Formula (without inductive predicates)
Combining empty heap (emp), points-to (↦), spatial conjunction (∗) and Presburger Arithmetic
Example:
SAT ∆1 ≡ emp ∧ x=null ∧ n=0
UNSAT ∆2 ≡ x ↦ node(n,y) ∗ y ↦ node(n−1,null) ∧ x=y
The fragment of base formulas is decidable (Piskac, Wies and Zufferey - CAV 2013; Navarro and Rybalchenko - APLAS 2013)

Page 23
Base Computation
Given an inductive predicate P(x̄) ≡ Φ,
1 Construct a cyclic unfolding tree for ∆0 ≡ P(x̄)
2 Flatten the tree into a disjunctive set of base formulas
Cyclic unfolding tree (figure): ∆0 → ∆11, ∆⋆12; ∆11 → ∆21, ∆22; ∆12 → ∆31, ∆⋆32
Flattened tree (figure): ∆0 → ∆11, ∆^b_31; ∆11 → ∆21, ∆22
base_P(P(x̄)) ≡ {∆21, ∆^b_31}

Page 24
Constructing Cyclic Unfolding Tree
Given an inductive predicate P(x̄) ≡ Φ, construct an unfolding tree for ∆0 ≡ P(x̄) through iterations of two actions:
1 Choose an (open) leaf and close it if it can be reduced into a base formula, which is the case when:
  it is a base formula;
  it is a formula in which the pointer-typed parameters of every inductive predicate are existentially quantified;
  its over-approximation is unsat;
  it can be linked back to form a circular path.
2 Otherwise, unfold it.
Unfolding tree (figure): ∆0 → ∆11, ∆⋆12; ∆11 → ∆21, ∆22; ∆12 → ∆31, ∆⋆32

Page 25
Example 2: Constructing Cyclic Unfolding Tree
pred Q(x,y,n) ≡ ∃y1. x ↦ node(null,y1) ∧ y=null ∧ x≠null ∧ n=1
  ∨ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2;
∆0 ≡ Q(x,y,n)
1 Base Detection. None
2 Over-Approximation. π0 ≡ true. Not UNSAT
3 Cyclic Detection. None
Figure: Unfolding Tree T0, consisting of the single node ∆0.

Page 26
Example 2: Constructing Cyclic Unfolding Tree
pred Q(x,y,n) ≡ ∃y1. x ↦ node(null,y1) ∧ y=null ∧ x≠null ∧ n=1
  ∨ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2;
∆2 ≡ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2
∆3 ≡ ∃x1,y1,n1,y2. y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ y1=null ∧ x≠null ∧ n1=1 ∧ y≠null ∧ n=n1+2
∆4 ≡ ∃x1,y1,n1,x2,y2,n2. y ↦ node(x1,y1) ∗ y1 ↦ node(x2,y2) ∗ Q(x,y2,n2) ∧ y1≠null ∧ n1=n2+2 ∧ y≠null ∧ n=n1+2
1 Base Detection. ∆3
2 Over-Approximation. π4 ≡ ... Not UNSAT
3 Cyclic Detection. Yes
Figure: Unfolding tree T^Q_2: ∆0 → ∆1, ∆♣2; ∆2 → ∆3, ∆♣4 (♣: ∆4 is linked back to ∆2)

Page 27
Example 2: Constructing Cyclic Unfolding Tree
Cyclic Detection
∆2 ≡ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2
∆4 ≡ ∃x1,y1,n1,x2,y2,n2. y ↦ node(x1,y1) ∗ y1 ↦ node(x2,y2) ∗ Q(x,y2,n2) ∧ y1≠null ∧ n1=n2+2 ∧ y≠null ∧ n=n1+2
Steps
1 matching externally visible points-to predicates: y ↦ node(_,_)
2 matching externally visible inductive predicates: Q(x,_,_)
  In general, we may need to group isomorphic inductive predicates beforehand (same predicate name and same sequence of free arguments)
3 matching externally visible (dis)equalities over pointers: y≠null
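As an added example (not the author's code), the three matching steps of this slide over a small constructed formula AST: the leaf ∆4 links back to ∆2 because their externally visible points-to atoms, inductive-predicate atoms (existentials masked, isomorphic ones grouped as a multiset) and pointer disequalities coincide, while ∆3 and ∆0 do not match ∆2. The AST shape and the treatment of numeric constraints (ignored for matching) are assumptions.

```python
from collections import Counter
from typing import FrozenSet, Iterable, List, Tuple


def _bag(items: Iterable) -> FrozenSet:
    """Multiset as a hashable value, so two isomorphic predicate atoms
    (same name, same free arguments) are grouped rather than collapsed."""
    return frozenset(Counter(items).items())


class Formula:
    """Constructed AST for the fragment of slide 12: free and existentially
    quantified variables plus points-to, inductive-predicate and pointer
    disequality atoms (numeric constraints play no role in cyclic detection)."""

    def __init__(self, free, exists, points_to, preds, diseqs):
        self.free = frozenset(free)
        self.exists = frozenset(exists)
        self.points_to = list(points_to)   # (pointer, constructor, args)
        self.preds = list(preds)           # (predicate name, args)
        self.diseqs = list(diseqs)         # (lhs, rhs) meaning lhs ≠ rhs

    def _mask(self, v: str) -> str:
        # Existentially quantified variables are not externally visible.
        return "_" if v in self.exists else v

    def visible(self) -> Tuple[FrozenSet, FrozenSet, FrozenSet]:
        """Externally visible part, one component per matching step of slide 27."""
        pts = _bag((p, c, tuple(self._mask(a) for a in args))
                   for p, c, args in self.points_to if p in self.free)
        preds = _bag((name, tuple(self._mask(a) for a in args))
                     for name, args in self.preds)
        diseqs = _bag((l, r) for l, r in self.diseqs
                      if l not in self.exists and r not in self.exists)
        return pts, preds, diseqs


def links_back(leaf: Formula, ancestor: Formula) -> bool:
    """The leaf closes a cycle when its visible part coincides with the ancestor's."""
    return leaf.visible() == ancestor.visible()


def closing_ancestor(path: List[Formula]) -> int:
    """Index of the nearest proper ancestor that the last node of `path`
    links back to, or -1 when the leaf stays open and must be unfolded."""
    leaf = path[-1]
    for i in range(len(path) - 2, -1, -1):
        if links_back(leaf, path[i]):
            return i
    return -1


FREE = {"x", "y", "n"}
# Nodes of the unfolding tree for Q(x, y, n) from slides 25 and 26.
D0 = Formula(FREE, set(), [], [("Q", ("x", "y", "n"))], [])
D2 = Formula(FREE, {"x1", "y1", "n1"},
             [("y", "node", ("x1", "y1"))], [("Q", ("x", "y1", "n1"))], [("y", "null")])
D3 = Formula(FREE, {"x1", "y1", "n1", "y2"},
             [("y", "node", ("x1", "y1")), ("x", "node", ("null", "y2"))], [],
             [("x", "null"), ("y", "null")])
D4 = Formula(FREE, {"x1", "y1", "n1", "x2", "y2", "n2"},
             [("y", "node", ("x1", "y1")), ("y1", "node", ("x2", "y2"))],
             [("Q", ("x", "y2", "n2"))], [("y1", "null"), ("y", "null")])
```

closing_ancestor([D0, D2, D4]) returns 1, i.e. ∆4 is closed by the back-link to ∆2 rather than unfolded again.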

Page 28
Example 2: Flattening Cyclic Unfolding Tree
Cyclic unfolding tree (figure): ∆0 → ∆1, ∆♣2; ∆2 → ∆3, ∆♣4

Page 29
Example 2: Flattening Cyclic Unfolding Tree
Cyclic unfolding tree (figure): ∆0 → ∆1, ∆♣2; ∆2 → ∆3, ∆♣4
Unrolled tree (figure): ∆0 → ∆1, ∆2; ∆2 → ∆3, ∆4; ∆4 → ∆^1_3, ∆^1_4; ...
∆^flat_3 ≡ ∆3 ∨ ∆^1_3 ∨ ...
∆3 ≡ ∃x1,y1,n1,y2. (y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∧ (y1=null ∧ n1=1)
∆^1_3 ≡ ∃x1,y1,n1,x2,y2,n2,y3. (y ↦ node(x1,y1) ∗ x ↦ node(null,y3) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∗ (y1 ↦ node(x2,y2) ∧ y2=null ∧ n1=n2+2 ∧ n2=1)

Page 30
Example 2: Flattening Cyclic Unfolding Tree
Cyclic unfolding tree (figure): ∆0 → ∆1, ∆♣2; ∆2 → ∆3, ∆♣4
P_cyc(n1) ≡ n1=1 ∨ ∃n2. n1=n2+2 ∧ P_cyc(n2)
P_cyc(n1) ≡ ∃k. n1=2k+1 ∧ k≥0
∆^b_3 is equi-satisfiable to ∆^flat_3:
∆^b_3 ≡ ∃x1,y1,x2,y2,n1. (y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∧ (∃k. n1=2k+1 ∧ k≥0)

Page 31
Flattening Cyclic Unfolding Tree
Cyclic unfolding tree (figure): ∆0 → ∆1, ∆♣2; ∆2 → ∆3, ∆♣4
⟹
Flattened tree (figure): ∆0 → ∆1, ∆^b_3
base_P(Q(x,y,n)) ≡ {∆1, ∆^b_3}

Page 32
Proposed Decidable Fragment
An inductive predicate is in the proposed decidable fragment if all
  numerical projections of base leaves, and
  P_cyc predicates
are Presburger-definable (i.e., can be computed as Presburger formulas).
Some systems of arithmetic inductive predicates are Presburger-definable:
DPI (Tatsuta et al. - APLAS 2016)
periodic sets (Bozga et al. - CAV 2010)

Page 33
Conclusion
Test Input Generation using Separation Logic
A decision procedure for an extensible decidable fragment in separation logic including general inductive predicates and arithmetic
Base Computation:
Construct Unfolding Tree (figure): ∆0 → ∆11, ∆⋆12; ∆11 → ∆21, ∆22; ∆12 → ∆31, ∆⋆32
Flatten Unfolding Tree (figure): ∆0 → ∆11, ∆^b_31; ∆11 → ∆21, ∆22
base_P(P(v̄)) ≡ {∆21, ∆^b_31}

Page 34
Future Work
SAT solver
array separation logic with inductive predicates
extension of separation logic with string logic
Cyclic proof: ENT to SAT and now back to ENT
for bi-abduction problem
completeness