Slide 1

SYMBOLIC EXECUTION OF HIGH-LEVEL TRANSFORMATIONS
Ahmad Salim Al-Sibahi, Aleksandar S. Dimovski & Andrzej Wąsowski
01/11/2016

Slide 2

LOOKING AT A BIG AUTOMATED REFACTORING PROJECT

Slide 3

Our Goal: Automated White-box Test Generation for High-Level Transformations

Slide 4

EXAMPLE: THE RENAME-FIELD REFACTORING

Before:

    class Account {
      Id id;
      Money credit;
      membershipLevel() { return max(100, this.credit / 100); }
      eq(Account o) { return this.credit == o.credit && this.id == o.id; }
    }

rename credit to balance in Account

After:

    class Account {
      Id id;
      Money balance;
      membershipLevel() { return max(100, this.balance / 100); }
      eq(Account o) { return this.balance == o.balance && this.id == o.id; }
    }

Slide 5

RENAME-FIELD REFACTORING IN TRON

    # input
    class: Class, old_field: Field, new_field: Field

    # precondition
    old_field ∈ class.fields ∧ new_field ∉ class.fields

    # refactoring program
    class.fields := (class.fields \ old_field) ∪ new_field
    foreach faexpr ∈ class match⋆ FieldAccessExpr do
      if (faexpr.field = old_field ∧ faexpr.target.type = class)
      then faexpr.field := new_field
      else skip

Slide 6

SYMBOLIC EXECUTION

Slide 7

SYMBOLIC EXECUTION – CONCRETE INPUT

    class Account {
      Id id;
      Money credit;
      membershipLevel() { return max(100, this.credit / 100); }
      eq(Account o) { return this.credit == o.credit && this.id == o.id; }
    }

Slide 8

SYMBOLIC EXECUTION – STRUCTURED SYMBOLIC INPUT

(diagram: a single symbolic class node whose name, fields and methods are all unknown, labelled name?, Fields?, Methods?)

Slide 9

SYMBOLIC EXECUTION – UPDATING STATE

(diagram: two symbolic states, each a class node with name?, Fields?, Methods? and variables c and fs; the transition between them is the assignment fs := c.fields, after which fs points at the symbolic field set of c)

Slide 10

SYMBOLIC EXECUTION – BRANCHING

(diagram: from one symbolic state with variables c and fs, execution branches on the symbolic set fs. On the path fs = ∅ the field set is concretely empty; on the path fs ≠ ∅ a fresh symbolic element f? is drawn from fs)

Slide 11

EXECUTING EXAMPLE

Slide 12

EXPLORING A SYMBOLIC PATH OF RENAME FIELD

    class.fields := (class.fields \ old_field) ∪ new_field
    foreach faexpr ∈ class match⋆ FieldAccessExpr do
      if (faexpr.field = old_field ∧ faexpr.target.type = class)
      then faexpr.field := new_field
      else skip

(diagram: the initial symbolic state has a class node with name?, Fields?, Methods? and the input variables class, old_field (of?) and new_field (nf?); after the first statement the field set of class contains nf? in place of of?)

Slide 13

EXPLORING A SYMBOLIC PATH OF RENAME FIELD (continued; same program as slide 12)

(diagram: the match⋆ FieldAccessExpr query introduces a symbolic set FieldAccessExprs? of all field-access expressions contained in the class node)

Slide 14

EXPLORING A SYMBOLIC PATH OF RENAME FIELD (continued; same program as slide 12)

(diagram: on the non-empty branch a symbolic element fae? is drawn from FieldAccessExprs? and bound to faexpr; its target?, the target's type and its field are still unknown)

Slide 15

EXPLORING A SYMBOLIC PATH OF RENAME FIELD (continued; same program as slide 12)

(diagram: the if-guard is evaluated on fae?; on the shown path its field is constrained to equal old_field and its target's type to equal class)

Slide 16

EXPLORING A SYMBOLIC PATH OF RENAME FIELD (continued; same program as slide 12)

(diagram: the then-branch performs the strong field update faexpr.field := new_field, so the field link of fae? now points at nf?)

Slide 17

EXPLORING A SYMBOLIC PATH OF RENAME FIELD – 2nd iteration! (same program as slide 12)

(diagram: the loop returns to the branching point over the remaining FieldAccessExprs?; the state carries the already renamed fae? together with class, old_field (of?) and new_field (nf?))

Slide 18

TEST GENERATION

• In practice a program can have infinitely many symbolic paths, so we bound the exploration
• We must additionally keep track of the initial shape of the structure, so that an input can be generated for each test
• A model finder converts the symbolic paths into concretely executable test cases

Slide 19

IMPORTANT OPTIMIZATIONS THAT MAKE OUR TECHNIQUE WORK IN PRACTICE

• Set expressions
• Type-directed matching
• Abstraction over element types and cardinality
• Encoding operations in the solver using the native theory of sets
• Strong field updates
• Lazy initialisation, separating reasoning about shapes from aliasing
• First-class handling of containment links
• Lazy iteration over symbolic sets
• Deep containment constraints

Slide 20

SYMEXTRON: FORMAL RULES

Slide 21

EVALUATION

Slide 22

EVALUATION RESULTS

(bar chart: branch coverage (%) of test generators, y-axis 0–100, one bar per program for the black-box and the white-box generator)

Programs range in size from 65–134 lines of code

Slide 23

EVALUATION RESULTS

(bar chart: meta-model coverage (%) of test generators, y-axis 0–100, one bar per program for the black-box and the white-box generator)

Slide 24

EFFECTIVENESS AND EXTENSIBILITY

• Symbolic execution is effective for test generation
• Easy to extend to support more complex properties
• Possible to use for verification
• Currently allows k-bounded reachability property checking
• Over-approximation of loops would further allow checking universal properties
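The following is an added worked example, not code from the talk or from the SymexTRON tool. It models in Python the rename-field program of slide 5, the lazy branching over a symbolic set of slide 10, the bounded path exploration and model finding of slide 18, and the k-bounded property check of slide 24. The class model (a class is a name, a field set and the tuple of field-access expressions found by match⋆), the constructed `Account` input, the decision labels and the enumeration-based "model finder" are all my assumptions; SymexTRON encodes sets in a solver instead of enumerating them.

```python
# Constructed illustration of slides 5, 10, 18 and 24: the concrete rename-field
# refactoring, a bounded symbolic exploration of its foreach loop, a toy model
# finder that turns every explored path into a test case, and a k-bounded check
# of a property on the result.  Example code, not SymexTRON or its TRON interpreter.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class FieldAccessExpr:
    target_type: str   # static type of the receiver, e.g. "Account" for this.credit
    field: str         # name of the accessed field


@dataclass(frozen=True)
class Class:
    name: str
    fields: FrozenSet[str]
    accesses: Tuple[FieldAccessExpr, ...]   # all FieldAccessExprs found by match* in the class


def precondition_holds(cls: Class, old_field: str, new_field: str) -> bool:
    """old_field ∈ class.fields ∧ new_field ∉ class.fields (slide 5)."""
    return old_field in cls.fields and new_field not in cls.fields


def rename_field(cls: Class, old_field: str, new_field: str) -> Class:
    """Concrete semantics of the TRON program on slide 5, precondition enforced."""
    if not precondition_holds(cls, old_field, new_field):
        raise ValueError("precondition violated")
    fields = (cls.fields - {old_field}) | {new_field}
    accesses = tuple(
        FieldAccessExpr(a.target_type, new_field)
        if a.field == old_field and a.target_type == cls.name else a
        for a in cls.accesses)
    return Class(cls.name, fields, accesses)


# Symbolic side.  Lazily iterating the symbolic set of FieldAccessExprs means each
# step first branches on "set empty / set non-empty" (slide 10); a non-empty set
# yields a fresh symbolic element fae? on which the if-guard branches again.  A path
# is the tuple of guard decisions taken, closed by the loop-exit constraint.
GUARD_TRUE = "fae.field = old_field ∧ fae.target.type = class"
GUARD_FALSE = "¬(" + GUARD_TRUE + ")"
EXIT = "fs = ∅"


def explore(bound: int) -> List[Tuple[str, ...]]:
    """Enumerate path conditions of the foreach loop, drawing at most `bound` elements."""
    paths: List[Tuple[str, ...]] = []

    def go(path: Tuple[str, ...]) -> None:
        paths.append(path + (EXIT,))          # the path on which the remaining set is empty
        if len(path) < bound:                 # bounded exploration (slide 18)
            for decision in (GUARD_TRUE, GUARD_FALSE):
                go(path + (decision,))

    go(())
    return paths


def concretize(path, class_name="Account", old="credit", new="balance"):
    """Toy model finder: the smallest concrete input satisfying a path condition, plus
    the expected output read off the final symbolic state (matched elements renamed,
    all others untouched).  Real SymexTRON asks a solver for the model instead."""
    accesses, expected = [], []
    for decision in path[:-1]:
        if decision == GUARD_TRUE:
            accesses.append(FieldAccessExpr(class_name, old))
            expected.append(FieldAccessExpr(class_name, new))
        else:  # one way to falsify the guard: same field name on a different type
            accesses.append(FieldAccessExpr("Other", old))
            expected.append(FieldAccessExpr("Other", old))
    inp = Class(class_name, frozenset({old}), tuple(accesses))
    out = Class(class_name, frozenset({new}), tuple(expected))
    return inp, out


def generate_and_run(bound: int) -> int:
    """One test per explored path; run the refactoring and return how many passed."""
    return sum(rename_field(inp, "credit", "balance") == expected
               for inp, expected in (concretize(p) for p in explore(bound)))


def no_stale_access(bound: int) -> bool:
    """k-bounded reachability check (slide 24): on no path up to `bound` does the
    refactored class still access old_field through a receiver of its own type."""
    for path in explore(bound):
        inp, _ = concretize(path)
        out = rename_field(inp, "credit", "balance")
        if any(a.field == "credit" and a.target_type == out.name for a in out.accesses):
            return False
    return True


# Constructed concrete input: the Account class of slide 4.  membershipLevel reads
# this.credit once; eq reads this.credit, o.credit, this.id and o.id.
ACCOUNT = Class("Account", frozenset({"id", "credit"}), (
    FieldAccessExpr("Account", "credit"),
    FieldAccessExpr("Account", "credit"), FieldAccessExpr("Account", "credit"),
    FieldAccessExpr("Account", "id"), FieldAccessExpr("Account", "id")))

if __name__ == "__main__":
    print(rename_field(ACCOUNT, "credit", "balance"))
    print(len(explore(2)), "paths,", generate_and_run(2), "generated tests pass,",
          "no stale access:", no_stale_access(2))
```

With bound 2 the exploration yields seven paths (exit immediately, one element with the guard true or false, or two elements in each of the four combinations), and every path becomes one concrete test. The guard's `target.type = class` conjunct is what keeps the toy model finder's `Other.credit` access untouched; dropping it from `rename_field` makes the generated tests for the `GUARD_FALSE` paths fail, which is exactly the kind of defect white-box test generation is meant to surface.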

Slide 25

CONCLUSION

Slide 26

TOOL

http://models-team.github.io/SymexTRON/