JMLKelinci+: Detecting Semantic Bugs and Covering Branches with Valid Inputs using Coverage-Guided Fuzzing and Runtime Assertion Checking

IF 1.4 4区计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Formal Aspects of Computing Pub Date : 2023-08-05 DOI:10.1145/3607538

Amirfarhad Nilizadeh, Gary T. Leavens, C. Pasareanu, Yannic Noller

{"title":"JMLKelinci+: Detecting Semantic Bugs and Covering Branches with Valid Inputs using Coverage-Guided Fuzzing and Runtime Assertion Checking","authors":"Amirfarhad Nilizadeh, Gary T. Leavens, C. Pasareanu, Yannic Noller","doi":"10.1145/3607538","DOIUrl":null,"url":null,"abstract":"Testing to detect semantic bugs is essential, especially for critical systems. Coverage-guided fuzzing (CGF) and runtime assertion checking (RAC) are two well-known approaches for detecting semantic bugs. CGF aims to generate test inputs with high code coverage. However, while CGF tools can be equipped with sanitizers to detect a fixed set of semantic bugs, they can otherwise only detect bugs that lead to a crash. Thus, the first problem we address is how to help fuzzers detect previously unknown semantic bugs that do not lead to a crash. Moreover, a CGF tool may not necessarily cover all branches with valid inputs, although invalid inputs are useless for detecting semantic bugs. So, the second problem is how to guide a fuzzer to maximize coverage using only valid inputs. On the other hand, RAC monitors the expected behavior of a program dynamically and can only detect a semantic bug when a valid test input shows that the program does not satisfy its specification. Thus, the third problem is how to provide high-quality test inputs for a RAC that can trigger potential bugs. The combination of a CGF tool and RAC solves these problems and can cover branches with valid inputs and detect semantic bugs effectively. Our study uses RAC to guarantee that only valid inputs reach the program under test using the program’s specified preconditions and it also uses RAC to detect semantic bugs using specified postconditions. A prototype tool was developed for this study, named JMLKelinci+. Our results show that combining a CGF tool with RAC will lead to executing the program under test only with valid inputs and that this technique can effectively detect semantic bugs. Also, this idea improves the feedback given to a CGF tool, enabling it to cover all branches faster in programs with non-trivial preconditions.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"1 1","pages":""},"PeriodicalIF":1.4000,"publicationDate":"2023-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Formal Aspects of Computing","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3607538","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 1

Abstract

Testing to detect semantic bugs is essential, especially for critical systems. Coverage-guided fuzzing (CGF) and runtime assertion checking (RAC) are two well-known approaches for detecting semantic bugs. CGF aims to generate test inputs with high code coverage. However, while CGF tools can be equipped with sanitizers to detect a fixed set of semantic bugs, they can otherwise only detect bugs that lead to a crash. Thus, the first problem we address is how to help fuzzers detect previously unknown semantic bugs that do not lead to a crash. Moreover, a CGF tool may not necessarily cover all branches with valid inputs, although invalid inputs are useless for detecting semantic bugs. So, the second problem is how to guide a fuzzer to maximize coverage using only valid inputs. On the other hand, RAC monitors the expected behavior of a program dynamically and can only detect a semantic bug when a valid test input shows that the program does not satisfy its specification. Thus, the third problem is how to provide high-quality test inputs for a RAC that can trigger potential bugs. The combination of a CGF tool and RAC solves these problems and can cover branches with valid inputs and detect semantic bugs effectively. Our study uses RAC to guarantee that only valid inputs reach the program under test using the program’s specified preconditions and it also uses RAC to detect semantic bugs using specified postconditions. A prototype tool was developed for this study, named JMLKelinci+. Our results show that combining a CGF tool with RAC will lead to executing the program under test only with valid inputs and that this technique can effectively detect semantic bugs. Also, this idea improves the feedback given to a CGF tool, enabling it to cover all branches faster in programs with non-trivial preconditions.

查看原文本刊更多论文

JMLKelinci+:使用覆盖率引导模糊测试和运行时断言检查检测语义错误并覆盖具有有效输入的分支

检测语义错误的测试是必不可少的，特别是对于关键系统。覆盖率引导的模糊测试(CGF)和运行时断言检查(RAC)是检测语义错误的两种众所周知的方法。CGF旨在生成具有高代码覆盖率的测试输入。然而，尽管CGF工具可以配备杀菌器来检测一组固定的语义错误，但它们只能检测导致崩溃的错误。因此，我们要解决的第一个问题是如何帮助fuzzers检测以前未知的语义错误，而不会导致崩溃。此外，CGF工具不一定覆盖所有具有有效输入的分支，尽管无效输入对于检测语义错误是无用的。所以，第二个问题是如何引导模糊器只使用有效的输入来最大化覆盖范围。另一方面，RAC动态地监视程序的预期行为，并且只能在有效的测试输入显示程序不满足其规范时检测语义错误。因此，第三个问题是如何为可能触发潜在错误的RAC提供高质量的测试输入。CGF工具和RAC的组合解决了这些问题，可以用有效的输入覆盖分支，并有效地检测语义错误。我们的研究使用RAC来保证只有有效的输入才能使用程序指定的前提条件到达被测程序，它还使用RAC来检测使用指定后置条件的语义错误。为此研究开发了一个原型工具，命名为JMLKelinci+。我们的结果表明，将CGF工具与RAC相结合将导致仅使用有效输入执行被测程序，并且该技术可以有效地检测语义错误。此外，这个想法改进了给予CGF工具的反馈，使它能够在具有重要前提条件的程序中更快地覆盖所有分支。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Formal Aspects of Computing 工程技术-计算机：软件工程

CiteScore

3.30

自引率

0.00%

发文量

审稿时长

>12 weeks

期刊介绍： This journal aims to publish contributions at the junction of theory and practice. The objective is to disseminate applicable research. Thus new theoretical contributions are welcome where they are motivated by potential application; applications of existing formalisms are of interest if they show something novel about the approach or application. In particular, the scope of Formal Aspects of Computing includes: well-founded notations for the description of systems; verifiable design methods; elucidation of fundamental computational concepts; approaches to fault-tolerant design; theorem-proving support; state-exploration tools; formal underpinning of widely used notations and methods; formal approaches to requirements analysis.