DASE: Document-Assisted Symbolic Execution for Improving Automated Test Generation
Software testing is crucial for uncovering software defects and ensuring software reliability. Symbolic execution has been utilized for automatic test generation to improve testing effectiveness. However, existing test generation techniques based on symbolic execution fail to take full advantage of programs' rich amount of documentation specifying their input constraints, which can further enhance the effectiveness of test generation.
In this thesis we propose a general approach, Document-Assisted Symbolic Execution (DASE), to improve automated test generation and bug detection. DASE leverages natural language processing techniques and heuristics to analyze programs' readily available documentation and extract input constraints. The input constraints are then used as pruning criteria; inputs far from being valid are trimmed off. In this way, DASE guides symbolic execution to focus on those inputs that are semantically more important.
We evaluated DASE on 88 programs from 5 mature real-world software suites: GNU Coreutils, GNU findutils, GNU grep, GNU Binutils, and elftoolchain. Compared to symbolic execution without input constraints, DASE increases line coverage, branch coverage, and call coverage by 5.27-22.10%, 5.83-21.25% and 2.81-21.43% respectively. In addition, DASE detected 13 previously unknown bugs, 6 of which have already been confirmed by developers after we reported to them.