The purpose of these sample questions is to prepare you for success on the midterm . These questions have been used on previous s in this course, and represent the range of difficulty and depth you should expect on the actual midterm. You should expect some  questions this semester to be similar to these questions, and some to be dissimilar.


We recommend that you use these questions as a companion to your lesson viewing sessions, and use them to help solidify your understanding as you progress through the course. This is generally more effective than reviewing these questions all at once just before the . We will release the solutions to these test preparation questions the week of the midterm .


Introduction to Software Analysis


Question 1.Static vs. Dynamic Analysis


a.State one advantage of static analysis over dynamic analysis.


b.State one advantage of dynamic analysis over static analysis.



Question 2. We may classify each program as either safe or unsafe. For instance, we may say that a program is safe if it does not dereference a null pointer in any execution, and unsafe if there exists an execution in which it will dereference a null pointer.


A software analysis is considered sound if whenever it reports a program as safe, the program is indeed safe. However, due to the undecidability of software analysis, a sound analysis may reject some safe programs. A sound analysis A is more precise than a sound analysis B if whenever analysis B accepts a program, analysis A also accepts that program.

image.png

Consider the above figure. Inside of the dotted (—) oval lies the set of all safe programs, and the outside of the oval denotes the set of all unsafe programs. The inside of each solid oval, labeled



A1 through A5, denotes the set of programs accepted by the corresponding analysis (e.g., these are five different null dereference checking analyses). Each analysis rejects all programs outside its corresponding oval.


Which of these five analyses are sound? List the sound analyses ordered by precision, i.e A6 > A7 > A8 indicates that A6, A7, and A8 are all sound, and A6 is more precise than A7, which is more precise than A8.


Introduction to Software Testing


Question 3. Consider a program P, and two test suites, X and Y for P. Test suite X covers set of branches Q in the program, while test suite Y covers set of branches R in the program. Suppose Q is a proper subset of R (Q ⊂ R).Which of the below statements are necessarily true?


A. Whenever a test in Y reaches a statement, some test in X also reaches that statement.


B. Whenever a test in X reaches a statement, some test in Y also reaches that statement.


C. Test suite Y has strictly higher path coverage than test suite X.


D. Test suite Y has strictly higher branch coverage than test suite X.


Question 4.Consider the Java function:


void copy(int[] src, int[] dst, int N) {


for (int i = 0; i < N; i++)


dst[i] = src[i];


}


Which of the below predicates is the function’s weakest possible precondition that prevent any null-pointer or array-out-of-bounds exceptions from being thrown?


NOTE:The expression X => Y is read: “X implies Y”. It is equivalent to (!X) OR Y.


A. N ≥ 0 ∧ src != null ∧ dst != null ∧ N < src.length ∧ N < dst.length


B. N ≥ 0 ∧ src != null ∧ dst != null ∧ N < src.length ∧ dst.length = src.length


C. N > 0 ⇒ (src != null ∧ dst != null ∧ N < src.length ∧ N < dst.length)


D. N > 0 ⇒ (src != null ∧ dst != null ∧ N < src.length ∧ dst.length = src.length)


Question 5. Consider a test suite consisting of three deterministic tests T1, T2, T3 for a correct program P. Since P is correct, it passes all the three tests. Suppose we have three mutants M1, M2, M3 of P such that: M1 fails T1 and T2; M2 fails none; and M3 fails T2 and T3.


Let M = P denote that M and P are equivalent. Likewise, let M != P denote that they are NOT equivalent.


a. Could it be possible that M1 = P? Justify your answer.



b. Mutation analysis will report M2 to the tester since it does not fail any test in the test suite. Which of the following actions are plausible for the tester to take given this information?


A. Determine if M2 == P, and if so, devise a new test case T4 on which M2 passes but P fails.


B. Determine if M2 != P, and if so, then ignore M2.


C. Determine if M2 != P, and if so, devise a new test case T4 on which P passes but M2 fails.


D. Determine if M2 == P, and if so, ignore M2.


Random Testing


Question 6. Consider the following concurrent program with two threads and shared variable x. Variables tmp1 and tmp2 are local to the respective threads. This program has a concurrency bug: it can lose an update to x.


Thread 1 Thread 2


1: tmp1=x 4: tmp2=x


2: tmp1=tmp1+1 5: tmp2=tmp2+1


3: x=tmp1 6: x=tmp2



a.Write one possible execution of the six statements that does not cause a concurrency bug.


b.Write one possible execution of the six statements that does trigger a concurrency bug.


c.What is the depth of the concurrency bug?


d.Specify the ordering constraints needed to trigger the bug.


Question 7. Consider the following pseudo-Java function, in which HashMap is used. A HashMap is a data structure that associates a value of type V to a key of type K. The value


v associated with a key k can be set with the API call put(k, v), and the value associated with the key k is returned by the API call get(k). For this problem, if no value has been associated


with k,then assumeget(k)returns0.


double charRatio(String s, char a, char b) { int N = s.length();


HashMap


char c = s.charAt(i);


int v = counts.get(c);


counts.put(c, v+1);


}


return counts.get(a) / counts.get(b);


}



Describe how you could use a fuzzer to test this function. What bugs would you expect a fuzzer to identify in this function? What bugs would be more challenging for a fuzzer to identify? Explain your reasoning fully, including any assumptions you are making.


Automated Test Generation


Question 8.Consider the following class:


public class Lock {


private final static int UNLOCKED = 0;


private final static int LOCKED = 1;


private int state;


public Lock() { state = UNLOCKED; }


public void acquire() { assert(state == UNLOCKED); state = LOCKED; } public void release() { assert(state == LOCKED); state = UNLOCKED; } public int getState() { return state; }


}


Consider each of the below five tests individually. Answer whether that test can ever possibly be generated by Randoop. If yes, explain whether Randoop 1. Discards the test as illegal, or 2. Reports the test as a bug, or 3.Adds the test to components for future extension.


For simplicity, assume that Randoop does not check for redundancy, and that the contracts it checks (not shown for brevity) are standard ones (e.g., equals and hashCode).


#

Test

Can ever be generated?

If yes, what outcome?

1.

Lock l = new Lock();

A.Yes

B.No

1.Discards

2.Reports

3.Adds

l.acquire();

l.release();

Lock l = new Lock();

2.

int s = l.getState();

A.Yes

B.No

1.Discards

2.Reports

3.Adds

if (s == 0)

l.acquire();

3.

Lock l = new Lock();

A.Yes

B.No

1.Discards

2.Reports

3.Adds

l.release();

4.

Lock l = new Lock();

A.Yes

B.No

1.Discards

2.Reports

3.Adds

l.release();

l.acquire();