文档协助在线汇总问题答案：Solutions to Midterm Exam Preparation QuestionsIn the following document, the text in blueis the solution to the question above. In some cases, there may be other responses that would be considered correct or partially correct.Introduction to Software AnalysisQuestion 1.Static vs. Dynamic Analysisa.State one advantage of static analysis over dynamic analysis.Answer: Static analysis may achieve soundness it is possible to design an analysis that does not miss an error in a program, even if some of errors reported may be false positives.Since static analysis does not require the program to be run, the cost to analyze a piece of software is proportional to its code size, not it’s runtime.Since static analysis does not require the program to be run, it can be performed on a machine without requiring that machine to be able to run the code.b.State one advantage of dynamic analysis over static analysis.Answer: Dynamic analysis may achieve completeness it is possible to design an analysis that will only report errors that can be triggered in a concrete execution of the program, even if some errors may be undiscovered due to limitations on the number of runs inspected.Since dynamic analysis is performed by observing a concrete run of a program, bugs found using this method are typically easy to report / reproduce.Note that there may be other acceptable answers to both parts of this question.Question 2. We may classify each program as either safe or unsafe. For instance, we may saythat a program is safe if it does not dereference a null pointer in any execution, and unsafe if there exists an execution in which it will dereference a null pointer.A software analysis is considered sound if whenever it reports a program as safe, the program is indeed safe. However, due to the undecidability of software analysis, a sound analysis may reject some safe programs. A sound analysis A is more precise than a sound analysis B if whenever analysis B accepts a program, analysis A also accepts that program.Consider the above figure. Inside of the dotted ( ) oval lies the set of all safe programs, and the outside of the oval denotes the set of all unsafe programs. The inside of each solid oval, labeled A1 through A5, denotes the set of programs accepted by the corresponding analysis (e.g., these are five different null dereference checking analyses). Each analysis rejects all programs outside its corresponding oval.Which of these five analyses are sound? List the sound analyses ordered by precision, i.e A6 A7 A8 indicates that A6, A7, and A8 are all sound, and A6 is more precise than A7, which is more precise than A8.Answer: A1 and A2 are the only analyses that can be considered sound. The other analyses include unsafe programs (their oval covers regions outside the dotted oval) in the set of programs they will accept, which means the analysis is unsound.A2 A1, because A2 will accept any program that is safe that will also be accepted by A1, and more (A2 completely contains A1 in the diagram).Introduction to Software TestingQuestion 3. Consider a program P, and two test suites, X and Y for P. Test suite X covers set ofbranches Q in the program, while test suite Y covers set of branches R in the program. SupposeQ is a proper subset of R (Q⊂R).Which of the below statements are necessarily true?A. Whenever a test in Y reaches a statement, some test in X also reaches that statement.B. Whenever a test in X reaches a statement, some test in Y also reaches that statement.C. Test suite Y has strictly higher path coverage than test suite X.D. Test suite Y has strictly higher branch coverage than test suite X.Answer: B, DC is not a correct answer. It is possible for Y to cover more branches in a program than X without covering more paths through the program. Question 4.Consider the Java function:void copy(int[] src, int[] dst, int N) {for (int i = 0; i i++)dst[i] = src[i];}Which of the below predicates is the function’s weakest possible precondition that prevent any null-pointer or array-out-of-bounds exceptions from being thrown?NOTE:The expression X = Y is read: “X implies Y”. It is equivalent to (!X) OR Y.A.N ≥ 0 ∧src != null ∧dst != null ∧N src.length ∧N dst.lengthB.N ≥ 0 ∧src != null ∧dst != null ∧N src.length ∧dst.length = src.lengthC.N 0 ⇒(src != null ∧dst != null ∧N src.length ∧N dst.length)D.N 0 ⇒(src != null ∧dst != null ∧N src.length ∧dst.length = src.length)Answer: CQuestion 5. Consider a test suite consisting of three deterministic tests T1, T2, T3 for a correctprogram P. Since P is correct, it passes all the three tests. Suppose we have three mutants M1, M2, M3 of P such that: M1 fails T1 and T2; M2 fails none; and M3 fails T2 and T3.Let M = P denote that M and P are equivalent. Likewise, let M != P denote that they are NOT equivalent.a. Could it be possible that M1 = P? Justify your answer.Answer: Nob. Mutation analysis will report M2 to the tester since it does not fail any test in the test suite.Which of the following actions are plausible for the tester to take given this information?A. Determine if M2 == P, and if so, devise a new test case T4 on which M2 passes but P fails.B. Determine if M2 != P, and if so, then ignore M2.C. Determine if M2 != P, and if so, devise a new test case T4 on which P passes but M2 fails.D. Determine if M2 == P, and if so, ignore M2.Answer: C, DRandom TestingQuestion 6. Consider the following concurrent program with two threads and shared variable x.Variables tmp1 and tmp2 are local to the respective threads. This program has a concurrency bug: it can lose an update to x. Thread1 Thread21:tmp1=x 4:tmp2=x2:tmp1=tmp1+1 5:tmp2=tmp2+13:x=tmp1 6:x=tmp2a.Write one possible execution of the six statements that does not cause a concurrency bug.Answer: Any order which performs a read and a write before the second read, e.g., 1 2 3 4 5 6 OR 4 5 6 1 2 3.b.Write one possible execution of the six statements that does trigger a concurrency bug.Answer: Any order which performs both reads before any write, e.g., 1 4 2 5 3 6.c.What is the depth of the concurrency bug?Answer: 2d.Specify the ordering constraints needed to trigger the bug.Answer: (4, 3) (1, 6)Question 7. Consider the following pseudo-Java function, in whichHashMapisused.A HashMapisa data structure that associates a value of type Vtoa key of type K.Thevaluev associatedwith a keyk canbe set with the API callput(k, v),andthe value associated withthe key kisreturned by the API call get(k).Forthis problem, if no value has been associatedwith k,then assumeget(k)returns0.double charRatio(String s, char a, char b) { int N = s.length();HashMapchar c = s.charAt(i);int v = counts.get(c);counts.put(c, v+1);}return counts.get(a) / counts.get(b);}Describe how you could use a fuzzer to test this function. What bugs would you expect a fuzzer to identify in this function? What bugs would be more challenging for a fuzzer to identify? Explain your reasoning fully, including any assumptions you are making. Answer: There are three main bugs in this program: the possibility of a null dereference if s == null, the possibility of a division by zero when b doesn t appear in the input string, and the possibility of counts.get(a) / counts.get(b) not equaling the correct ratio of a s to b s in the input string due to integer division.Fuzzing would likely quickly detect the division-by-zero error by generating a string s with no instances of the char b. This would depend on the implementation of the fuzzer. If the fuzzer only generated 0 and 1 s, then it would likely be difficult for b not to appear in s. On the other hand, if the fuzzer uniformly generated legal strings of length 100 from the ASCII character set (and b were uniformly chosen from the ASCII character set), then there would be a 45% chance of the bug being triggered. (As the length of the input string grows, the probability of selecting b so that b were not in s would vanish quickly, though.)The null-dereference error would also likely be caught by the fuzzer using a similar argument.The integer division bug would be harder to detect, as fuzzing does not generally entail matching the output of a function against an expected output: we usually just give the function random strings until we detect a crash.Automated Test GenerationQuestion 8.Consider the following class:public class Lock {private final static int UNLOCKED = 0;private final static int LOCKED = 1;private int state;public Lock() { state = UNLOCKED; }public void acquire() { assert(state == UNLOCKED); state = LOCKED; } public void release() { assert(state == LOCKED); state = UNLOCKED; } public int getState() { return state; }}Consider each of the below five tests individually. Answer whether that test can ever possibly begeneratedby Randoop. If yes, explain whether Randoop 1.Discards the test as illegal, or 2.Reports the test as a bug, or 3.Adds the test to components for future extension.For simplicity, assume that Randoop does not check for redundancy, and that the contracts it checks (not shown for brevity) are standard ones (e.g., equals and hashCode).

所有的编程代写范围：essayghost为美国、加拿大、英国、澳洲的留学生提供C语言代写、代写C语言、C语言代做、代做C语言、数据库代写、代写数据库、数据库代做、代做数据库、Web作业代写、代写Web作业、Web作业代做、代做Web作业、Java代写、代写Java、Java代做、代做Java、Python代写、代写Python、Python代做、代做Python、C/C++代写、代写C/C++、C/C++代做、代做C/C++、数据结构代写、代写数据结构、数据结构代做、代做数据结构等留学生编程作业代写服务。