Advertisement

Symbiotic 3: New Slicer and Error-Witness Generation

(Competition Contribution)
  • Marek ChalupaEmail author
  • Martin Jonáš
  • Jiri Slaby
  • Jan Strejček
  • Martina Vitovská
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9636)

Abstract

Symbiotic  3 is a new generation of a bug-detection tool for C programs. The tool sticks to the combination of program instrumentation, slicing, and symbolic execution. Large parts of the tool are rewritten, in particular the managing and instrumentation scripts and slicer (including points-to analysis). Further, the symbolic executor Klee has been modified to produce error-witnesses. The changes are commented in the description of the tool workflow.

1 Verification Approach and Software Architecture

As the previous versions of Symbiotic  [7, 9], the new version also follows the approach suggested in [8]: an analyzed program is (i) instrumented with code that tracks a finite-state machine describing erroneous behaviors, (ii) reduced by slicing [10] that removes code not influencing the state machine moves, and (iii) symbolically executed [6] to find erroneous runs in the program.
Fig. 1.

Workflow of Symbiotic  3. Dashed lines represent C programs, solid lines llvm bytecode, and dotted lines text data.

The workflow of Symbiotic  3 (together with indication of chosen programming languages and employed external tools with their respective versions) is provided in Fig. 1. Our tool currently focuses on the Error Function Unreachability property (however, the approach can handle the other properties as well and we plan to support them in near future). The code cleanup modifies the C source (e.g. to bypass the known bug in clang where inlined functions are omitted). The program is then translated to llvm, checked for unsupported functionality (e.g. creation of new threads), and instrumented. As we support only the unreachability property, the instrumentation is trivial. This step makes also another small modifications of the program, e.g. each allocated variable is initialized to a nondeterministic value (to solve problems with uninitialized variables appearing in some benchmarks). After linking with lib.bc (which contains our definitions of __VERIFIER_* functions) and some optimization passes, namely control flow graph optimization and constant propagation, we slice the program.

The slicer in Symbiotic 3 is written from scratch. While the previous slicer followed the slicing algorithm of [10], the current one implements slicing based on dependence graphs [3, 5]. The slicer relies on field-sensitive, flow-insensitive points-to analysis (extended with an “unknown offset” value), which has been also reimplemented. The new slicer is substantially faster than the previous one.

The sliced program is optimized again (with passes similar to -O2 optimization level) and symbolically executed with our fork of Klee  [1]. We modified it to stop the computation when assertion violation is detected and to produce the corresponding error witness. The exact versions of Klee and the solvers stp  [4] and MiniSat  [2] called by Klee can be found in the Symbiotic  3 distribution. Finally, the Klee output is translated into the required form. In particular, a witness is translated to the GraphML format by a Perl script.

2 Strengths and Weaknesses

The main strengths of the approach are its soundness and universality; the approach can be applied also to the Concurrency benchmarks and these with more complex properties, which are currently not supported by our implementation (and thus skipped). Another advantage is the modularity of the tool architecture.

The main disadvantage is the high computational cost of symbolic execution. Especially programs with loops, recursion, or intensive branching cannot be analyzed within reasonable time unless an erroneous execution is detected soon. The fundamental problem are programs with infinite paths as these cannot be fully symbolically executed in finite time.

3 Tool Setup and Configuration

  • Download: https://github.com/staticafi/symbiotic/releases/tag/3.0.1

  • Installation: Unpack the archive. Further, gcc 4.9 or higher, GNU utils (sed), python 2.7, and perl with the XML::Writer module are required.

  • Participation Statement: Symbiotic  3 participates in all categories.

  • Execution: Run ./symbiotic OPTS <source>, where available OPTS include:
    • - -64 sets environment for 64-bit benchmarks

    • - -prp=file sets the specification file to use

    • - -help shows the full list of possible options

Precise SV-COMP settings and the translation of the output to the competition results can be found at: http://sv-comp.sosy-lab.org/2016/systems.php

4 Software Project and Contributors

Symbiotic  3 has been developed by M. Chalupa, J. Slaby, M. Vitovská, and M. Jonáš under supervision of J. Strejček. The tool is available under the GNU GPLv2 License. The project is hosted by the Faculty of Informatics, Masaryk University. llvm, Klee, stp, and MiniSat are also available under open-source licenses. The project web page is: https://github.com/staticafi/symbiotic

References

  1. 1.
    Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, pp. 209–224. USENIX Association (2008)Google Scholar
  2. 2.
    Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. In: Paul, M., Robinet, B. (eds.) International Symposium on Programming. LNCS, vol. 167, pp. 125–132. Springer, Heidelberg (1984)CrossRefGoogle Scholar
  4. 4.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Horwitz, S., Reps, T.W., Binkley, D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990)CrossRefGoogle Scholar
  6. 6.
    King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Slaby, J., Strejček, J.: Symbiotic 2: more precise slicing. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014 (ETAPS). LNCS, vol. 8413, pp. 415–417. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  8. 8.
    Slabý, J., Strejček, J., Trtík, M.: Checking properties described by state machines: on synergy of instrumentation, slicing, and symbolic execution. In: Stoelinga, M., Pinger, R. (eds.) FMICS 2012. LNCS, vol. 7437, pp. 207–221. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Slaby, J., Strejček, J., Trtík, M.: Symbiotic: synergy of instrumentation, slicing, and symbolic execution. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013 (ETAPS 2013). LNCS, vol. 7795, pp. 630–632. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  10. 10.
    Weiser, M.: Program slicing. In: Proceedings of ICSE, pp. 439–449. IEEE (1981)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Marek Chalupa
    • 1
    Email author
  • Martin Jonáš
    • 1
  • Jiri Slaby
    • 1
  • Jan Strejček
    • 1
  • Martina Vitovská
    • 1
  1. 1.Faculty of InformaticsMasaryk UniversityBrnoCzech Republic

Personalised recommendations