Symbiotic 3: New Slicer and Error-Witness Generation
Symbiotic 3 is a new generation of a bug-detection tool for C programs. The tool sticks to the combination of program instrumentation, slicing, and symbolic execution. Large parts of the tool are rewritten, in particular the managing and instrumentation scripts and slicer (including points-to analysis). Further, the symbolic executor Klee has been modified to produce error-witnesses. The changes are commented in the description of the tool workflow.
1 Verification Approach and Software Architecture
The workflow of Symbiotic 3 (together with an indication of the chosen programming languages and the employed external tools with their respective versions) is provided in Fig. 1. Our tool currently focuses on the Error Function Unreachability property (however, the approach can handle the other properties as well and we plan to support them in the near future). The code cleanup modifies the C source (e.g. to bypass the known bug in clang where inlined functions are omitted). The program is then translated to llvm, checked for unsupported functionality (e.g. creation of new threads), and instrumented. As we support only the unreachability property, the instrumentation is trivial. This step also makes other small modifications to the program, e.g. each allocated variable is initialized to a nondeterministic value (to solve problems with uninitialized variables appearing in some benchmarks). After linking with lib.bc (which contains our definitions of the __VERIFIER_* functions) and some optimization passes, namely control flow graph optimization and constant propagation, we slice the program.
The slicer in Symbiotic 3 is written from scratch. While the previous slicer followed the slicing algorithm of , the current one implements slicing based on dependence graphs [3, 5]. The slicer relies on a field-sensitive, flow-insensitive points-to analysis (extended with an “unknown offset” value), which has also been reimplemented. The new slicer is substantially faster than the previous one.
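To make the dependence-graph slicing concrete, the following added example (not Symbiotic's code; Symbiotic's slicer works on llvm bitcode and uses a points-to analysis) builds data and control dependences for a constructed three-address program and computes the backward slice from a call to __VERIFIER_error, which is the slicing criterion relevant for the unreachability property. The data-dependence rule is a deliberately conservative one: every earlier definition of a used variable is treated as reaching, which is exact for the single-assignment sample used here.

```python
"""Backward slicing over a dependence graph (added example, toy IR)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instr:
    id: int
    text: str                   # human-readable form, for display only
    defs: frozenset             # variables written by the instruction
    uses: frozenset             # variables read by the instruction
    ctrl: Optional[int] = None  # id of the branch this instruction is control-dependent on


def I(id, text, defs=(), uses=(), ctrl=None):
    return Instr(id, text, frozenset(defs), frozenset(uses), ctrl)


# Constructed sample program (assumed input, not a benchmark from the paper):
SAMPLE = [
    I(0, "x = __VERIFIER_nondet_int()", defs={"x"}),
    I(1, "y = __VERIFIER_nondet_int()", defs={"y"}),
    I(2, "z = y + 1", defs={"z"}, uses={"y"}),
    I(3, "if (x > 0)", uses={"x"}),                         # branch
    I(4, "w = z * 2", defs={"w"}, uses={"z"}, ctrl=3),      # inside the then-branch
    I(5, "__VERIFIER_error()", ctrl=3),                     # inside the then-branch
    I(6, "print(w)", uses={"w"}),
]


def build_dependence_graph(prog):
    """Map each instruction id to the ids it depends on (data + control edges)."""
    deps = {instr.id: set() for instr in prog}
    for instr in prog:
        # Data dependence: conservatively every earlier definition of a used
        # variable (a real slicer would use reaching definitions / points-to info).
        for var in instr.uses:
            for earlier in prog:
                if earlier.id < instr.id and var in earlier.defs:
                    deps[instr.id].add(earlier.id)
        # Control dependence: the branch that decides whether this instruction runs.
        if instr.ctrl is not None:
            deps[instr.id].add(instr.ctrl)
    return deps


def backward_slice(prog, criterion):
    """Return the set of instruction ids that may influence `criterion`."""
    deps = build_dependence_graph(prog)
    keep = {criterion}
    work = deque([criterion])
    while work:
        node = work.popleft()
        for dep in deps[node]:
            if dep not in keep:
                keep.add(dep)
                work.append(dep)
    return keep


def sliced_program(prog, criterion):
    """The program restricted to the slice, in original order."""
    keep = backward_slice(prog, criterion)
    return [instr.text for instr in prog if instr.id in keep]


if __name__ == "__main__":
    # Criterion 5 is the error call: only x and the branch on it survive.
    for line in sliced_program(SAMPLE, 5):
        print(line)
```

Slicing from the error call keeps instructions 0, 3 and 5 only; the computation of y, z and w is irrelevant to reachability of the error and is dropped, which is exactly what shrinks the state space the symbolic executor has to explore afterwards.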
The sliced program is optimized again (with passes similar to -O2 optimization level) and symbolically executed with our fork of Klee . We modified it to stop the computation when assertion violation is detected and to produce the corresponding error witness. The exact versions of Klee and the solvers stp  and MiniSat  called by Klee can be found in the Symbiotic 3 distribution. Finally, the Klee output is translated into the required form. In particular, a witness is translated to the GraphML format by a Perl script.
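The paper only says that the Klee output is turned into a GraphML witness by a Perl script. As an added illustration of what that translation produces (this is example code, not Symbiotic's Perl script), the block below takes a constructed list of per-line assumptions, the kind of values Klee reports for the __VERIFIER_nondet_* calls on the erroneous path, and emits an SV-COMP style violation witness; the key names follow the SV-COMP witness format, and the program hash is an assumed placeholder.

```python
"""Violation-witness generation in GraphML (added example)."""
import xml.etree.ElementTree as ET

GRAPHML_NS = "http://graphml.graphdrawing.org/xmlns"
# Specification string used by SV-COMP 2016 for the unreachability property.
UNREACH_CALL = "CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )"


def q(tag):
    """Qualify a GraphML tag with its namespace."""
    return "{%s}%s" % (GRAPHML_NS, tag)


def build_violation_witness(program_file, assumptions, architecture="32bit",
                            program_hash="<sha1 of program file (placeholder)>"):
    """assumptions: list of (source line, assumption) in execution order."""
    ET.register_namespace("", GRAPHML_NS)
    root = ET.Element(q("graphml"))

    # Key declarations: which data attributes edges, nodes and the graph carry.
    for id_, for_, type_ in [("startline", "edge", "int"), ("assumption", "edge", "string"),
                             ("entry", "node", "boolean"), ("violation", "node", "boolean"),
                             ("witness-type", "graph", "string"), ("sourcecodelang", "graph", "string"),
                             ("producer", "graph", "string"), ("specification", "graph", "string"),
                             ("programfile", "graph", "string"), ("programhash", "graph", "string"),
                             ("architecture", "graph", "string")]:
        ET.SubElement(root, q("key"), {"id": id_, "for": for_, "attr.name": id_, "attr.type": type_})

    graph = ET.SubElement(root, q("graph"), {"edgedefault": "directed"})
    for key, value in [("witness-type", "violation_witness"), ("sourcecodelang", "C"),
                       ("producer", "example witness writer"), ("specification", UNREACH_CALL),
                       ("programfile", program_file), ("programhash", program_hash),
                       ("architecture", architecture)]:
        ET.SubElement(graph, q("data"), {"key": key}).text = value

    # One node per state on the path; the last one is the violation node.
    nodes = ["N%d" % i for i in range(len(assumptions) + 1)]
    for i, node_id in enumerate(nodes):
        node = ET.SubElement(graph, q("node"), {"id": node_id})
        if i == 0:
            ET.SubElement(node, q("data"), {"key": "entry"}).text = "true"
        if i == len(nodes) - 1:
            ET.SubElement(node, q("data"), {"key": "violation"}).text = "true"

    # Each edge records the line reached and the value the nondet call returned there.
    for i, (line, assumption) in enumerate(assumptions):
        edge = ET.SubElement(graph, q("edge"), {"source": nodes[i], "target": nodes[i + 1]})
        ET.SubElement(edge, q("data"), {"key": "startline"}).text = str(line)
        ET.SubElement(edge, q("data"), {"key": "assumption"}).text = assumption

    return ET.tostring(root, encoding="unicode")


def witness_assumptions(xml_text):
    """Read back (line, assumption) pairs, e.g. to sanity-check a generated witness."""
    root = ET.fromstring(xml_text)
    out = []
    for edge in root.iter(q("edge")):
        data = {d.get("key"): d.text for d in edge.findall(q("data"))}
        out.append((int(data["startline"]), data["assumption"]))
    return out


def violation_node_count(xml_text):
    root = ET.fromstring(xml_text)
    return sum(1 for d in root.iter(q("data")) if d.get("key") == "violation" and d.text == "true")


if __name__ == "__main__":
    # Constructed path: two nondet reads before the error call is reached.
    path = [(3, "x == 5;"), (4, "y == 0;")]
    print(build_violation_witness("example.c", path))
```

The round-trip helper is the kind of check worth keeping next to any witness writer: a witness that the validator cannot parse, or whose assumptions do not match the path, silently turns a found bug into an unconfirmed result.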
2 Strengths and Weaknesses
The main strengths of the approach are its soundness and universality; the approach can also be applied to the Concurrency benchmarks and to those with more complex properties, which are currently not supported by our implementation (and thus skipped). Another advantage is the modularity of the tool architecture.
The main disadvantage is the high computational cost of symbolic execution. In particular, programs with loops, recursion, or intensive branching cannot be analyzed within reasonable time unless an erroneous execution is detected early. The fundamental problem is programs with infinite paths, as these cannot be fully symbolically executed in finite time.
3 Tool Setup and Configuration
Installation: Unpack the archive. Further, gcc 4.9 or higher, GNU utils (sed), python 2.7, and perl with the XML::Writer module are required.
Participation Statement: Symbiotic 3 participates in all categories.
Execution: Run ./symbiotic OPTS <source>, where available OPTS include:
- -64 sets the environment for 64-bit benchmarks
- -prp=file sets the specification file to use
- -help shows the full list of possible options
Precise SV-COMP settings and the translation of the output to the competition results can be found at: http://sv-comp.sosy-lab.org/2016/systems.php
4 Software Project and Contributors
Symbiotic 3 has been developed by M. Chalupa, J. Slaby, M. Vitovská, and M. Jonáš under supervision of J. Strejček. The tool is available under the GNU GPLv2 License. The project is hosted by the Faculty of Informatics, Masaryk University. llvm, Klee, stp, and MiniSat are also available under open-source licenses. The project web page is: https://github.com/staticafi/symbiotic
- 1. Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, pp. 209–224. USENIX Association (2008)
- 10. Weiser, M.: Program slicing. In: Proceedings of ICSE, pp. 439–449. IEEE (1981)