Abstract
Symbiotic 3 is a new generation of a bug-detection tool for C programs. The tool sticks to the combination of program instrumentation, slicing, and symbolic execution. Large parts of the tool are rewritten, in particular the managing and instrumentation scripts and slicer (including points-to analysis). Further, the symbolic executor Klee has been modified to produce error-witnesses. The changes are commented in the description of the tool workflow.
The research was supported by The Czech Science Foundation, grant GA15-17564S.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Verification Approach and Software Architecture
As the previous versions of Symbiotic [7, 9], the new version also follows the approach suggested in [8]: an analyzed program is (i) instrumented with code that tracks a finite-state machine describing erroneous behaviors, (ii) reduced by slicing [10] that removes code not influencing the state machine moves, and (iii) symbolically executed [6] to find erroneous runs in the program.
Workflow of Symbiotic 3. Dashed lines represent C programs, solid lines llvm bytecode, and dotted lines text data.
The workflow of Symbiotic 3 (together with indication of chosen programming languages and employed external tools with their respective versions) is provided in Fig. 1. Our tool currently focuses on the Error Function Unreachability property (however, the approach can handle the other properties as well and we plan to support them in near future). The code cleanup modifies the C source (e.g. to bypass the known bug in clang where inlined functions are omitted). The program is then translated to llvm, checked for unsupported functionality (e.g. creation of new threads), and instrumented. As we support only the unreachability property, the instrumentation is trivial. This step makes also another small modifications of the program, e.g. each allocated variable is initialized to a nondeterministic value (to solve problems with uninitialized variables appearing in some benchmarks). After linking with lib.bc (which contains our definitions of __VERIFIER_* functions) and some optimization passes, namely control flow graph optimization and constant propagation, we slice the program.
The slicer in Symbiotic 3 is written from scratch. While the previous slicer followed the slicing algorithm of [10], the current one implements slicing based on dependence graphs [3, 5]. The slicer relies on field-sensitive, flow-insensitive points-to analysis (extended with an “unknown offset” value), which has been also reimplemented. The new slicer is substantially faster than the previous one.
The sliced program is optimized again (with passes similar to -O2 optimization level) and symbolically executed with our fork of Klee [1]. We modified it to stop the computation when assertion violation is detected and to produce the corresponding error witness. The exact versions of Klee and the solvers stp [4] and MiniSat [2] called by Klee can be found in the Symbiotic 3 distribution. Finally, the Klee output is translated into the required form. In particular, a witness is translated to the GraphML format by a Perl script.
2 Strengths and Weaknesses
The main strengths of the approach are its soundness and universality; the approach can be applied also to the Concurrency benchmarks and these with more complex properties, which are currently not supported by our implementation (and thus skipped). Another advantage is the modularity of the tool architecture.
The main disadvantage is the high computational cost of symbolic execution. Especially programs with loops, recursion, or intensive branching cannot be analyzed within reasonable time unless an erroneous execution is detected soon. The fundamental problem are programs with infinite paths as these cannot be fully symbolically executed in finite time.
3 Tool Setup and Configuration
-
Download: https://github.com/staticafi/symbiotic/releases/tag/3.0.1
-
Installation: Unpack the archive. Further, gcc 4.9 or higher, GNU utils (sed), python 2.7, and perl with the XML::Writer module are required.
-
Participation Statement: Symbiotic 3 participates in all categories.
-
Execution: Run ./symbiotic OPTS <source>, where available OPTS include:
-
- -64 sets environment for 64-bit benchmarks
-
- -prp=file sets the specification file to use
-
- -help shows the full list of possible options
-
Precise SV-COMP settings and the translation of the output to the competition results can be found at: http://sv-comp.sosy-lab.org/2016/systems.php
4 Software Project and Contributors
Symbiotic 3 has been developed by M. Chalupa, J. Slaby, M. Vitovská, and M. Jonáš under supervision of J. Strejček. The tool is available under the GNU GPLv2 License. The project is hosted by the Faculty of Informatics, Masaryk University. llvm, Klee, stp, and MiniSat are also available under open-source licenses. The project web page is: https://github.com/staticafi/symbiotic
References
Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, pp. 209–224. USENIX Association (2008)
Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004)
Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. In: Paul, M., Robinet, B. (eds.) International Symposium on Programming. LNCS, vol. 167, pp. 125–132. Springer, Heidelberg (1984)
Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)
Horwitz, S., Reps, T.W., Binkley, D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990)
King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)
Slaby, J., Strejček, J.: Symbiotic 2: more precise slicing. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014 (ETAPS). LNCS, vol. 8413, pp. 415–417. Springer, Heidelberg (2014)
Slabý, J., Strejček, J., Trtík, M.: Checking properties described by state machines: on synergy of instrumentation, slicing, and symbolic execution. In: Stoelinga, M., Pinger, R. (eds.) FMICS 2012. LNCS, vol. 7437, pp. 207–221. Springer, Heidelberg (2012)
Slaby, J., Strejček, J., Trtík, M.: Symbiotic: synergy of instrumentation, slicing, and symbolic execution. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013 (ETAPS 2013). LNCS, vol. 7795, pp. 630–632. Springer, Heidelberg (2013)
Weiser, M.: Program slicing. In: Proceedings of ICSE, pp. 439–449. IEEE (1981)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Chalupa, M., Jonáš, M., Slaby, J., Strejček, J., Vitovská, M. (2016). Symbiotic 3: New Slicer and Error-Witness Generation. In: Chechik, M., Raskin, JF. (eds) Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2016. Lecture Notes in Computer Science(), vol 9636. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49674-9_67
Download citation
DOI: https://doi.org/10.1007/978-3-662-49674-9_67
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49673-2
Online ISBN: 978-3-662-49674-9
eBook Packages: Computer ScienceComputer Science (R0)
