ABSTRACT
We present CPA-SymExec, a tool for symbolic execution that is implemented in the open-source, configurable verification framework CPAchecker. Our implementation automatically detects which symbolic facts to track, in order to obtain a small set of constraints that are necessary to decide reachability of a program area of interest. CPA-SymExec is based on abstraction and counterexample-guided abstraction refinement (CEGAR), and uses a constraint-interpolation approach to detect symbolic facts. We show that our implementation can better mitigate the path-explosion problem than symbolic execution without abstraction, by comparing the performance to the state-of-the-art Klee-based symbolic-execution engine Symbiotic and to Klee itself. For the experiments we use two kinds of analysis tasks: one for finding an executable path to a specific location of interest (e.g., if a test vector is desired to show that a certain behavior occurs), and one for confirming that no executable path to a specific location exists (e.g., if it is desired to show that a certain behavior never occurs). CPA-SymExec is released under the Apache 2 license and available (including source code) at <a href="https://cpachecker.sosy-lab.org">https://cpachecker.sosy-lab.org</a>. A demonstration video is available at <a href="https://youtu.be/qoBHtvPKtnw">https://youtu.be/qoBHtvPKtnw</a>.
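As an added illustration (not code from the paper, from CPA-SymExec or from CPAchecker), the toy Python program below mimics the idea stated in the abstract: a symbolic executor that tracks only the constraints over a chosen set of variables (its precision), starts with an empty precision, and refines it whenever an abstract path to the target location turns out to be infeasible. Everything in it is an assumption of the example: the constructed branch-tree program, the bounded brute-force enumeration that stands in for an SMT solver, and the greedy unsat core that stands in for constraint interpolation.

```python
"""Toy symbolic execution with CEGAR-style precision refinement.

Added illustration; NOT CPA-SymExec's code. A bounded brute-force search
stands in for the SMT solver, and a greedy unsat core stands in for
constraint interpolation.
"""
import itertools
from collections import deque

DOMAIN = range(-4, 5)          # bounded integer domain for the toy "solver"
OPS = {
    '>': lambda a, b: a > b, '<': lambda a, b: a < b,
    '>=': lambda a, b: a >= b, '<=': lambda a, b: a <= b,
    '==': lambda a, b: a == b, '!=': lambda a, b: a != b,
}
NEG = {'>': '<=', '<': '>=', '>=': '<', '<=': '>', '==': '!=', '!=': '=='}


def negate(c):
    var, op, k = c
    return (var, NEG[op], k)


def satisfiable(constraints):
    """Stand-in for an SMT query: enumerate all assignments over DOMAIN."""
    names = sorted({var for var, _, _ in constraints})
    for vals in itertools.product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(OPS[op](env[var], k) for var, op, k in constraints):
            return True
    return False


def unsat_core(constraints):
    """Greedily drop constraints while the rest stays unsatisfiable."""
    core = list(constraints)
    i = 0
    while i < len(core):
        trial = core[:i] + core[i + 1:]
        if not satisfiable(trial):
            core = trial
        else:
            i += 1
    return core


def program(target_cond):
    """Constructed sample program as a branch tree (an assumption of this example).

    Node = ('if', (var, op, k), then_node, else_node) | 'TARGET' | 'END'.
    Three branches on y (both sides rejoin) precede the guard on x.
    """
    node = ('if', ('x', '>', 1), ('if', target_cond, 'TARGET', 'END'), 'END')
    for i in (3, 2, 1):
        node = ('if', ('y', '>', i), node, node)
    return node


def explore(prog, precision):
    """Symbolic execution that tracks only constraints over `precision`.

    Untracked conditions are treated as nondeterministic. States with an
    identical (location, tracked constraints) pair are merged. Returns
    (path to TARGET or None, number of distinct abstract states).
    """
    start = (prog, ())
    seen = {start}
    worklist = deque([(start, ())])        # (state, full path constraints)
    while worklist:
        (node, tracked), path = worklist.popleft()
        if node == 'TARGET':
            return path, len(seen)
        if node == 'END':
            continue
        _, cond, then_node, else_node = node
        for succ, c in ((then_node, cond), (else_node, negate(cond))):
            new_tracked = tracked
            if c[0] in precision:
                new_tracked = tracked + (c,)
                if not satisfiable(new_tracked):
                    continue                # infeasible under tracked facts
            state = (succ, new_tracked)
            if state not in seen:
                seen.add(state)
                worklist.append((state, path + (c,)))
    return None, len(seen)


def cegar(prog):
    """CEGAR loop: start with no tracked facts, refine on spurious paths."""
    precision, log = set(), []
    while True:
        path, states = explore(prog, precision)
        if path is None:
            log.append((frozenset(precision), states, 'unreachable'))
            return 'UNREACHABLE', None, log
        if satisfiable(path):               # real path: a test vector exists
            log.append((frozenset(precision), states, 'feasible'))
            return 'REACHABLE', path, log
        core = unsat_core(path)             # the few facts refuting the path
        log.append((frozenset(precision), states, 'spurious'))
        precision |= {var for var, _, _ in core}


if __name__ == '__main__':
    for cond in (('x', '<', 0), ('x', '<', 5)):
        verdict, witness, log = cegar(program(cond))
        print(cond, verdict, witness, [(sorted(p), s) for p, s, _ in log])
    print('full precision states:', explore(program(('x', '<', 0)), {'x', 'y'})[1])
```

Running it shows both task kinds from the abstract: with target guard `x < 0` the first abstract path is spurious, the core `x > 1, x < 0` puts only `x` into the precision, and the second run proves the target unreachable with 7 abstract states, whereas tracking every constraint needs 22 because the branches on `y` no longer merge. With target guard `x < 5` the very first abstract path is already feasible and serves as the test vector.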
Supplemental Material
A short demonstration video of the use of CPA-SymExec, efficient symbolic execution in CPAchecker, for formal verification of an example program and test-case generation based on condition coverage.