Symbiotic with CPAchecker – Marek Chalupa, Masaryk University Brno (PowerPoint presentation)

SLIDE 1

Symbiotic with CPAchecker

Marek Chalupa, Masaryk University Brno October 2, 2019

4th International Workshop on CPAchecker

SLIDE 2

Motivation

    int main(void) {
        int x = 10;
        for (int i = 0; i < 1000; ++i) {
            for (int j = 0; j < 1000; ++j) {
                for (int k = 0; k < 1000; ++k) {
                    /* some code that does not touch x */
                }
            }
        }
        if (x > 0)
            __VERIFIER_error();
    }

1 / 17


SLIDE 5

Outline

  • Symbiotic
      • What is Symbiotic?
      • How does it work?
  • CPAchecker in Symbiotic
      • How is it integrated?
      • Some results.

2 / 17

SLIDE 6

Symbiotic


SLIDE 10

What is Symbiotic?

  • Framework for generating code fitted to verification.
  • It employs:
      • code instrumentation (combined with static analyses),
      • program slicing,
      • (compiler) optimizations.
  • It is highly modular.
  • Internally works with LLVM.
  • Integrates several verification tools that can be seamlessly run on the generated code.

3 / 17

SLIDE 11

Symbiotic – schema

  .c .c .c → compilation (clang) → instrumentation → optimizations → slicing → optimizations → verification (KLEE, CPAchecker, ...)

  Inputs: C source files (.c) and a property file (.prp).
  Commands shown in the diagram: symbiotic-cc, symbiotic-verify.

4 / 17


SLIDE 14

Instrumentation

Instrumentation inserts auxiliary code into the analyzed program.

  • Symbiotic has a configurable instrumentation module
      • Configuration in JSON
  • It can use results of static analyses to prevent redundant code injection
  • Can run in several stages, passing information from former to later stages
  • Restriction: can insert only calls to functions at this moment

5 / 17

SLIDE 15

Instrumentation – example

    1. %p = alloca i32*
           call check_pointer(%p, 8)
    2. store null to %p
    3. %addr = call malloc(20)
           call check_pointer(%p, 8)
    4. store %addr to %p
           call check_free(%addr)
    5. call free(%addr);
           call check_pointer(%p, 8)
    6. %tmp = load %p
           call check_pointer(%tmp, 4)
    7. store i32 1 to %tmp

6 / 17

SLIDE 16

Instrumentation – example

    1. %p = alloca i32*
    2. store null to %p
    3. %addr = call malloc(20)
    4. store %addr to %p
    5. call free(%addr);
    6. %tmp = load %p
           call check_pointer(%tmp, 4)
    7. store i32 1 to %tmp

6 / 17
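
The two listings above show the checks a first instrumentation stage inserts before every memory access and free, and the single check that survives once static analysis discharges the others. The Python program below is an added example, not code from the talk or from Symbiotic's instrumentation module: it walks a constructed, LLVM-like instruction list mirroring the listing and runs both stages of that staged scheme. The instruction representation, the `check_pointer`/`check_free` names (taken from the listing) and the forward "known valid pointer" analysis are assumptions made for this example; the analysis is deliberately simple and handles straight-line code only.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Toy LLVM-like instruction (constructed for this example).
@dataclass(frozen=True)
class Op:
    kind: str          # alloca | malloc | store | load | free | check_pointer | check_free
    result: str = ""   # SSA value defined, e.g. "%p" ("" if none)
    ptr: str = ""      # pointer operand accessed or freed
    size: int = 0      # bytes accessed by a load/store


def render(op: Op) -> str:
    """Human-readable form of one instruction (checks are indented)."""
    if op.kind in ("alloca", "malloc"):
        return f"{op.result} = {op.kind}"
    if op.kind == "load":
        return f"{op.result} = load {op.ptr}"
    if op.kind == "store":
        return f"store to {op.ptr}  ; {op.size} bytes"
    if op.kind == "free":
        return f"free({op.ptr})"
    args = f"{op.ptr}, {op.size}" if op.size else op.ptr
    return f"    call {op.kind}({args})"


def instrument(program: List[Op], use_analysis: bool) -> List[Op]:
    """Insert runtime checks before memory accesses and frees.

    Stage 1 (use_analysis=False): a check before every access and free.
    Stage 2 (use_analysis=True): a hypothetical forward analysis tracks
    pointers that are known valid, i.e. results of alloca/malloc until they
    are freed. Nothing is known about a value loaded from memory, so an
    access through it keeps its check. No merging at control-flow joins,
    so this is only sound for straight-line code.
    """
    valid = set()
    out = []
    for op in program:
        known = use_analysis and op.ptr in valid
        if op.kind in ("store", "load") and not known:
            out.append(Op("check_pointer", ptr=op.ptr, size=op.size))
        elif op.kind == "free" and not known:
            out.append(Op("check_free", ptr=op.ptr))
        out.append(op)
        if op.kind in ("alloca", "malloc"):
            valid.add(op.result)
        elif op.kind == "free":
            valid.discard(op.ptr)
    return out


def checks(program: List[Op]) -> List[Tuple[str, str, int]]:
    """The inserted checks only, as (kind, pointer, size) tuples."""
    return [(op.kind, op.ptr, op.size) for op in program if op.kind.startswith("check_")]


# Constructed encoding of the seven-instruction listing on the example slide.
SLIDE_PROGRAM = [
    Op("alloca", result="%p"),
    Op("store", ptr="%p", size=8),                  # store null to %p
    Op("malloc", result="%addr"),
    Op("store", ptr="%p", size=8),                  # store %addr to %p
    Op("free", ptr="%addr"),
    Op("load", result="%tmp", ptr="%p", size=8),    # %tmp = load %p
    Op("store", ptr="%tmp", size=4),                # store i32 1 to %tmp
]

if __name__ == "__main__":
    for label, flag in (("stage 1: every access checked", False),
                        ("stage 2: after static analysis", True)):
        print(f"--- {label}")
        for op in instrument(SLIDE_PROGRAM, flag):
            print(render(op))
```

Stage 1 yields the five checks of the first listing; stage 2 keeps only `check_pointer(%tmp, 4)`, because `%tmp` was read from memory and the analysis cannot vouch for it, while `%p` (an alloca) and `%addr` (not yet freed at the `free`) are known valid. The check that survives is exactly the one guarding the use-after-free the listing encodes.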

SLIDE 17

Program slicing

Program slicing removes instructions of a program that are irrelevant to a specified "behavior" of the program.

  • The behavior is specified by a slicing criterion <V, l>
      • V is a set of variables
      • l is a program location
      • meaning: preserve the values of the variables in V at location l (and the reachability of l) during any execution of the program
  • Slicing criteria are (in our setting) error locations

7 / 17


SLIDE 20

Program slicing – how does it work?

  • Compute dependencies between instructions.
  • We say that instruction A depends on instruction B if:
      • instruction A uses values generated by instruction B (data dependence), or
      • instruction A is not executed if we go some other way at (branching) B (control dependence).
  • Slicing: keep only the instructions on which the error (transitively) depends.

8 / 17

SLIDE 21

Program Slicing – example

    int zeroing(char *buf, size_t size) {
        int n = input();
        for (int i = 0; i < n; ++i) {
            assert(i < size && "Out of bounds");
            buf[i] = 0;
        }
        return 0;
    }

9 / 17
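
As an added example (not code from the talk or from Symbiotic's slicer), the Python program below implements the backward slicing described on the "how does it work?" slide over a constructed three-address IR and runs it on two constructed encodings: the Motivation program with the three nested loops that never touch x, and the zeroing() function above with the assert as the criterion. Control dependences are supplied by hand in the encoding rather than computed from post-dominators, and data dependence is resolved flow-insensitively (a use of v depends on every definition of v); both are simplifications made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


# Toy three-address instruction (constructed for this example). The cdep field
# names the branch the instruction is control dependent on; a real slicer
# derives it from the CFG's post-dominator tree instead.
@dataclass(frozen=True)
class Instr:
    id: int
    text: str
    defs: FrozenSet[str] = frozenset()   # variables written
    uses: FrozenSet[str] = frozenset()   # variables read
    cdep: Optional[int] = None           # controlling branch, if any


def backward_slice(program: List[Instr], criterion: int) -> List[Instr]:
    """Keep exactly the instructions the criterion (transitively) depends on.

    Data dependence is over-approximated: an instruction that uses v depends
    on every instruction that defines v, not only on the reaching definitions.
    The slice therefore never drops anything the criterion needs, but may keep
    a little extra.
    """
    by_id = {ins.id: ins for ins in program}
    defs_of = {}
    for ins in program:
        for var in ins.defs:
            defs_of.setdefault(var, set()).add(ins.id)

    keep = set()
    work = [criterion]
    while work:
        cur = work.pop()
        if cur in keep:
            continue
        keep.add(cur)
        ins = by_id[cur]
        for var in ins.uses:                  # data dependence
            work.extend(defs_of.get(var, ()))
        if ins.cdep is not None:              # control dependence
            work.append(ins.cdep)
    return [ins for ins in program if ins.id in keep]


def slice_ids(program: List[Instr], criterion: int) -> List[int]:
    return [ins.id for ins in backward_slice(program, criterion)]


def S(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Constructed encoding of the Motivation program; instruction 12 is the criterion.
MOTIVATION = [
    Instr(1, "x = 10", defs=S("x")),
    Instr(2, "i = 0", defs=S("i")),
    Instr(3, "if i < 1000", uses=S("i")),
    Instr(4, "j = 0", defs=S("j"), cdep=3),
    Instr(5, "if j < 1000", uses=S("j"), cdep=3),
    Instr(6, "k = 0", defs=S("k"), cdep=5),
    Instr(7, "if k < 1000", uses=S("k"), cdep=5),
    Instr(8, "k = k + 1", defs=S("k"), uses=S("k"), cdep=7),
    Instr(9, "j = j + 1", defs=S("j"), uses=S("j"), cdep=5),
    Instr(10, "i = i + 1", defs=S("i"), uses=S("i"), cdep=3),
    Instr(11, "if x > 0", uses=S("x")),
    Instr(12, "__VERIFIER_error()", cdep=11),
]

# Constructed encoding of zeroing(); the assert (instruction 4) is the criterion.
ZEROING = [
    Instr(1, "n = input()", defs=S("n")),
    Instr(2, "i = 0", defs=S("i")),
    Instr(3, "if i < n", uses=S("i", "n")),
    Instr(4, "assert(i < size)", uses=S("i", "size"), cdep=3),
    Instr(5, "buf[i] = 0", uses=S("buf", "i"), cdep=3),
    Instr(6, "i = i + 1", defs=S("i"), uses=S("i"), cdep=3),
    Instr(7, "return 0"),
]

if __name__ == "__main__":
    for name, prog, crit in (("motivation", MOTIVATION, 12), ("zeroing", ZEROING, 4)):
        print(f"--- {name}: slice w.r.t. instruction {crit}")
        for ins in backward_slice(prog, crit):
            print(f"{ins.id:>2}: {ins.text}")
```

For the Motivation program the slice is just `x = 10`, `if x > 0` and the error call: all three loops disappear, which is why a verifier sees the sliced program as trivial. For zeroing() the slice keeps `n = input()`, the loop header, the counter update and the assert, and drops `buf[i] = 0`, the one statement the assert does not depend on.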



SLIDE 24

Once the code is generated...

Once the code is generated, we can

  • Do nothing... (output the generated LLVM)
  • Generate C from it and output it (llvm2c tool)
  • Pass it to a verification engine (as LLVM or C, according to the verifier)

So Symbiotic can be viewed as a

  • C to LLVM compiler,
  • C to C transformer,
  • verification tool for the C language

10 / 17


SLIDE 26

Verification engines

  • Verification tools are integrated into Symbiotic by extending benchexec tool-info modules
  • The extension adds methods for:
      • specifying the required LLVM version
      • (optional) setting the environment
      • (optional) hooks that run before or after compilation/instrumentation/slicing/verification
  • So far we have integrated KLEE, CPAchecker, DIVINE, SMACK, and SeaHorn
      • experimental support for CBMC, UltimateAutomizer, and IKOS

11 / 17

SLIDE 27

Symbiotic – Limits.

  • No C++ (exceptions).
  • Symbiotic still does not scale to large programs.
  • The current bottleneck is the data-dependence analysis in the slicer.

12 / 17

SLIDE 28

Symbiotic with CPAchecker


SLIDE 31

CPAchecker integration into Symbiotic

  • CPAchecker has an LLVM backend
      • Parses LLVM and creates a CFA over the C language
      • Missing support for some float-related constructs
      • Missing support for some global initializers
  • We can also use the C backend directly
      • Symbiotic can use llvm2c to generate C from the LLVM
      • The default option (as of a few weeks ago :)
  • We use the SV-COMP'19 configuration (-svcomp19) by default

13 / 17

SLIDE 32

CPAchecker in Symbiotic

  • Symbiotic + llvm2c + CPAchecker (with the C backend) now works better than Symbiotic + CPAchecker (LLVM backend)
  • However, "pure" CPAchecker still works better than Symbiotic + CPAchecker

14 / 17

SLIDE 33

Experiments on ReachSafety category

[Figure: CPU time [s] (y axis, logarithmic) against the n-th fastest benchmark (x axis, 500 to 3000); series: No slicing (LLVM backend), No slicing (llvm2c), Slicing (LLVM backend), Slicing (llvm2c), Pure CPAchecker]

15 / 17

SLIDE 34

Experiments with LLVM backend

[Figure: two panels, CPAchecker and KLEE; each plots CPU time [s] (200 to 1000) against the n-th fastest benchmark (500 to 2000) for the series No slicing and Slicing]

16 / 17

SLIDE 35

Summary

  • Symbiotic is a framework that generates optimized (LLVM or C) code for verification
  • It is highly modular
  • It integrates several verification tools, including CPAchecker

https://github.com/staticafi/symbiotic

17 / 17
