Symbiotic 4: Beyond Reachability - (Competition Contribution)

The fourth version of Symbiotic brings a brand new instrumentation part, which can now instrument the analyzed program with code pieces checking various specification properties. As a consequence, Symbiotic 4 participates for the first time also in categories focused on memory safety. Further, we have ported both Symbiotic and Klee to llvm 3.8 and added new features to the slicer which is now modular and easily extensible. 1 Verification Approach and Software Architecture Symbiotic implements the approach of [6] combining instrumentation, slicing, and symbolic execution [4] to detect errors in C programs. While all the previous releases [7,5,2] focus on checking reachability of an error location, Symbiotic 4 can check any property definable by a finite state machine. For example, the finite state machine of Figure 1 describes the double free error. Intuitively, for every allocated block of memory we create a copy of the state machine that tracks its current status. An error state is reached if the block is deallocated twice. Hence, the instrumentation reduces property checking to unreachability checking as the program violates the property iff the error state is reachable. Creation and tracking of the state machine is performed by code instrumented to the original program. In fact, the brand new instrumentation implemented in Symbiotic works more generally. It gets a JSON file with instrumentation rules. Every rule specifies a function call to be inserted before (or after) each occurrence of a given sequence of instructions. Bodies of called functions are then defined in a separate file written in C. Each instrumentation rule can be refined using an output of a specified static analysis. For example, a code checking NULL dereference does not have to be instrumented to locations where a suitable static analysis guarantees that the corresponding pointer cannot be NULL. For SV-COMP 2017, we have prepared instrumentation rules for checking memory safety properties. For overflow property, we let clang sanitizer to instrument the program. We do not support checking termination property as it cannot be simply translated to reachability analysis. The workflow of Symbiotic 4 is illustrated by Figure 2. As the first step, we check that the verified property is not termination. Then we translate the * The research was supported by The Czech Science Foundation, grant GA15-17564S. † Corresponding author: [email protected]