Download presentation
Presentation is loading. Please wait.
Published byMavis Boyd Modified over 9 years ago
1
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE
2
Acknowledgement C. Cadar, D. Dunbar, D. Engler: KLEE, OSDI’08 Godefroid, Klarlund, Sen: DART, PLDI ‘05 Sen, Markov, Agha: CUTE, FSE’05
3
Three Concerns Path explosion Handling the environment Hard constraints
4
KLEE: Architecture Hybrid between OS for sym proc and interpreter Each Sym proc has a register file, stack, heap, program counter and path condition – register file, stack, heap are expressions here Sym process represented as a state in KLEE
5
KLEE Architecture LLVM bytecode K L E E SYMBOLIC ENVIRONMENT Constraint Solver (STP) x = 3 x = -2 x = 1234 x = 3 C code x 0 x 1234 LLVMLLVM
6
KLEE: Architecture Program is converted to LLVM bytecode KLEE interprets bytecode directly and maps to constraints – w/o approximation – bit level accuracy
7
KLEE: Architecture Before building sym expr, check if operands are concrete – if so, perform them natively! example: %dst = add i32 %src0, %src1
8
KLEE: Architecture Conditional branches: – boolean expr – change instruction pointer whether provably true or false along the current path – if both are feasible then clone states and accordingly change respective instruction pointers
9
KLEE: Architecture Potentially dangerous instructions – act as branches ex. division instruction generates a branch to check div-by- zero if error is generated then constraint falsified and alternated path is explored test case generated to trigger the error and terminates the state. Some dangerous operations: – ld/st – out of bound checks – pointer dereference – assertions, etc.
10
KLEE: Architecture Problem with ld/st – Modeling memory! – if flat byte array then solvers never return – every memory object as a separate solver array essentially segmented memory ignores all other locations not reference by the ld/st
11
KLEE: Architecture Problem with pointers – KLEE clones the state N times at pointer dereference – a pointer can have a large points-to set – in-bounds check for respective points-to object – This solution is expensive – Works for KLEE as their benchmarks had pointers with singleton points-to sets.
12
Compact State Representation Implements copy-on-write at the object level – rather than at the page level Heaps as immutable maps – therefore portions of heap can also be shared among states
13
Query Optimization Queries are NP-complete Expression re-writing: – x + 0 = x – x* 2^n = x<<n – 2*x – x = x
14
Query Optimization Constraint Simplification: – x True ∧ x = 5 propagate equality constraints Implied value concretization – x = 5 makes x concrete and written to memory – subsequent accesses returns cheap constants
15
Query Optimization Constraint Independence – Constraints do not overlap in terms of memory they refer Eg: i 0 Query: i = 20? – remove irrelevant subset of constraints
16
Query Optimization Counterexample Caching – Redundant queries are frequent – simple cache is effective – counterexample cache: maps set of constraints to counter-examples sentinels if there is no solution
17
Query Optimization Counterexample Caching Eg: {i < 10, i = 10} – no solution – If subset has no solution then larger set they appear in has also no solution Eg: {i < 10, j = 8} – If superset has a solution then so does the subset
18
Effectiveness of Optimizations
19
State Scheduling Random path selection – helps avoid starvation when loops creating fork- bombs Coverage-optimized search – heuristics to compute weight of each node min dist to the uncovered node – choose states with higher probability to explore uncovered code Round robin among the first two !
20
Environment Modeling If all arguments concrete, execute natively Otherwise, provide models on symbolic files int fd = open(“t.txt”, O_RDONLY);
21
Concolic Execution Works well on interprocedural bugs, use of library calls
22
Concolic Execution Falls back on concrete values when – Non linear arithmetic – pointers pointing to input values
23
Concolic execution with dynamic data Static alias analysis is required! -- since no way to know whether a->c is overwritten.
24
Nonlinear arithmetic
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.