
TRACER: A Symbolic Execution Tool for Verification
http://paella.d1.comp.nus.edu.sg/tracer
J. Jaffar, V. Murali, J. Navas and A. Santosa


Presentation Transcript


  1. TRACER: A Symbolic Execution Tool for Verification
  http://paella.d1.comp.nus.edu.sg/tracer
  J. Jaffar, V. Murali, J. Navas and A. Santosa

  2. What is TRACER?
  • TRACER is a symbolic execution (SE) tool that can perform verification of C programs
  • Where does TRACER stand compared to other verifiers?
    • Laziness/Eagerness
      • Lazy: start from a coarsely abstracted model and refine it (CEGAR)
      • Eager: start with the concrete model and remove irrelevant facts (SE)
    • Interpolation strength
      • Weak: may contain spurious errors and cause refinements too often, but can remove more irrelevant facts
      • Strong: fewer spurious errors, but may delay convergence to a fixed point

  3. Key features of TRACER
  • TRACER mitigates two important problems in SE: path explosion and infinite length of paths
  • Path explosion in SE is addressed using interpolation of infeasible paths [CP 2009]
    • Interpolants succinctly capture the reason for the infeasibility of paths and can be used to subsume other nodes
    • TRACER attempts to compute weakest preconditions, the best interpolant for loop-free fragments
    • When the WP becomes disjunctive, it is approximated using the incoming context from forward SE
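The interpolation-based subsumption described in slide 3, as an added example that is not TRACER's own code: a toy symbolic executor for a loop-free program that performs k nondeterministic increments of x and then asserts x <= bound. The symbolic state is abstracted as an interval on x and each interpolant is an upper bound "x <= b" computed as the weakest precondition of the already-explored subtree; both representations are assumptions made for this illustration (TRACER works over CLP constraints).

```python
# Added example, not TRACER's code: interpolation-based subsumption in symbolic execution.
# Program modelled (an assumption for the illustration):
#     x in [lo, hi];  repeat k times: x += 1  OR  x += 2  (nondeterministic);  assert x <= bound
# The symbolic state is abstracted as an interval on x, and an interpolant at a program
# point is an upper bound b meaning "every state with x <= b is proven safe from here".

INCREMENTS = (1, 2)


def symbolic_explore(k, x_range, bound, use_interpolation=True):
    """Depth-first SE of the program above. Returns (safe, nodes_visited)."""
    interpolants = {}   # program point -> weakest precondition (as bound b) proven for its subtree
    visited = 0

    def explore(point, lo, hi):
        nonlocal visited
        visited += 1
        if point == k:
            # Leaf: the assertion fails for some input iff the interval reaches past the bound.
            if hi > bound:
                return None                 # error reachable: no interpolant
            return bound                    # WP of "assert x <= bound" is x <= bound
        itp = interpolants.get(point)
        if use_interpolation and itp is not None and hi <= itp:
            # Current state implies the stored interpolant: this subtree was already proven
            # safe from a weaker state, so the node is subsumed and not re-explored.
            return itp
        itp = None
        for c in INCREMENTS:
            child = explore(point + 1, lo + c, hi + c)
            if child is None:
                return None                 # propagate the counterexample path
            wp = child - c                  # WP of (x <= child) through "x += c" is x <= child - c
            itp = wp if itp is None else min(itp, wp)   # nondet choice: conjunction of both WPs
        interpolants[point] = itp
        return itp

    result = explore(0, *x_range)
    return result is not None, visited


if __name__ == "__main__":
    # Constructed instance: 3 nondeterministic steps, x starts in [0, 1], bound 7 is just safe.
    print(symbolic_explore(3, (0, 1), 7, use_interpolation=False))  # (True, 15): whole path tree
    print(symbolic_explore(3, (0, 1), 7))                           # (True, 7): subsumed nodes
    print(symbolic_explore(3, (0, 1), 6))                           # (False, ...): error found
```

With interpolation the number of visited nodes grows linearly in k (2k + 1) instead of as the full path tree (2^(k+1) - 1), which is the path-explosion mitigation the slide refers to.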

  4. Key features of TRACER
  • Infinite-length paths arise due to unbounded loops. To address the problem, CEGAR-style abstraction refinement is embedded into SE [RV 2011]
    • To make SE finite, abstract the symbolic state at the loop header in an attempt to discover a loop invariant
    • Try to compute the strongest possible invariants so that loss of information is minimized
    • If needed, strengthen the abstraction minimally using interpolation so that the error location is unreachable (this is the mechanism for unrolling)

  5. Implementation of TRACER
  • Implemented in CLP as a meta-interpreter of CLP programs
  • Advantages of using CLP
    • Programmability
      • CLP technology is suitable for SE (variable renaming, backtracking, constraint handling, projection)
      • Easy to adapt
    • Custom interpolants
      • Supports interpolants from external tools (CLP-Prover, Z3, etc.)

  6. Performance of TRACER
  • Benchmarks obtained from SVCOMP'12
    • Device drivers
    • SSH
  • Competitive with state-of-the-art tools (CPAchecker and HSF)

  7. Current and future directions of TRACER
  TRACER is designed to be a generic SE engine, and can go beyond verification
  • It provides the machinery for SE with interpolation towards a target
  • User abstractions for precision and performance
  • Used for discovery and not just verification
    • Example: path-sensitive program analysis
      • Path-sensitive backward slicing [SAS 2012]
      • Live variable analysis, etc.
    • Off-the-shelf path-sensitive program transformation for external analysers
      • Example: boosting concolic testing via interpolation [draft]
      • Example: resource analysis (WCET etc.) by discovering variable bounds [EMSOFT 2011]
