CSV 889: Concurrent Software Verification

Subodh SharmaIndian Institute of Technology Delhi

Symbolic Execution

Runtime Verification vs Symbolic Execution

Courtesy: Zvonimir slides from sv 2012 course

Key developements

• King, CACM 1976

• Still an active area of research– CUTE [UIUC]– KLEE [Stanford]– Java Path Finder [NASA] ...

Nuts and Bolts of Symbolic Execution

• Treat values of variables as symbolic• For “program path” collect constraints over

symbolic expressions– Known as “Path Conditions”

• Check feasibility at branches– By using either SAT or SMT tools – Could be used for pruning infeasible paths

• Fork and proceed

Example I

Concrete execution x = 3, y = 2

Example I

Symbolic execution x = a, y = b

Problems with Symbolic Execution

• Constraints– Linear arithmetic– nonlinear – higher order functions– unknown data structure invariants

Example II

Courtesy: S. Anand, 2009

What constraints to generate for data structure updates?

Example II

Courtesy: S. Anand, 2009

Use data structure invariants

Example II

Courtesy: S. Anand, 2009

Use data structure invariants

Dealing with Functions

Goal: Find an input to crash the program

What is the total number of program paths leading to error()?

Key idea is to compute function summaries!

Courtesy: S. Anand, 2009

Dealing with Functions

Courtesy: S. Anand, 2009

Summary

• TODAY: Basics of Symbolic Execution and the problems with it

• NEXT CLASS: State-of-the-art Symbolic execution engines (KLEE, CUTE) + Handling Concurrency