SMT-Constrained Symbolic Execution for Eclipse CDT/Codan

This paper presents a symbolic execution plug-in extension for Eclipse CDT/Codan, which serves to reason about satisfiable paths of C programs. Programs are translated into the SMT-LIB sublogic of arrays, uninterpreted functions and nonlinear integer and real arithmetic (AUFNIRA), and path satisfiability is automatically examined with an SMT solver. The presented plug-in can serve as a basis for path-sensitive static bug detection with bounded or unrestricted context, where the presence of bugs is decided with the solver. An interface provides notifications and context information for checker classes. With a buffer bound checker the symbolic execution plug-in is shown capable of accurately detecting bugs with currently 36 of the 39 C flow variants of the NSA's Juliet test suite for static analyzers.
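The abstract describes the pipeline only at a high level: a path through a C function is executed symbolically, the taken branch guards accumulate into a path condition, each buffer access hands the checker an index term, and the bug query "path condition and not(index in bounds)" is emitted in SMT-LIB and decided by a solver. The following Python sketch is an added illustration of that flow and is not the plug-in's code. The C fragment (`int buf[8]; int i = n - 2; if (i >= 0) buf[i] = 0;`), the class and function names, and the use of exhaustive search over a small integer box as a stand-in for the SMT solver are all constructed assumptions; a real checker would pass the emitted script to a solver such as the ones the paper relies on.

```python
"""Toy symbolic executor emitting SMT-LIB (AUFNIRA) buffer-bound queries.

Added illustration, not the Eclipse CDT/Codan plug-in's own code. The C path,
the names below and the bounded witness search are constructed assumptions.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Sym:
    """Program input left symbolic: an SMT-LIB Int constant."""
    name: str

    def smt(self):
        return self.name

    def eval(self, env):
        return env[self.name]


@dataclass(frozen=True)
class Const:
    value: int

    def smt(self):
        return str(self.value) if self.value >= 0 else f"(- {-self.value})"

    def eval(self, env):
        return self.value


@dataclass(frozen=True)
class Op:
    """Application of an SMT-LIB arithmetic or Boolean operator."""
    op: str
    args: tuple

    def smt(self):
        return "(" + " ".join([self.op] + [a.smt() for a in self.args]) + ")"

    def eval(self, env):
        v = [a.eval(env) for a in self.args]
        table = {"+": lambda: v[0] + v[1], "-": lambda: v[0] - v[1],
                 "*": lambda: v[0] * v[1], "<": lambda: v[0] < v[1],
                 "<=": lambda: v[0] <= v[1], ">=": lambda: v[0] >= v[1],
                 "=": lambda: v[0] == v[1], "and": lambda: all(v),
                 "not": lambda: not v[0]}
        return table[self.op]()


@dataclass
class SymState:
    """Symbolic store plus path condition for one execution path."""
    params: list
    store: dict = field(default_factory=dict)
    path_cond: list = field(default_factory=list)

    def __post_init__(self):
        for p in self.params:
            self.store[p] = Sym(p)

    def var(self, name):
        return self.store[name]

    def assign(self, name, term):
        # the caller already resolved operands through the current store
        self.store[name] = term

    def assume(self, cond):
        # a branch taken on this path adds its guard to the path condition
        self.path_cond.append(cond)

    def store_check(self, size, index):
        """Checker hook: query that is SAT iff this path can index out of bounds."""
        in_bounds = Op("and", (Op("<=", (Const(0), index)), Op("<", (index, Const(size)))))
        return self.path_cond + [Op("not", (in_bounds,))]


def to_smtlib(params, assertions):
    lines = ["(set-logic AUFNIRA)"]
    lines += [f"(declare-fun {p} () Int)" for p in params]
    lines += [f"(assert {a.smt()})" for a in assertions]
    lines += ["(check-sat)", "(get-model)"]
    return "\n".join(lines)


def bounded_witness(params, assertions, lo=-16, hi=16):
    """Stand-in for the SMT solver (assumption): exhaustive search over a small
    integer box. Returns a satisfying assignment, i.e. a bug witness, or None."""
    for values in product(range(lo, hi + 1), repeat=len(params)):
        env = dict(zip(params, values))
        if all(a.eval(env) for a in assertions):
            return env
    return None


def analyse(harden):
    """Path through: int buf[8]; int i = n - 2; if (i >= 0 [&& i < 8]) buf[i] = 0;"""
    st = SymState(params=["n"])
    st.assign("i", Op("-", (st.var("n"), Const(2))))
    st.assume(Op(">=", (st.var("i"), Const(0))))
    if harden:
        st.assume(Op("<", (st.var("i"), Const(8))))  # the missing upper-bound check
    query = st.store_check(size=8, index=st.var("i"))
    return to_smtlib(st.params, query), bounded_witness(st.params, query)


if __name__ == "__main__":
    for harden in (False, True):
        script, witness = analyse(harden)
        print(script)
        print("witness:", witness, "\n")
```

Run stand-alone, the unhardened path yields a SAT query with the witness `n = 10` (index 8 into an 8-element buffer), while adding the `i < 8` guard makes the same query UNSAT within the search box; with a real solver the `(get-model)` output plays the role of the witness. Because the query is built from the path condition of one path rather than from a merged abstract state, a true upper-bound check on a different path cannot mask the bug here, which is the path-sensitivity the abstract refers to.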
