CREST Internal
Yunho Kim, Provable Software Laboratory, CS Dept., KAIST

CREST
Yunho Kim, Provable SW Lab (2/20)
• CREST is a concolic testing tool for C programs
  – Generates test inputs automatically
  – Executes the target under test on the generated test inputs
  – Explores all possible execution paths of the target systematically
• CREST is an open-source re-implementation of CUTE
  – mainly written in C++
• CREST's instrumentation is implemented as a module of CIL (C Intermediate Language), written in OCaml
Overview of CREST code
[Figure: data flow through CREST. Legend: source code / external tool (EXT) / CREST component.]
  C source code
    → CIL (external tool), running the CREST module cil/src/ext/crestInstrument.ml
    → Instrumented code
    → GCC (external tool), linked against the CREST symbolic execution library:
        src/libcrest/crest.cc
        src/base/symbolic_interpreter.cc
        src/base/symbolic_execution.cc
        src/base/symbolic_expression.cc
        src/base/symbolic_path.cc
        src/base/symbolic_predicate.cc
    → run_crest (CREST):
        src/run_crest/run_crest.cc
        src/run_crest/concolic_search.cc
        src/base/yices_solver.cc
        src/base/symbolic_execution.cc
        src/base/symbolic_expression.cc
        src/base/symbolic_path.cc
        src/base/symbolic_predicate.cc
        src/base/basic_types.cc
    → constraint → yices (external tool) → next input → back to the instrumented target
Directory Structure
• src/
  – base/        : Base libraries for symbolic execution
  – libcrest/    : Probe code for collecting symbolic states
  – process_cfg/ : CFG generator for the CFG-based search heuristic
  – run_crest/   : Main function of run_crest and the search algorithms
  – tools/       : A tool for printing the execution path from szd_execution
• cil/src/ext/crestInstrument.ml
  – A CIL module for instrumentation
CREST Code Metrics
  Name                    Value
  # of files     .h           9
                 .cc         12
                 Total       21
  # of lines     Code     2,210
                 Others   1,595
                 Total    3,805
  # of classes               14
  # of functions            147
Symbolic Execution Component
• The symbolic execution component collects symbolic states during concrete execution and manages symbolic execution paths
• Related files
  File                              Content
  src/libcrest/crest.cc             Probe functions inserted into the instrumented target
  src/base/symbolic_interpreter.cc  Main symbolic execution engine for CREST
  src/base/symbolic_execution.cc    A class for a symbolic execution, which consists of a symbolic path and inputs
  src/base/symbolic_path.cc         A class for a symbolic path, which is a sequence of symbolic predicates at taken branches
  src/base/symbolic_predicate.cc    A class for a symbolic predicate, which consists of a symbolic expression and a comparator
  src/base/symbolic_expression.cc   A class for a symbolic expression
Symbolic Interpreter
• The symbolic interpreter performs dynamic symbolic execution during execution of a target program
• The symbolic interpreter implements a symbolic machine with a stack architecture
• 4 types of statements
  – Symbolic variable initialization
  – Assignments
  – Applying operators
  – Branches
Symbolic Machine
• The symbolic machine has a symbolic stack, a symbolic memory and a symbolic predicate register
  – Symbolic memory stores symbolic expressions
  – Symbolic stack element: <symbolic expr, concrete value>
  – If the top of the stack is a predicate, the predicate is stored in the symbolic predicate register
[Figure: symbolic memory (columns: Address, Symbolic expression), symbolic stack, symbolic predicate register]
Example Revisited
Original source (line numbers are referenced by the #line directives below):
   1 #include <crest.h>
   2 int main() {
   3   int a, b, c, match = 0;
   4   CREST_int(a); CREST_int(b); CREST_int(c);
   5~9   … omitted …
  10   if (a == b) match = match + 1;
  10~32 … omitted …
  33 }
Instrumented code generated by crestInstrument.ml:
  int a, b, c;
  #line 4
  /* Initializes symbolic variables a, b, c */
  __CrestInt(&a); __CrestInt(&b); __CrestInt(&c);
  … omitted …
  #line 10
  {
    /* Creates symbolic expression a==b */
    __CrestLoad(36, (unsigned long)(&a), (long long)a);
    __CrestLoad(35, (unsigned long)(&b), (long long)b);
    __CrestApply2(34, 12, (long long)(a == b));
    if (a == b) {
      /* extern void __CrestBranch(int id, int bid, unsigned char b) */
      __CrestBranch(37, 11, 1);
      /* Creates symbolic expression match = match + 1; */
      __CrestLoad(41, (unsigned long)(&match), (long long)match);
      __CrestLoad(40, (unsigned long)0, (long long)1);
      __CrestApply2(39, 0, (long long)(match + 1));
      __CrestStore(42, (unsigned long)(&match));
      match++;
    } else {
      __CrestBranch(38, 12, 0);
    }
  }
Symbolic Variable Initialization
• Creates a symbolic memory element in symbolic memory
  – The concrete address of a variable is used as its symbolic address
• Suppose that we start with the input a = b = c = 0
Code:
  int a, b, c;
  #line 4
  /* Initializes symbolic variables a, b, c */
  __CrestInt(&a); __CrestInt(&b); __CrestInt(&c);
State after initialization:
  Symbolic memory             Address  Symbolic expression
                              &a       a
                              &b       b
                              &c       c
  Symbolic stack              (empty)
  Symbolic predicate register (empty)
Symbolic Compare Operator (1/4)
• A symbolic compare operator is used for a branch condition and results in a symbolic predicate
  – The predicate is stored in the symbolic predicate register
Code (symbolic PC at the start of the block):
  #line 10
  {
    /* Creates symbolic expression a==b */
    __CrestLoad(36, (unsigned long)(&a), (long long)a);
    __CrestLoad(35, (unsigned long)(&b), (long long)b);
    __CrestApply2(34, 12, (long long)(a == b));
    if (a == b) {
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              (empty)
  Symbolic predicate register (empty)
Symbolic Compare Operator (2/4)
• __CrestLoad(int id, unsigned long *ptr, long long val) loads the symbolic expression that ptr points to and pushes <loaded expr, val> onto the stack
  – If *ptr is a concrete variable, the function pushes <NULL, val> onto the stack
Symbolic PC: after __CrestLoad(36, (unsigned long)(&a), (long long)a);
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              <a, 0>
  Symbolic predicate register (empty)
Symbolic Compare Operator (3/4)
Symbolic PC: after __CrestLoad(35, (unsigned long)(&b), (long long)b);
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack (bottom to top) <a, 0>, <b, 0>
  Symbolic predicate register (empty)
Symbolic Compare Operator (4/4)
• __CrestApply2(int id, int op_type, long long val)
  1. pops two elements from the stack,
  2. applies the binary operator corresponding to op_type to the popped elements,
  3. pushes the result onto the stack if the result is not a predicate
     – A predicate is stored in the register instead
Symbolic PC: after __CrestApply2(34, 12, (long long)(a == b)); the next statement is
  if (a == b) {
    /* extern void __CrestBranch(int id, int bid, unsigned char b) */
    __CrestBranch(37, 11, 1);
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              (empty)
  Symbolic predicate register <a==b, 1>
Symbolic Branch (1/2)
• Whenever a branch statement is executed, CREST records which branch is taken by calling the __CrestBranch() function.
Symbolic PC: __CrestBranch(37, 11, 1);   /* extern void __CrestBranch(int id, int bid, unsigned char b) */
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              (empty)
  Symbolic predicate register <a==b, 1>
Symbolic Branch (2/2)
• A symbolic path is a sequence of <symbolic pred, branch ID>
• The __CrestBranch(int id, int bid, unsigned char b) function appends a new element <symbolic pred, bid> to the current symbolic path
  – The symbolic pred comes from the register
  – If b == 0, the negated predicate is appended
Symbolic PC: after __CrestBranch(37, 11, 1); the next statement is
  /* Creates symbolic expression match = match + 1; */
  __CrestLoad(41, (unsigned long)(&match), (long long)match);
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              (empty)
  Symbolic predicate register (empty)
  Symbolic path               <a==b, 11>
Symbolic Arithmetic Operator (1/2)
• A symbolic arithmetic operator is similar to the symbolic compare operator
  – Pops operands from the stack, applies the operator to the operands, and pushes the result onto the stack
Symbolic PC: after
  __CrestLoad(41, (unsigned long)(&match), (long long)match);
  __CrestLoad(40, (unsigned long)0, (long long)1);
the next statement is __CrestApply2(39, 0, (long long)(match + 1));
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack (bottom to top) <NULL, 0>, <NULL, 1>
  Symbolic predicate register (empty)
  Symbolic path               <a==b, 11>
Symbolic Arithmetic Operator (2/2)
• If at least one of the operands is symbolic, the result is also symbolic
  – Otherwise, the result is concrete
Symbolic PC: after __CrestApply2(39, 0, (long long)(match + 1)); the next statement is __CrestStore(42, (unsigned long)(&match));
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              <NULL, 2>
  Symbolic predicate register (empty)
  Symbolic path               <a==b, 11>
Symbolic Assignment (1/1)
• The __CrestStore(int id, unsigned long *ptr) function pops one element from the stack and updates symbolic memory
  – If the popped element is concrete, it is just ignored
  – If the element is symbolic
    • If ptr has an entry in symbolic memory, the corresponding symbolic expression is updated
    • Otherwise, a new entry is added to symbolic memory
Symbolic PC: after __CrestStore(42, (unsigned long)(&match)); the next statement is match++;
State:
  Symbolic memory             &a -> a, &b -> b, &c -> c
  Symbolic stack              (empty)
  Symbolic predicate register (empty)
  Symbolic path               <a==b, 11>
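As an added example (not CREST's own code), here is a toy Python model of the symbolic machine from the Symbolic Interpreter slide through the Symbolic Assignment slide, replaying the instrumented line 10 of the example for a given concrete input. The addresses are constructed stand-ins for &a, &b, &c and &match; the op_type values 0 (+) and 12 (==) are the ones appearing in the instrumented code on the slides, and the rest of CREST's operator table is not modelled.

```python
# Toy model of the stack-based symbolic machine described on the slides (added example,
# not CREST's code). op_type 0 (+) and 12 (==) are taken from the slides' instrumented code.
OPS = {0: "+", 12: "=="}


class SymMachine:
    def __init__(self):
        self.memory = {}       # symbolic memory: address -> symbolic expression
        self.stack = []        # symbolic stack: [(expr, concrete value)]; expr None == NULL (concrete)
        self.register = None   # symbolic predicate register: (predicate or None, concrete value)
        self.path = []         # symbolic path: [(predicate, branch id)]

    def crest_int(self, addr, name):   # __CrestInt: the variable at addr becomes symbolic input `name`
        self.memory[addr] = name

    def load(self, addr, val):         # __CrestLoad: push <expr stored at addr (NULL if none), val>
        self.stack.append((self.memory.get(addr), val))

    def apply2(self, op_type, val):    # __CrestApply2: pop two, combine, push result or set register
        (rhs, rv), (lhs, lv) = self.stack.pop(), self.stack.pop()
        expr = (None if lhs is None and rhs is None          # both operands concrete -> concrete result
                else f"{lhs if lhs is not None else lv} {OPS[op_type]} {rhs if rhs is not None else rv}")
        if op_type == 12:              # comparator: the predicate goes to the register, not the stack
            self.register = (expr, val)
        else:
            self.stack.append((expr, val))

    def branch(self, bid, taken):      # __CrestBranch: append <pred, bid> to the path, negated if not taken
        pred, _ = self.register
        if pred is not None:           # a concrete condition constrains no input, so it adds nothing
            self.path.append((pred if taken else f"!({pred})", bid))
        self.register = None

    def store(self, addr):             # __CrestStore: pop one element and update symbolic memory
        expr, _ = self.stack.pop()
        if expr is not None:
            self.memory[addr] = expr
        else:                          # (model's choice) a concrete store also drops a stale symbolic entry
            self.memory.pop(addr, None)


def run_line_10(a, b, match=0):
    """Replay the slides' instrumented line 10 (`if (a==b) match=match+1;`) for concrete a, b."""
    m = SymMachine()
    A, B, C, MATCH = 0x10, 0x14, 0x18, 0x1C   # constructed stand-ins for &a, &b, &c, &match
    m.crest_int(A, "a"); m.crest_int(B, "b"); m.crest_int(C, "c")
    m.load(A, a); m.load(B, b); m.apply2(12, int(a == b))
    if a == b:
        m.branch(11, 1)   # constant 1 is loaded from address 0, as in the instrumented code
        m.load(MATCH, match); m.load(0, 1); m.apply2(0, match + 1); m.store(MATCH); match += 1
    else:
        m.branch(12, 0)
    return m, match
```

run_line_10(0, 0) reproduces the slides' walk-through and ends with path <a==b, 11>, an empty stack and an empty register; run_line_10(0, 1) records the negated predicate <!(a==b), 12>, which is the kind of constraint run_crest hands to yices to compute the next input.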
Conclusion
• CREST does not support full ANSI-C semantics
  – No symbolic pointer dereference
  – Only linear integer arithmetic
  – No bit-wise operators
  – And so on
• To support them, we need to improve CREST's dynamic symbolic interpreter engine
• I hope this presentation will be a good starting point