A deterministic memory allocator for dynamic symbolic execution
File(s)LIPIcs-ECOOP-2022-9.pdf (1014.92 KB)
Published version
Author(s)
Schemmel, Daniel
Büning, Julian
Busse, Frank
Nowack, Martin
Cadar, Cristian
Type
Conference Paper
Abstract
Dynamic symbolic execution (DSE) has established itself as an effective testing and analysis technique. While the memory model in DSE has attracted significant attention, the memory allocator has been
largely ignored, despite its significant influence on DSE.
In this paper, we discuss the different ways in which the memory allocator can influence DSE and the main design principles that a memory allocator for DSE needs to follow: support for external calls, cross-run and cross-path determinism, spatially and temporally distanced allocations, and stability. We then present KDAlloc, a deterministic allocator for DSE that is guided by these six design principles.
We implement KDAlloc in KLEE, a popular DSE engine, and first show that it is competitive with KLEE’s default allocator in terms of performance and memory overhead, and in fact significantly improves performance in several cases. We then highlight its benefits for use-after-free error detection and two distinct DSE-based techniques: MoKlee, a system for saving DSE runs to disk and later (partially) restoring them, and SymLive, a system for finding infinite-loop bugs.
largely ignored, despite its significant influence on DSE.
In this paper, we discuss the different ways in which the memory allocator can influence DSE and the main design principles that a memory allocator for DSE needs to follow: support for external calls, cross-run and cross-path determinism, spatially and temporally distanced allocations, and stability. We then present KDAlloc, a deterministic allocator for DSE that is guided by these six design principles.
We implement KDAlloc in KLEE, a popular DSE engine, and first show that it is competitive with KLEE’s default allocator in terms of performance and memory overhead, and in fact significantly improves performance in several cases. We then highlight its benefits for use-after-free error detection and two distinct DSE-based techniques: MoKlee, a system for saving DSE runs to disk and later (partially) restoring them, and SymLive, a system for finding infinite-loop bugs.
Date Issued
2022-06-23
Date Acceptance
2022-05-13
Citation
LIPIcs : Leibniz International Proceedings in Informatics, 2022, 222, pp.9:1-9:26
ISBN
978-3-95977-225-9
ISSN
1868-8969
Publisher
Schloss Dagstuhl -- Leibniz-Zentrum fuer Informatik
Start Page
9:1
End Page
9:26
Journal / Book Title
LIPIcs : Leibniz International Proceedings in Informatics
Volume
222
Copyright Statement
© Daniel Schemmel, Julian Büning, Frank Busse, Martin Nowack, and Cristian Cadar; licensed under Creative Commons License CC-BY 4.0 (https://creativecommons.org/licenses/by/4.0/)
License URL
Sponsor
European Research Council (ERC)
Grant Number
819141
Source
36th European Conference on Object-Oriented Programming (ECOOP 2022)
Publication Status
Published
Start Date
2022-06-06
Finish Date
2022-06-10
Coverage Spatial
Berlin, Germany