Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Finding Software Vulnerabilities using Symbolic Execution and Fuzzing

Build Status CII Best Practices Gitter

Map2Check is a bug hunting tool that automatically generating and checking safety properties in C programs. It tracks memory pointers and variable assignments to check user-specified assertions, overflow, and pointer safety. The generation of the tests cases are based on assertions (safety properties) from the code instructions, adopting the LLVM framework version 6.0, LibFuzzer, KLEE to generate input values to the test cases generated by Map2Check. Additionally, we have adopted Crab-LLVM tool to computes inductive invariants for LLVM-based languages.

Extra documentation is available at

Requirements for using the tool

To use the Map2Check tool is necessary a Linux 64-bit OS system. In the linux OS, you should install the requirements, typing the commands:

$ sudo apt install python-minimal
$ sudo apt install libc6-dev

Our binary tool is avaliable at

Install Map2Check

In order to install Map2Check on your PC, you should download and save the map2check zip file on your disk from After that, you should type the following command:

$ unzip
$ cd map2check-rc-v7.3-svcomp20

Running the tool

Map2Check can be invoked through a standard command-line interface. Map2Check should be called in the installation directory as follows:

$ ./map2check --memtrack svcomp_960521-1_false-valid-free.c

In this case, --memtrack is the option to check for memory errors. For help and others tool options:

$ ./map2check --help

When you use a LLVM bytecode as input for the tool, be sure to add -g flag when generating the file, it is not required, but map2check will provide better info (like line numbers).

How to build Map2Check?

You can build Map2Check using our Dockerfile by clone our repository:

$ git clone
$ cd Map2Check
$ git submodule update --init --recursive
# Build docker image to compile Map2Check
$ docker build -t hrocha/mapdevel --no-cache -f Dockerfile .
$ docker run --rm -v $(pwd):/home/map2check/devel_tool/mygitclone:Z --user $(id -u):$(id -g) hrocha/mapdevel /bin/bash -c "cd /home/map2check/devel_tool/mygitclone; ./; ./"

More details at

How to run the regression testing

You should build the Benchexec docker image that is available in our repository in the submodule:

$ cd Map2Check
$ docker build -t hrocha/benchexecrun --no-cache -f utils/benchexecrun/Dockerfile utils/benchexecrun/
# Running the regression testing
$ ./ t

Instructions for SV-COMP'20

Use the script in the Map2Check binary directory to verify each single test-case.


$ ./ -p propertyFile.prp file.i

Map2Check accepts the property file and the verification task and provides as verification result: TRUE + Witness, [FALSE|FALSE(p)] + Witness, or UNKNOWN. FALSE(p), with p in {valid-free, valid-deref, valid-memtrack, valid-memcleanup}, means that the (partial) property p is violated. For each verification result the witness file (called witness.graphml) is generated Map2Check root-path folder. There is timeout of 897 seconds set by this script, using "timeout" tool that is part of coreutils on debian. If these constraints are violated, it should be treated as UNKNOWN result.



Questions and bug reports:

     // \\    > L I N U X - GPL <
    /(   )\