Created: 2014-05-19 14:49
Updated: 2019-03-07 10:17
License: gpl-2.0


Finding Software Vulnerabilities using Symbolic Execution and Fuzzing

Build Status



Map2Check is a bug hunting tool that automatically generating and checking safety properties in C programs. It tracks memory pointers and variable assignments to check user-specified assertions, overflow, and pointer safety. The generation of the tests cases are based on assertions (safety properties) from the code instructions, adopting the [LLVM framework](, [LibFuzzer]( [KLEE]( to generate input values to the test cases generated by Map2Check.

Extra documentation is available at


Requirements for using the tool
To use this tool is necessary a Linux 64-bit OS system. In linux, you can install requirements typing the commands:

$ sudo apt install python-minimal
$ sudo apt install libc6-dev

Our binary tool is avaliable at


How to build Map2Check?

You can build Map2Check using our [Dockerfile](./Dockerfile), more details at

Install Map2Check

In order to install Map2Check on your PC, you should download and save the map2check zip file on your disk from After that, you should type the following command:

$ unzip
$ cd Map2Check-map2check_v7.2_svcomp

Testing tool

Map2Check can be invoked through a standard command-line interface. Map2Check should be called in the installation directory as follows:

$ ./map2check -m svcomp_960521-1_false-valid-free.c

For help and others options:

$ ./map2check --help

When using a LLVM bytecode, be sure to add -g flag when generating the file, it is not required, but map2check will provide better info (like line numbers).


Instructions for SV-COMP'19

Use the '' script in the 'utils' directory to verify each single test-case.


$ ./ -p propertyFile.prp file.i

Map2Check accepts the property file and the verification task and provides as verification result: TRUE + Witness, [FALSE|FALSE(p)] + Witness, or UNKNOWN. FALSE(p), with p in {valid-free, valid-deref, valid-memtrack, valid-memcleanup}, means that the (partial) property p is violated. For each verification result the witness file (called witness.graphml) is generated Map2Check root-path folder. There is timeout of 895 seconds set by this script, using "timeout" tool that is part of coreutils on debian. If these constraints are violated, it should be treated as UNKNOWN result.




  • Herbert O. Rocha (since 2014), Federal University of Roraima, Brazil
  • Rafael Menezes (since 2016), Federal University of Roraima, Brazil

Questions and bug reports:

     // \\    > L I N U X - GPL <
    /(   )\
Cookies help us deliver our services. By using our services, you agree to our use of cookies Learn more