Abstract
We introduce Gillian, a platform for developing symbolic analysis tools for programming languages. Here, we focus on the symbolic execution engine at the heart of Gillian, which is parametric on the memory model of the target language. We give a formal description of the symbolic analysis and a modular implementation that closely follows this description. We prove a parametric soundness result, introducing restriction on abstract states, which generalises path conditions used in classical symbolic execution. We instantiate Gillian to obtain trusted symbolic testing tools for JavaScript and C, and use these tools to find bugs in real-world code, thus demonstrating the viability of our parametric approach.
Highlights
Symbolic execution is a well-established analysis technique for reasoning about programs [12, 13]
All three approaches have had substantial successes in academia and industry: for example, Rosette is regularly applied to analysis of domain-specific languages [7, §5] and has been used to find bugs in parts of the Linux kernel [41]; K has been instantiated to various languages, such as Java, JavaScript, and C [6, 26, 44, 61], and is being used in industry for symbolic analysis of Ethereum bytecode [27, 45]; and the industrial tools SAW and Infer are developed and used in, respectively, Galois and Facebook
The framework provides general symbolic reasoning over these data structures, and the challenge is for the developer to find a way to use the data structures so that this general reasoning is optimised for the specific target language (TL)
Summary
Symbolic execution is a well-established analysis technique for reasoning about programs [12, 13]. All three approaches have had substantial successes in academia and industry: for example, Rosette is regularly applied to analysis of domain-specific languages [7, §5] and has been used to find bugs in parts of the Linux kernel [41]; K has been instantiated to various languages, such as Java, JavaScript, and C [6, 26, 44, 61], and is being used in industry for symbolic analysis of Ethereum bytecode [27, 45]; and the industrial tools SAW and Infer are developed and used in, respectively, Galois and Facebook. The framework provides general symbolic reasoning over these data structures, and the challenge is for the developer to find a way to use the data structures so that this general reasoning is optimised for the specific TL. The tools come with a fixed menu of memory models, for which the symbolic reasoning is optimised, but offer no mechanism for adding new memory models. The general symbolic reasoning of the first two approaches is correct-by-construction, whereas the correctness of the specific symbolic reasoning in the third approach needs to be argued on a case-by-case basis and is usually not discussed.