Symbolic analysis via semantic reinterpretation

SPIN 09

International Journal on Software Tools for Technology Transfer

Abstract

The paper presents a novel technique to create implementations of the basic primitives used in symbolic program analysis: forward symbolic evaluation, weakest liberal precondition, and symbolic composition. We used the technique to create a system in which, for the cost of writing just one specification—an interpreter for the programming language of interest—one obtains automatically generated, mutually-consistent implementations of all three symbolic-analysis primitives. This can be carried out even for languages with pointers and address arithmetic. Our implementation has been used to generate symbolic-analysis primitives for the x86 and PowerPC instruction sets.
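To make the idea of "one interpreter, several reinterpretations" concrete, here is a small added illustration (not code from the paper or its implementation): an interpreter for a toy straight-line language is written once against an abstract semantic algebra, and swapping the algebra yields concrete execution, forward symbolic evaluation, symbolic composition and weakest liberal precondition from the same source. The toy language, the `Concrete`/`Symbolic` algebras and the sample program are all constructed for this example; the language has no pointers, so WLP reduces to substitution.

```python
# Added illustration of semantic reinterpretation; not code from the paper.
# One interpreter for a toy straight-line language is written against an
# abstract semantic algebra; swapping the algebra gives the symbolic primitives.
# Statements: ("assign", name, expr) | ("seq", s1, s2)
# Expressions: ("const", n) | ("var", name) | ("add"|"mul"|"lt", e1, e2)

class Concrete:
    """Standard meaning: values are ints (comparisons give bools)."""
    def const(self, n): return n
    def add(self, a, b): return a + b
    def mul(self, a, b): return a * b
    def lt(self, a, b): return a < b

class Symbolic:
    """Reinterpretation: values are terms, kept as Python-syntax strings."""
    def const(self, n): return str(n)
    def add(self, a, b): return f"({a} + {b})"
    def mul(self, a, b): return f"({a} * {b})"
    def lt(self, a, b): return f"({a} < {b})"

def eval_expr(alg, env, e):
    """The single interpreter for expressions, parameterised by the algebra."""
    tag = e[0]
    if tag == "const":
        return alg.const(e[1])
    if tag == "var":
        return env[e[1]]
    lhs, rhs = eval_expr(alg, env, e[1]), eval_expr(alg, env, e[2])
    return getattr(alg, tag)(lhs, rhs)

def exec_stmt(alg, env, s):
    """The single interpreter for statements; env maps names to values."""
    if s[0] == "assign":
        return {**env, s[1]: eval_expr(alg, env, s[2])}
    if s[0] == "seq":
        return exec_stmt(alg, exec_stmt(alg, env, s[1]), s[2])
    raise ValueError(f"unknown statement {s[0]!r}")

def symbolic_exec(stmt, names):
    """Forward symbolic evaluation: run the interpreter from the identity state."""
    return exec_stmt(Symbolic(), {v: v for v in names}, stmt)

def compose(sigma, stmt):
    """Symbolic composition: extend a symbolic state by a further statement."""
    return exec_stmt(Symbolic(), sigma, stmt)

def wlp(stmt, post, names):
    """WLP of a straight-line stmt: post with the symbolic state substituted in."""
    return eval_expr(Symbolic(), symbolic_exec(stmt, names), post)

# Constructed sample program: x = x + 1; y = x * 2
PROG = ("seq", ("assign", "x", ("add", ("var", "x"), ("const", 1))),
               ("assign", "y", ("mul", ("var", "x"), ("const", 2))))
```

Because the symbolic terms are valid Python expressions, evaluating the WLP formula under a concrete binding agrees with running the concrete interpreter, which is the mutual consistency the abstract refers to.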


References

  1. Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic predicate abstraction of C programs. In: PLDI (2001)

  2. Barnett, M., Chang, B.-Y., DeLine, R., Jacobs, B., Leino, K.: Boogie: A modular reusable verifier for object-oriented programs. In: Formal Methods for Components and Objects (2005)

  3. Beckman, N., Nori, A., Rajamani, S., Simmons, R.: Proofs from tests. In: ISSTA (2008)

  4. Birkedal, L., Welinder, M.: Hand-writing program generator generators. In: PLILP (1994)

  5. Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Botnet Analysis and Defense. Springer, Berlin (2008)

  6. Cousot, P., Cousot, R.: Abstract interpretation. In: POPL (1977)

  7. Coverity, Inc. Coverity Prevent. www.coverity.com/html/coverity-prevent.html

  8. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Int. Conf. on Tools and Algs. for the Construction and Analysis of Systems (2008)

  9. Dutertre, B., de Moura, L.: Yices: an SMT solver (2006). http://yices.csl.sri.com/

  10. Ganesh, V., Dill, D.: A decision procedure for bit-vectors and arrays. In: CAV (2007)

  11. Godefroid, P., Klarlund, N., Sen, K.: DART: Directed automated random testing. In: PLDI (2005)

  12. Godefroid, P., Levin, M., Molnar, D.: Automated whitebox fuzz testing. In: NDSS (2008)

  13. GrammaTech, Inc. CodeSonar. http://www.grammatech.com/products/codesonar

  14. Gulavani, B., Henzinger, T., Kannan, Y., Nori, A., Rajamani, S.: SYNERGY: a new algorithm for property checking. In: FSE (2006)

  15. Henzinger, T., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: POPL (2002)

  16. Intel.: Intel 64 and IA-32 Architectures Software Developer’s Manual, vol. 2A: Instruction Set Reference, A-M. http://download.intel.com/design/processor/manuals/253666.pdf

  17. Intel.: Intel 64 and IA-32 Architectures Software Developer’s Manual, vol. 2B: Instruction Set Reference, N-Z. http://download.intel.com/design/processor/manuals/253667.pdf

  18. Jhala, R., Majumdar, R.: B2: Software model checking for C (2009). http://www.cs.ucla.edu/~rupak/b2/

  19. Jones, N., Gomard, C., Sestoft, P.: Partial Evaluation and Automatic Program Generation. Prentice-Hall, Englewood Cliffs (1993)

  20. Jones, N., Mycroft, A.: Data flow analysis of applicative programs using minimal function graphs. In: POPL, pp. 296–306 (1986)

  21. Lal, A., Lim, J., Reps, T.: McDash: Refinement-based property verification for machine code. TR-1649, Comp. Sci. Dept., Univ. of Wisconsin, Madison, WI (2009)

  22. Lee, P., Leone, M.: Optimizing ML with run-time code generation. In: PLDI (1996)

  23. Lim, J., Lal, A., Reps, T.: Symbolic analysis via semantic reinterpretation. In: Spin Workshop (2009)

  24. Lim, J., Reps, T.: A system for generating static analyzers for machine instructions. TR-1622, CS Dept., Univ. of Wisconsin, Madison, WI (2007)

  25. Lim, J., Reps, T.: A system for generating static analyzers for machine instructions. In: CC (2008)

  26. Malmkjær, K.: Abstract interpretation of partial-evaluation algorithms. PhD thesis, Dept. of Comp. and Inf. Sci., Kansas State Univ. (1993)

  27. Morris, J.: A general axiom of assignment. In: Broy, M., Schmidt, G. (eds.) Theor. Found. of Program. Methodology. Reidel, Dordrecht (1982)

  28. Mosses, P.: A semantic algebra for binding constructs. In: ICFPC (1981)

  29. Mycroft, A., Jones, N.: A relational framework for abstract interpretation. In: PADO (1985)

  30. Necula, G., Lee, P.: Safe kernel extensions without run-time checking. In: OSDI (1996)

  31. Nelson, G.: A generalization of Dijkstra’s calculus. TOPLAS 11(4) (1989)

  32. Nielson, F.: Two-level semantics and abstract interpretation. TCS 69, 117–242 (1989)

  33. Nielson, F., Nielson, H.: Two-Level Functional Languages. Cambridge University Press, Cambridge (1992)

  34. Sen, K., Marinov, D., Agha, G.: CUTE: a concolic unit testing engine for C. In: FSE (2005)

  35. Sifakis, J.: A unified approach for studying the properties of transition systems. TCS 18, 227–258 (1982)

  36. Xie, Y., Aiken, A.: Saturn: a scalable framework for error detection using Boolean satisfiability. TOPLAS 29(3) (2007)

  37. Xie, Y., Chou, A., Engler, D.: ARCHER: Using symbolic, path-sensitive analysis to detect memory access errors. In: FSE (2003)

Author information

Correspondence to Thomas Reps.

Additional information

Portions of this work appeared in the Proc. of the 16th Int. SPIN Workshop [23]. The research was supported by NSF under grants CCF-0540955, CCF-0810053, and CCF-0904371, by ONR under grants N00014-09-1-0510 and N00014-09-1-0776, by ARL under grant W911NF-09-1-0413, and by AFRL under grants FA8750-06-C-0249 and FA9550-09-1-0279.

J. Lim was supported by a Symantec Research Labs Graduate Fellowship.

A. Lal was supported by a Microsoft Research Fellowship. The work was performed while A. Lal was affiliated with the University of Wisconsin.

T. Reps has an ownership interest in GrammaTech, Inc., which has licensed elements of the technology reported in this publication.


Cite this article

Lim, J., Lal, A. & Reps, T. Symbolic analysis via semantic reinterpretation. Int J Softw Tools Technol Transfer 13, 61–87 (2011). https://doi.org/10.1007/s10009-010-0158-6
