Range Analysis of Microcontroller Code Using Bit-Level Congruences

  • Jörg Brauer
  • Andy King
  • Stefan Kowalewski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6371)


Bitwise instructions, loops and indirect data access pose difficult challenges to the verification of microcontroller programs. In particular, it is necessary to show that an indirect write does not mutate registers, which are indirectly addressable. To prove this property, among others, this paper presents a relational binary-code semantics and details how this can be used to compute program invariants in terms of bit-level congruences. Moreover, it demonstrates how congruences can be combined with intervals to derive accurate ranges, as well as information about strided indirect memory accesses.


Memory Location Range Analysis Abstract Interpretation Program Location Abstract Domain 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Atmel Corporation. 8-bit AVR Instruction Set (July 2008)Google Scholar
  2. 2.
    Bagnara, R., Dobson, K., Hill, P., Mundell, M., Zaffanella, E.: Grids: A domain for analyzing the distribution of numerical values. In: Puebla, G. (ed.) LOPSTR 2006. LNCS, vol. 4407, pp. 219–235. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    Balakrishnan, G., Reps, T.W.: WYSINWYX: What You See Is Not What You eXecute. ACM Trans. Program. Lang. Syst. (to appear, 2010)Google Scholar
  4. 4.
    Brauer, J., King, A.: Automatic abstraction for intervals using boolean formulae. In: SAS 2010. LNCS. Springer, Heidelberg (2010)Google Scholar
  5. 5.
    Brauer, J., Noll, T., Schlich, B.: Interval analysis of microcontroller code using abstract interpretation of hardware and software. In: SCOPES. ACM, New York (to appear, 2010)Google Scholar
  6. 6.
    Codish, M., Lagoon, V., Stuckey, P.J.: Logic programming with Satisfiability. Theory and Practice of Logic Programming 8(1), 121–128 (2008)CrossRefzbMATHGoogle Scholar
  7. 7.
    Codish, M., Mulkers, A., Bruynooghe, M., García de la Banda, M.J., Hermenegildo, M.V.: Improving abstract interpretations by combining domains. ACM Trans. Program. Lang. Syst. 17(1), 28–44 (1995)CrossRefGoogle Scholar
  8. 8.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM, New York (1977)Google Scholar
  9. 9.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL, pp. 269–282 (1979)Google Scholar
  10. 10.
    Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Mine, A., Monniaux, D., Rival, X.: The Astrée analyser. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 21–30. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Cousot, P., Halbwachs, N.: Automatic Discovery of Linear Restraints Among Variables of a Program. In: POPL, pp. 84–97. ACM Press, New York (1978)Google Scholar
  12. 12.
    Eide, E., Regehr, J.: Volatiles are miscompiled, and what to do about it. In: EMSOFT, pp. 255–264. ACM, New York (2008)CrossRefGoogle Scholar
  13. 13.
    Granger, P.: Static analysis of linear congruence equalities among variables of a program. In: Abramsky, S. (ed.) CAAP 1991 and TAPSOFT 1991. LNCS, vol. 493, pp. 169–192. Springer, Heidelberg (1991)Google Scholar
  14. 14.
    Gulwani, S., McCloskey, B., Tiwari, A.: Lifting abstract interpreters to quantified logical domains. In: POPL, pp. 235–246. ACM, New York (2008)Google Scholar
  15. 15.
    King, A., Søndergaard, H.: Inferring congruence equations using SAT. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 281–293. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    King, A., Søndergaard, H.: Automatic abstraction for congruences. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 281–293. Springer, Heidelberg (2010)Google Scholar
  17. 17.
    Miné, A.: The Octagon Abstract Domain. Higher-Order and Symbolic Computation 19(1), 31–100 (2006)CrossRefzbMATHGoogle Scholar
  18. 18.
    Müller-Olm, M., Seidl, H.: Analysis of Modular Arithmetic. ACM Trans. Program. Lang. Syst. 29(5) (August 2007)Google Scholar
  19. 19.
    Noll, T., Schlich, B.: Delayed nondeterminism in model checking embedded systems assembly code. In: Yorav, K. (ed.) HVC 2007. LNCS, vol. 4899, pp. 185–201. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  20. 20.
    Regehr, J., Reid, A.: HOIST: A system for automatically deriving static analyzers for embedded systems. Operating Systems Review 38(5), 133–143 (2004)CrossRefGoogle Scholar
  21. 21.
    Reps, T., Sagiv, M., Yorsh, G.: Symbolic Implementation of the Best Transformer. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Simon, A., King, A.: Taming the wrapping of integer arithmetic. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 121–136. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jörg Brauer
    • 1
  • Andy King
    • 2
  • Stefan Kowalewski
    • 1
  1. 1.Embedded Software LaboratoryRWTH Aachen UniversityGermany
  2. 2.Portcullis Computer SecurityPinnerUK

Personalised recommendations