Gillian: A Multi-Language Platform for Unified Symbolic Analysis

Gillian was introduced in [4] as a multi-language platform for whole-program symbolic execution. It is parametric on the concrete and symbolic memory models of the target language (TL) and is underpinned by a core symbolic execution engine with strong mathematical foundations. Gillian analyses GIL, an intermediate goto language that is itself parametric on a set of memory actions describing the fundamental ways in which TL programs interact with their memories. To instantiate Gillian to a new TL, a tool developer must: (1) identify the set of TL memory actions and implement the TL memory models in terms of these actions; and (2) provide a trusted compiler from the TL to GIL that preserves both the TL memory models and the TL semantics. In [4], Gillian was instantiated to JavaScript (JS) and C, and these instantiations, called Gillian-JS and Gillian-C, were used to find bugs in two real-world data-structure libraries.

In [1], Gillian was extended with support for compositional memory models and verification based on separation logic. The compositional memory models of Gillian work with partial memories and are formulated in terms of core predicates and their associated consumer and producer actions for the TL memory models, all of which must be provided by the tool developer. The core predicates describe the fundamental units of TL memories: e.g., a JS object-property pair and a C block cell. The consumers and producers, respectively, frame off and frame on the TL memory resource described by a core predicate. Partial memories must also track negative resource, that is, resource known to be absent from the partial memory (as opposed to resource about which the partial memory says nothing). Gillian verification is built on top of these compositional memory models: the core predicates induce an assertion language for writing function specifications in separation logic, and the consumers and producers allow for the creation of a fully parametric spatial entailment engine, enabling function specifications to be re-used during symbolic execution.
Gillian also allows tool developers to extend assertions with user-defined predicates, so as to capture the TL-level interface that code developers are familiar with, and allows code developers to provide further predicates and lemmas with which to verify the particular data structures used in their programs. In [1], Gillian-JS and Gillian-C were extended to support verification and used to provide verified specifications of the JS and C implementations of the deserialisation module of the AWS Encryption SDK, discovering two bugs in the former and three in the latter.
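To make the notions of core predicates, consumers, producers and negative resource concrete, the following is an added toy model, written for this page and not taken from the Gillian code base. It models a JS-style object-property memory in the spirit of the description above: `cell(o, p, v)` is the positive resource "property `p` of object `o` holds `v`", and `none(o, p)` is the negative resource "`o` is known not to have property `p`". The class name `PartialMemory`, the method names, the `bump` specification and the sample heap contents are all assumptions made for the example; they are not Gillian's actual API or data.

```python
"""Toy compositional memory model with positive and negative resource.

Added example (not Gillian code). Consumers frame resource off a partial
memory, producers frame it on, and memory actions (here, property reads)
are built from consumer/producer pairs. Function specifications are reused
at call sites by consuming the precondition and producing the postcondition.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Loc = Tuple[str, str]            # (object, property)
Pred = Tuple                      # ('cell', o, p, v) or ('none', o, p)


class ResourceError(Exception):
    """Resource conflict: producing something already owned, or consuming
    something that contradicts what is owned (e.g. a cell known absent)."""


class MissingResource(Exception):
    """The partial memory says nothing about this location: the resource must
    be framed in (typically from a precondition) before it can be used."""


@dataclass
class PartialMemory:
    cells: Dict[Loc, object] = field(default_factory=dict)   # positive resource
    absent: Set[Loc] = field(default_factory=set)            # negative resource

    def _owned(self, loc: Loc) -> bool:
        return loc in self.cells or loc in self.absent

    # Producers: frame resource on. Owning a location twice is a conflict.
    def produce_cell(self, o: str, p: str, v: object) -> None:
        if self._owned((o, p)):
            raise ResourceError(f"cell{(o, p)} already owned")
        self.cells[(o, p)] = v

    def produce_none(self, o: str, p: str) -> None:
        if self._owned((o, p)):
            raise ResourceError(f"none{(o, p)} conflicts with owned resource")
        self.absent.add((o, p))

    # Consumers: frame resource off. Distinguish "contradicted" from "unknown".
    def consume_cell(self, o: str, p: str) -> object:
        if (o, p) in self.cells:
            return self.cells.pop((o, p))
        if (o, p) in self.absent:
            raise ResourceError(f"cell{(o, p)} required but known absent")
        raise MissingResource((o, p))

    def consume_none(self, o: str, p: str) -> None:
        if (o, p) in self.absent:
            self.absent.remove((o, p))
            return
        if (o, p) in self.cells:
            raise ResourceError(f"none{(o, p)} required but cell is owned")
        raise MissingResource((o, p))

    # Memory actions expressed as consumer/producer pairs.
    def get_prop(self, o: str, p: str) -> object:
        v = self.consume_cell(o, p)      # frame off ...
        self.produce_cell(o, p, v)       # ... and frame the same cell back on
        return v

    def has_prop(self, o: str, p: str) -> bool:
        if (o, p) in self.cells:
            return True
        if (o, p) in self.absent:
            return False
        raise MissingResource((o, p))


def apply_spec(mem: PartialMemory, pre: List[Pred],
               post: Callable[[Dict[str, object]], List[Pred]]) -> Dict[str, object]:
    """Reuse a spec {pre} f {post} at a call site: consume the precondition
    (binding its logical variables), then produce the postcondition. Whatever
    else `mem` owns is the frame and is left untouched."""
    env: Dict[str, object] = {}
    for pred in pre:
        if pred[0] == "cell":
            env[pred[3]] = mem.consume_cell(pred[1], pred[2])
        else:
            mem.consume_none(pred[1], pred[2])
    for pred in post(env):
        if pred[0] == "cell":
            mem.produce_cell(pred[1], pred[2], pred[3])
        else:
            mem.produce_none(pred[1], pred[2])
    return env


# Assumed spec: { cell(o, "x", V) } bump(o) { cell(o, "x", V + 1) }
BUMP_PRE: List[Pred] = [("cell", "o", "x", "V")]
def bump_post(env: Dict[str, object]) -> List[Pred]:
    return [("cell", "o", "x", env["V"] + 1)]


def run_scenarios() -> Dict[str, object]:
    """Constructed call-site heap: o.x = 41, o.y is frame, o.z known absent."""
    r: Dict[str, object] = {}
    mem = PartialMemory()
    mem.produce_cell("o", "x", 41)
    mem.produce_cell("o", "y", "frame")
    mem.produce_none("o", "z")
    r["bump_env"] = apply_spec(mem, BUMP_PRE, bump_post)["V"]
    r["x_after"] = mem.get_prop("o", "x")
    r["frame_intact"] = mem.get_prop("o", "y") == "frame"
    r["z_absent"] = mem.has_prop("o", "z") is False
    try:   # a callee requiring cell(o, "z") contradicts the negative resource
        apply_spec(mem, [("cell", "o", "z", "W")], lambda e: [("cell", "o", "z", e["W"])])
        r["read_absent"] = "ok"
    except ResourceError:
        r["read_absent"] = "resource_error"
    try:   # o.w is neither owned nor known absent: information is missing
        mem.get_prop("o", "w")
        r["read_unknown"] = "ok"
    except MissingResource:
        r["read_unknown"] = "missing"
    try:   # producing an already-owned cell is a conflict, not an overwrite
        mem.produce_cell("o", "x", 0)
        r["double_produce"] = "ok"
    except ResourceError:
        r["double_produce"] = "resource_error"
    before = (dict(mem.cells), set(mem.absent))
    mem.produce_cell("o", "x", mem.consume_cell("o", "x"))  # frame off, frame on
    r["roundtrip"] = (mem.cells, mem.absent) == before
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The point of separating `ResourceError` from `MissingResource` is the one the text makes about negative resource: a read of a property the partial memory knows to be absent is a genuine error in the analysed program, whereas a read of a property the partial memory knows nothing about only means the current specification does not own enough resource to decide, and the analysis must obtain it from elsewhere.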