Gillian, Part I: A Multi-Language Platform for Symbolic Execution

We introduce Gillian, a platform for developing symbolic analysis tools for programming languages. Here, we focus on the symbolic execution engine at the heart of Gillian, which is parametric on the memory model of the target language. We give a formal description of the symbolic analysis and a modular implementation that closely follows this description. We prove a parametric soundness result, introducing a notion of restriction on abstract states, which generalises the path conditions used in classical symbolic execution. We instantiate Gillian to obtain trusted symbolic testing tools for JavaScript and C, and use these tools to find bugs in real-world code, thus demonstrating the viability of our parametric approach.
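To make the two ideas in the abstract concrete, the parametric memory model and the path condition that restricts each explored state, here is a toy symbolic execution engine in Python. It is an added example, not code from the paper or the Gillian project: the instruction set, the two memory models (`FlatMemory` and `BoundedMemory`), the buffer program `PROG` and the integer search `DOMAIN` are all constructed for this illustration, and brute-force enumeration over `DOMAIN` stands in for the SMT solver a real engine would call.

```python
from collections import Counter
from itertools import product

DOMAIN = range(-3, 6)  # brute-force search space standing in for an SMT solver (assumed)

def ev(e, env):
    """Evaluate a symbolic expression under a concrete assignment of its symbols."""
    if isinstance(e, (int, str)):
        return env[e] if isinstance(e, str) else e
    op, *v = [e[0]] + [ev(a, env) for a in e[1:]]
    return {"+": lambda: v[0] + v[1], "-": lambda: v[0] - v[1],
            "<": lambda: int(v[0] < v[1]), "==": lambda: int(v[0] == v[1]),
            "not": lambda: int(not v[0])}[op]()

def symbols(e):
    """Symbolic input names occurring in an expression."""
    if isinstance(e, str):
        return {e}
    return set().union(*[symbols(a) for a in e[1:]]) if isinstance(e, tuple) else set()

def models(pc):
    """All assignments over DOMAIN that satisfy every constraint in the path condition."""
    syms = sorted(set().union(*[symbols(c) for c in pc]))
    envs = (dict(zip(syms, vals)) for vals in product(DOMAIN, repeat=len(syms)))
    return [env for env in envs if all(ev(c, env) for c in pc)]

def subst(e, env):
    """Replace program variables in e by their current symbolic values."""
    if isinstance(e, str):
        return env[e]
    return (e[0],) + tuple(subst(a, env) for a in e[1:]) if isinstance(e, tuple) else e

class FlatMemory:
    """Memory model 1: every offset is readable and unallocated cells read as 0."""
    def __init__(self, cells=None):
        self.cells = cells if cells is not None else {}
    def copy(self):
        return type(self)({b: dict(c) for b, c in self.cells.items()})
    def alloc(self, block, size):
        self.cells[block] = {k: 0 for k in range(size)}
    def store(self, block, off, val):  # concrete offsets only, for brevity
        self.cells[block][off] = val
    def load(self, block, off, pc):  # one (status, value, restricted pc) per feasible offset
        return [("ok", self.cells[block].get(k, 0), pc + [("==", off, k)])
                for k in sorted({ev(off, m) for m in models(pc)})]

class BoundedMemory(FlatMemory):
    """Memory model 2: an offset outside the allocated block is a memory error."""
    def load(self, block, off, pc):
        return [("ok", self.cells[block][k], pc + [("==", off, k)]) if k in self.cells[block]
                else ("err", None, pc + [("==", off, k)])
                for k in sorted({ev(off, m) for m in models(pc)})]

def run(prog, env, pc, mem):
    """Execute one symbolic state, forking on branches and memory outcomes; returns (status, pc, witness) per path."""
    if not prog:
        return [("ok", pc, models(pc)[0])]
    (kind, *a), rest = prog[0], prog[1:]
    if kind == "alloc":
        mem.alloc(*a)
    elif kind == "store":
        mem.store(a[0], a[1], subst(a[2], env))
    elif kind == "assign":
        env = {**env, a[0]: subst(a[1], env)}
    elif kind == "load":
        out = []
        for status, val, pc2 in mem.load(a[1], subst(a[2], env), pc):
            if status == "ok":
                out += run(rest, {**env, a[0]: val}, pc2, mem.copy())
            else:
                out.append(("mem-error", pc2, models(pc2)[0]))
        return out
    elif kind == "if":
        c, out = subst(a[0], env), []
        for cond, branch in ((c, a[1]), (("not", c), a[2])):
            if models(pc + [cond]):  # prune infeasible paths
                out += run(branch + rest, env, pc + [cond], mem.copy())
        return out
    elif kind == "assert":
        c = subst(a[0], env)
        bad = models(pc + [("not", c)])  # a model here is a concrete failing input
        out = [("assert-fail", pc + [("not", c)], bad[0])] if bad else []
        return out + (run(rest, env, pc + [c], mem) if models(pc + [c]) else [])
    else:
        raise ValueError(kind)
    return run(rest, env, pc, mem)

# Constructed program: a 4-cell buffer indexed by input i; the guard checks only the upper bound.
PROG = [("alloc", "buf", 4), ("store", "buf", 2, 7),
        ("if", ("<", "i", 4),
         [("load", "x", "buf", "i"), ("assert", ("<", "x", 7))],
         [("assign", "x", 0)])]

def paths(mem_cls):
    return run(PROG, {"i": "i"}, [], mem_cls())

def summary(mem_cls):
    """Number of explored paths per outcome kind under the given memory model."""
    return dict(Counter(s for s, _, _ in paths(mem_cls)))
```

Running `summary(FlatMemory)` and `summary(BoundedMemory)` on the same program shows the point of parametricity: the engine (`run`) never changes, yet the negative indices that the guard lets through are silent reads under the flat model and reported memory errors, each with a concrete witness for `i`, under the bounded one. Every memory action returns its outcomes together with a tightened path condition (`off == k`), which is the toy counterpart of restricting an abstract state; the engine then prunes any state whose path condition has no model.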
