Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
While: Sound Symbolic Analysis
Case Studies: Javascript and C
Related Work
Conclusions and Further Work
References
All Topics
Computer Science
Software Engineering

Gillian, Part I: A Multi-language Platform for Symbolic Execution

Profile image of Philippa GardnerPhilippa Gardner

2020, Artifact Digital Object Group

https://doi.org/10.1145/3395646
visibility

description

16 pages

link

1 file

Abstract

We introduce Gillian, a platform for developing symbolic analysis tools for programming languages. Here, we focus on the symbolic execution engine at the heart of Gillian, which is parametric on the memory model of the target language. We give a formal description of the symbolic analysis and a modular implementation that closely follows this description. We prove a parametric soundness result, introducing restriction on abstract states, which generalises path conditions used in classical symbolic execution. We instantiate Gillian to obtain trusted symbolic testing tools for JavaScript and C, and use these tools to find bugs in real-world code, thus demonstrating the viability of our parametric approach. CCS Concepts: • Theory of computation → Program analysis; Program semantics; • Software and its engineering → Formal language definitions.

Related papers

A Generic Framework for Symbolic Execution
Dorel Lucanu

Lecture Notes in Computer Science, 2013

We propose a language-independent symbolic execution framework for languages endowed with a formal operational semantics based on term rewriting. Starting from a given definition of a language, a new language definition is automatically generated, which has the same syntax as the original one but whose semantics extends data domains with symbolic values and adapts semantical rules to deal with these values. Then, the symbolic execution of concrete programs is the execution of programs with the new symbolic semantics, on symbolic input data. We prove that the symbolic execution thus defined has the properties naturally expected from it. A prototype implementation of our approach was developed in the K Framework. We demonstrate the genericity of our tool by instantiating it on several languages, and show how it can be used for the symbolic execution and model checking of several programs. Id ::= domain of identifiers Int ::= domain of integer numbers (including operations) Bool ::= domain of boolean constants (including operations) AExp :: = Int | AExp / AExp [strict] | Id | AExp * AExp [strict] | (AExp) | AExp + AExp [strict] BExp :: = Bool | (BExp) | AExp <= AExp [strict] | not BExp [strict] | BExp and BExp [strict(1)] Stmt :: = skip | { Stmt } | Stmt ; Stmt | Id := AExp | while BExp do Stmt | if BExp then Stmt else Stmt [strict(1)] Code ::= Id | Int | Bool | AExp | BExp | Stmt | Code Code

View PDFchevron_right
On the Nature of Symbolic Execution
Marcello Bonsangue

2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2019

In this paper, we provide a formal definition of symbolic execution in terms of a symbolic transition system and prove its correctness with respect to an operational semantics which models the execution on concrete values. We first introduce such a formal model for a basic programming language with a statically fixed number of programming variables. This model is extended to a programming language with recursive procedures which are called by a call-by-value parameter mechanism. Finally, we show how to extend this latter model of symbolic execution to arrays and object-oriented languages which feature dynamically allocated variables.

View PDFchevron_right
Symbolic Execution for JavaScript
Julian Dolby

Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming

We present a framework for trustworthy symbolic execution of JavaScripts programs, whose aim is to assist developers in the testing of their code: the developer writes symbolic tests for which the framework provides concrete counter-models. We create the framework following a new, general methodology for designing compositional program analyses for dynamic languages. We prove that the underlying symbolic execution is sound and does not generate false positives. We establish additional trust by using the theory to precisely guide the implementation and by thorough testing. We apply our framework to whole-program symbolic testing of real-world JavaScript libraries and compositional debugging of separation logic specifications of JavaScript programs.

View PDFchevron_right
Efficient and formal generalized symbolic execution
Xianghua Deng

Automated Software Engineering, 2011

Programs that manipulate dynamic heap objects are difficult to analyze due to issues like aliasing. Lazy initialization algorithm enables the classical symbolic execution to handle such programs. Despite its successes, there are two unresolved issues: (1) inefficiency; (2) lack of formal study. For the inefficiency issue, we have proposed two improved algorithms that give significant analysis time reduction over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct a set of extensive experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms.

View PDFchevron_right
Formal Program Verification Using Symbolic Execution
Roger Dannenberg

IEEE Transactions on Software Engineering, 2000

Symbolic execution provides a mechanism for formally proving programs correct. A notation is introduced which allows a concise presentation of rules of inference based on symbolic execution. Using this notation, rules of inference are developed to handle a number of language features, including loops and procedures with multiple exits. An attribute grammar is used to formally describe symbolic expression evaluation, and the treatment of function calls with side effects is shown to be straightforward. Because symbolic execution is related to program interpretation, it is an easy-to-comprehend, yet powerful technique. The rules of inference are useful in expressing the semantics of a language and form the basis of a mechanical verification condition generator.

View PDFchevron_right
Rethinking Pointer Reasoning in Symbolic Execution
Emilio Coppa

32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017), 2017

Symbolic execution is a popular program analysis technique that allows seeking for bugs by reasoning over multiple alternative execution states at once. As the number of states to explore may grow exponentially, a symbolic executor may quickly run out of space. For instance, a memory access to a symbolic address may potentially reference the entire address space, leading to a combinatorial explosion of the possible resulting execution states. To cope with this issue, state-of-the-art executors concretize symbolic addresses that span memory intervals larger than some threshold. Unfortunately, this could result in missing interesting execution states, e.g., where a bug arises. In this paper we introduce MEMSIGHT, a new approach to symbolic memory that reduces the need for concretization, hence offering the opportunity for broader state explorations and more precise pointer reasoning. Rather than mapping address instances to data as previous tools do, our technique maps symbolic address expressions to data, maintaining the possible alternative states resulting from the memory referenced by a symbolic address in a compact, implicit form. A preliminary experimental investigation on prominent benchmarks from the DARPA Cyber Grand Challenge shows that MEMSIGHT enables the exploration of states unreachable by previous techniques.

View PDFchevron_right
Verifying LTL Properties of Bytecode with Symbolic Execution}
Mauro Pezzè

2008

Bytecode languages are at a very desirable degree of abstraction for performing formal analysis of programs, but at the same time pose new challenges when compared with traditional languages. This paper proposes a methodology for bytecode analysis which harmonizes two well-known formal verification techniques, model checking and symbolic execution. Model checking is a property-guided exploration of the system state space until the property is proved or disproved, producing in the latter case a counterexample execution trace. Symbolic execution emulates program execution by replacing concrete variable values with symbolic ones, so that the symbolic execution along a path represents the potentially infinite numeric executions that may occur along that path. We propose an approach where symbolic execution is used for building a possibly partial model of the program state space, and on-the-fly model checking is exploited for verifying temporal properties on it. The synergy of the two techniques yields considerable potential advantages: symbolic execution allows for modeling the state space of infinite-state software systems, limits the state explosion, and fosters modular verification; model checking provides fully automated verification of reachability properties of a program. To assess these potential advantages, we report our preliminary experience with the analysis of a safety-critical software system.

View PDFchevron_right
Generalizing symbolic execution to library classes
Awais Khurshid

ACM Sigsoft Software Engineering Notes, 2006

Forward symbolic execution is a program analysis technique that allows using symbolic inputs to explore program executions. The traditional applications of this technique have focused on programs that manipulate primitive data types, such as integer or boolean. Recent extensions have shown how to handle reference types at their representation level. The extensions have favorably been backed by advances in constraint solving technology, and together they have made symbolic execution applicable, at least in theory, to a large class of programs. In practice, however, the increased potential for applications has created significant issues with scalability of symbolic execution to programs of non-trivial size-the ensuing path conditions rapidly become unfeasibly complex.

View PDFchevron_right
Taint Analysis of Security Code in the KLEE Symbolic Execution Engine
Felipe Andres Manzano

Lecture Notes in Computer Science, 2012

We analyse the security of code by extending the KLEE symbolic execution engine with a tainting mechanism that tracks information flows of data. We consider both simple flows from direct assignment operations, and (more subtle) indirect flows inferred from the control flow. Our mechanism prevents overtainting by using a region-based static analysis provided by LLVM, the compiler infrastructure machine on which KLEE runs. We rigorously define taint propagation in a formal LLVM intermediate representation semantics, and show the correctness of our method. We illustrate the mechanism with several examples, showing how we use tainting to prove confidentiality and integrity properties.

View PDFchevron_right
Toward Symbolic Verification of Programs Handling Pointers
S. Bardin

2004

We aim at checking safety properties on systems with pointers which are naturally infinite state systems. In this paper, we introduce Symbolic Memory States, a new symbolic representation well suited to the verification of systems with pointers. We show SMS enjoys all the good properties needed to check safety properties, such as closure under union, canonicity of the representation and decidable inclusion. We also introduce pointer automata, a model for programs using dynamic allocation of memory. We define the properties we want to check in this model and we give undecidability results. The verification part is still work in progress.

View PDFchevron_right

References (66)

  1. R. Baldoni, E. Coppa, D. Cono D'Elia, C. Demetrescu, and I. Finocchi. 2018. A Survey of Symbolic Execution Techniques. ACM Computing Surveys 51, 3 (2018), 50:1ś50:39.
  2. A. Banerjee and D. A. Naumann. 2002. Secure Information Flow and Pointer Confinement in a Java-like Language. In CSFW.
  3. J. Berdine, C. Calcagno, and P. W. O'Hearn. 2005. Symbolic Execution with Separation Logic. In APLAS. 52ś68.
  4. F. Besson, S. Blazy, and P. Wilke. 2017. CompCertS: A Memory-Aware Verified C Compiler Using Pointer as Integer Semantics. In ITP.
  5. M. Bodin, P. Gardner, T. Jensen, and A. Schmitt. 2019. Skeletal Seman- tics and their Interpretations. PACMPL 3, POPL (2019), 44:1ś44:31.
  6. D. Bogdanas and G. Rosu. 2015. K-Java: A Complete Semantics of Java. In POPL.
  7. J. Bornholt and E. Torlak. 2018. Finding Code that Explodes under Symbolic Evaluation. PACMPL 2, OOPSLA (2018), 149:1ś149:26.
  8. M. Botinčan, D. Distefano, M. Dodds, R. Grigore, D. Naudžiūnienė, and M. J. Parkinson. 2011. coreStar: The Core of jStar. In Boogie.
  9. S. Bucur, J. Kinder, and G. Candea. 2014. Prototyping Symbolic Execu- tion Engines for Interpreted Languages. In ASPLOS.
  10. C. Cadar, D. Dunbar, and D. R. Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs.. In OSDI.
  11. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. 2008. EXE: Automatically Generating Inputs of Death. ACM Transactions on Information and System Security 12, 2 (2008), 10:1ś10:38.
  12. C. Cadar, P. Godefroid, S. Khurshid, C. S. Păsăreanu, K. Sen, N. Till- mann, and W. Visser. 2011. Symbolic Execution for Software Testing in Practice: Preliminary Assessment. In ICSE.
  13. C. Cadar and K. Sen. 2013. Symbolic Execution for Software Testing: Three Decades Later. Commun. ACM 56 (2013), 82ś90.
  14. C. Calcagno and D. Distefano. 2011. Infer: An Automatic Program Verifier for Memory Safety of C Programs. In NASA Formal Methods Symposium.
  15. C. Calcagno, D. Distefano, P. W. O'Hearn, and H. Yang. 2011. Compo- sitional Shape Analysis by Means of Bi-Abduction. JACM 58 (2011), 26:1ś26:66.
  16. P. Cousot and R. Cousot. 1977. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In POPL.
  17. D. Darais, M. Might, and D. Van Horn. 2015. Galois transformers and modular abstract interpreters: reusable metatheory for program analysis. In OOPSLA.
  18. R. Dockins, A. Foltzer, J. Hendrix, B. Huffman, D. McNamee, and A. Tomb. 2016. Constructing Semantic Models of Programs with the Software Analysis Workbench. In VSSTE.
  19. ECMA TC39. 2017. Test262 Test Suite. https://github.com/tc39/test262.
  20. D. Engler and D. Dunbar. 2007. Under-constrained Execution: Making Automatic Code Destruction Easy and Scalable. In ISSTA.
  21. R. B. Findler, M. Klein, B. Fetscher, and M. Felleisen. 2018. Redex: Practical Semantics Engineering. Technical Report.
  22. G. Roşu and T. Florin Şerbănuţă . 2010. An Overview of the K Semantic Framework. Journal of Logic and Algebraic Programming 79, 6 (2010), 397ś434.
  23. P. Godefroid, N. Klarlund, and K. Sen. 2005. DART: Directed Automated Random Testing. In ACM Sigplan Notices.
  24. P. Godefroid, M. Y. Levin, and D. A. Molnar. 2008. Automated Whitebox Fuzz Testing. In NDSS.
  25. P. Godefroid, A. V. Nori, S. K. Rajamani, and S. Tetali. 2010. Composi- tional May-must Program Analysis: Unleashing the Power of Alterna- tion. In POPL.
  26. C. Hathhorn, C. Ellison, and G. Rosu. 2015. Defining the undefinedness of C. In PLDI.
  27. E. Hildenbrandt, M. Saxena, N. Rodrigues, X. Zhu, P. Daian, D. Guth, B. M. Moore, D. Park, Y. Zhang, A. Stefanescu, and G. Rosu. 2018. KEVM: A Complete Formal Semantics of the Ethereum Virtual Ma- chine. In CSF.
  28. D. Van Horn and M. Might. 2010. Abstracting Abstract Machines. In ICFP.
  29. D. Van Horn and Matthew Might. 2012. Systematic Abstraction of Abstract Machines. J. Funct. Program. 22, 4-5 (2012), 705ś746.
  30. T. Kapus and C. Cadar. 2019. A Segmented Memory Model for Symbolic Execution. In ESEC/FSE.
  31. F. Kirchner, N. Kosmatov, V. Prevosto, J. Signoles, and B. Yakobowski. 2015. Frama-C: A software analysis perspective. Formal Aspects of Computing 27, 3 (2015), 573ś609.
  32. D. Kroening and M. Tautschnig. 2014. CBMC ś C Bounded Model Checker. In TACAS.
  33. S. Lau, V. B. F. Gomes, K. Memarian, J. Pichon-Pharabod, and Sewell P. 2019. Cerberus-BMC: A Principled Reference Semantics and Explo- ration Tool for Concurrent and Sequential C. In CAV.
  34. X. Leroy, A. W. Appel, S. Blazy, and G. Stewart. 2012. The CompCert Memory Model, Version 2. Research Report RR-7987. INRIA. 26 pages.
  35. G. Li, E. Andreasen, and I. Ghosh. 2014. SymJS: Automatic Symbolic Testing of JavaScript Web Applications. In FSE.
  36. B. Loring, D. Mitchell, and J. Kinder. 2019. Sound Regular Expression Semantics for Dynamic Symbolic Execution of JavaScript. In PLDI.
  37. M. Might. 2010. Abstract Interpreters for Free. In SAS.
  38. P. Müller, M. Schwerhoff, and A. J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In VMCAI.
  39. P. Müller, M. Schwerhoff, and A. J. Summers. 2017. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Dependable Software Systems Engineering.
  40. D. P. Mulligan, S. Owens, K. E. Gray, T. Ridge, and P. Sewell. 2014. Lem: Reusable Engineering of Real-World Semantics. In ICFP.
  41. L. Nelson, J. Bornholt, R. Gu, A. Baumann, E. Torlak, and X. Wang. 2019. Scaling Symbolic Evaluation for Automated Verification of Systems Code with Serval. In SOSP.
  42. npm, Inc. 2018. npm, a Package Manager for JavaScript. https://www. npmjs.com.
  43. Peter W. O'Hearn. 2020. Incorrectness logic. PACMPL 4, POPL (2020), 10:1ś10:32.
  44. D. Park, A. Stefanescu, and G. Rosu. 2015. KJS: a Complete Formal Semantics of JavaScript. In PLDI.
  45. D. Park, Y. Zhang, M. Saxena, P. Daian, and G. Rosu. 2018. A Formal Verification Tool for Ethereum VM Bytecode. In FSE.
  46. Y. Phang Khoo, B.-Y. E. Chang, and J. S. Foster. 2010. Mixing type checking and symbolic execution. In PLDI.
  47. Racket. 2017. The Racket Programming Language. racket-lang.org.
  48. D. A. Ramos and D. R. Engler. 2015. Under-Constrained Symbolic Execution: Correctness Checking for Real Code. In USENIX Security Symposium.
  49. M. Raza and P. Gardner. 2009. Footprints in Local Reasoning. Logical Methods in Computer Science 5, 2 (2009).
  50. J. C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In LICS.
  51. S. Panić. 2014. Collections-C: A Library of Generic Data Structures. https://github.com/srdja/Collections-C.
  52. J. Fragoso Santos, P. Maksimović, S.-É. Ayoun, and P. Gardner. 2020. Gillian: Compositional Symbolic Execution for All. arXiv:2001.05059
  53. J. Fragoso Santos, P. Maksimovic, T. Grohens, J. Dolby, and P. Gardner. 2018. Symbolic Execution for JavaScript. In PPDP.
  54. J. Fragoso Santos, P. Maksimovic, D. Naudziuniene, T. Wood, and P. Gardner. 2018. JaVerT: JavaScript Verification Toolchain. PACMPL 2, POPL (2018), 50:1ś50:33.
  55. J. Fragoso Santos, P. Maksimovic, G. Sampaio, and P. Gardner. 2019. JaVerT 2.0: Compositional Symbolic Execution for JavaScript. PACMPL 3, POPL (2019), 66:1ś66:31.
  56. M. Santos. 2016. Buckets-JS: A JavaScript Data Structure Library. https://github.com/mauriciosantos/Buckets-JS.
  57. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. 2010. A Symbolic Execution Framework for JavaScript. In S&P.
  58. D. A. Schmidt. 1995. Natural-Semantics-Based Abstract Interpretation (Preliminary Version). In SAS.
  59. I. Sergey, D. Devriese, M. Might, J. Midtgaard, D. Darais, D. Clarke, and F. Piessens. 2013. Monadic Abstract Interpreters. In PLDI.
  60. P. Sewell, F. Zappa Nardelli, S. Owens, G. Peskine, T. Ridge, S. Sarkar, and R. Strnisa. 2010. Ott: Effective Tool Support for the Working Semanticist. Funct. Program. 20, 1 (2010), 71ś122.
  61. A. Stefanescu, D. Park, S. Yuwen, Y. Li, and G. Rosu. 2016. Semantics- based Program Verifiers for All Languages. In OOPSLA.
  62. The Gillian Team. 2020. Gillian on GitHub. https://github.com/ GillianPlatform/Gillian.
  63. The Gillian Team. 2020. The Official Gillian Website. https:// gillianplatform.github.io.
  64. E. Torlak and R. Bodík. 2013. Growing Solver-aided Languages with Rosette. In Onward!
  65. E. Torlak and R. Bodík. 2014. A Lightweight Symbolic Virtual Machine for Solver-Aided Host Languages. In PLDI.
  66. E. Wittern, A. T. T. Ying, Y. Zheng, J. Dolby, and J. Alain Laredo. 2017. Statically checking web API requests in JavaScript. In ICSE.

Related papers

Under-Constrained Symbolic Execution: Correctness Checking for Real Code
david ramos

2015

Software bugs are a well-known source of security vulnerabilities. One technique for finding bugs, symbolic execution, considers all possible inputs to a program but suffers from scalability limitations. This paper uses a variant, under-constrained symbolic execution, that improves scalability by directly checking individual functions, rather than whole programs. We present UC-KLEE, a novel, scalable framework for checking C/C++ systems code, along with two use cases. First, we use UC-KLEE to check whether patches introduce crashes. We check over 800 patches from BIND and OpenSSL and find 12 bugs, including two OpenSSL denial-of-service vulnerabilities. We also verify (with caveats) that 115 patches do not introduce crashes. Second, we use UC-KLEE as a generalized checking framework and implement checkers to find memory leaks, uninitialized data, and unsafe user input. We evaluate the checkers on over 20,000 functions from BIND, OpenSSL, and the Linux kernel, find 67 bugs, and verif...

View PDFchevron_right
Gillian, Part II: Real-World Verification for JavaScript and C
Philippa Gardner

Computer Aided Verification, 2021

We introduce verification based on separation logic to Gillian, a multi-language platform for the development of symbolic analysis tools which is parametric on the memory model of the target language. Our work develops a methodology for constructing compositional memory models for Gillian, leading to a unified presentation of the JavaScript and C memory models. We verify the JavaScript and C implementations of the AWS Encryption SDK message header deserialisation module, specifically designing common abstractions used for both verification tasks, and find two bugs in the JavaScript and three bugs in the C implementation.

View PDFchevron_right
Gillian: A Multi-Language Platform for Unified Symbolic Analysis
Philippa Gardner

Cornell University - arXiv, 2021

This is an evolving document describing the meta-theory, the implementation, and the instantiations of Gillian, a multi-language symbolic analysis platform. 1 INTRODUCTION Gillian was introduced in [4] as a multi-language platform for whole-program symbolic execution, parametric on the concrete and symbolic memory models of the target language (TL), and underpinned by a core symbolic execution engine with strong mathematical foundations. Gillian analysis is done on GIL, an intermediate goto language parametric on a set of memory actions, which describe the fundamental ways in which TL programs interact with their memories. To instantiate Gillian to a new TL, a tool developer must: (1) identify the set of the TL memory actions and implement the TL memory models using these actions; and (2) provide a trusted compiler from the TL to GIL, which preserves the TL memory models and the semantics. In [4], Gillian was instantiated to JavaScript (JS) and C, and these instantiations, called Gillian-JS and Gillian-C, were used to find bugs in two real-world data-structure libraries. In [1], Gillian was extended with support for compositional memory models and verification based on separation logic. The compositional memory models of Gillian work with partial memories and are formulated in terms of core predicates and associated consumer and producer actions for the TL memory models, which need to be provided by the tool developer. The core predicates describe the fundamental units of TL memories: e.g., a JS object-property pair and a C block cell. The consumers and producers, respectively, frame off and frame on the TL memory resource described by the core predicate. The partial memories also need to track negative resource: that is, the resource known to be absent from the partial memory. Gillian verification is built on top of compositional memory models. In particular, the core predicates induce an assertion language for writing function specifications in separation logic and the consumers and producers allow for the creation of a fully parametric spatial entailment engine, enabling re-use of function specifications in symbolic execution. Gillian also allows tool developers to extend assertions with user-defined predicates so as to identify the TL language interface familiar to code developers, and code developers to provide additional predicates and lemmas to verify the particular data structures in their programs. In [1], Gillian-JS and Gillian-C were extended to support verification, and used to provide verified specifications of the JS and C implementations of the deserialisation module of the AWS Encryption SDK, discovering two bugs in the former and three in the latter. Outline. This document currently contains the following content: (§2) an account of Gillian's whole-program execution, including: (§2.1) the syntax of Gillian's intermediate language, GIL (§2.2) memory models for whole-program execution and their properties, which require the memory actions of the target language (§2.3) allocators, which relieve Gillian users of the need to reason explicitly about allocation (§2.4) state models, which are built on top of memory models, and their properties (§2.5) the single-trace and the collecting GIL semantics, defined in terms of state models

View PDFchevron_right
Symbolic execution with abstraction
SANDEEP ANAND

International Journal on Software Tools for Technology Transfer, 2008

We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks-this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of [2].

View PDFchevron_right
JaVerT 2.0: compositional symbolic execution for JavaScript
Philippa Gardner

Proceedings of the ACM on Programming Languages, 2019

We propose a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. Using this approach, we build JaVerT 2.0, a symbolic analysis tool for JavaScript that follows the language semantics without simplifications. JaVerT 2.0 supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during whole-program symbolic testing and guides the inference of resource of the bi-abductive execution. We evaluate the performance of JaVerT 2.0 on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic te...

View PDFchevron_right

Related topics

  • Computer Science
  • Symbolic Execution

    • Cited by

    Gillian, Part II: Real-World Verification for JavaScript and C
    Philippa Gardner

    Computer Aided Verification, 2021

    We introduce verification based on separation logic to Gillian, a multi-language platform for the development of symbolic analysis tools which is parametric on the memory model of the target language. Our work develops a methodology for constructing compositional memory models for Gillian, leading to a unified presentation of the JavaScript and C memory models. We verify the JavaScript and C implementations of the AWS Encryption SDK message header deserialisation module, specifically designing common abstractions used for both verification tasks, and find two bugs in the JavaScript and three bugs in the C implementation.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved