Deriving abstract transfer functions for analyzing embedded software

RegehrJohn,; DuongsaaUsit,

doi:10.1145/1159974.1134657

Cited by 9 publications

(8 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Simon and King [8] show how to make polyhedral analysis wrapping-aware without incurring a high additional cost. Regehr and Duongsaa [6] perform bounds analysis in a wrapping-aware manner, dealing also with bit-wise operations, but as their analysis uses conventional intervals, it is not able to maintain the precision offered by wrapped intervals.…”

Section: Fig 1 Three Different Ways To Cut the Number Circle Openmentioning

confidence: 99%

Signedness-Agnostic Program Analysis: Precise Integer Bounds for Low-Level Code

Navas

Schachte

Søndergaard

et al. 2012

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. Many compilers target common back-ends, thereby avoiding the need to implement the same analyses for many different source languages. This has led to interest in static analysis of LLVM code. In LLVM (and similar languages) most signedness information associated with variables has been compiled away. Current analyses of LLVM code tend to assume that either all values are signed or all are unsigned (except where the code specifies the signedness). We show how program analysis can simultaneously consider each bit-string to be both signed and unsigned, thus improving precision, and we implement the idea for the specific case of integer bounds analysis. Experimental evaluation shows that this provides higher precision at little extra cost. Our approach turns out to be beneficial even when all signedness information is available, such as when analysing C or Java code.

show abstract

Section: Fig 1 Three Different Ways To Cut the Number Circle Openmentioning

confidence: 99%

Signedness-Agnostic Program Analysis: Precise Integer Bounds for Low-Level Code

Navas

Schachte

Søndergaard

et al. 2012

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…One approach to handling machine arithmetic is to select a fixed wrapping point on the number circle, and represent values as intervals in the range Öv min , v max ×. For example, Regehr and Duongsaa [13] perform bounds analysis in a sound, wrapping-aware manner (dealing also with bit-wise operations) but as their analysis uses conventional intervals, precision is lost when sets of values cross the selected wrapping point.…”

Section: Wrapped Intervals (W-intervals)mentioning

confidence: 99%

Abstract Interpretation over Non-lattice Abstract Domains

et al. 2013

View full text Add to dashboard Cite

Abstract. The classical theoretical framework for static analysis of programs is abstract interpretation. Much of the power and elegance of that framework rests on the assumption that an abstract domain is a lattice. Nonetheless, and for good reason, the literature on program analysis provides many examples of non-lattice domains, including non-convex numeric domains. The lack of domain structure, however, has negative consequences, both for the precision of program analysis and for the termination of standard Kleene iteration. In this paper we explore these consequences and present general remedies.

show abstract

“…Moreover, the BDD encodings are often too large (several Kbs) to satisfy our conciseness requirement, which is imperative in our context to allow for bit-precise symbolic execution of long program execution traces as is needed for whitebox fuzzing [6]. In follow-up work, [18] develops another technique that assumes a structural constraint on the function being synthesized (analogous to template-based synthesis) and scales to larger instructions. However, the synthesized functions are again for certain abstract domains.…”

Section: Other Related Workmentioning

confidence: 99%

Automated synthesis of symbolic instruction encodings from I/O samples

Godefroid

Taly

2012

Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Symbolic execution is a key component of precise binary program analysis tools. We discuss how to automatically boot-strap the construction of a symbolic execution engine for a processor instruction set such as x86, x64 or ARM. We show how to automatically synthesize symbolic representations of individual processor instructions from input/output examples and express them as bit-vector constraints. We present and compare various synthesis algorithms and instruction sampling strategies. We introduce a new synthesis algorithm based on smart sampling which we show is one to two orders of magnitude faster than previous synthesis algorithms in our context. With this new algorithm, we can automatically synthesize bit-vector circuits for over 500 x86 instructions (8/16/32-bits, outputs, EFLAGS) using only 6 synthesis templates and in less than two hours using the Z3 SMT solver on a regular machine. During this work, we also discovered several inconsistencies across x86 processors, errors in the x86 Intel spec, and several bugs in previous manually-written x86 instruction handlers.

show abstract

Deriving abstract transfer functions for analyzing embedded software

Cited by 9 publications

References 13 publications

Signedness-Agnostic Program Analysis: Precise Integer Bounds for Low-Level Code

Signedness-Agnostic Program Analysis: Precise Integer Bounds for Low-Level Code

Abstract Interpretation over Non-lattice Abstract Domains

Automated synthesis of symbolic instruction encodings from I/O samples

Contact Info

Product

Resources

About