Range Analysis of Microcontroller Code Using Bit-Level Congruences: 15th International Workshop, FMICS 2010, Antwerp, Belgium, September 20-21, 2010. Proceedings by Brauer, Jorg et al.
Range Analysis of Microcontroller Code Using
Bit-Level Congruences
Jo¨rg Brauer1, Andy King2, and Stefan Kowalewski1
1 Embedded Software Laboratory, RWTH Aachen University, Germany
2 Portcullis Computer Security, Pinner, HA5 2EX, UK
Abstract. Bitwise instructions, loops and indirect data access pose dif-
ficult challenges to the verification of microcontroller programs. In par-
ticular, it is necessary to show that an indirect write does not mutate
registers, which are indirectly addressable. To prove this property, among
others, this paper presents a relational binary-code semantics and details
how this can be used to compute program invariants in terms of bit-level
congruences. Moreover, it demonstrates how congruences can be com-
bined with intervals to derive accurate ranges, as well as information
about strided indirect memory accesses.
1 Introduction
Microcontroller assembly code1 presents different challenges to verification than
those posed by programs written in high-level languages. Microcontroller code
typically consists of a loop in which input ports are read. Data is then stored
and processed – often using bitwise operations – before values are written to
output ports. Bitwise operations and control logic formulated in terms of status
flags necessitate reasoning at the granularity of bits. This presents one problem.
On hardware such as the ATMEL ATmega16 [1], any verification argument
must also pay special attention to the targets of indirect writes2. An indirect
write is a store operation in which the contents of one register are stored at a
target address that is held in another register. On the ATmega family of mi-
crocontrollers, registers are reserved locations in the same address space as the
SRAM. Thus, it is possible to mutate a register, such as the stack pointer, if the
target coincides with the address of the register. One approach to microcontroller
verification is to assume that indirect writes never mutate registers [20]. Though
appealing in its simplicity, this assumption is dubious for handcrafted assem-
bly code, and it is not unknown for compilation itself to introduce errors [12].
The problem of reasoning about targets is compounded by the fact that indirect
writes often arise in loops that are, for example, responsible for data initialisa-
tion. Then the same store operation may write to a number of different targets.
Another problem is therefore showing that all targets are within range [5].
1 We often refer to assembly code, although our implementation operates on a disas-
sembled binary, and thus, does not rely on correctness of assemblers and linkers.
2 We illustrate our method for the ATmega16 platform, but the techniques are easily
transferable to other platforms as well as high-level languages.
S. Kowalewski and M. Roveri (Eds.): FMICS 2010, LNCS 6371, pp. 82–98, 2010.
c© Springer-Verlag Berlin Heidelberg 2010
Range Analysis of Microcontroller Code Using Bit-Level Congruences 83
0x50: LDI R17 0
0x51: LDI R26 96
0x52: LDI R27 0
0x53: LDI R30 66
0x54: LDI R31 0
0x55: RJUMP 2
0x56: LPMPI R0 Z
0x57: STPI X R0
0x58: CPI R26 99














Fig. 1. An initialisation loop for the ATMEL ATmega16
1.1 Illustrative Example
This paper addresses the problem of statically analysing the targets of indirect
writes, whilst simultaneously modelling data at the bit-level. Since the set of
possible targets cannot be exactly determined statically, we employ abstract
interpretation techniques [8] to compute a range of addresses that includes all
possible targets. If the enclosing range is suitably tight, it is possible to verify that
the registers are not overwritten. Figure 1 illustrates some ATmega16 assembly
code. The instructions at locations 0x50 - 0x54 assign 8-bit registers to (decimal)
constants. The relative jump passes control to location 0x58. The LPMPI R0 Z
instruction first loads R0 with the contents of the byte at the address in program
memory stored in the 16-bit Z register, then Z is incremented. Z is obtained by
concatenating the 8-bit registers R30 and R31. Likewise, the 8-bit registers R26
and R27 constitute the 16-bit X register. STPI X R0 stores the contents of R0
into the byte at address X and then increments X.
The ATmega has a Harvard architecture, and hence, program memory is
separate from SRAM. Location 98, for instance, in program memory is different
from location 98 in SRAM. Thus, program memory is accessed with special
instructions such as LPMPI. Therefore, detecting self-modifying code, which we do
not consider, is trivial. The instructions CPI R26 99 and CPC R27 R17 compare
X against 99, setting the zero flag if X equals 99. Control loops back to location
0x56 iff the zero flag is cleared, that is, if X is not equal to 99. The net effect of
the code is to copy the contents of three locations in program memory starting
at 66 into the SRAM locations 96− 98. This initialises three global variables to
constant values.
A non-relational interval analysis as described in [5] can derive that X ∈ [96, 99]
in program location 0x5A. The interval analyser derives the bound on X based
on the combination of CPI/CPC instructions followed by BRNE. However, it fails
to discover that Z ∈ [66, 69] and has to assume that the loop body could be
entered with values X ∈ [96, 98] ∧ Z ∈ [66, 69], X ∈ [96, 98] ∧ Z ∈ [66, 70], and so
forth, which eventually yields Z ∈ [0, 65535]. If the CPI/CPC instructions were
to restrict Z instead of X, then the value of X were unbounded. This is in fact
a well-known drawback of non-relational interval analysis. To resolve this type
of imprecision, we combine the results of a relational analysis for equalities with
a computationally cheap interval analysis, with the goal of deriving that X is
incremented only in combination with Z, and consequently that X ∈ [96, 98]∧Z ∈
[66, 68] when the indirect loads/stores are executed.
84 J. Brauer, A. King, and S. Kowalewski
1.2 Approach
In microcontroller code for the ATmega16 platform, a memory region typically
is statically reserved rather than dynamically allocated. Thus, the address of the
start of a region that is used as an array is fully determined. Hence, when veri-
fying such code, it is not necessary to use a symbolic name to refer to a memory
region: an address will suffice. The force of this is that there is no need to adopt
a memory model in which regions with different symbolic names are assumed
to be non-interfering. Symbolic memory models are often employed when the
position of a region is unknown, as with dynamically allocated memory in C,
but this nevertheless compromises soundness [3]. Furthermore, when analysing
statically reserved regions, it is even possible to infer a relationship between each
address of a region, and the contents of that address.
To represent such relations, we turn to linear congruences [2, 18]. In this
classical abstract domain [13], the relationships between variables are described
as systems of linear equations of the form
∑n−1
i=0 cixi mod m = d, denoted by∑n−1
i=0 cixi ≡m d, where ci ∈ Z are integer coefficients, xi are variables, m ∈ N is
a modulus, and d ∈ Z is an integer constant. Such a system may have none, one
or many solutions, where a solution is an assignment to the values of the n vari-
ables x0, . . . , xn−1 that satisfies each of the equations. For example, the system
u+2v ≡256 3 and v+w ≡256 1 has solutions {〈1+256k1+2k3, 1+256k2−k3, k3〉 ∈
[0, 255]3} where k1, k2, k3 ∈ Z. Such relationships arise between program vari-
ables, or memory locations in the case of microcontroller code, because of the
modular nature of computer arithmetic. It is therefore natural to consider mod-
uli corresponding to the size of a machine word [18]. Such systems can only
represent linear relationships, but not ranges, and therefore, we adopt a more
expressive class of congruences based on decomposing variables into their con-
sistent bits [15].
For instance, suppose u is represented by an unsigned byte whose bits are
〈u0, . . . , u7〉 where ui ∈ {0, 1} and the value of u is
∑7
i=0 2
iui. Suppose too that
v and w are likewise represented by 〈v0, . . . , v7〉 and 〈w0, . . . , w7〉. Then the above
system can be expressed as
∑7
i=0 2
i(ui + 2vi) ≡256 3, ∑7i=0 2i(vi + wi) ≡256 1
without any loss of information. It has been shown how such systems can be
applied to verify bit-twiddling algorithms [15, 16].
1.3 Contributions
In this paper, we make the following contributions. (1) We deploy congruence
systems to derive program invariants for assembly code at the level of bits.
(2) Further, we combine intervals [5] and congruence relations to derive accurate
ranges. To do so, we present a new algorithm for refining the precision of abstract
descriptions in both domains. (3) We show how a contiguous range, such as [0, 6],
can be refined to a set of non-contiguous values, such as {0, 2, 4, 6}, by applying
congruences to ranges. (4) To summarise, this paper shows by that it is possible
to infer accurate ranges using congruences and intervals, and thereby verify the
correctness of microcontroller assembly code.
Range Analysis of Microcontroller Code Using Bit-Level Congruences 85
2 Abstract Domains
This section briefly reviews results on the abstract domains our work builds on,
namely intervals and congruences. In the following, let m = 2w where w = 8 is
the word-length of the microcontroller, Zm = {i ∈ N | 0 ≤ i ≤ m − 1}, and let
V = {v0, . . . , vn−1} be a set of variables for some n ∈ N. Further, let P denote
the set of program locations (or instructions, equivalently).
2.1 Intervals
The interval abstract domain, probably the most widely used numerical domain,
is used to over-approximate the value-sets of memory cells. In case of the 8-bit
ATmega16, a memory location can hold a contiguous subset of values in Zm
defined through its bounds. Denote the domain Int. A partial order on intervals
is induced by the subset relation over the concrete value-sets. Then, (Int,⊆)
forms a complete lattice with ⊥ = ∅ and + = Zm. Define auxiliary functions fst :
Int → Zm and snd : Int → Zm that map intervals to their bounds. Abstraction





γInt(i) = {z ∈ Zm | fst(i) ≤ z ≤ snd(i)}
for i ∈ Int and v ⊆ Zm. An abstract interpretation framework for deriving non-
relational interval abstractions of microcontroller code has been described in [5],
however, space constraints prevent us from repeating these results here. We
assume that for each program location p ∈ P and each memory location v ∈ V ,
an interval abstraction has been computed, given through a map I : V×P → Int.
2.2 Congruences
Additionally, our analysis is based on representing Boolean functions as con-
gruence systems. To explain this idea, let sol(f) denote the set of solutions of
a Boolean function f over n propositional variables. Our method relies on the
computation of the so-called congruent closure, which yields a congruence sys-
tem c over n bitwise variables such that sol(f) ⊆ sol(c) ∩ Bn with B = {0, 1}
holds. For example, given a function f = x1 ∧ (x2 ∨ x3), we have sol(f) =
{〈1, 0, 1〉, 〈1, 1, 0〉, 〈1, 1, 1〉}. Congruent closure, with a fixed modulo of 4, then
computes c = (x1 ≡4 1). The solutions of this congruence equation are sol(c) ∩
B3 = {〈1, x2, x3〉 | x2, x3 ∈ B}. Note that sol(c) \ sol(f) = {〈1, 0, 0〉}.
Definition 1. The operator cong : 2B




∣∣∣∣{y0, . . . ,yk−1} ⊆ S ∧ {λ0, . . . ,λk−1} ⊆ Z ∧∑j<k




86 J. Brauer, A. King, and S. Kowalewski
An algorithm for deriving optimal congruent abstractions of Boolean formulae
was described by King and Søndergaard [16]. Given a formula ϕ, the key idea of
their method is to derive a congruent abstraction αCong(ϕ) through successive
calls to a SAT solver. Therefore, their algorithm is similar in spirit to the sym-
bolic implementation of a best transformer as described by Reps et al. [21]. In
the following, let Cong denote the domain of bit-level congruences over V .
3 Worked Examples
We illustrate the power of bit-level reasoning using the congruence domain for
some illustrative sequences of ATmega16 assembly. The key idea of our approach
is to derive a template transfer function for each instruction using SAT solving
up-front, and then instantiate the transfer functions to infer program invari-
ants. The invariants are then strengthened with intervals, yielding more precise
representations of congruences as well as intervals.
3.1 Reasoning about Bit-Wise Operations
Consider the instruction EOR R0 R1, which computes the exclusive-or of regis-
ters R0 and R1 and stores the result in R0. First, a template abstraction of this
instruction that does not depend on the concrete registers R0 and R1 is synthe-
sised from a Boolean encoding. To express the semantics of EOR r s, introduce
bit-vectors r[i] and s[i] for the inputs as well as r′[i] and s′[i] for the outputs
(with 0 ≤ i ≤ 7). Then, EOR r s is encoded symbolically as
!EOR r s" = ∧7i=0 (r′[i]↔ r[i]⊕ s[i] ∧ s′[i]↔ s[i])
where ⊕ denotes the Boolean exclusive-or. By computing the congruent closure
of !EOR r s" with a modulus of 256, denoted αCong, we obtain:
αCong(!EOR r s") = {∧7i=0 (128 · r′[i] ≡256 128 · r[i] + 128 · s[i])∧∧7
i=0 s
′[i] ≡256 s[i]
Note that sol(αCong(!EOR r s")) = sol(!EOR r s"), and thus, this congruent
transfer function is just as accurate as its Boolean counterpart.
3.2 Relational Composition without Ranges
In the previous example, we have seen how a template abstraction of a single
instruction is derived. Here, we consider the program fragment EOR R0 R1; EOR
R1 R0; EOR R0 R1 and the instantiation of templates. In [15], it was shown
that best transformers for blocks (sequences of instructions) can be obtained by
encoding the sequence propositionally as a whole. Since our goal is to derive range
information for different program locations that may be located in the middle
of a block, we deviate from following this approach, and combine the obtained
transfer functions using relational composition ◦ : Cong× Cong→ Cong.
Range Analysis of Microcontroller Code Using Bit-Level Congruences 87
A template transfer function c, derived analogously to the first example, is in-
stantiated with the corresponding variables r0, r1, r0′, and r1′, which amounts
to renaming variables in the template. This gives c1 = c(r0, r1, r0′, r1′), c2 =
c(r1, r0, r1′, r0′), and c3 = c(r0, r1, r0′, r1′), for instance:
c1 =
∧7




To combine the effects of c1 and c2, introduce additional disjoint bit-vectors r0′′
and r1′′, and put c′1 = c1 ∧
(∧7i=0r0′′[i] ≡256 r0[i]′) ∧ (∧7i=0r1′′[i] ≡256 r1[i]′)
and c′2 = c2 ∧
(∧7i=0r0′′[i] ≡256 r0[i]) ∧ (∧7i=0r1′′[i] ≡256 r1[i]). The net effect
of this construction is to relate the outputs of c1 to the inputs of c2. Then,
define c1 ◦ c2 = ∃r0′′,r1′′(∃r0′,r1′(c′1) ∧ ∃r0,r1(c′2)) where the operation ∃X(f)
eliminates the variables X from f using projection. Observe that projection
can be implemented by computing upper triangular form after reordering the
variables in the system [18,15]. As a result, we obtain:
c1 ◦ c2 =
∧7
i=0 (r1
′[i] ≡256 r0[i]) ∧
∧7
i=0 (128 · r0′[i] ≡256 128 · (r0[i] + r1[i]))
That is, after the second instruction, register R1 holds the original value of R0.
Further, by computing c1 ◦ c2 ◦ c3 analogously, we derive:
c1 ◦ c2 ◦ c3 = ∧7i=0 (r0′[i] ≡256 r1[i]) ∧∧7i=0 (r1′[i] ≡256 r0[i])
This congruent representation reveals that the sequence of instructions performs
an in-place swapping of R0 and R1 using consecutive exclusive-or operations.
3.3 Reasoning about Ranges Using Invariants
Recall again the example program from Fig. 1, which copies three values from
program memory into SRAM. The interval analysis infers a map I : V×P → Int,
which states that before instruction 0x5A is executed, the registers X and Z hold
the values I(X, 0x5A) = [96, 99] and I(Z, 0x5A) = [0, 65535].
To derive program invariants, we express the behaviour of the program frag-
ment in terms of a flowchart program 〈P ,V , p0, T 〉, where P is the set of program
locations, V is the set of program variables, p0 ∈ P is the initial program loca-
tion and T ⊆ P × P defines the possible transitions between the instructions as
given by the control flow graph. Consequently, we have P = {0x50, . . . , 0x5A},
V = {R17, R26, R27, R30, R31} and p0 = 0x50. The semantics of the program can








for the initial program location p0.
– inv(pj) =
⊔
(pi,pj)∈T (inv(pi) ◦ ci,j), where ci,j denotes the instantiated con-
gruent transfer function connecting pi ∈ P and pj ∈ P .
Here,
⊔
denotes the least upper bound operator over congruences as defined





′[i] ≡256 0) ∧∧7
i=0 (r26
′[i] ≡256 r26[i]) ∧ ∧7i=0 (r27′[i] ≡256 r27[i])∧∧7
i=0 (r30
′[i] ≡256 r30[i]) ∧ ∧7i=0 (r31′[i] ≡256 r31[i
88 J. Brauer, A. King, and S. Kowalewski
and thereafter, the invariant is stable. To express the program invariant inv(p0x5A),
let 〈〈x〉〉 =∑7i=0 2ix[i]. Proceeding with the computations eventually yields:
inv(p0x5A) =
{
(〈〈r26′〉〉 − 〈〈r30′〉〉 ≡256 30)∧∧7
i=0 (r17
′[i] ≡256 0 ∧ r27′[i] ≡256 0 ∧ r31′[i] ≡256 0)
From inv(p0x5A) and I(X, 0x5A) = [96, 99], we can now derive I(Z, 0x5A) = [66, 69].
In the following, we will first see how program invariants of this kind are derived
for arbitrary assembly programs, and then describe a systematic way of refining
congruences and intervals in parallel. This operation amounts to triangularisa-
tion and checking satisfiability in order to strengthen the descriptions in both
domains. Formally speaking, we will derive an operator reduce : Int × Cong →
Int× Cong such that reduce(i, c) 4 (i, c) for (i, c) ∈ Int× Cong (cf. Sect. 6).
4 Relational Semantics for Assembly Code
In his seminal paper on congruence analysis, Granger [13] lamented the difficulty
of handcrafting transformers for the congruence domain. However, since each of
the 131 instructions on the ATmega16 has a well-defined semantics on the level
of bits, we synthesise templates of transfer functions, based on a propositional
encoding of the instructions and the computation of congruent closure to rem-
edy this difficulty. When modelling the effects of instructions, no abstraction is
applied, such that the formulae define the concrete semantics of the instructions.
Instructions for the ATmega platform have either zero, one, or two operands.
Here, we present a relational encoding !·" for a representative subset of the
instruction-set. The semantics for other instructions can be derived analogously
from the instruction set manual [1]. Given a set of memory locations accessed by
an instruction, its encoding is given over disjoint bit-vectors for representing each
accessed memory location, where the outputs are primed. Formally speaking,
given a set of program variables V , the Boolean formulae !·" are defined over
BV∪V′ , where V = {v[i] | v ∈ V , 0 ≤ i ≤ 7}, V′ = {v′[i] | v ∈ V , 0 ≤ i ≤ 7},
and BY defines the class of Boolean formulae over propositional variables Y .
Additionally, we require V ∩V′ = ∅.
4.1 Copy and Load Instructions
The instruction MOV r s copies a register s into r. Similarly, given c ∈ Zm, the
instruction LDI r c loads the constant value c into r. To express, introduce a
bit-vector c ∈ B8 with 〈〈c〉〉 = c. The semantics of these instructions can be
encoded relationally over bit-vectors r, s, r′ and s′ as:
!MOV r s" = ∧7i=0(r′[i]↔ s[i]) ∧ ∧7i=0(s′[i]↔ s[i])!LDI r c" = ∧7i=0(r′[i]↔ c[i])
Computing the congruent closure of !MOV r s", e.g., yields:
αCong(!MOV r s") = ∧7i=0 (r′[i] ≡256 s[i]) ∧∧7i=0 (s′[i] ≡256 s[i])
Range Analysis of Microcontroller Code Using Bit-Level Congruences 89
Observe that for these instructions, a modulus of 2 would suffice, but this is not
always so. However, choosing the modulus to match the register-length is safe.
Moreover, note that the status register (called SREG in case of the ATmega16)
is not affected by these instructions, which is different for logical or arithmetic
instructions. Overall, the status register contains 8 different flags that can be
affected by instructions: carry flag C, zero flag Z, negative flag N , overflow flag
O, sign flag S, half-carry flagH, transfer flag T , and interrupt flag I. The exact
way these bits are set or cleared, however, depends on the concrete instruction.
4.2 Bitwise Instructions
As bitwise operations, the ATmega16 supports bitwise-and (AND), bitwise-and
with a constant value (ANDI), bitwise negation (COM), exclusive-or (EOR), bitwise-
or (OR), and bitwise-or with a constant (ORI). The effects of these operations on
the destination register, denoted θ(op), are bit-blasted as follows:
θ(AND r s) =
∧7
i=0 (r





θ(EOR r s) =
∧7
i=0 (r
′[i]↔ r[i]⊕ s[i]) ∧ ∧7i=0 (s′[i]↔ s[i])
θ(OR r s) =
∧7
i=0 (r
′[i]↔ r[i] ∨ s[i]) ∧ ∧7i=0 (s′[i]↔ s[i])
The encodings for ANDI r c and ORI r c are derived by replacing s[i] in the
respective formulae with c[i] defined as above. As an example, consider the
abstraction of COM r, which flips all bits in r:
αCong(θ(COM r)) =
∧7
i=0 (128 · r′[i] ≡256 128 · r[i] + 128)
Bitwise instructions also alter status flags. These effects are encoded in formulae
ψ(op), leading to an encoding !op" = θ(op) ∧ ψ(op). AND r s, for instance,
behaves as follows with respect to the status flags: It clears the overflow flag,
sets the negative flag iff r′[7] is set, sets the sign flag to N ′ ⊕O′, and sets the
zero flag iff all bits in r′ are cleared. The other flags remained unchanged. To
express, let id(x) = x′ ↔ x. Then:
ψ(AND r s) =
{¬O′ ∧ Z ′ ↔ (∧7i=0 ¬r′[i]) ∧ id(T ) ∧N ′ ↔ r′[7] ∧
id(C) ∧ S′ ↔N ′ ⊕O′ ∧ id(H) ∧ id(I)
Encodings ψ(op) for ANDI, EOR, OR, and ORI are equal to this case. COM differs
in that it always sets the carry flag. Observe that the congruence domain is too
weak to express the relationship on Z ′, but it can represent the other ones.
4.3 Shifts
In terms of shifts, the ATmega16 supports arithmetic shift right (ASR), logi-
cal shift left (LSL), logical shift right (LSR), rotate left through carry (ROL), and
rotate right through carry (ROR). All these operations shift the value of the source
90 J. Brauer, A. King, and S. Kowalewski
register by a single position, shifts by a higher or variable number of positions
are not supported. ASR r shifts all bits in r to the right, the most significant
(MSB) bit is held constant, and the least significant bit (LSB) is shifted into
the carry. Thus, the instruction divides a signed r by two without changing its
sign. LSR r behaves analogously for an unsigned value. LSL r multiplies r by
two, shifting the MSB into the carry and clearing the LSB. ROL r and ROR r
are used to multiply and divide multi-byte signed and unsigned values by two,
by shifting the carry flag into the LSB/MSB of r and shifting the value of the












′[i]↔ r[i+ 1]) ∧ r′[7]↔ C ∧C′ ↔ r[0]
Encodings for LSR and ROL are specified similarly. The updates of the status
flags are then expressed analogously to before with !op" = θ(op) ∧ ψ(op) and
ψ(op) = ϕ(op) ∧ ξ(op), where
ϕ(op) =
{
N ′ ↔ r′[7] ∧ Z ′ ↔ ∧7i=0 ¬r′[i] ∧ id(T ) ∧ id(I) ∧
O′ ↔N ′ ⊕C ′ ∧ S′ ↔N ′ ⊕O′ ∧ id(H)
is the same among all shift instructions, whereas ξ(op) = C′ ↔ r[0] for op ∈
{ASR, LSR, ROR} and ξ(op) = C′ ↔ r[7] otherwise.
4.4 Arithmetic Instructions
Let us consider encodings for two arithmetic instructions, in this case for sum-
ming up two registers (ADD) and incrementing a register by 1 (INC). Here, ADD
r s is expressed using a cascade of full-adders using additional carry bits c:
θ(ADD r s) =
(∧7
i=0 r
′[i]↔ r[i]⊕ s[i]⊕ c[i]
)
∧ ¬c[0]∧(∧6






Bit-wise encodings for other arithmetic instructions such as computation of the
two’s complement (NEG) or subtraction (SUB) are derived accordingly. The effects
ψ(op) on the status register can be derived analogously to the previous examples
to obtain !op" = ψ(op) ∧ θ(op). Abstracting the increment using congruences
then gives:
αCong(θ(INC r)) = (〈〈r〉〉′ ≡256 〈〈r〉〉 + 1)
Using the same approach, Boolean encodings for the complete instruction set
of the ATmega16 and the corresponding congruent abstractions are computed.
For instance, branching instructions such as BRNE do not alter the status of the
addressable memory, but only the program counter, which is implicitly encoded
in the control flow graph. Compare instructions such as CP, CPC, or CPI subtract
two values, but they only alter the status flags accordingly and do not store the
result at a memory location.
Range Analysis of Microcontroller Code Using Bit-Level Congruences 91
5 A Discussion of Soundness
As stated in Sect. 3.3 already, defining a program analysis over congruences
amounts to the application of four operations: instantiating template functions,
relational composition ◦, join unionsq, and checking entailment |=. Since congruences
satisfy the finite ascending chain condition, no widening is needed [18]. We make
no contributions in this regard. However, two open issues warrant discussion: the
effect of indirect stores on the validity of invariants and relationships between
addresses of a region and the contents of that address.
In Sect. 3.3, we have not modelled the effects of indirect stores on memory loca-
tions 96–98 in SRAM. Thus, no relational constraints are put onto these memory
locations. However, suppose that a value is copied from s into a target register r
using a direct access, which generates an equality constraint
∧7
i=0 r[i] ≡256 s[i],
and later r is overwritten using an indirect store. Following the approachdescribed
so far, the equality constraint remains in the program invariant, which is unsound.
The strength of using a concrete memory model, where each cell is represented by
an integer address, is that the intervals provide an upper-approximation of the tar-
gets of indirect stores. Hence, we can simply modify the ◦ operator such that all
constraints on targets of indirect writes are eliminated when ◦ is applied. This is
achieved by removing all equalities that involve the target register from the invari-
ant. This strategy recovers soundness. As a matter of fact, this method typically
yields the same results as if the constraints on the targets were joined (since indi-
rect stores are modelled as weak updates).
Even though it is not possible to derive relationships on the targets of indi-
rect stores using weak updates, it is possible to derive a relationship between
indirectly written locations and their contents. To illustrate, suppose we have an
indirect store operation ST X R0, and a program invariant is generated. Then, if
the invariant exhibits a relationship between X and R0, it follows that if a target
memory location is written (which cannot be guaranteed), the target address is
congruently related to the source register R0 as described by the invariant.
6 Reducing Abstract Descriptions
Thus far we have derived bit-level invariants, which are systems of linear con-
gruences. In this section, we show how congruences and intervals are combined
to derive more precise abstractions in both domains. Finally, strides – that is,
sets of values that are separated by a constant k ∈ N – are extracted from the
refined ranges.
6.1 A Reduce Operator
Given S1, S2 ⊆ Bnw, where S1 represents the models of the interval abstraction
and S2 represents the models of the congruent invariant, we construct S1 ∩ S2
formally. To represent the models of intervals, let !i,ui ∈ Bw denote bitwise
encodings of the extremal values of vi ∈ V for a fixed p ∈ P as defined through
the map I : V × P → Int. Then:
92 J. Brauer, A. King, and S. Kowalewski
Definition 2. The operator cube : 2B




∀i ∈ [0, n− 1] : !i,ui ∈ S ∧
(′i = 〈〈〈!i[0], . . . , !i[w − 1]〉〉〉 ∧
u′i = 〈〈〈ui[0], . . . ,ui[w − 1]〉〉〉 ∧
(′i ≤ 〈〈〈x[iw], . . . ,x[iw + w − 1]〉〉〉 ≤ u′i

It is straightforward to show that cube : 2B
nw → 2Bnw and cong : 2Bnw → 2Bnw
are closure operators, that is, extensive, increasing and idempotent. Further,
suppose S1, S2, . . . ⊆ Bnw. If cube(Si) = Si for all i ∈ N then cube(∩i∈NSi) =
∩i∈NSim, and if cong(Si) = Si for all i ∈ N then cong(∩i∈NSi) = ∩i∈NSi. To
derive Galois connections, and accordingly safety of our computations, we define
abstraction and concretisation as follows:
Definition 3. The abstraction and concretisation maps are defined as:
αcube(S) = ∩{S′ ⊆ Bnw | S ⊆ S′ ∧ S′ = cube(S′)} γcube(S) = S
αcong(S) = ∩{S′ ⊆ Bnw | S ⊆ S′ ∧ S′ = cong(S′)} γcong(S) = S
Then, any subset of Bnw (or equivalently Zm) closed under affine combination
can be represented congruently. A similar observation holds for the cube of S.
Further, we have cube(S) = S iff there exists (′0, . . . , (′n−1 ∈ [−2w−1, 2w−1 − 1]
and u′0, . . . , u′n−1 ∈ [−2w−1, 2w−1 − 1] such that:
S =
{
x ∈ Bnw ∣∣∀i ∈ [0, n− 1] : (′i ≤ 〈〈〈x[iw], . . . ,x[iw + w − 1]〉〉〉 ≤ u′i }
For congruences, it is cong(S) = S iff there exists a matrix [A | b] ∈ Zk,nw+1
such that S = {x ∈ Bnw | Ax ≡2w b}.
Finally, we present a constructive approach to computing the affine inter-
section between S1 and S2. This construction is based on strengthening S2 us-
ing constraints from S1 (or I, respectively). The key idea in this construction
is introduce fresh equalities to express the non-negativity of 〈〈vi〉〉 − 〈〈!i〉〉 and
〈〈ui〉〉 − 〈〈vi〉〉 in order to enforce 〈〈!i〉〉 ≤ 〈〈vi〉〉 ≤ 〈〈ui〉〉. This is achieved by im-
posing a zero-constraint on the MSB of the difference, which corresponds to the
sign bit. This construction is followed by putting the resulting system into upper
triangular form.




x ∈ Bnw ∣∣ ∀i ∈ [0, n− 1] : (′i ≤ 〈〈〈x[iw], . . . ,x[iw + w − 1]〉〉〉 ≤ u′i }
S2 = {x ∈ Bnw | Ax ≡2w b}
Let e, f ∈ Bw such that e = 〈0, 0, · · · , 0, 1〉 and f = 〈1, 2, · · · , 2w−2, 2w−1〉.










e 0 · · · 0





0 0 · · · e
 F =

f 0 · · · 0





0 0 · · · f

Range Analysis of Microcontroller Code Using Bit-Level Congruences 93
























Then S1 ∩ S2 = {x ∈ Bnw | A′x′ ≡2w b′}.
Refining intervals follows a method for maximising values in Boolean formulae
described by Codish et al. [6] using successive calls to a decision procedure. The
key idea is to maximise single bits – starting from the MSB – and checking satis-
fiability of a system of linear 0/1 constraints using SAT [15]. We use SAT solving
because triangularisation only provides an incomplete decision procedure for 0/1
variables. In the following definition, the symbol : denotes the concatenation of
bit-vectors.
Definition 4. Definemax(A, b, i)=extr(A, b, i, w, 0, 1)whereextr(A, b, i, j, v1, v2):
– ) if j = 0.






























, i− 1, j − 1, v2, v2) otherwise.
Conversely define min(A, b, i) = extr(A, b, i, w, 1, 0). Finally, reduce follows from
the combination of min, max, and ∩:
Corollary 1. Let S1 ∩ S2 = Ax ≡2w b. Then reduce(S1, S2) = (I ′, Ax ≡2w b)
where I ′ = 〈[min(A, b, 0),max(A, b, 0)], . . . , [min(A, b, n− 1),max(A, b, n− 1)]〉.
Example 1. Suppose w = 4, n = 2 and S2 = {x ∈ B8 | Ax ≡24 b} where
A =

1 0 0 0 −1 0 0 0
0 1 0 0 0 −1 0 0
0 0 1 0 0 0 −1 0
0 0 0 1 0 0 0 −1









To interpret [A | b], let u = 〈x[0],x[1],x[2],x[3]〉 and v = 〈x[4],x[5],x[6],x[7]〉.
Then the system Ax ≡24 b implies that 〈〈u〉〉 ≡2w 〈〈v〉〉 and 〈〈v〉〉 ≡2 0. Now let
S1 = {x ∈ B8 | 4 ≤ 〈〈u〉〉 ≤ 15 ∧ 0 ≤ 〈〈v〉〉 ≤ 7}
94 J. Brauer, A. King, and S. Kowalewski
and consider S1 ∩ S2 as characterised by [A′ | b′] which is:
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 1 2 4 8 0 0 0 0 4
0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 1 2 4 8 0
1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 15
0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 7
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 −1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0

Putting this into a triangular form, we achieve:
1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 15
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 7
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 1 2 4 8 0 0 0 0 4
0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 −1−2−4−8 0 0 0 0 1 2 4 8 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 −1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0−1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0

Here, rows 3 and 4 impose the constraint 〈〈v〉〉 ≤ 7 by requiring 7 − 〈〈v〉〉 ≥ 0.
The constraints can be projected from S1 ∩ S2, which yields u[3] ≡2w 0, and
thus, 〈〈u〉〉 ≤ 7. With u[0] ≡2w 0, applying SAT yields 4 ≤ 〈〈u〉〉 ≤ 6. Note,
however, that more precise congruences could be extracted by encoding the
equation system in propositional logic and recomputing congruent closure.
6.2 Refinement for Strides
For p ∈ P , the respective invariant inv(p), and a variable v ∈ V , let i ∈ N be the
maximum index of bit-vector v such that inv(p) contains relations v[j] ≡256 kj
for all 0 ≤ j ≤ i and kj ∈ {0, 1}. The size of the stride is then defined by
2i+1, and the set of possible values constrained by the invariant is given through
Z = {(∑ij=0 2jv[j])+k ·2i+1 | k ∈ N}. Thus, the resulting value-set is I(v, p)∩Z.
Range Analysis of Microcontroller Code Using Bit-Level Congruences 95
Table 1. Optimality of synthesised transfer functions
Class Instructions sol(α(!c")) = sol(!c") ?
load & copy LDI, MOV yes
shift ASR, LSL, LSR, ROL, ROR yes
logical COM, EOR, SWAP yes
logical AND, ANDI, OR, ORI no
arithmetic ADC, ADD, DEC, INC, NEG, SBC, SUB, SUBI yes
arithmetic MUL, MULS, MULSU no
compare CP, CPC, CPI no
branching BRBC, BRBS, ... no
7 Experiments
We have integrated the ideas and algorithms described in this paper into the
[mc]square verification platform for microcontroller binary code. In this sec-
tion, we discuss our experiences with respect to optimality and the runtime re-
quirements. All experiments were performed on a MacBook Pro, equipped with
a 2.4 Ghz dual-core processor and 4 GB of RAM.
7.1 Optimality
Let αCong(!f") denote a transfer function synthesised from a Boolean encoding!f". The congruence domain is optimal for abstracting f iff sol(αCong(!f")) =
sol(!f"). Considering the classes of instructions that were described Sect. 4, opti-
mality results given in Tab. 1 are obtained (ignoring the effects of arithmetic and
logical instructions on the status register). Observe that compare and branching
instructions, which are required to handle conditional branches and loop condi-
tions, sometimes cannot be modelled precisely (recall the congruent abstraction
of Z ′ ↔ ∧7i=0(¬r′[i])). This drawback, however, is remedied through the interval
analysis, which constrains the ranges through branching conditions.
7.2 Runtime
Synthesing transfer functions up-front requires less than 1s for each instruction.
Abstracting INC r, e.g., requires 17 SAT instances over 32 propositional vari-
ables to be solved with an overall runtime of 0.18s using Sat4J. Composing
congruences is implemented using triangularisation, as is unionsq. For the initialisa-
tion loop in Sect. 3.3, the loop invariant stabilised after 2 iterations, which led
to 18 applications of ◦ and 2 applications of unionsq, which required 0.3s overall. The
runtime for operations on matrices is very susceptible to the number of variables
in the system, and hence, r17, r26, r27, r30, and r31 were eliminated prior
to range-refinement as they are unrelated to the invariant. Since the runtime
grows polynomially with the number of bits, computing invariants for complete
programs is not tractable. Instead, an invariant generator should detect program
fragments where the interval analyser loses precision.
96 J. Brauer, A. King, and S. Kowalewski
Computing reduce to derive refined ranges requires 16 SAT instances to be
solved which amounts to 0.25s. That is, two instances for each bit are required,
whereas deriving strides is linear in the number of congruence relations.
8 Related Work
Defining and computing transformers for relational domains has been an ac-
tive topic in abstract interpretation for decades, and numerous techniques for
expressing relational constraints have been described [11, 17]. Most existing ap-
proaches, however, operate on unbounded integers, with the additional duty to
verify that no overflow can occur [10]. The technique from [22] suggests to revise
the truncation map to reflect overflows for polyhedral analysis.
In assembly code for 8-bit architectures, overflows can be observed commonly
due to the limited bit-width. Therefore, it is natural to deploy congruence rela-
tions [18,13] where the modulus is 256. Instead of expressing ranges in a domain
that handles wraps, our approach combines relational invariants with computa-
tionally inexpensive intervals [5]. The idea of reducing two abstract descriptions
in parallel was already formalised by Cousot and Cousot [9]. Later, Codish et
al. [7] have applied a similar technique to pair and set-sharing analysis.
The difficulty of designing optimal transfer functions was already discussed
in [11]. However, it took several decades until it was observed that optimal
transformers can be derived for any abstract domain that satisfies the ascending
chain condition [21]. Our work builds on this to remedy both the difficulty and
the workload of handcrafting transfer functions for the complete instruction
set of the microcontroller as in [4]. Contemporaneously to [21], Regehr et al.
[20] observed that optimal transfer functions for interval analysis of ATmega16
assembly can be derived using BDDs. However, the time needed for computing
best transformers is considerably longer due to the use of BDD-based encodings
without abstraction.
9 Conclusion and Future Work
We have shown that bit-level congruences provide a suitable means for deriving
invariants for assembly code. We have detailed techniques for verifying, infer-
ring, and refining ranges in presence of indirect reads and writes. The work
calls for further research into the handling of indirect stores in order to derive
strong updates instead of weak updates. Existing work on lifting abstract in-
terpreters to quantified domains [14] could serve as a basis for this. Another
interesting application is model checking, where congruences could be used to
reduce the over-approximation introduced through abstractions [19] similar to
the refinement described in Sect. 6, leading to smaller state spaces and fewer
false alarms.
Range Analysis of Microcontroller Code Using Bit-Level Congruences 97
Acknowledgements
This work was supported, in part, by a Royal Society industrial secondment and
the UMIC Research Centre at the RWTH Aachen University.
References
1. Atmel Corporation. 8-bit AVR Instruction Set (July 2008)
2. Bagnara, R., Dobson, K., Hill, P., Mundell, M., Zaffanella, E.: Grids: A domain
for analyzing the distribution of numerical values. In: Puebla, G. (ed.) LOPSTR
2006. LNCS, vol. 4407, pp. 219–235. Springer, Heidelberg (2007)
3. Balakrishnan, G., Reps, T.W.: WYSINWYX: What You See Is Not What You
eXecute. ACM Trans. Program. Lang. Syst. (to appear, 2010)
4. Brauer, J., King, A.: Automatic abstraction for intervals using boolean formulae.
In: SAS 2010. LNCS. Springer, Heidelberg (2010)
5. Brauer, J., Noll, T., Schlich, B.: Interval analysis of microcontroller code using
abstract interpretation of hardware and software. In: SCOPES. ACM, New York
(to appear, 2010)
6. Codish, M., Lagoon, V., Stuckey, P.J.: Logic programming with Satisfiability. The-
ory and Practice of Logic Programming 8(1), 121–128 (2008)
7. Codish, M., Mulkers, A., Bruynooghe, M., Garc´ıa de la Banda, M.J., Hermenegildo,
M.V.: Improving abstract interpretations by combining domains. ACM Trans. Pro-
gram. Lang. Syst. 17(1), 28–44 (1995)
8. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static
analysis of programs by construction or approximation of fixpoints. In: POPL, pp.
238–252. ACM, New York (1977)
9. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In:
POPL, pp. 269–282 (1979)
10. Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Mine, A., Monniaux, D., Rival,
X.: The Astre´e analyser. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp.
21–30. Springer, Heidelberg (2005)
11. Cousot, P., Halbwachs, N.: Automatic Discovery of Linear Restraints Among Vari-
ables of a Program. In: POPL, pp. 84–97. ACM Press, New York (1978)
12. Eide, E., Regehr, J.: Volatiles are miscompiled, and what to do about it. In: EM-
SOFT, pp. 255–264. ACM, New York (2008)
13. Granger, P.: Static analysis of linear congruence equalities among variables of a
program. In: Abramsky, S. (ed.) CAAP 1991 and TAPSOFT 1991. LNCS, vol. 493,
pp. 169–192. Springer, Heidelberg (1991)
14. Gulwani, S., McCloskey, B., Tiwari, A.: Lifting abstract interpreters to quantified
logical domains. In: POPL, pp. 235–246. ACM, New York (2008)
15. King, A., Søndergaard, H.: Inferring congruence equations using SAT. In: Gupta,
A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 281–293. Springer, Heidelberg
(2008)
16. King, A., Søndergaard, H.: Automatic abstraction for congruences. In: Barthe, G.,
Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 281–293. Springer,
Heidelberg (2010)
17. Mine´, A.: The Octagon Abstract Domain. Higher-Order and Symbolic Computa-
tion 19(1), 31–100 (2006)
98 J. Brauer, A. King, and S. Kowalewski
18. Mu¨ller-Olm, M., Seidl, H.: Analysis of Modular Arithmetic. ACM Trans. Program.
Lang. Syst. 29(5) (August 2007)
19. Noll, T., Schlich, B.: Delayed nondeterminism in model checking embedded sys-
tems assembly code. In: Yorav, K. (ed.) HVC 2007. LNCS, vol. 4899, pp. 185–201.
Springer, Heidelberg (2008)
20. Regehr, J., Reid, A.: HOIST: A system for automatically deriving static analyzers
for embedded systems. Operating Systems Review 38(5), 133–143 (2004)
21. Reps, T., Sagiv, M., Yorsh, G.: Symbolic Implementation of the Best Trans-
former. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266.
Springer, Heidelberg (2004)
22. Simon, A., King, A.: Taming the wrapping of integer arithmetic. In: Riis Nielson,
H., File´, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 121–136. Springer, Heidelberg
(2007)
