A Generic Framework for Symbolic Execution

International audienceWe propose a generic, language-independent symbolic execution approach for languages endowed with a formal operational semantics based on term rewriting. Starting from the definition of a language L, a new definition Lsym is automatically generated, which has the same syntax, but whose semantics extends L's data domains with symbolic values and adapts the semantical rules of L to deal with the new domains. Then, the symbolic execution of Lprograms is the concrete execution of the corresponding Lsym programs, i.e., the application of the rewrite rules in the semantics of Lsym. We prove that the symbolic execution thus defined has the adequate properties normally expected from it, and illustrate the approach on a simple imperative language defined in the K framework. A prototype symbolic execution engine also written in K is presented

Un cadre générique pour l'exécution symbolique : théorie et applications

We propose a language-independent symbolic execution framework. The approach is parameterised by a language definition, which consists of a signature for the language's syntax and execution infrastructure, a model interpreting the signature, and rewrite rules for the language's operational semantics. Then, symbolic execution amounts to performing a so-called symbolic rewriting, which consists in changing both the model and the manner in which the operational semantics rules are applied. We prove that the symbolic execution thus defined has the properties naturally expected from it. A prototype implementation of our approach was developed in the K Framework. We demonstrate the genericity of our tool by instantiating it on several languages, and show how it can be used for the symbolic execution, bounded model checking, and deductive verification of several programs.Nous proposons un cadre général pour l’exécution symbolique de programmes, qui est indépendant des langages dans lesquels les programmes en question sont écrits. L’approche est paramétrisée par une définition de langage, qui consiste en une signature pour la syntaxe du langage et pour son infrastructure, un modèle interprétant la signature, et un ensemble de règles de réécriture définissant la sémantique opérationnelle du langage. L’exécution symbolique revientalors à modifier calculer des chemins symboliques en utilisant une opration dite de dérivation. Nous démontrons que l’exécution symbolique possède les propriétés attendues par rapport à l’exécution concrète: les exécutions symboliques et concrètes d’un même programme se simulent mutuellement. Nous montrons également qu’une extension coinductive de l’exécution symbolique peut être utilisée pour la vérification déductive de programmes. Nous avons implémenté notreapproche dans un outil prototype dans la K framework. L’aspect générique de l’outil est mis en évidence par son instanciation sur plusieurs langages. Nous montrons enfin comment l’outil permet l’analyse symbolique, le model checking borné, et la vérification déductive de programmes

On the nature of symbolic execution

In this paper, we provide a formal definition of symbolic execution in terms of a symbolic transition system and prove its correctness with respect to an operational semantics which models the execution on concrete values. We first introduce such a formal model for a basic programming language with a statically fixed number of programming variables. This model is extended to a programming language with recursive procedures which are called by a call-by-value parameter mechanism. Finally, we show how to extend this latter model of symbolic execution to arrays and object-oriented languages which feature dynamically allocated variables

Programming Language Aggregation with Applications in Equivalence Checking

International audienceWe show that, given the operational semantics of two programming languages L and R, it is possible to construct an aggregate language, in which programs consist of pairs of programs from L and respectively R. In the aggregate language, a program P = (PL, PR) takes a step from either PL or PR. The main difficulty is how to aggregate the two languages so that data such as integers or booleans that are common to both languages has the same representation in the aggregate language. The aggregation is based on the pushout theorem, which allows us to construct a model of the aggregate language from models of the initial languages, while making sure that the interpretation of common data such as integers is the same. A main application of the aggregation result is in equivalence checking. It is possible to check for example that two programs PL and PR (written in L and respectively R) compute the same result by checking the partial correctness of the pair (PL,PR) in the aggregate language.Nous montrons qu'à partir des sémantiques opérationnelles de deux langages de programmation L et R il est possible de construire leur agrégation, qui est un langage dont les programmes sont des paires de programmes de L et de R. Dans ce nouveau langage, les données ou expressions communes à L et R sont factorisés afin d'éviter d'en garder deux copies distinctes. Ceci est rendu possible grâce au théorème de "pushout" qui construit un modèle de l'agrégation à partir de modèles des composantes L et R. Nous appliquons ces résultats à la preuve d'équivalence de programmes

Towards Trustworthy Refactoring in Erlang

Tool-assisted refactoring transformations must be trustworthy if programmers are to be confident in applying them on arbitrarily extensive and complex code in order to improve style or efficiency. We propose a simple, high-level but rigorous, notation for defining refactoring transformations in Erlang, and show that this notation provides an extensible, verifiable and executable specification language for refactoring. To demonstrate the applicability of our approach, we show how to define and verify a number of example refactorings in the system.Comment: In Proceedings VPT 2016, arXiv:1607.0183

Rewriting Modulo SMT and Open System Analysis

This paper proposes rewriting modulo SMT, a new technique that combines the power of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo SMT is ideally suited to model and analyze reachability properties of infinite-state open systems, i.e., systems that interact with a nondeterministic environment. Such systems exhibit both internal nondeterminism, which is proper to the system, and external nondeterminism, which is due to the environment. In a reflective formalism, such as rewriting logic, rewriting modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT naturally extends rewriting-based reachability analysis techniques, which are available for closed systems, to open systems. The proposed technique is illustrated with the formal analysis of: (i) a real-time system that is beyond the scope of timed-automata methods and (ii) automatic detection of reachability violations in a synchronous language developed to support autonomous spacecraft operations.NSF Grant CNS 13-19109 and NASA Research Cooperative Agreement No. NNL09AA00AOpe

Deriving state machines from tinyos programs using symbolic execution.

Abstract Th

Language Definitions as Rewrite Theories

(To appear in Springer LNCS)International audienceK is a formal framework for defining the operational semantics of programming languages. It includes software tools for compiling K language definitions to Maude rewrite theories, for executing programs in the defined languages based on the Maude rewriting engine, and for analyzing programs by adapting various Maude analysis tools. A recent extension to the K tool suite is an automatic transformation of language definitions that enables the symbolic execution of programs, i.e., the execution of programs with symbolic inputs. In this paper we investigate the theoretical relationships between K language definitions and their translations to Maude, between symbolic extensions of K definitions and their Maude encodings, and how the relations between K definitions and their symbolic extensions are reflected on their respective representations in Maude. These results show, in particular, how analyses performed with Maude tools can be formally lifted up to the original language definitions