Symbolic Execution: Intuition and Implementation

In this article I give a transient tour of a program prognosis technique known as symbolic execution. As the title signifies, I purpose to existing every the intuition within the encourage of the technique, and likewise the principle points of a simple implementation. My intended audience is skilled programmers who plan now not trust any background in program prognosis. That is a group caught in an awkward insist. Though I mediate they would possibly be able to even tremendously trust the income of what the program prognosis neighborhood has to offer, this recordsdata appears to be caught in academia, hidden within the encourage of technical jargon, and saved out of attain from all however the most dedicated followers. I’m hoping this article will spark some hobby within the skilled programming neighborhood, every in of us pondering about writing these tools and in of us pondering about utilizing these tools. I initiate by describing the intuition within the encourage of the technique, and then walk thru a simple implementation. The implementation is in Haskell, however I’ve finished my most attention-grabbing to take care of the Haskell as pseudo code and existing the snippets in depth. Your total implemenation is on GitHub.

Divulge you trust been checking out the next draw. What test circumstances can even you write?

# Compute the absolute imprint of an int.
def abs(x):
    assert(kind(x) is int)
    if x < zero:
        return -x
    else:
        return x

Two come to mind: (1) a test where x is a harmful number and (2) a test trust been x is a particular number. Why these explicit conditions? The reason, of course, is to feed in values that test every code direction. Completely different exams of hobby can even test the boundary condition (x = zero) and the extremes (the minimum and maximum integer). The target is to examine the draw on its attention-grabbing paths that are precipitated by attention-grabbing values.

To a programmer, creating with these test circumstances is second nature, however how can even this course of be described as an algorithm? A starting up level is to place a quiz to what is recognized regarding the price x at completely different points within the program.

• On the entry indicate the draw, puny or no is recognized about x. Since Python is dynamically typed, x can even now not even be an int.
• After the assert, x must be at the least an int, alternatively it also will seemingly be any int.
• Inner the first branch of the if, x must be harmful, and at the first return commentary, x is negated. This branch must return a particular int.
• Inner the second branch, x must be zero or certain, and thus it also returns a particular int.

Reasoning backwards from these observations, it’s certain that a harmful int is required to examine the second branch, and both zero or a particular int is required to examine the first.

There are a few attention-grabbing issues to illustrate here.

First, as we step thru this program, we don’t take into legend specific values of x esteem Thirteen. As one more, we take into legend the house of that you can also judge of values x can even retract on. At completely different points within the program, x can even be a screech of all integers, harmful integers, or certain integers plus zero. In other words, we judge of x as a symbolic imprint (i.e., a house of that you can also judge of values) in deserve to a concrete imprint (i.e., a explicit element of that house of that you can also judge of values).

Second, because the program branches, the house of that you can also judge of values is constrained. x can even be any integer after the first assert, however if that imprint flows into the first branch, it’s recognized that it goes to most attention-grabbing be a harmful integer. In other words, branches put in power constraints on the that you can also judge of values of x.

This course of, which programmers plan instinctually your total time, is the topic of this article: symbolic execution. When this idea is formalized and computerized, it goes to plan very attention-grabbing results. To name a few:

• Computerized test technology: True as a programmer performs this course of informally to in finding test circumstances, once computerized, this course of can generate test circumstances exercising all explored paths.
• Detection of failing asserts: Since symbolic execution tracks the house of that you can also judge of values that would possibly maybe maybe drift into an assert commentary, that recordsdata can even be feeble to examine if any of the values in that house violate the assert. Within the event that they plan, those values can even be reported encourage to the programmer.
• Detection of buggy conduct: There are some behaviors that, no subject being successfully defined, are on the total unintended and indicative of a bug. As an instance, in a languages with mounted width integers, overflows are on the total unintended. Since a symbolic execution engine knows which values can drift where, it goes to detect if an addition can even result in an overflow. As an instance, if x and y are every unconstrained 32-bit integers, then for some values of x and y, x+y can even pause up in an overflow.
• Detection of invariant violations: Invariants are properties that are repeatedly staunch in any respect level in a program’s execution (e.g., the left child of a binary tree is repeatedly less than or equal to the parent, or the stability of a magnificent contract is repeatedly certain or zero). By automatically exploring all or many paths, symbolic execution can detect paths that violate invariants and sage encourage which inputs trigger these paths.

Ahead of enforcing the symbolic execution engine, I first want a language to symbolically plan. For this motive, I’ve put together a minute stack language. The first portion of this allotment will picture the implementation of this stack language, and the second will picture a symbolic execution engine for this language.

I selected a stack language thanks to its resemblance to a low stage bytecode. Symbolic execution engines on the total target low stage bytecode or assembly so that they are language agnostic and don’t depend on the correctness of a language’s compiler.

The Stack Language

I’d aid this allotment transient, since the language itself is now not the major level of interest, alternatively it’s worthwhile to walk thru the implemenation to race searching out the plot it compares to the symbolic execution engine and likewise to picture the semantics of the language.

In this language, a program is a checklist of instructions. Most instructions draw on a world stack, which is a stack of 32-bit words. The Add instruction, to illustrate, pops the first two items off the stack, provides them, and pushes the pause result. Below is a program that reads two numbers from the console, provides them, and prints the pause result. Since I in fact haven’t written a parser, the programs are Haskell lists.

addTwoNumbers :: [Instr] -- A program is a checklist of instructions
addTwoNumbers = [Be taught   -- Be taught from the console and push to the stack
                , Be taught
                , Add    -- Add the numbers on high of the stack and push result to the stack
                , Print  -- Print the number at the tip of the stack
                , Performed   -- Ends execution
                ]

Below is the total instruction house together with a casual description of the semantics. The semantics are described utilizing (earlier than -- after) notation. As an instance, (a b -- a + b) technique that earlier than the instruction is carried out, a and b are on the tip of the stack. After the instruction is carried out, the tip element is the pause result of a + b.

recordsdata Instr = Add {- (a b -- a + b) -}
           | And {- (a b -- a / b) -}
           | Or {- (a b -- a / b) -}
           | No longer {- (a -- 1 if a=zero else zero) -}
           | Lt {- (a b -- a < b) -}
           | Eq {- (a b -- a = b) -}
           | Push Word32 {- ( -- a) a is the Word32 -}
           | Pop {- (a -- ) -}
           | Swap {- (a b -- b a) -}
           | Dup {- (a -- a a) -}
           | Over {- (a b c -- a b c a) -}
           | RotL {- (a b c -- b c a) -}
           | Be taught {- ( -- a ) a is read from console in awful 10 -}
           | Print {- (a -- ) a is printed to console in awful 10 -}
           | JmpIf {- (cond addr -- ) computer := addr if cond =/= zero -}
           | Store {- (addr val -- ) mem[addr] := val -}
           | Load {- (addr -- mem[addr]) -}
           | Performed deriving (Eq, Show camouflage)

All these are easy. There are a few instructions for traditional arithmetic (Add, Eq, Lt, etc) and good judgment (No longer, Or, And, etc) and a few that manipulate the stack (Push, Dup, Over, RotL, etc).

Just some of the instructions deserve special attention: JmpIf, Load, and Store.

JmpIf is the most attention-grabbing aid watch over drift instruction. It pops the jump condition and target address off the stack. If the jump condition is staunch (i.e., is non-zero) then the instruction jumps to the target address by changing the price of computer, the program counter. In every other case, it factual strikes to the next instruction.

The machine also has a memory insist that maps 32-bit words to 32-bit words. Store pops the first two items off the stack. The first is the address and the second is the price. It then shops that imprint to the memory insist utilizing the address because the major. Load hundreds from the address at the tip of the stack and pushes the price at that address onto the stack.

To formalize this a puny bit extra, execution of a program is defined because the manipulation of three recordsdata structures. Every instruction manipulates these in completely different methods.

1. Program counter: this comprises the address of the present instruction. An address is an index into the checklist of instructions that picture the program, and thus zero is the address of the first instruction.
2. Memory insist: here’s a draw of 32-bit words to 32-bit words that would also be read and modified by the Load and Store instructions.
3. Stack: the stack of 32-bit words that most instructions draw on.

This system is carried out by walking over the checklist of instructions and updating those three items accordingly. Every update is one step of the program. The implemenation itself is structured in this method. A draw known as flee walks the program and assuredly calls a draw known as step which takes the present insist and returns the unusual insist, reckoning on what the present instruction is.

Concretely, the program insist is represented as a Three-tuple of an Int, which is the program counter, a draw of 32-bit words, which is the memory insist, and the stack, which is a checklist of 32-bit words. The definition is beneath.

-- | Program insist: (program counter, memory, stack)
kind Enlighten = (Int, Design Word32 Word32, [Word32])

For a range of instructions, a single step increments the program counter and performs some operation on the stack. Below is the implemenation of Add.

-- | Given the present insist and an instruction, enact the
-- | instruction by returning a unusual updated insist.
-- | Only the implementation of `Add` is shown.
step :: Enlighten -> Instr -> IO Enlighten
step (computer, mem, l:r:stack) Add = return (computer+1, mem, l+r : stack)

So the step draw is parameterized over a Three-tuple, which constitutes the program insist, and the present instruction. Every element of the program insist and its update is described beneath.

• computer: This system counter. It’s house to the address of the present Add instruction.
• mem: The memory insist mapping 32-bit words to 32-bit words.
• l:r:stack: The stack, with the tip two items sample matched and poke to l and r.

Execution of the Add instruction technique taking the insist described above, and updating it to the next:

• computer+1: This system counter is incremented to the next instruction.
• mem: The memory insist is unchanged.
• (l+r) : stack: l is added to r and pushed onto the tip of the stack.

To plan the program, step is is named assuredly by the flee draw, which fetches the unusual instruction, feeds it to step, and repeats till it encounters a Performed instruction.

The specific mechanics of the flee draw ought to now not terribly fundamental, alternatively it is miles reproduced beneath with comments for completeness.

-- | Given a program and an preliminary insist, flee the program and return
-- | the last imprint of the stack.
flee :: Prog -> Enlighten -> IO [Word32]
flee prg insist@(computer, _, stack) =
  -- Score the next instruction
  case prg ! (Offset computer) of
    True Performed ->
      -- If the instruction is `Performed`, cease execution and return the stack.
      return stack
    True instr ->
      -- In every other case, plan the instruction.
      -- Call step to in finding the unusual insist, and plan it throughout again.
      step insist instr >>= flee prg
    Nothing ->
      -- If there is now not any such thing as a instruction at that address, throw an error.
      error ("No instruction at " <> show computer)

Your total implementation is on GitHub.

The Symbolic Execution Engine

Symbolic execution proceeds equally to long-established execution. This system insist and direction constraints (this would possibly maybe maybe maybe also be covered rapidly), are updated assuredly by a symStep draw. Two differences house this as opposed to long-established execution:

• The memory insist and stack retailer symbolic in deserve to concrete values. Pretty than working on a stack of 32-bit words, symbolic execution operates on a stack of symbolic expressions which picture items of 32-bit words. These items signify your total values a stack entry (or memory entry) can even own throughout execution.
• A pair of execution paths are explored. Whereas exploring these paths, a house of conditions is accumulated describing the values that, beneath concrete execution, would trigger a explicit direction. These are known as direction constraints. Within the introductory example, “x must be harmful to float into this branch” is an example of a direction constraint. Ideally, all execution paths are explored to exhaustion, however here’s on the total now not that you can also judge of in be aware.

Ahead of getting to the implementation, let’s explore the following tips in extra element.

Symbolic and Concrete

What’s the variation between a symbolic imprint and a concrete imprint? An example of a concrete 32-bit note is 1. An example of a symbolic 32-bit note is x where the emblem x stands for any 32-bit note (or the house of all that you can also judge of 32-bit words). Below symbolic execution, the stack and memory insist own these symbolic in deserve to concrete values. Let’s survey at an example program to develop an even bigger intuition for what this implies.

Here again is the addition program from above. It reads two numbers from the console, provides them, and prints them.

addTwoNumbers :: [Instr] -- A program is a checklist of instructions
addTwoNumbers = [Be taught   -- Be taught from the console and push to the stack
                , Be taught
                , Add    -- Add the numbers on high of the stack and push result to the stack
                , Print  -- Print the number at the tip of the stack
                , Performed   -- Ends execution
                ]

Below symbolic execution, the Be taught instruction will now not in fact ask the person for input. As one more, this can even in finding a symbolic imprint representing your total values a individual can even input. This will then push this symbolic imprint onto the stack. So after the Be taught instruction, the stack will survey esteem this:

The do x is a symbolic imprint that represents any 32-bit note. Connected to the programmer looking for to examine the abs draw within the introduction, symbolic execution reasons about all that you can also judge of values in deserve to specific values.

After the second Be taught, one other symbolic imprint, y, is pushed onto the stack:

Within the ruin, after the Add instruction, x and y are popped off the stack, and an recordsdata structure representing the addition of x and y is pushed onto the stack.

At this level, it’s price asking what can even be inferred from the insist of the symbolic stack. The values of x and y ought to now not recognized, however the next can even be inferred:

• The stack comprises a single entry, and thus the next instruction, Print, is superior.
• The entry can even be any 32-bit note, because y+x can even have confidence to any 32-bit note reckoning on the values of x and y.
• Because x and y are unconstrained, the addition can even result in an overflow.

So even with a program so simple as this, it’s that you can also judge of to win some attention-grabbing properties. This gets powerful extra attention-grabbing when the program comprises branches, however earlier than spirited on, let’s wrap up the instance.

The last two instructions Print and Performed will pop the last imprint off the stack and pause symbolic execution. Because execution is symbolic, nothing is de facto printed to the console.

There’s an further quiz we’ll have the power to place a quiz to at this level: Given the symbolic execution as an total, what’s going to we infer?

• At no level does the program wreck ensuing from a lack of arguments on the stack.
• This system ends with an empty stack. No recordsdata is left over.
• This system counter repeatedly points to a legit instruction.
• This system terminates.

For the explanation that program modified into explored exhaustively, the above is staunch for all that you can also judge of executions of the program. You would possibly maybe maybe additionally judge that here’s trivially staunch because there is most attention-grabbing one direction thru the program, however undergo in mind that this also explored all that you can also judge of values. So although you can also pause 100% protection with a single test, it would possibly maybe maybe maybe maybe retract 2^32 * 2^32 exams to examine these properties to for all values. Regardless of what input you give it, the program can even now not ever wreck, and this can even repeatedly exit with a neat stack.

That talked about, within the genuine world, it’s on the total the case that exploring a program to exhaustion is intractable, and so on the total it’s now not that you can also judge of to make such in finding statements about a program primarily based mostly off symbolic execution by myself.

Within the next allotment, we’ll explore how branching impacts symbolic execution.

Route Constraints

As talked about above, this turns into extra attention-grabbing if the program comprises branches. Here’s a version of the addition program that most attention-grabbing prints the pause result if it’s bigger than 15.

It’s now not fundamental to be pleased the categorical mechanics of this program. Suffice it to assert that the program reads in two numbers, provides them, compares the pause result to 15, and both jumps to a Print instruction or ends execution immeditaely with a Performed instruction.

addInputsPrintOver15 :: [Instr]
addInputsPrintOver15 =
  [Be taught
  , Be taught
  , Add
  , Dup
  , Push 15
  , Lt
  , Push 10 -- Address of Print instruction
  , Swap
  , JmpIf   -- If result's over 10, jump to the Print instruction
  , Performed    -- In every other case, exit
  , Print
  , Performed ]

Let’s rapid forward to factual earlier than the JmpIf instruction. Our stack will own the next symbolic values:

The topmost imprint is the symbolic representation of the condition: the two inputs x and y must sum to a imprint bigger than 15.

The second imprint is the address to jump to if the condition is staunch. That is 10 in deserve to a pair symbolic variable esteem x because 10 is portion of the program itself (Push 10), so we know for obvious this stack entry takes on the price 10.

Within the ruin, the pause result of y+x is at the underside of the stack in case it desires to be printed.

So how is JmpIf evaluated? It’s now not that you can also judge of to offer an clarification for from the expression itself if the condition is staunch or pretend. For some values of x and y, 15 < (y + x) is staunch, and for some it’s pretend. This system the engine must explore every branches, and while it does, this can even aid computer screen of the conditions that must be staunch for a given branch. So, within the case that it jumps, this can even sage that 15 < (y + x) must be staunch, and within the case that it doesn’t jump this can even sage that ~(15 < (y + x)) must be staunch. These constraints are recognized as direction constraints and are the major technique that we learn issues regarding the symbolic values within the program. These direction constraints are carried together with the program insist.

Examining the staunch case, 15 < (y + x) is added to the path constraints and the program jumps to the Print instruction. The unusual program insist is beneath.

So moreover to the symbolic stack, it now has a direction constraint which asserts something regarding the values of x and y at this level within the program. So, what can even be inferred?

• The house of that you can also judge of values x and y can even retract on is peaceable somewhat immense, alternatively it’s recognized with certain guess that (y=1, x=1) is now not a screech because 15 < 2 is fake. On the opposite hand, (y=10, x=15) is a screech of that house because 15 < 25 is staunch.
• y+x can even overflow.
• The upcoming Print instruction is superior since the stack comprises at the least one element.

The other branch is comparable, with the exception of the path constraint is negated.

Again, thanks to the branch, the that you can also judge of values of x and y are constrained. We know (y=1,x=1) is in this house, however (y=15,x=zero) is now not.

Basically the precious takeaway is that branches constraint the house of concrete values that the symbolic values can even retract on, and fixing the path constraints finds the values that will trigger a given direction.

One closing little bit of the puzzle is how these constraints are solved. Most regularly these constraints are despatched to an SMT (Satisfiability Modulo Theories) solver, which experiences encourage if the constraints are satisfiable in any respect, and if that is so, what concrete values fulfill it. The interior workings of SMT solvers are previous the scope of this article, so for now I will take care of them as an oracle.

Implementation

Connected to concrete execution, symbolic execution proceeds by walking the program and assuredly updating the program insist. Diving factual in, here's how the Add instruction is conducted. Compare it to the implemenation of step.

-- | Given a symbolic insist and an instruction,
-- | return a unusual insist updated in maintaining with the
-- | semantics of the instruction.
-- | Only `Add` is shown.
symStep :: SymState -> Instr -> [SymState]
symStep (computer, i, mem, l:r:stack, cs) Add =
  [(computer+1, i, mem, (SAdd l r) : stack, cs)]

Connected to step it takes a insist and returns a unusual insist updated accordingly, however there are two major differences:

1. SymState in deserve to Enlighten is updated. SymState represents the program’s symbolic insist in deserve to concrete insist.
2. A checklist of SymStates in deserve to a single Enlighten is returned.

SymState is equivalent to Enlighten with the exception of that it also holds onto a checklist of direction constraints. Futher, the stack and memory insist aid onto Sym in deserve to 32-bit words. Sym is the tips kind feeble to suggest symbolic expressions.

kind SymState = ( Int            -- Program counter
                , Int            -- Authentic variable counter
                , Design Word32 Sym -- Memory insist
                , [Sym]          -- Symbolic stack
                , [Sym]          -- Route constraint checklist
                )

Show camouflage that the memory insist maps 32-bit words to Sym, so the addresses within the memory insist are peaceable concrete. More on that later.

Within the ruin, Sym the tips kind representing symbolic expressions is constructed esteem an extended-established expression tree. It resembles an AST for a simple expression languge.

recordsdata Sym = SAdd Sym Sym -- Addition
         | SEq Sym Sym  -- Equality
         | SNot Sym     -- Logical No longer
         | SOr Sym Sym  -- Logical Or
         | SCon Word32  -- A concrete 32-bit note
         | SAnd Sym Sym -- Logical And
         | SLt Sym Sym  -- Decrease than
         | SAny Int     -- Any 32-bit note or the house of all 32-bit words
         deriving (Show camouflage, Eq, Ord)

Below are examples of how the Sym recordsdata kind is feeble to suggest symbolic expressions. CAny zero, to illustrate, represents any 32-bit note, which is how the variables x and y are feeble all the plot thru the article. The zero in CAny zero is feeble to uniquely title a symbolic imprint (e.g., if it’s feeble plenty of times).

Now let’s flip our attention encourage to symStep for Add and stare the updates one at a time. The parts of the symbolic insist are as follows:

• computer: That is peaceable the program counter, and it’s peaceable an Int.
• i: That is a counter that’s incremented on every occasion a symbolic imprint is created. Its imprint is feeble to uniquely name symbolic values. This will make extra sense after we stare symStep for the Be taught instruction.
• mem The memory insist, mapping 32-bit words to symbolic expressions.
• l:r:stack: The symbolic stack, with the first two entries poke to l and r.
• cs: The checklist of direction constraints.

These are updated within the next technique:

• computer: This system counter is incremented to the next instruction.
• i: No symbolic values are created, so here's now not modified.
• mem: Add would now not trust an affect on the memory insist, and so here's unchanged.
• l:r:stack: The symbolic expression including l and r is created (SAdd l r) and pushed onto the stack.
• cs: No direction constraints are added, so here's unchanged.

Be taught is an attention-grabbing instruction because it introduces unusual symbolic values. Below is its implementation.

symStep (computer, i, mem, stack, cs) Be taught =
  [(computer+1, i+1, mem, SAny i : stack, cs)]

Here i is feeble as an argument to SAny, which is the tips kind that represents symbolic values. The symbolic imprint, SAny i, is then pushed onto the stack to suggest some arbitrary individual input. i+1 is returned to aid the counter contemporary. And, of course, no true I/O happens.

JmpIf is particularly attention-grabbing because it is miles the most attention-grabbing branching instruction. Below is its implemenation.

symStep :: SymState -> Instr -> [SymState]
symStep (computer, i, mem, cond:SCon addr:stack, direction) JmpIf =
  -- Make plenty of states, one for every branch of the condition.
  [(computer+1,           i, mem, stack, SNot cond : direction)  -- Fraudulent branch
  , (wordToInt addr, i, mem, stack, cond      : direction)] -- Horny branch

symStep (computer, i, mem, _:_:stack, direction) JmpIf =
  -- Function now not explore the staunch branch if the vacation insist address
  -- is symbolic.
  [(computer+1, i, mem, stack, direction)]

There are several critical differences between this and Add or Be taught.

First, this instruction returns plenty of unusual states, one for every branch. Within the first case, where the condition is fake, computer is incremented to the next instruction, and no jump happens. Within the case where the condition is staunch, computer is determined to the jump vacation insist.

Second, also survey that direction, the path constraints, are updated. First the jump condition is popped off the stack and poke to cond. When exploring the staunch case, cond itself is added to the path constraints. When exploring the pretend case, its negation is added: SNot cond.

Within the ruin, the staunch branch is most attention-grabbing explored if the vacation insist address is concrete (demonstrate the SCon addr sample match within the arguments checklist). Why is that this fundamental? Reflect about what would happen if the address trust been now not concerete. Divulge, to illustrate, that the jump address trust been x, any 32-bit note. This would possibly maybe maybe mean that the program can even jump to any address in any respect. Exploring this many branches mercurial turns into intractable, so a compromise is made and most attention-grabbing branches with a concrete vacation insist address are explored. That is a case of procuring and selling exhaustiveness for tractability. In instruct to make the prognosis tractable, a compormise is made: some bugs would maybe be overlooked. As you can also imagine, creating with wise methods of dealing with instances where exhaustiveness must be traded for tractability is an brisk insist a examine.

The Load and Store instructions undergo from a identical screech: symbolic values can drift into the address argument. If the vacation insist address is any 32-bit note, then Store can even retailer to any memory insist in any respect. Equally, it’s that you can also judge of for Load to load from any memory insist in any respect. There are a range of methods of dealing with this. One technique is to take care of it as a branching instruction where every that you can also judge of address is one branch of the program. In other words, one branch hundreds from address zero, one other branch hundreds from 1, and so on. That is the most in finding option within the sense that it’s exhaustive, alternatively it mercurial turns into intractable. Completely different tactics alternate exhaustiveness for tractability, by most attention-grabbing exploring some subset of that you can also judge of addresses.

To aid the implementation simple, this prognosis does something powerful dumber: it ignores instructions that retailer to a symbolic address. Alternatively, when asked to load from a symbolic address a generic symbolic imprint is loaded. Because it also will seemingly be loaded from any place, it over approximates the that you can also judge of values by making the pause result any 32-bit note.

What are the results of this? If instructions are brushed off, symbolic execution can even diverge exclusively from the semantics of the genuine program, and pause up every missing bugs that basically exist, and flagging bugs that don’t in fact exist. As an instance, within the case where a symbolic imprint is feeble for Loads, the prognosis can even omit bugs where the categorical memory address is empty.

Though genuine world symbolic execution engines employ extra sophisticated choices for dealing with these instances, coming into into the behavior of severe about these tradeoffs is price it. Pretty a range of examine in this insist is ready creating with better tactics for dealing with these circumstances, and carefully severe about the plot it impacts the prognosis.

Below is the implementation of Store.

-- If storing to a concrete address, update the memory
-- insist accordingly.
symStep (computer, i, mem, SCon addr:w:stack, cs) Store =
  [(computer+1, i, M.insert addr w mem, stack, cs)]
-- If storing to a symbolic address, ignore the
-- instruction.
symStep (computer, i, mem, _:_:stack, cs) Store =
  [(computer+1, i, mem, stack, cs)]

And the implementation of Load:

-- If loading from a concrete address, load the price
-- from the memory insist.
symStep (computer, i, mem, SCon addr:stack, cs) Load =
  case M.look up addr mem of
    True w -> [(computer+1, i, mem, w:stack, cs)]
    Nothing -> error "Nothing to Load at address."
-- If loading from a symbolic address, take care of the
-- load as loading any that you can also judge of 32-bit note.
symStep (computer, i, mem, _:stack, cs) Load =
  [(computer+1, i+1, mem, SAny i: stack, cs)]

The closing step of symbolic execution is searching symStep assuredly, both till all paths trust been explore exhaustively, or till a particular execution depth it reached. This prognosis returns a tree of states, where every direction from the foundation to a leaf represents an explored execution direction, and every node represents executing one instruction.

symRun :: Int -> Prog -> SymState -> T.Tree SymState
symRun maxDepth prog insist@(computer, _, _, _, _) =
  -- Score the present instruction.
  case prog ! (Offset computer) of
    True Performed ->
      -- If the instruction is Performed, discontinuance
      -- execution of this branch.
      T.Node insist []
    True instr ->
      if maxDepth > zero then
        -- Web your total unusual states (there can even be plenty of)
        -- and recursively name `symRun` on them.
        let newStates = symStep insist instr
            young of us = fmap (symRun (maxDepth - 1) prog) newStates
        in T.Node insist young of us
      else
        -- Max depth reached. Cease execution.
        T.Node insist []
    Nothing ->
      error $ "No instruction at " <> show computer

Show camouflage here that direction exploration proceeds depth first. In this method, symbolic execution can even be reframed as a search screech. Higher tactics for exploring the tree of that you can also judge of paths is an brisk insist of examine.

Your total implementation is on GitHub.

Constraint Fixing

The last step is to send the path constraints off to the contraint solver. In this toy example, the program is carried out to an abitrary depth, and then the constraints solver is invoked on the ensuing tree. Separating these into phases simplifies the implementation, however a genuine world engine would interleave these steps so that recordsdata from the constraint solver can even be feeble throughout symbolic execution.

Translating the constraints is a subject of walking the constraint syntax tree, Sym, and translating every node into whatever recordsdata structure the SMT solver uses. I’ve chosen to make employ of sbv as my interface into Z3, an SMT solver. Because here's library specific, I won’t race into powerful element on how here's finished. Please be aware the appendix for extra fundamental points.

What’s extra attention-grabbing is the assemble these contraints retract on. Divulge I in fact trust the next direction constraints:

These in finding translated into the next:

∃ y. ∃ x. 10 < (y + x) ∧ y < x

So every symbolic variable is existentially quantified and all direction constraints are conjoined.

The SMT solver then experiences encourage with (1) is the method satisfiable in any respect? and (2) what assignments to x and y make the method staunch?

So within the case of the method above, it also can sage: Satisfiable, y = 1, x = 10. What this implies is the path is a that you can also judge of direction thru the program (because its constraints are satisfiable) and it also will seemingly be precipitated by surroundings y to 1 and x to 10.

What if the method is unsatisfiable? That will mean that true direction can even by no technique be taken. That is one motive why constraint fixing while symbolically executing is precious: if a branch is terribly now not going, it also will seemingly be pruned earlier than sources are wasted exploring it.

As repeatedly, the total implementation is on GitHub.

Striking all of it together

Let’s plan a few example programs symbolically and stare the output.

Below is the program that provides its inputs together and most attention-grabbing prints if their sum is over 15.

addInputsPrintOver15 :: [Instr]
addInputsPrintOver15 =
  [Be taught
  , Be taught
  , Add
  , Dup
  , Push 15
  , Lt
  , Push 10 -- Address of Print instruction
  , Swap
  , JmpIf   -- If result's over 10, jump to the Print instruction
  , Performed    -- In every other case, exit
  , Print
  , Performed ]

Symbolically executing it yields the next result.

PC: zero
Stack: []
Route Constraints: "1"
Solved Values: Trivial
|
`- PC: 1
   Stack: ["val_0"]
   Route Constraints: "1"
   Solved Values: Trivial
   |
   `- PC: 2
      Stack: ["val_1","val_0"]
      Route Constraints: "1"
      Solved Values: Trivial
      |
      `- PC: Three
         Stack: ["(val_1 + val_0)"]
         Route Constraints: "1"
         Solved Values: Trivial
         |
         `- PC: four
            Stack: ["(val_1 + val_0)","(val_1 + val_0)"]
            Route Constraints: "1"
            Solved Values: Trivial
            |
            `- PC: 5
               Stack: ["15","(val_1 + val_0)","(val_1 + val_0)"]
               Route Constraints: "1"
               Solved Values: Trivial
               |
               `- PC: 6
                  Stack: ["15 < (val_1 + val_0)","(val_1 + val_0)"]
                  Route Constraints: "1"
                  Solved Values: Trivial
                  |
                  `- PC: 7
                     Stack: ["10","15 < (val_1 + val_0)","(val_1 + val_0)"]
                     Route Constraints: "1"
                     Solved Values: Trivial
                     |
                     `- PC: eight
                        Stack: ["15 < (val_1 + val_0)","10","(val_1 + val_0)"]
                        Route Constraints: "1"
                        Solved Values: Trivial
                        |
                        +- PC: 9
                        |  Stack: ["(val_1 + val_0)"]
                        |  Route Constraints: "~(15 < (val_1 + val_0)) and 1"
                        |  Solved Values: val_0 = zero :: Word32, val_1 = zero :: Word32, 
                        |
                        `- PC: 10
                           Stack: ["(val_1 + val_0)"]
                           Route Constraints: "15 < (val_1 + val_0) and 1"
                           Solved Values: val_0 = 4294967280 :: Word32, val_1 = zero :: Word32, 
                           |
                           `- PC: eleven
                              Stack: []
                              Route Constraints: "15 < (val_1 + val_0) and 1"
                              Solved Values: val_0 = 4294967280 :: Word32, val_1 = zero :: Word32, 

Every node in this tree represents a single snapshot of the symbolic insist at that level within the program. A direction thru the tree represents a direction thru the program. PC is the program counter, and the opposite fields are the symbolic insist straight earlier than executing the instruction at the program counter.

After the preliminary Be taught instructions are carried out, two symbolic variables are pushed onto the stack (one for every Be taught instruction). The first is is named val_0 and the second is val_1.

PC: 2
Stack: ["val_1","val_0"]
Route Constraints: "1"
Solved Values:

At this level, the most attention-grabbing direction constraint is 1 or Horny, which is the trivially staunch direction constraint. In other words, any inputs to the program will trigger this direction–it’s a direction that’s repeatedly flee.

Things in finding extra attention-grabbing at the branch.

PC: eight
Stack: ["15 < (val_1 + val_0)","10","(val_1 + val_0)"]
Route Constraints: "1"
Solved Values: Trivial
|
+- PC: 9
|  Stack: ["(val_1 + val_0)"]
|  Route Constraints: "~(15 < (val_1 + val_0)) and 1"
|  Solved Values: val_0 = zero :: Word32, val_1 = zero :: Word32, 
|
`- PC: 10
   Stack: ["(val_1 + val_0)"]
   Route Constraints: "15 < (val_1 + val_0) and 1"
   Solved Values: val_0 = 4294967280 :: Word32, val_1 = zero :: Word32, 

PC: eight is the address of the JmpIf instruction, and it has two young of us representing every aspect of the branch. One branch represents the condition being pretend (the first child) and the opposite represents it being staunch (the second child). Which inputs would trigger which branch? The “Solved Values” allotment tells us that surroundings the first input, val_0, to zero and the second, val_1, to zero would trigger the pretend 1/2 of the branch, and indeed zero+zero is now not bigger than 15. From the opposite node, we be aware that 4294967280 and zero will trigger the opposite 1/2 of the branch, and indeed 4294967280+zero is bigger than 15.

Here is one other program. It loops with out ruin.

loop :: [Instr]
loop = [Push zero -- Jump vacation insist
       , Push 1 -- Situation: 1 is repeatedly staunch.
       , JmpIf
       , Performed
       ]

The condition, 1, is repeatedly staunch, so it repeatedly jumps encourage to the starting up do of the program.

Below is a fragment of the symbolic program hint.

PC: 2
Stack: ["1","0"]
Route Constraints: "1"
Solved Values: Trivial
|
+- PC: Three
|  Stack: []
|  Route Constraints: "~(1) and 1"
|  Solved Values: Unsatisfiable
|
`- PC: zero
   Stack: []
   Route Constraints: "1 and 1"
   Solved Values: Trivial

The first node is the JmpIf instruction, and the two young of us are every aspect of the branch. The first 1/2 of the branch, the pretend 1/2, returns the pause result Unsatisfiable within the “Solved Values” allotment. The solver appropriately deduces that the path constraint is by no technique staunch and so it must be the case that that branch is by no technique taken. On the opposite hand, the staunch 1/2 of the branch returns Trivial indicating that the path constraints are trivially satisfiable and that branch is repeatedly taken.

The two examples given above are more than seemingly attention-grabbing, however now not too impressive by themselves. The genuine vitality of this draw is utilizing the tips acquired from symbolic execution to flag disorders esteem failing asserts and integer overflows. Though those ought to now not covered in this tutorial, you can also picture what these can even survey esteem. Given a direction constraint and a few assert, the SMT solver can clarify if there are any imprint that fulfill the constraints however suppose the assert. If there are, it’s that you can also judge of for the assert to fail. As for overflows, it’s that you can also judge of to place a quiz to the solver if any fulfilling values trigger the overflow bit. Beyond this, you can also even imagine utilizing temporal good judgment to assert properties over total execution bushes equivalent to : if p is staunch, then at closing q would maybe be staunch. The chances race on and on.

My purpose for writing this tutorial is to bring this draw to a magnificent wider audience. In explicit, I mediate here's a promising technique because it also will seemingly be mostly computerized, and has viewed some genuine world success. I'm hoping if this interests you, that that it is seemingly you'll aid exploring. A genuine dwelling to originate is this survey which comprises a staunch overview of the extra sophisticated tactics for dealing with memory addresses and jumps. In screech up posts, I’d esteem to be in contact extra about one of the fundamental genuine world successes, and the existing tools you can also employ at present.

Constraint fixing with sbv and z3

Constraint fixing with sbv is a subject of walking the Sym tree and translating every node into the correct sbv show. Below is how SAdd is conducted.

import licensed Files.SBV.Dynamic as S

symToSMT m (SAdd l r) =
  S.svPlus <$> symToSMT m l <*> symToSMT m r

Every operand to SAdd is converted with a recursive name to symToSMT and then sbv’s plus operation is utilized, svPlus.

It’s price pointing out that sbv’s untyped API (Files.SBV.Dynamic) must be feeble when creating sbv expressions at runtime.

Arbitrary 32-bit words are created utilizing sbv’s svMkSymVar draw.

-- | Make an existential note of `i` bits with
-- | the name `name`.
sWordEx :: Int -> String -> S.Symbolic S.SVal
sWordEx i name =  put a quiz to >>= liftIO . S.svMkSymVar (True S.EX) (S.KBounded Fraudulent i) (True (toList name))

As shown above, it’s that you can also judge of to specify if the variable is bounded in any respect, by what number of bits, and if the price is signed or now not. You would possibly maybe maybe additionally specify if the variable is existentially (S.EX) or universally quanitified. Here, I employ bounded, unsigned, 32-bit words that are existentially quantified: S.KBounded Fraudulent 32.

Ahead of the Sym tree is translated, the tree is walked and any symbolic variables are quiet (SAny).

-- | Stroll the constraint gathering up the free
-- | variables.
gatherFree :: Sym -> S.Situation Sym
gatherFree c@(SAny _) = S.singleton c
gatherFree (SAdd l r) = gatherFree l <> gatherFree r
gatherFree (SEq l r) = gatherFree l <> gatherFree r
gatherFree (SNot c) = gatherFree c
gatherFree (SOr l r) = gatherFree l <> gatherFree r
gatherFree (SAnd l r) = gatherFree l <> gatherFree r
gatherFree (SLt l r) = gatherFree l <> gatherFree r
gatherFree (SCon _) = mempty

This house of symbolic variables is feeble to thunder all variables to the SMT solver earlier than translating the expression. The declared variables are saved to a draw and retreived when the symbolic expression references them.

symToSMT m (SAny i) = plan
  case M.look up i m of
    True val -> return val
    Nothing -> error "Missing symbolic variable."