Automatically proving termination and memory safety for programs with pointer arithmetic


BIROn - Birkbeck Institutional Research Online

Ströder, T. and Giesl, J. and Brockschmidt, M. and Frohn, F. and Fuhs, Carsten and Hensel, J. and Schneider-Kamp, P. and Aschermann, C. (2017) Automatically proving termination and memory safety for programs with pointer arithmetic. Journal of Automated Reasoning 58 (1), pp. 33-65. ISSN 0168-7433.


Automatically Proving Termination and Memory Safety for Programs with Pointer Arithmetic

Thomas Ströder · Jürgen Giesl · Marc Brockschmidt · Florian Frohn · Carsten Fuhs · Jera Hensel · Peter Schneider-Kamp · Cornelius Aschermann

Abstract While automated verification of imperative programs has been studied intensively, proving termination of programs with explicit pointer arithmetic fully automatically was still an open problem. To close this gap, we introduce a novel abstract domain that can track allocated memory in detail. We use it to automatically construct a symbolic execution graph that over-approximates all possible runs of a program and that can be used to prove memory safety. This graph is then transformed into an integer transition system, whose termination can be proved by standard techniques. We implemented this approach in the automated termination prover AProVE and demonstrate its capability of analyzing C programs with pointer arithmetic that existing tools cannot handle.

Keywords LLVM · C programs · Termination · Memory Safety · Symbolic Execution

1 Introduction

Consider the following standard C implementation of strlen [62, 72], computing the length of the string at the pointer str. In C, strings are usually represented as a pointer str to the heap, where all following memory cells up to the first one that contains the value 0 are allocated memory and form the value of the string.

int strlen(char* str) {char* s = str; while(*s) s++; return s-str;}

Supported by Deutsche Forschungsgemeinschaft (DFG) grant GI 274/6-1, Research Training Group 1298 (AlgoSyn), and the Danish Council for Independent Research, Natural Sciences.

Thomas Ströder · Jürgen Giesl · Florian Frohn · Jera Hensel · Cornelius Aschermann
LuFG Informatik 2, RWTH Aachen University, Germany

Marc Brockschmidt
Microsoft Research Cambridge, UK

Carsten Fuhs
Dept. of Computer Science and Information Systems, Birkbeck, University of London, UK

Peter Schneider-Kamp

To analyze algorithms on such data, one has to handle the interplay between addresses and the values they point to. In C, a violation of memory safety (e.g., dereferencing NULL, accessing an array outside its bounds, etc.) leads to undefined behavior, which may also include non-termination. Thus, to prove termination of C programs with low-level memory access, one must also ensure memory safety. The strlen algorithm is memory safe and terminates, because there is some address end ≥ str (an integer property of end and str) such that *end is 0 (a pointer property of end) and all addresses str ≤ s ≤ end are allocated. Other typical programs with pointer arithmetic operate on arrays (which are just sequences of memory cells in C). In this paper, we present a novel approach to prove memory safety and termination of algorithms on integers and pointers automatically. Our abstract domain is tailored to track both integer properties which relate allocated memory addresses with each other, as well as pointer properties about the data stored at such addresses.
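The memory safety argument for strlen can be illustrated by a small C sketch. The function checked_strlen and its parameter last (the last allocated address of the block starting at str) are hypothetical names introduced only for this illustration; the function makes the bound explicit that plain strlen relies on implicitly.

```c
#include <stddef.h>

/* Hypothetical helper: `last` is the last allocated address of the block
   that starts at `str`. Returns the string length, or -1 if no 0 byte
   occurs in [str, last], i.e., if plain strlen would leave the
   allocated area. */
long checked_strlen(const char *str, const char *last) {
    const char *s = str;
    while (s <= last) {            /* integer property: str <= s <= last */
        if (*s == 0)               /* pointer property: *s is 0 */
            return (long)(s - str);
        s++;
    }
    return -1;                     /* plain strlen would violate memory safety */
}
```

If a 0 byte exists at some address end with str ≤ end ≤ last, the loop stops at the first such address, which mirrors the termination argument given above.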

To avoid handling the intricacies of C, we analyze programs in the platform-independent intermediate representation (IR) of the LLVM compilation framework [51, 53]. Our approach works in three steps: First, a symbolic execution graph is created that represents an over-approximation of all possible program runs. We present our abstract domain based on separation logic [61] in Sect. 2 and the automated generation of such graphs in Sect. 3. In Sect. 4 we show the correctness of our construction. In this first step from LLVM to the symbolic execution graph, we handle all issues related to memory, and in particular we prove memory safety of our input program. In Sect. 5, we describe the second step of our approach, in which we generate an integer transition system (ITS) from the symbolic execution graph, encoding the essential information needed to show termination. In the last step, existing techniques for integer programs are used to prove termination of the resulting ITS. In Sect. 6, we compare our approach with related work and show that our implementation in the termination prover AProVE proves memory safety and termination of typical pointer algorithms that could not be handled by other tools before.

A preliminary version of parts of this paper was published in [67]. The present paper extends [67] by the following new contributions:

– We lift the restriction of analyzing only programs with exactly one function to non-recursive programs with several functions.

– We show how to consider alignment information in the abstract domain. In [67], we just assumed a 1 byte data alignment for all types.

– In [67], we only handled memory allocation using the LLVM instruction alloca. In this paper, we extend our abstract domain and our symbolic execution rules to handle the external functions malloc and free. This allows us to model memory safety more precisely. Up to now, we could only prove absence of accesses to unallocated memory, whereas now, we can also show that free is only called for addresses that have been returned by malloc and that have not been released already. Note that if memory is not released by the end of the program, then we do not consider this as a violation of memory safety, because it does not lead to undefined behavior.

– We added more symbolic execution rules for LLVM instructions, and give a detailed overview of our limitations in Sect. 6.

– To represent all possible program runs by a finite symbolic execution graph, it is crucial to merge abstract program states that visit the same program position. We have substantially improved the merging heuristic of [67] in order to also analyze programs where termination or memory safety depend on invariants relating different areas of allocated memory. Such reasoning is required for programs like the strcpy function from the standard C library. Our symbolic execution can now handle such programs automatically, whereas [67] fails to prove memory safety (and hence also termination).


2 Abstract Domain for Symbolic Execution

In this section, we introduce concrete LLVM states and abstract states that represent sets of concrete states. These states will be needed for symbolic execution in Sect. 3.

To simplify the presentation, we restrict ourselves to types of the form i$n$ (for $n$-bit integers), i$n$* (for pointers to values of type i$n$), i$n$**, i$n$***, etc. Like many other approaches to termination analysis, we disregard integer overflows and assume that variables are only instantiated with signed integers appropriate for their type.

define i32 @strlen(i8* str) {
entry:
  0: c0 = load i8* str
  1: c0zero = icmp eq i8 c0, 0
  2: br i1 c0zero, label done, label loop
loop:
  0: olds = phi i8* [str,entry],[s,loop]
  1: s = getelementptr i8* olds, i32 1
  2: c = load i8* s
  3: czero = icmp eq i8 c, 0
  4: br i1 czero, label done, label loop
done:
  0: sfin = phi i8* [str,entry],[s,loop]
  1: sfinint = ptrtoint i8* sfin to i32
  2: strint = ptrtoint i8* str to i32
  3: size = sub i32 sfinint, strint
  4: ret i32 size
}

We consider the strlen function from Sect. 1. In the corresponding LLVM code,¹ str has the type i8*, since it is a pointer to the string’s first character (of type i8). The program is split into the basic blocks entry, loop, and done. We will explain this LLVM code in detail when constructing the symbolic execution graph in Sect. 3.
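To relate the three basic blocks to the C source, the LLVM code can be transliterated back into C with labels and gotos. This is only an illustrative sketch; the name strlen_blocks and the comments mapping statements to program positions are our own reading of the code above.

```c
/* Block-structured C rendering of the LLVM code for strlen. The labels
   mirror the basic blocks loop and done; the code before `loop`
   corresponds to the block entry. The name strlen_blocks is hypothetical. */
int strlen_blocks(const char *str) {
    const char *s, *olds, *sfin;
    char c0, c;

    c0 = *str;                                /* entry 0: load */
    if (c0 == 0) { sfin = str; goto done; }   /* entry 1-2; phi in done picks str */
    olds = str;                               /* phi in loop picks str (from entry) */
loop:
    s = olds + 1;                             /* loop 1: getelementptr */
    c = *s;                                   /* loop 2: load */
    if (c == 0) { sfin = s; goto done; }      /* loop 3-4; phi in done picks s */
    olds = s;                                 /* phi in loop picks s (from loop) */
    goto loop;
done:
    return (int)(sfin - str);                 /* done 1-4: ptrtoint, sub, ret */
}
```

The assignments to olds and sfin before each jump play the role of the phi instructions, which select a value depending on the block from which control arrives.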

An LLVM state consists of a call stack, a knowledge base with information about the values of symbolic variables, and two sets which describe memory allocations and the contents of memory. The call stack is a sequence of stack frames, where each stack frame contains information local to its corresponding function. In particular, a stack frame contains the current program position which is represented by a pair $(b, j)$. Here, $b$ is the name of the current basic block and $j$ is the index of the next instruction. So if $Blks$ is the set of all basic blocks, then the set of program positions is $Pos = Blks \times \mathbb{N}$. To ease the formalization, we assume that different functions do not have basic blocks with the same names. Moreover, a stack frame also contains information on the current values of the local program variables. We represent an assignment to the local variables $\mathcal{V}_P$ (e.g., $\mathcal{V}_P = \{str, c0, \ldots\}$) in the $i$-th stack frame as a partial function $LV_i : \mathcal{V}_P \rightharpoonup \mathcal{V}_{sym}$ (where “$\rightharpoonup$” denotes partial functions). We use an infinite set of symbolic variables $\mathcal{V}_{sym}$ with $\mathcal{V}_{sym} \cap \mathcal{V}_P = \{\}$ instead of concrete integers. In this way, our states can represent not only concrete execution states, where all symbolic variables $v \in \mathcal{V}_{sym}$ are constrained to a concrete fixed number in $\mathbb{Z}$, but also abstract states, where $v$ can stand for several possible values. Such states will be needed for symbolic execution. To ease the generalization of states in Sect. 3.3, we require that all $LV_i$ occurring in a call stack are injective and have pairwise disjoint ranges. Let $\mathcal{V}_{sym}(LV_i) \subseteq \mathcal{V}_{sym}$ be the set of all symbolic variables $v$ where there exists some $x \in \mathcal{V}_P$ with $LV_i(x) = v$.

In addition to the values of local variables, each stack frame also contains an allocation list $AL_i$. This list contains expressions of the form $\llbracket v_1, v_2 \rrbracket$ for $v_1, v_2 \in \mathcal{V}_{sym}$, which indicate that $v_1 \le v_2$ and that all addresses between $v_1$ and $v_2$ have been allocated by an alloca instruction. This information is stored in the stack frames, as memory allocated by alloca in a function is automatically released when the control flow returns from that function.

A program position, a variable assignment and an allocation list form a stack frame $FR$, and we represent call stacks as sequences $[FR_1, \ldots, FR_n]$ of such stack frames, where the $i$-th stack frame has the form $FR_i = (p_i, LV_i, AL_i)$. The topmost frame is $FR_1$, and we use “$\cdot$” to decompose call stacks, i.e., $[FR_1, \ldots, FR_n] = FR_1 \cdot [FR_2, \ldots, FR_n]$. A new stack frame is added in front of the sequence whenever a function is called, and removed when control returns from it. For any call stack $CS = [FR_1, \ldots, FR_n]$ where each stack frame $FR_i$ uses the partial function $LV_i$ for the local variables, let $\mathcal{V}_{sym}(CS)$ consist of $\mathcal{V}_{sym}(LV_1) \cup \ldots \cup \mathcal{V}_{sym}(LV_n)$ and of all symbolic variables occurring in $AL_1$, ..., or $AL_n$.

¹ This LLVM program corresponds to the code obtained from strlen with the Clang compiler [23]. To ease readability, we wrote variables without “%” in front (i.e., we wrote “str” instead of “%str” as in proper LLVM).

The second component of our LLVM states is the knowledge base $KB \subseteq QF\_IA(\mathcal{V}_{sym})$, a set of quantifier-free first-order formulas that express integer arithmetic properties of $\mathcal{V}_{sym}$. For concrete states, the knowledge base constrains $\mathcal{V}_{sym}(CS)$ in such a way that their values are uniquely determined, whereas for abstract states several values are possible.

Many of the rules for symbolic execution in Sect. 3 have conditions where one has to check validity of formulas obtained from the knowledge base of the current state. In principle, any SMT solver can be used for this check. Most of these formulas only use linear integer arithmetic, but for programs with non-linear expressions (like x * y), the resulting formulas can also contain non-linear arithmetic. As validity is not decidable for non-linear integer arithmetic, the power of the SMT solver influences the power of our analysis, since symbolic execution rules can only be applied if the proof for their applicability conditions succeeds.

The third component is the global allocation list $AL$. It is used to model memory allocated by malloc, where allocated parts of the memory are again represented by expressions of the form $\llbracket v_1, v_2 \rrbracket$. In contrast to alloca, memory allocated by malloc needs to be released explicitly by the programmer. In this paper, we assume that reading from memory locations that are currently allocated but not initialized yields an arbitrary fixed value. To remove this assumption, a structure similar to $AL$ could be used to track initialized memory regions.

As the fourth and final component, $PT$ is a set of “points-to” atoms $v_1 \hookrightarrow_{ty} v_2$ where $v_1, v_2 \in \mathcal{V}_{sym}$ and $ty$ is an LLVM type. This means that the value $v_2$ of type $ty$ is stored at the address $v_1$. Let $size(ty)$ be the number of bytes required for values of type $ty$ (e.g., $size(i8) = 1$ and $size(i32) = 4$). As each memory cell stores one byte, $v_1 \hookrightarrow_{i32} v_2$ means that $v_2$ is stored in the four cells at the addresses $v_1, \ldots, v_1 + 3$. The size of a pointer type $ty*$ is determined by the data layout string in the beginning of an LLVM program. On 64-bit machine architectures, we usually have $size(ty*) = 8$, and on 32-bit architectures we usually have $size(ty*) = 4$. In the following let us consider some fixed value for $size(ty*)$.

Finally, to model possible violations of memory safety, we introduce a special error state ERR. In particular, this state is reached when accessing non-allocated memory. The following definition introduces our notion of (possibly abstract) LLVM states formally.

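Definition 1 (LLVM States) LLVM states have the form $(CS, KB, AL, PT)$ where $CS \in (Pos \times (\mathcal{V}_P \rightharpoonup \mathcal{V}_{sym}) \times \{\llbracket v_1, v_2 \rrbracket \mid v_1, v_2 \in \mathcal{V}_{sym}\})^*$, $KB \subseteq QF\_IA(\mathcal{V}_{sym})$, $AL \subseteq \{\llbracket v_1, v_2 \rrbracket \mid v_1, v_2 \in \mathcal{V}_{sym}\}$, and $PT \subseteq \{(v_1 \hookrightarrow_{ty} v_2) \mid v_1, v_2 \in \mathcal{V}_{sym}, ty \text{ is an LLVM type}\}$. Additionally, there is a state ERR for possible memory safety violations. For a state $a = (CS, KB, AL, PT)$, let $\mathcal{V}_{sym}(a)$ consist of $\mathcal{V}_{sym}(CS)$ and of all symbolic variables occurring in $KB$, $AL$, or $PT$.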

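In a call stack $CS = [(p_1, LV_1, AL_1), \ldots, (p_n, LV_n, AL_n)]$, we often identify the mapping $LV_i$ with the set of equations $\{x_i = LV_i(x) \mid x \in \mathcal{V}_P, LV_i(x) \text{ is defined}\}$ and extend $LV_i$ to a function from $\mathcal{V}_P \uplus \mathbb{Z}$ to $\mathcal{V}_{sym} \uplus \mathbb{Z}$ by defining $LV_i(n) = n$ for all $n \in \mathbb{Z}$. We also often identify $CS$ with the set of equations $\bigcup_{1 \le i \le n} \{x_i = LV_i(x) \mid x \in \mathcal{V}_P, LV_i(x) \text{ is defined}\}$. Let $\mathcal{V}_P^{fr} = \{x_i \mid x \in \mathcal{V}_P, i \in \mathbb{N}_{>0}\}$ be the set of all these indexed variables that we use to represent stack frames. Moreover, we write $AL^*$ for the union of the global allocation list with the allocation lists in the individual stack frames, i.e., $AL^* = AL \cup AL_1 \cup \ldots \cup AL_n$. Thus, $AL^*$ represents all currently allocated memory (by alloca or malloc) in the current state. We say that a state $(CS, KB, AL, PT)$ is well formed iff for every “points-to” information $v \hookrightarrow_{ty} w \in PT$, there is an allocated area $\llbracket v_1, v_2 \rrbracket$ in $AL^*$ such that $\models KB \Rightarrow v_1 \le v \wedge v \le v_2$. So $PT$ only contains information about addresses that are known to be allocated.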


As an example, consider the following abstract state for our strlen program:

$$( [((entry, 0), \{str_1 = u_{str}\}, \{\})], \{z = 0\}, \{\llbracket u_{str}, v_{end} \rrbracket\}, \{v_{end} \hookrightarrow_{i8} z\} ) \qquad (†)$$

It represents states at the beginning of the entry block, where $CS = [((entry, 0), LV_1, \{\})]$ with $LV_1(str) = u_{str}$ and no memory was allocated by alloca. Due to an earlier call of malloc, the memory cells between $LV_1(str) = u_{str}$ and $v_{end}$ are allocated on the heap, and the value at the address $v_{end}$ is $z$ (where the knowledge base is $\{z = 0\}$).

To define the semantics of abstract states $a$, we introduce the formulas $\langle a \rangle_{SL}$ and $\langle a \rangle_{FO}$. Here, $\langle a \rangle_{SL}$ is a formula from a fragment of separation logic [61] that defines which concrete states are represented by $a$. The first-order formula $\langle a \rangle_{FO}$ is a weakened version of $\langle a \rangle_{SL}$, used for the automation of our approach. We use it to construct symbolic execution graphs, as it allows us to apply standard SMT solving [59] for all reasoning. We also use $\langle a \rangle_{FO}$ for the subsequent generation of integer transition systems from symbolic execution graphs.

The formula $\langle a \rangle_{FO}$ contains $KB$, and in addition, it expresses that the pairs $\llbracket v_1, v_2 \rrbracket$ in allocation lists represent disjoint intervals. Moreover, two values at the same address must be equal and two addresses must be different if they point to different values in $PT$. Finally, all addresses are positive numbers.

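Definition 2 (Representing States by FO Formulas) The set $\langle a \rangle_{FO}$ is the smallest set with

$$\begin{aligned}
\langle a \rangle_{FO} = {} & KB \cup \{1 \le v_1 \wedge v_1 \le v_2 \mid \llbracket v_1, v_2 \rrbracket \in AL^*\} \;\cup \\
& \{v_2 < w_1 \vee w_2 < v_1 \mid \llbracket v_1, v_2 \rrbracket, \llbracket w_1, w_2 \rrbracket \in AL^*, (v_1, v_2) \ne (w_1, w_2)\} \;\cup \\
& \{v_2 = w_2 \mid (v_1 \hookrightarrow_{ty} v_2), (w_1 \hookrightarrow_{ty} w_2) \in PT \text{ and } \models \langle a \rangle_{FO} \Rightarrow v_1 = w_1\} \;\cup \\
& \{v_1 \ne w_1 \mid (v_1 \hookrightarrow_{ty} v_2), (w_1 \hookrightarrow_{ty} w_2) \in PT \text{ and } \models \langle a \rangle_{FO} \Rightarrow v_2 \ne w_2\} \;\cup \\
& \{v_1 > 0 \mid (v_1 \hookrightarrow_{ty} v_2) \in PT\}.
\end{aligned}$$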
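For concrete values, the two interval constraints of Def. 2 can be checked directly. The following C sketch is only an illustration under simplifying assumptions: the type Interval and the function intervals_consistent are hypothetical names, and distinct entries of the allocation list are identified by their array index rather than by their symbolic variables.

```c
#include <stdbool.h>
#include <stddef.h>

/* A concrete allocated area [lo, hi], i.e., an instance of an entry of AL*. */
typedef struct { long lo, hi; } Interval;

/* Checks the interval constraints of Def. 2 on concrete values:
   1 <= lo <= hi for every area, and (hi_i < lo_j or hi_j < lo_i)
   for every pair of distinct areas. */
bool intervals_consistent(const Interval *al, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!(1 <= al[i].lo && al[i].lo <= al[i].hi))
            return false;
        for (size_t j = i + 1; j < n; j++) {
            bool disjoint = al[i].hi < al[j].lo || al[j].hi < al[i].lo;
            if (!disjoint)
                return false;
        }
    }
    return true;
}
```

In the analysis itself, these constraints are not checked on concrete numbers but handed to an SMT solver as part of the formula for the abstract state.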

Now we formally define “concrete states” as abstract states of a particular form. A concrete state $c$ uniquely describes the call stack and the contents of the memory. So we require that (a) $\langle c \rangle_{FO}$ is satisfiable to ensure that $c$ actually can represent something, and that (b) $c$ has unique values for the contents of all allocated addresses. Here, we represent memory data byte-wise, and since LLVM represents values in two’s complement, each byte stores a value from $[-2^7, 2^7 - 1]$. This byte-wise representation of the memory enforces a uniform representation of concrete states, and thus (c) we allow only statements of the form $w_1 \hookrightarrow_{i8} w_2$ in $PT$ for concrete states. Moreover, this restriction ensures that concrete states are really legal states. (Otherwise, we would have to check whether two statements $w_1 \hookrightarrow_{ty_1} w_2$ and $w_1 \hookrightarrow_{ty_2} w_3$ with $ty_1 \ne ty_2$ in the same state are compatible or whether they contradict each other.) Finally, (d) all occurring symbolic variables must have unique values.

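Definition 3 (Concrete States) Let $c = (CS, KB, AL, PT)$ be an LLVM state. We call $c$ a concrete state iff $c$ is well formed and all of the following conditions hold:

(a) $\langle c \rangle_{FO}$ is satisfiable,

(b) for all $\llbracket v_1, v_2 \rrbracket \in AL^*$ and for all integers $n$ with $\models \langle c \rangle_{FO} \Rightarrow v_1 \le n \wedge n \le v_2$, there exists $(w_1 \hookrightarrow_{i8} w_2) \in PT$ for some $w_1, w_2 \in \mathcal{V}_{sym}$ such that $\models \langle c \rangle_{FO} \Rightarrow w_1 = n$ and $\models \langle c \rangle_{FO} \Rightarrow w_2 = k$ for some $k \in [-2^7, 2^7 - 1]$,

(c) there is no $w_1 \hookrightarrow_{ty} w_2 \in PT$ for $ty \ne i8$,

(d) for all $v \in \mathcal{V}_{sym}(c)$ there exists an $n \in \mathbb{Z}$ such that $\models \langle c \rangle_{FO} \Rightarrow v = n$.

Moreover, ERR is also a concrete state.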


means that the evaluation step performs an operation that may lead to undefined behavior. An LLVM program is memory safe for $c \ne ERR$ iff there is no evaluation $c \to^+_{LLVM} ERR$, where $\to^+_{LLVM}$ is the transitive closure of $\to_{LLVM}$.

As mentioned, in addition to $\langle a \rangle_{FO}$, we also introduce a separation logic formula $\langle a \rangle_{SL}$ for every state $a$. We consider a fragment of separation logic which extends first-order logic by a predicate symbol “$\hookrightarrow$” for “points-to” information and by the connective “$\ast$” for separating conjunction. As usual, $\varphi_1 \ast \varphi_2$ means that $\varphi_1$ and $\varphi_2$ hold for disjoint parts of the memory.

The semantics of separation logic can then be defined using interpretations of the form $(as, mem)$ which represent the values of the program variables and the heap. The (partial) assignment function $as : \mathcal{V}_P^{fr} \rightharpoonup \mathbb{Z}$ is used to describe the values of the program variables (more precisely, $as$ operates on variables of the form $x_i$ to represent the variable $x \in \mathcal{V}_P$ occurring in the $i$-th stack frame). Moreover, a partial function $mem : \mathbb{N}_{>0} \rightharpoonup \{0, \ldots, 2^8 - 1\}$ with finite domain describes the memory contents at allocated addresses (as unsigned bytes).

To deal with symbolic variables in formulas, we use instantiations. Let $\mathcal{T}(\mathcal{V}_{sym})$ be the set of all arithmetic terms containing only variables from $\mathcal{V}_{sym}$. Any function $\sigma : \mathcal{V}_{sym} \to \mathcal{T}(\mathcal{V}_{sym})$ is called an instantiation. Thus, $\sigma$ does not instantiate $\mathcal{V}_P^{fr}$. Instantiations are extended to formulas in the usual way, i.e., $\sigma(\varphi)$ instantiates every free occurrence of $v \in \mathcal{V}_{sym}$ in $\varphi$ by $\sigma(v)$. An instantiation is called concrete iff $\sigma(v) \in \mathbb{Z}$ for all $v \in \mathcal{V}_{sym}$.

Definition 4 (Semantics of Separation Logic) Let $as : \mathcal{V}_P^{fr} \rightharpoonup \mathbb{Z}$, $mem : \mathbb{N}_{>0} \rightharpoonup \{0, \ldots, 2^8 - 1\}$, and let $\varphi$ be a formula such that $as$ is defined on all variables from $\mathcal{V}_P^{fr}$ that occur in $\varphi$. Let $as(\varphi)$ result from replacing all $x_i$ in $\varphi$ by $as(x_i)$. Note that by construction, local variables $x_i$ are never quantified in our formulas. Then we define $(as, mem) \models \varphi$ iff $mem \models as(\varphi)$.

We now define $mem \models \psi$ for formulas $\psi$ that may contain symbolic variables from $\mathcal{V}_{sym}$ (this is needed for Sect. 3). As usual, all free variables $v_1, \ldots, v_n$ in $\psi$ are implicitly universally quantified, i.e., $mem \models \psi$ iff $mem \models \forall v_1, \ldots, v_n.\ \psi$. The semantics of arithmetic operations and predicates as well as of first-order connectives and quantifiers are as usual. In particular, we define $mem \models \forall v.\ \psi$ iff $mem \models \sigma(\psi)$ holds for all instantiations $\sigma$ where $\sigma(v) \in \mathbb{Z}$ and $\sigma(w) = w$ for all $w \in \mathcal{V}_{sym} \setminus \{v\}$.

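We still have to define the semantics of $\hookrightarrow$ and $\ast$ for variable-free formulas. For $n_1, n_2 \in \mathbb{Z}$, let $mem \models n_1 \hookrightarrow n_2$ hold iff $mem(n_1) = n_2$.² The semantics of $\ast$ is defined as usual in separation logic: For two partial functions $mem_1, mem_2 : \mathbb{N}_{>0} \rightharpoonup \mathbb{Z}$, we write $mem_1 \perp mem_2$ to indicate that the domains of $mem_1$ and $mem_2$ are disjoint. If $mem_1 \perp mem_2$, then $mem_1 \uplus mem_2$ denotes the union of $mem_1$ and $mem_2$. Now $mem \models \varphi_1 \ast \varphi_2$ holds iff there exist $mem_1 \perp mem_2$ such that $mem = mem_1 \uplus mem_2$ where $mem_1 \models \varphi_1$ and $mem_2 \models \varphi_2$. As usual, “$\models \varphi$” means that $\varphi$ is a tautology, i.e., that $(as, mem) \models \varphi$ holds for any interpretation $(as, mem)$.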

To formalize the semantics of an abstract state $a$, i.e., to define which concrete states are represented by $a$, we now define $\langle a \rangle_{SL}$. In $\langle a \rangle_{SL}$, we combine the elements of $AL^*$ with the separating conjunction “$\ast$” to express that different allocated memory blocks are disjoint. We have to include an additional separated conjunct $true$ to represent further allocations that we do not know of. In contrast, the elements of $PT$ are combined by the ordinary conjunction “$\wedge$”. So $(v_1 \hookrightarrow_{ty} v_2) \in PT$ does not imply that $v_1$ is different from other addresses occurring in $PT$. Similarly, we also combine the two formulas resulting from $AL^*$ and $PT$ by “$\wedge$”, as both express different properties of the same memory addresses.

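Definition 5 (Representing States by SL Formulas) For $v_1, v_2 \in \mathcal{V}_{sym}$, let

$$\langle \llbracket v_1, v_2 \rrbracket \rangle_{SL} = 1 \le v_1 \wedge v_1 \le v_2 \wedge (\forall x. \exists y.\ (v_1 \le x \le v_2) \Rightarrow (x \hookrightarrow y)).$$

Reflecting two’s complement representation, for any LLVM type $ty$, we define

$$\langle v_1 \hookrightarrow_{ty} v_2 \rangle_{SL} = v_1 > 0 \wedge \langle v_1 \hookrightarrow_{size(ty)} v_3 \rangle_{SL} \wedge (v_2 \ge 0 \Rightarrow v_3 = v_2) \wedge (v_2 < 0 \Rightarrow v_3 = v_2 + 2^{8 \cdot size(ty)}),$$

where $v_3 \in \mathcal{V}_{sym}$ is fresh. We assume a little-endian data layout (where the least significant byte is stored in the lowest address).³ Here, we let $\langle v_1 \hookrightarrow_0 v_3 \rangle_{SL} = true$ and $\langle v_1 \hookrightarrow_{n+1} v_3 \rangle_{SL} = (v_1 \hookrightarrow (v_3 \bmod 2^8)) \wedge \langle (v_1 + 1) \hookrightarrow_n (v_3 \,\mathrm{div}\, 2^8) \rangle_{SL}$.

Let $a = (CS, KB, AL, PT)$ be an abstract state. It is represented in separation logic by⁴

$$\langle a \rangle_{SL} = CS \wedge KB \wedge (true \ast (\mathop{\ast}_{\varphi \in AL^*} \langle \varphi \rangle_{SL})) \wedge (\bigwedge_{\varphi \in PT} \langle \varphi \rangle_{SL}).$$

² We use “$\hookrightarrow$” instead of “$\mapsto$” in separation logic, since $mem \models n$ …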

Clearly, we have $\models \langle a \rangle_{SL} \Rightarrow \langle a \rangle_{FO}$ for any abstract state $a$. So $\langle a \rangle_{FO}$ only contains first-order information that holds in every concrete state represented by $a$.
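The byte-wise, little-endian reading of a points-to atom in Def. 5 can be made concrete with a short C sketch. The function name encode_le and the restriction to sizes of at most 4 bytes are assumptions made for this illustration; the value v2 is assumed to lie in the signed range of its type.

```c
#include <stdint.h>
#include <stddef.h>

/* Writes the little-endian encoding of the signed value v2 into
   out[0..size-1], following Def. 5: v3 = v2 if v2 >= 0 and
   v3 = v2 + 2^(8*size) otherwise; the cell at offset i then stores
   (v3 div 2^(8*i)) mod 2^8. Assumes 1 <= size <= 4. */
void encode_le(int64_t v2, size_t size, uint8_t *out) {
    uint64_t v3 = v2 >= 0 ? (uint64_t)v2
                          : (uint64_t)(v2 + ((int64_t)1 << (8 * size)));
    for (size_t i = 0; i < size; i++) {
        out[i] = (uint8_t)(v3 % 256);   /* v3 mod 2^8 */
        v3 /= 256;                      /* v3 div 2^8 */
    }
}
```

For example, the i32 value -1 is mapped to four cells that each contain 255, and the 2-byte value 258 is stored as 2 at the lower address and 1 at the higher one.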

Now we can define which concrete states are represented by an abstract state. Note that due to Def. 3, we can extract an interpretation $(as^c, mem^c)$ from every concrete state $c \ne ERR$. Then we define that a (well-formed) abstract state $a$ represents all those concrete states $c$ where $(as^c, mem^c)$ is a model of some (concrete) instantiation of $a$.

Definition 6 (Representing Concrete by Abstract States) Let $c = (CS^c, KB^c, AL^c, PT^c)$ be a concrete state where $CS^c$ uses the functions $LV^c_1, \ldots, LV^c_n$. For every $x \in \mathcal{V}_P$ where $LV^c_i(x)$ is defined, let $as^c(x_i) = n$ for the number $n \in \mathbb{Z}$ with $\models \langle c \rangle_{FO} \Rightarrow LV^c_i(x) = n$. For $n \in \mathbb{N}_{>0}$, the function $mem^c(n)$ is defined iff there exists a $w_1 \hookrightarrow_{i8} w_2 \in PT^c$ such that $\models \langle c \rangle_{FO} \Rightarrow w_1 = n$. Let $\models \langle c \rangle_{FO} \Rightarrow w_2 = k$ for $k \in [-2^7, 2^7 - 1]$. Then we have $mem^c(n) = k$ if $k \ge 0$ and $mem^c(n) = k + 2^8$ if $k < 0$.

We say that an abstract state $a = ([(p_1, LV^a_1, AL^a_1), \ldots, (p_n, LV^a_n, AL^a_n)], KB^a, AL^a, PT^a)$ represents a concrete state $c = ([(p_1, LV^c_1, AL^c_1), \ldots, (p_n, LV^c_n, AL^c_n)], KB^c, AL^c, PT^c)$ iff $a$ is well formed and $(as^c, mem^c)$ is a model of $\sigma(\langle a \rangle_{SL})$ for some concrete instantiation $\sigma$ of the symbolic variables. The only state that represents the error state ERR is ERR itself.

So the abstract state (†) from the strlen program represents all concrete states $c = ([((entry, 0), LV_1, \{\})], KB, AL, PT)$ where $mem^c$ stores a string at the address $as^c(str_1)$.⁵

3 From LLVM to Symbolic Execution Graphs

We now show how to automatically generate a symbolic execution graph that over-approximates all possible executions of a given program. For this, we present symbolic execution rules for some of the most important LLVM instructions. We start with the rules for the LLVM instructions in our strlen example in Sect. 3.1. In Sect. 3.2, we present rules for a more advanced example including memory allocation and function calls.

While there already exist approaches for symbolic execution of C or LLVM (e.g., in the tools KLEE [18] and Ufo [1]), our new abstract domain is particularly suitable for tracking explicit information about memory allocations and the contents of memory, allowing a fully automated analysis of programs with direct memory access and pointer arithmetic. Most other existing tools cannot successfully analyze termination of such programs fully automatically without the specification of invariants by the user. In particular, we also have rules for refining and generalizing abstract states. This is needed to obtain finite symbolic execution graphs that represent all possible executions. We present our algorithm to generalize states in Sect. 3.3.

³ A corresponding representation could also be defined for big-endian layout. This layout information is necessary to decide which concrete states are represented by abstract states, but it is not used when constructing symbolic execution graphs (i.e., our remaining approach is independent of such layout information).

⁴ We identify sets of first-order formulas $\{\varphi_1, \ldots, \varphi_n\}$ with their conjunction $\varphi_1 \wedge \ldots \wedge \varphi_n$. Thus, $CS$ is identified with the set resp. with the conjunction of the equations $\bigcup_{1 \le i \le n} \{x_i = LV_i(x) \mid x \in \mathcal{V}_P, LV_i(x) \text{ is defined}\}$. Moreover, we wrote $(true \ast (\mathop{\ast}_{\varphi \in AL^*} \langle \varphi \rangle_{SL}))$ to ensure that this part of the formula is $true$ if $AL^* = \emptyset$.

⁵ The reason is that then there is an address $end \in \mathbb{N}_{>0}$ with $end \ge as^c(str_1)$ such that $mem^c(end) = 0$ and $mem^c$ is defined for all numbers between $as^c(str_1)$ and $end$. Hence if $a$ is the state in (†), then $mem^c \models$ …

3.1 Basic Symbolic Execution Rules

Our analysis starts with the set of initial states that one wants to analyze for termination, e.g., all states where str points to a string. So in our example, we start with the abstract state (†). Fig. 1 depicts the symbolic execution graph for strlen. Here, we omitted the component $AL = \{\llbracket u_{str}, v_{end} \rrbracket\}$ for the global allocation list, which stays the same in all states in this example. We also abbreviated parts of $CS$, $KB$, and $PT$ by “. . .”. Instead of $v_{end} \hookrightarrow_{i8} z$ and $z = 0$, we directly wrote $v_{end} \hookrightarrow 0$, etc.

The function strlen starts with loading the character at address str to c0. Let $p : ins$ denote that $ins$ is the instruction at position $p$. Our first rule handles the case $p$: “x = load ty* ad”, i.e., the value of type ty at the address ad is assigned to the variable x. In our rules, let $a$ always denote the state before the execution step (i.e., above the horizontal line of the rule). Moreover, we write $\langle a \rangle$ instead of $\langle a \rangle_{FO}$. As each memory cell stores one byte, in the load-rule we first have to check whether the addresses $ad, \ldots, ad + size(ty) - 1$ are allocated, i.e., whether there is a $\llbracket v_1, v_2 \rrbracket \in AL^*$ such that $\langle a \rangle \Rightarrow (v_1 \le LV_1(ad) \wedge LV_1(ad) + size(ty) - 1 \le v_2)$ is valid. Then, we reach a new state where the previous position $p = (b, i)$ is updated to the position $p^+ = (b, i + 1)$ of the next instruction in the same basic block, and we set $LV_1(x) = w$ for a fresh $w \in \mathcal{V}_{sym}$. Here we write $LV_1[x := w]$ for the function where $(LV_1[x := w])(x) = w$ and for $y \ne x$, we have $(LV_1[x := w])(y) = LV_1(y)$. Moreover, we add $LV_1(ad) \hookrightarrow_{ty} w$ to $PT$. Thus, if $PT$ already contained a formula $LV_1(ad) \hookrightarrow_{ty} u$, then $\langle a \rangle$ implies $w = u$. We used this rule to obtain B from A in Fig. 1.

In memory access instructions like load, one can also specify an optional alignment al which indicates that the respective addresses are divisible by al. This alignment information is generated by the LLVM code emitter (e.g., by the compiler from C to LLVM). It is a hint to the code generator (which transforms LLVM code into machine code) that the address will be at the specified alignment. The code generator may use this information for optimizations. Note in the rules that $LV_1$ is a partial function, i.e., $LV_1$ may not be defined for all $x \in \mathcal{V}_P$. But according to [53], in well-formed LLVM programs all uses of a variable are dominated by its definition. So $LV_1(x)$ is always defined when we read from x during symbolic execution.

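load from allocated memory ($p$: “x = load ty* ad [, align al]” with $x, ad \in \mathcal{V}_P$, $al \in \mathbb{N}$)

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{((p^+, LV_1[x := w], AL_1) \cdot CS, KB, AL, PT \cup \{LV_1(ad) \hookrightarrow_{ty} w\})}$$

if

• there is $\llbracket v_1, v_2 \rrbracket \in AL^*$ with $\models \langle a \rangle \Rightarrow (v_1 \le LV_1(ad) \wedge LV_1(ad) + size(ty) - 1 \le v_2)$,
• $\models \langle a \rangle \Rightarrow (LV_1(ad) \bmod al = 0)$, if an alignment $al \ge 1$ is specified,
• $w \in \mathcal{V}_{sym}$ is fresh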

In a similar way, we formulate a rule for instructions that store a value at some address in the memory. The instruction “store ty t, ty* ad” stores the value t of type ty at the address ad. Again, we check whether $LV_1(ad), \ldots, LV_1(ad) + size(ty) - 1$ are addresses in an allocated part of the memory. The information that ad now points to t is added to the set $PT$. All other information in $PT$ that is not influenced by this change is kept.⁶

⁶ For any terms, “ …

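A: $[((entry, 0), \{str_1 = u_{str}, \ldots\}, \{\})], \{\ldots\}, \{v_{end} \hookrightarrow 0\}$

B: $[((entry, 1), \{str_1 = u_{str}, c0_1 = v_1, \ldots\}, \{\})], \{\ldots\}, \{u_{str} \hookrightarrow v_1, v_{end} \hookrightarrow 0\}$

C: $[((entry, 1), \{str_1 = u_{str}, c0_1 = v_1, \ldots\}, \{\})], \{v_1 = 0, \ldots\}, \{\ldots\}$

D: $[((entry, 1), \{str_1 = u_{str}, c0_1 = v_1, \ldots\}, \{\})], \{v_1 \ne 0, \ldots\}, \{u_{str} \hookrightarrow v_1, v_{end} \hookrightarrow 0\}$

. . .

E: $[((entry, 2), \{str_1 = u_{str}, c0zero_1 = v_2, \ldots\}, \{\})], \{v_2 = 0, \ldots\}, \{v_{end} \hookrightarrow 0, \ldots\}$

F: $[((loop, 1), \{str_1 = u_{str}, olds_1 = v_3, \ldots\}, \{\})], \{v_3 = u_{str}, \ldots\}, \{v_{end} \hookrightarrow 0, \ldots\}$

G: $[((loop, 2), \{str_1 = u_{str}, s_1 = v_4, \ldots\}, \{\})], \{v_4 = v_3 + 1, v_3 = u_{str}, \ldots\}, \{v_{end} \hookrightarrow 0, \ldots\}$

H: $[((loop, 3), \{str_1 = u_{str}, c_1 = v_5, s_1 = v_4, \ldots\}, \{\})], \{\ldots\}, \{v_4 \hookrightarrow v_5, v_{end} \hookrightarrow 0, \ldots\}$

I: $[((loop, 3), \{str_1 = u_{str}, c_1 = v_5, \ldots\}, \{\})], \{v_5 = 0, \ldots\}, \{\ldots\}$

. . .

J: $[((loop, 3), \{str_1 = u_{str}, c_1 = v_5, s_1 = v_4, \ldots\}, \{\})], \{v_5 \ne 0, \ldots\}, \{v_4 \hookrightarrow v_5, v_{end} \hookrightarrow 0, \ldots\}$

K: $[((loop, 4), \{str_1 = u_{str}, czero_1 = v_6, c_1 = v_5, s_1 = v_4, olds_1 = v_3, \ldots\}, \{\})], \{v_5 \ne 0, v_6 = 0, v_4 = v_3 + 1, v_3 = u_{str}, \ldots\}, \{v_4 \hookrightarrow v_5, v_{end} \hookrightarrow 0, \ldots\}$

L: $[((loop, 4), \{str_1 = v_{str}, c_1 = v_c, s_1 = v_s, olds_1 = v_{olds}, \ldots\}, \{\})], \{v_c \ne 0, v_s = v_{olds} + 1, v_{olds} \ge v_{str}, v_s < v_{end}, \ldots\}, \{v_s \hookrightarrow v_c, v_{end} \hookrightarrow 0, \ldots\}$

M: $[((loop, 3), \{str_1 = v_{str}, c_1 = w_c, s_1 = w_s, olds_1 = w_{olds}, \ldots\}, \{\})], \{w_s = w_{olds} + 1, w_{olds} = v_s, v_s < v_{end}, \ldots\}, \{w_s \hookrightarrow w_c, v_{end} \hookrightarrow 0, \ldots\}$

. . .

N: $[((loop, 4), \{str_1 = v_{str}, c_1 = w_c, s_1 = w_s, olds_1 = w_{olds}, \ldots\}, \{\})], \{w_c \ne 0, w_s = w_{olds} + 1, w_{olds} = v_s, v_s < v_{end}, \ldots\}, \{w_s \hookrightarrow w_c, v_{end} \hookrightarrow 0, \ldots\}$

Fig. 1 Symbolic execution graph for strlen (states of the nodes A to N)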

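store to allocated memory ($p$: “store ty t, ty* ad [, align al]”, $t \in \mathcal{V}_P \cup \mathbb{Z}$, $ad \in \mathcal{V}_P$, $al \in \mathbb{N}$)

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{((p^+, LV_1, AL_1) \cdot CS, KB \cup \{w = LV_1(t)\}, AL, PT' \cup \{LV_1(ad) \hookrightarrow_{ty} w\})}$$

if

• there is $\llbracket v_1, v_2 \rrbracket \in AL^*$ with $\models \langle a \rangle \Rightarrow (v_1 \le LV_1(ad) \wedge LV_1(ad) + size(ty) - 1 \le v_2)$,
• $PT' = \{(w_1 \hookrightarrow_{sy} w_2) \in PT \mid\ \models \langle a \rangle \Rightarrow (\llbracket LV_1(ad), LV_1(ad) + size(ty) - 1 \rrbracket \perp \llbracket w_1, w_1 + size(sy) - 1 \rrbracket)\}$,
• $\models \langle a \rangle \Rightarrow (LV_1(ad) \bmod al = 0)$, if an alignment $al \ge 1$ is specified,
• $w \in \mathcal{V}_{sym}$ is fresh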
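The effect of a store on the points-to information can be sketched on concrete addresses as follows. The type PointsTo and the functions ranges_disjoint and store_update are hypothetical names for this illustration; in the rule itself, disjointness has to be proved from the formula of the state, whereas the sketch simply compares numbers.

```c
#include <stdbool.h>
#include <stddef.h>

/* A concrete points-to entry: `size` bytes starting at address `addr`. */
typedef struct { long addr; long size; long value; } PointsTo;

/* True iff the byte ranges [a, a+sa-1] and [b, b+sb-1] are disjoint. */
static bool ranges_disjoint(long a, long sa, long b, long sb) {
    return a + sa - 1 < b || b + sb - 1 < a;
}

/* Keeps only the entries that a store to [ad, ad+size-1] cannot have
   overwritten (the set PT' of the rule), then appends the new entry.
   Returns the new number of entries. The caller must provide room for
   one additional entry in pt. */
size_t store_update(PointsTo *pt, size_t n, long ad, long size, long value) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (ranges_disjoint(ad, size, pt[i].addr, pt[i].size))
            pt[kept++] = pt[i];
    pt[kept++] = (PointsTo){ad, size, value};
    return kept;
}
```

Entries whose byte range overlaps the written range are dropped even if only one byte is affected, which matches the conservative treatment in the rule.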

If load or store accesses a non-allocated address or if the address does not correspond to the specified alignment, then memory safety is violated and we reach the ERR state.

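load or store on unallocated memory ($p$: “x = load ty* ad [, align al]” with $x, ad \in \mathcal{V}_P$ and $al \in \mathbb{N}$, or $p$: “store ty t, ty* ad [, align al]” with $t \in \mathcal{V}_P \cup \mathbb{Z}$, $ad \in \mathcal{V}_P$, and $al \in \mathbb{N}$)

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{ERR}$$

if there is no $\llbracket v_1, v_2 \rrbracket \in AL^*$ with $\models \langle a \rangle \Rightarrow (v_1 \le LV_1(ad) \wedge LV_1(ad) + size(ty) - 1 \le v_2)$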

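load or store with unsafe alignment ($p$: “x = load ty* ad, align al” with $x, ad \in \mathcal{V}_P$ and $al \in \mathbb{N}_{>0}$, or $p$: “store ty t, ty* ad, align al” with $t \in \mathcal{V}_P \cup \mathbb{Z}$, $ad \in \mathcal{V}_P$, and $al \in \mathbb{N}_{>0}$)

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{ERR}$$

if $\not\models \langle a \rangle \Rightarrow (LV_1(ad) \bmod al = 0)$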
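The conditions that decide between a successful access and the two ERR rules can be summarized by a C sketch on concrete addresses. The names Area, Access, and check_access are hypothetical, and an alignment of 0 is used here to encode that no alignment was specified. Note that for abstract states, ERR is already reached if the required validity cannot be proved, while the sketch decides the conditions exactly.

```c
#include <stddef.h>

typedef struct { long lo, hi; } Area;   /* concrete allocated area [v1, v2] */
typedef enum { ACCESS_OK, ERR_UNALLOCATED, ERR_ALIGNMENT } Access;

/* Decides which rule applies to a load or store of `size` bytes at the
   address `ad`; align == 0 means that no alignment was specified. */
Access check_access(const Area *al_star, size_t n,
                    long ad, long size, long align) {
    int allocated = 0;
    for (size_t i = 0; i < n; i++)
        if (al_star[i].lo <= ad && ad + size - 1 <= al_star[i].hi)
            allocated = 1;              /* all accessed cells lie in one area */
    if (!allocated)
        return ERR_UNALLOCATED;
    if (align >= 1 && ad % align != 0)
        return ERR_ALIGNMENT;
    return ACCESS_OK;
}
```

The whole accessed range must lie inside a single allocated area; an access that straddles two adjacent areas is rejected, as in the rules.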


if the state contains enough information to decide whether the values $t_1$ and $t_2$ of type ty are equal. In that case, the value 1 resp. 0 (i.e., true resp. false) is assigned to x.

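icmp eq ($p$: “x = icmp eq ty t1, t2” with $x \in \mathcal{V}_P$ and $t_1, t_2 \in \mathcal{V}_P \cup \mathbb{Z}$)

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{((p^+, LV_1[x := w], AL_1) \cdot CS, KB \cup \{w = 1\}, AL, PT)}$$

if $\models \langle a \rangle \Rightarrow (LV_1(t_1) = LV_1(t_2))$ and $w \in \mathcal{V}_{sym}$ is fresh

$$\frac{((p, LV_1, AL_1) \cdot CS, KB, AL, PT)}{((p^+, LV_1[x := w], AL_1) \cdot CS, KB \cup \{w = 0\}, AL, PT)}$$

if $\models \langle a \rangle \Rightarrow (LV_1(t_1) \ne LV_1(t_2))$ and $w \in \mathcal{V}_{sym}$ is fresh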

Other integer comparisons (for <, ≤, . . . ) are handled analogously. Note that LLVM always represents integers in two’s complement, as does the knowledge base in our states. However, some instructions explicitly consider values in an unsigned way, and this needs to be reflected in our evaluation rules. As an example, suppose that $\models \langle a \rangle \Rightarrow v = -2^7 \wedge w = 2^7 - 1$. Then signed comparison yields $v < w$, but unsigned comparison yields $v > w$, because $v$ is stored as (1 0 0 0 0 0 0 0), whereas $w$ is stored as (0 1 1 1 1 1 1 1). So for an unsigned comparison, we check whether the two values to be compared are either both positive or both negative, i.e., have the same sign. In this case, the comparison on the unsigned interpretation coincides with the signed comparison. For different signs, negative numbers (like $v = -2^7$) are always greater than positive ones (like $w = 2^7 - 1$). As an example, the following rule illustrates the affirmative case ($w = 1$) of unsigned less-or-equal (ule).

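icmp ule (p: “x = icmp ule ty t1, t2” with $x \in \mathcal{V}_P$ and $t_1, t_2 \in \mathcal{V}_P \cup \mathbb{Z}$)

$$((p^+, LV_1[x := w], AL_1) \cdot CS,\ KB \cup \{w = 1\},\ AL,\ PT)$$
if $\models \langle a \rangle \Rightarrow \big((LV_1(t_1) \leq LV_1(t_2)) \wedge (sgn(LV_1(t_1)) = sgn(LV_1(t_2)))\big) \vee \big((LV_1(t_1) \geq 0) \wedge (LV_1(t_2) < 0)\big)$ and $w \in \mathcal{V}_{sym}$ is fresh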
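The sign-based case analysis can be checked exhaustively for 8-bit values. The following Python sketch is an illustration rather than part of the rule: the helper names `to_unsigned` and `ule_by_signs` are hypothetical, and it assumes that 0 counts as having the same sign as positive numbers.

```python
def to_unsigned(value, bits=8):
    """Reinterpret a two's complement value of the given width as unsigned."""
    return value % (1 << bits)


def ule_by_signs(a, b):
    """Unsigned a <= b, decided only by signed comparisons and sign tests.

    Assumption: 0 is treated like a positive number when comparing signs.
    """
    same_sign = (a >= 0) == (b >= 0)
    # Same sign: the unsigned and the signed comparison coincide.
    # Different signs: a negative number is always the unsigned-greater one.
    return (a <= b and same_sign) or (a >= 0 and b < 0)
```

Comparing `ule_by_signs(a, b)` with `to_unsigned(a) <= to_unsigned(b)` for all pairs in the range from -128 to 127 confirms that the two agree for this bit width.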

The rules for icmp are only applicable if KB contains enough information to evaluate the respective condition. Otherwise, a case analysis needs to be performed, i.e., one has to refine the abstract state by extending its knowledge base. This is done by the following rule, which transforms an abstract state into two new ones.⁷

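refining abstract states (p: “x = icmp eq ty t1, t2”, $x \in \mathcal{V}_P$, $t_1, t_2 \in \mathcal{V}_P \cup \mathbb{Z}$)

$$((p, LV_1, AL_1) \cdot CS,\ KB \cup \{\varphi\},\ AL,\ PT) \;\mid\; ((p, LV_1, AL_1) \cdot CS,\ KB \cup \{\neg\varphi\},\ AL,\ PT)$$
if $\not\models \langle a \rangle \Rightarrow \varphi$ and $\not\models \langle a \rangle \Rightarrow \neg\varphi$ and $\varphi$ is $LV_1(t_1) = LV_1(t_2)$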

In state B of Fig. 1, we evaluate “c0zero = icmp eq i8 c0, 0”, i.e., we check if the first character c0 of the string str is 0. Since this cannot be inferred from B's knowledge base, we refine B to the successor states C and D and call the edges from B to C and D refinement edges. In D, we have $c0 = v_1$ and $v_1 \neq 0$. Thus, the icmp-rule yields E where $c0zero = v_2$ and $v_2 = 0$. We do not display the successors of C that lead to a program end.

The next instruction in our example is “br i1 c0zero, label done, label loop”, a conditional jump (or branch) to another block. Let us first consider a similar, but simpler case. The instruction “br label bnext” means that the execution has to continue with the first instruction in the block bnext. When execution moves from one block to another, in the new target block one first evaluates the phi instructions that may be present at its beginning. These instructions are needed due to the static single assignment form of LLVM and initialize the variables in the target block depending on the block from which we enter the target block. Such phi instructions may only occur at the beginning of a block, i.e., every block starts with a (possibly empty) sequence of phi instructions. A phi instruction has the form “x = phi ty [t1,b1], ..., [tn,bn]”, meaning that if the previous block was $b_j$, then the value $t_j$ is assigned to x. All $t_1, \ldots, t_n$ must have type ty. A peculiarity of phi instructions is that all phi instructions in the same block are executed atomically together. So all local variables occurring in $t_1, \ldots, t_n$ still have the values that they had before entering the new target block.

⁷ Analogous refinement rules can also be used for other conditional LLVM instructions, e.g., conditional

To handle phi in combination with the br instruction at the end of the previous block, we introduce an auxiliary function firstNonPhi. For any block b, firstNonPhi(b) is the index of the first non-phi instruction in b. Moreover, we define the function computePhi to implement the parallel execution of all phi statements “$x_1$ = phi $ty_1$ [$t^1_1, b^1_1$], ..., [$t^1_{n_1}, b^1_{n_1}$]”, ..., “$x_m$ = phi $ty_m$ [$t^m_1, b^m_1$], ..., [$t^m_{n_m}, b^m_{n_m}$]” at the start of the block bnext. Its arguments are the current values LV of the local variables, the current block $b_j$, and the target block bnext, and it returns a pair $(LV', KB_{phi})$, where $LV'$ reflects the updated local variables and $KB_{phi}$ contains information on the new symbolic variables introduced in $LV'$:

$$computePhi(LV, b_j, bnext) = (LV[x_1 := w_1, \ldots, x_m := w_m],\ \{w_1 = LV(t^1_j), \ldots, w_m = LV(t^m_j)\}),$$

where $w_1, \ldots, w_m \in \mathcal{V}_{sym}$ are fresh. Now we can define a rule that allows us to perform an unconditional jump with br to a block bnext and that executes bnext's phi instructions.

unconditional br (p: “br label bnext” with $bnext \in Blks$)

$$\frac{(((b, i), LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT)}{(((bnext, j), LV_1', AL_1) \cdot CS,\ KB \cup KB_{phi},\ AL,\ PT)}$$
if $(LV_1', KB_{phi}) = computePhi(LV_1, b, bnext)$ and $j = firstNonPhi(bnext)$
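The parallel semantics of phi instructions is the subtle point here: every operand is read from the old variable mapping before any target variable is updated. The following Python sketch illustrates this under simplifying assumptions: the names `compute_phi` and `fresh`, the encoding of a phi instruction as a pair of target variable and a block-to-operand dictionary, and the representation of the knowledge-base entries as pairs are all hypothetical.

```python
import itertools

_counter = itertools.count()


def fresh(prefix="w"):
    """Return a new symbolic variable name that has not been used before."""
    return f"{prefix}{next(_counter)}"


def compute_phi(lv, prev_block, phis):
    """Sketch of computePhi for the phi instructions of the target block.

    lv:         dict from program variables to symbolic variables.
    prev_block: name of the block we are coming from.
    phis:       list of (x, {block_name: operand}); an operand is either a
                program variable (str) or an integer literal.
    Returns (new_lv, kb_phi), where kb_phi lists the equations w = value.
    """
    def value_of(operand):
        return lv[operand] if isinstance(operand, str) else operand

    new_lv = dict(lv)  # lv itself is never modified, so all reads see old values
    kb_phi = []
    for x, incoming in phis:
        w = fresh()
        kb_phi.append((w, value_of(incoming[prev_block])))
        new_lv[x] = w
    return new_lv, kb_phi
```

With two phi instructions that swap the variables a and b, the equations refer to the old values of b and a, respectively, which a sequential update of the mapping would get wrong.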

For conditional branches “br i1 t, label b1, label b2”, one has to check whether the current state contains enough information to conclude that t is 1 (i.e., true) or 0 (i.e., false). Then the evaluation continues after the phi instructions of block b1 resp. b2.

conditional br (p: “br i1 t, label b1, label b2” with $t \in \mathcal{V}_P \cup \{0, 1\}$ and $b_1, b_2 \in Blks$)

$$\frac{(((b, i), LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT)}{(((b_1, j_1), LV_1', AL_1) \cdot CS,\ KB \cup KB_{phi},\ AL,\ PT)}$$
if $\models \langle a \rangle \Rightarrow (LV_1(t) = 1)$, $(LV_1', KB_{phi}) = computePhi(LV_1, b, b_1)$, $j_1 = firstNonPhi(b_1)$

$$\frac{(((b, i), LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT)}{(((b_2, j_2), LV_1', AL_1) \cdot CS,\ KB \cup KB_{phi},\ AL,\ PT)}$$
if $\models \langle a \rangle \Rightarrow (LV_1(t) = 0)$, $(LV_1', KB_{phi}) = computePhi(LV_1, b, b_2)$, $j_2 = firstNonPhi(b_2)$

With the br instruction, one now jumps to the loop block in State F. Note that we simplified the equalities resulting from computePhi in F, to avoid renaming in the presentation. The strlen function traverses the string using a pointer s, and the loop terminates when s eventually reaches the last memory cell of the string (containing 0). Then one jumps to done, converts the pointers s and str to integers, and returns their difference. To perform the required pointer arithmetic, “bd = getelementptr ty* ad, in t” increases ad by the size of t elements of type ty (i.e., by $size(ty) \cdot t$) and assigns this address to bd.⁸

⁸ Since we do not consider struct data structures in this paper, we disregard getelementptr instructions

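getelementptr (p: “bd = getelementptr ty* ad, in t”, $ad, bd \in \mathcal{V}_P$, $t \in \mathcal{V}_P \cup \mathbb{Z}$)

$$((p^+, LV_1[bd := w], AL_1) \cdot CS,\ KB \cup \{w = LV_1(ad) + size(ty) \cdot LV_1(t)\},\ AL,\ PT)$$
if $w \in \mathcal{V}_{sym}$ is fresh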
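On concrete numbers, the equation added to the knowledge base amounts to a scaled address offset. The following Python sketch is illustrative only: the function name and the byte sizes in `SIZE_IN_BYTES` are assumptions standing in for the paper's size function.

```python
# Assumed byte sizes for a few integer types (stand-in for size(ty)).
SIZE_IN_BYTES = {"i8": 1, "i16": 2, "i32": 4, "i64": 8}


def getelementptr(base_address, element_type, index):
    """Address of the index-th element of the given type, counted from base."""
    return base_address + SIZE_IN_BYTES[element_type] * index
```

For the strlen loop, where the element type is i8 and the index is 1, this is the step from an address to its direct successor.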

In Fig. 1, this rule is used for the step from F to G, which implies $s = str + 1$. In the step to H, the character at address s is loaded to c. To ensure memory safety, the load-rule checks that s is in an allocated part of the memory (i.e., that $u_{str} \leq u_{str} + 1 \leq v_{end}$). This holds because $\langle G \rangle$ implies $u_{str} \leq v_{end}$ and $u_{str} \neq v_{end}$ (as $u_{str} \hookrightarrow v_1, v_{end} \hookrightarrow 0 \in PT$ and $v_1 \neq 0 \in KB$). Finally, we check whether c is 0. We again perform a refinement which yields the states I and J. State J corresponds to the case $c \neq 0$ and thus, we obtain $czero = 0$ in K.

Finally, we present rules for the instructions ptrtoint and sub that are used in the block done of the strlen example. The ptrtoint instruction simply converts pointers to integers and is needed to perform subsequent arithmetic operations on them (e.g., to subtract one address from another in the strlen algorithm). In a similar way, we also have rules to handle other LLVM instructions for casting between pointers and different types of integers.

ptrtoint (p: “x = ptrtoint ty* ad to in” with $x, ad \in \mathcal{V}_P$)

$$((p^+, LV_1[x := w], AL_1) \cdot CS,\ KB \cup \{w = LV_1(ad)\},\ AL,\ PT)$$
if $w \in \mathcal{V}_{sym}$ is fresh

In sub instructions of the form “x = sub ty t1, t2”, both t1 and t2 must have the type ty and the variable x also gets this type. We use similar rules to handle other LLVM instructions for other arithmetic, Boolean, and bit manipulation operations.

sub (p: “x = sub ty t1, t2” with $x \in \mathcal{V}_P$, $t_1, t_2 \in \mathcal{V}_P \cup \mathbb{Z}$)

$$((p^+, LV_1[x := w], AL_1) \cdot CS,\ KB \cup \{w = LV_1(t_1) - LV_1(t_2)\},\ AL,\ PT)$$
if $w \in \mathcal{V}_{sym}$ is fresh

3.2 Advanced Symbolic Execution Rules

Now we also present rules that allow allocation of memory, function calls, and manipulation of larger memory chunks. We start with a rule for the alloca statement. The instruction “x = alloca ty, in t” allocates memory for t elements of the type ty. Here, x is an identifier from $\mathcal{V}_P$ of type ty* and t is either an identifier or a natural number. Thus, a new interval is allocated (i.e., the allocation list $AL_1$ of the current stack frame is extended by $[\![v_1, v_2]\!]$ for fresh symbolic variables $v_1, v_2$) and KB is extended by $v_2 = v_1 + size(ty) \cdot LV_1(t) - 1$. Moreover, the address of the first memory cell in the newly allocated block is assigned to x. Thus, we update $LV_1$ by $x = v_1$. Again, the code emitter may have added an alignment al.

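alloca (p: “x = alloca ty, in t [, align al]” with $x \in \mathcal{V}_P$, $t \in \mathcal{V}_P \cup \mathbb{Z}$, and $al \in \mathbb{N}$)

ERR if $\not\models \langle a \rangle \Rightarrow (LV_1(t) > 0)$

$$((p^+, LV_1[x := v_1], AL_1 \cup \{[\![v_1, v_2]\!]\}) \cdot CS,\ KB' \cup \{v_2 = v_1 + size(ty) \cdot LV_1(t) - 1\},\ AL,\ PT)$$
if
• we have $\models \langle a \rangle \Rightarrow (LV_1(t) > 0)$,
• $KB' = KB \cup \{v_1 \bmod c = 0\}$, where $c = al$, if $al \geq 1$ is specified, or else $c = align(ty)$,
• $v_1, v_2 \in \mathcal{V}_{sym}$ are fresh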

Note that alloca is used to allocate memory on the stack, whereas malloc and free allocate and release memory on the heap. The latest versions of LLVM no longer have built-in malloc or free instructions; instead, one has to call them as external functions (provided by the standard C library). For LLVM programs that call malloc or free, we use the following two inference rules. The rule for malloc mainly differs from the rule for alloca by placing the newly allocated memory region into the global allocation list instead of the allocation list of the current stack frame. Here, “x = call i8* @malloc(in t)” allocates t bytes and the address of the first memory cell in this block is assigned to x. Depending on the processor architecture of the target machine, the allocated memory is 8-byte or 16-byte aligned. Our rule for malloc currently does not take into account that malloc may also return NULL without allocating any memory. However, we could easily support this by introducing a corresponding second successor state for this possible outcome.

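malloc (p: “x = call i8* @malloc(in t)” with $x \in \mathcal{V}_P$ and $t \in \mathcal{V}_P \cup \mathbb{Z}$)

$$((p^+, LV_1[x := v_1], AL_1) \cdot CS,\ KB' \cup \{v_2 = v_1 + LV_1(t) - 1\},\ AL \cup \{[\![v_1, v_2]\!]\},\ PT)$$
if
• we have $\models \langle a \rangle \Rightarrow (LV_1(t) > 0)$,
• $KB' = KB \cup \{v_1 \bmod c = 0\}$, where $c = 8$ for 32-bit platforms and $c = 16$ for 64-bit platforms,
• $v_1, v_2 \in \mathcal{V}_{sym}$ are fresh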
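Both allocation rules record an interval whose end address is determined by the start address, the element size, and the number of elements. The following Python sketch shows this bookkeeping on concrete numbers; the function name `allocate`, the list-of-pairs representation, and the explicitly chosen start addresses are assumptions for illustration (in the rules, the start address is a fresh symbolic variable constrained only by the alignment).

```python
def allocate(allocation_list, start, element_size, count, alignment):
    """Return a copy of allocation_list extended by one new interval.

    The interval covers `count` elements of `element_size` bytes, beginning
    at `start`, i.e. it ends at start + element_size * count - 1.
    """
    if count <= 0:
        # Corresponds to the side condition LV_1(t) > 0 of the rules.
        raise ValueError("number of allocated elements must be positive")
    if start % alignment != 0:
        # Corresponds to the constraint v_1 mod c = 0.
        raise ValueError("start address violates the required alignment")
    end = start + element_size * count - 1
    return allocation_list + [(start, end)]


# alloca-style allocation: 10 elements of 4 bytes in the current stack frame.
stack_frame_allocations = allocate([], start=1024, element_size=4,
                                   count=10, alignment=4)
# malloc-style allocation: 5 bytes in the global list, 16-byte aligned.
heap_allocations = allocate([], start=4096, element_size=1,
                            count=5, alignment=16)
```

The only difference between the two calls is the list that receives the interval, which mirrors the difference between the alloca rule and the malloc rule.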

LLVM does not explicitly distinguish between the heap and stack, but applies the same memory model for both (using load and store). However, memory acquired by alloca is automatically released at the end of the function in which it was allocated, while memory acquired by malloc has to be released explicitly by calling free. The instruction “call void @free(i8* t)” releases the allocated memory block starting at the address t. Moreover, it deletes those entries from PT which are known to correspond to this memory block. Calling free on NULL does not change the state. If free is called with an address that is neither the beginning of an allocated memory block in the global allocation list (of memory allocated by malloc) nor NULL, then memory safety is violated and we reach the state ERR.
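The three cases of free described in this paragraph can be sketched on concrete values as follows. This is an illustration under assumptions: the function name `free_block`, the use of a dictionary from addresses to values for the points-to information, and the use of a Python exception for the ERR state are all choices made for this example.

```python
def free_block(heap_allocations, points_to, address):
    """Concrete analogue of the three cases of free (illustrative only).

    heap_allocations: list of (first, last) address pairs, both inclusive.
    points_to:        dict from addresses to the values stored there.
    Returns the updated (heap_allocations, points_to).
    """
    if address == 0:
        # Freeing NULL leaves the state unchanged.
        return heap_allocations, points_to
    for (first, last) in heap_allocations:
        if first == address:
            remaining = [iv for iv in heap_allocations if iv != (first, last)]
            # Drop all points-to entries that lie inside the released block.
            kept = {a: v for a, v in points_to.items()
                    if not (first <= a <= last)}
            return remaining, kept
    # Neither NULL nor the start of an allocated block: memory safety violated.
    raise ValueError("free called on an address that starts no allocated block")
```

Note that an address in the middle of an allocated block is rejected as well, since only the start address of a block may be passed to free.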

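free (p: “call void @free(i8* t)” with $t \in \mathcal{V}_P \cup \mathbb{Z}$)

$$\frac{((p, LV_1, AL_1) \cdot CS,\ KB,\ AL \uplus \{[\![v_1, v_2]\!]\},\ PT)}{((p^+, LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT')}$$
if
• $v_1, v_2 \in \mathcal{V}_{sym}$,
• $\models \langle a \rangle \Rightarrow (LV_1(t) = v_1)$,
• $PT'$ results from $PT$ by removing all $v \hookrightarrow_{ty} w$ where $\models \langle a \rangle \Rightarrow v_1 \leq v \wedge v \leq v_2$

$$((p^+, LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT)$$
if $\models \langle a \rangle \Rightarrow (LV_1(t) = 0)$

ERR if
• $\not\models \langle a \rangle \Rightarrow (LV_1(t) = 0)$,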


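A′: $[((main, 0), \{i_1 = v_i, \ldots\}, \{\})], \{\ldots\}, \{\}, \{\}$

B′: $[((main, 0), \{i_1 = v_i, \ldots\}, \{\})], \{v_i < 1, \ldots\}, \{\}, \{\}$

C′: $[((main, 0), \{i_1 = v_i, \ldots\}, \{\})], \{v_i \geq 1, \ldots\}, \{\}, \{\}$

...

D′: $[((main, 1), \{i_1 = v_i, ineg_1 = v_{ineg}, \ldots\}, \{\})], \{v_i \geq 1, v_{ineg} = 0, \ldots\}, \{\}, \{\}$

E′: $[((main, 2), \{bytes_1 = v_{bytes}, \ldots\}, \{\})], \{v_i \geq 1, v_{bytes} = v_i, \ldots\}, \{\}, \{\}$

F′: $[((main, 3), \{bytes_1 = v_{bytes}, ad_1 = v_{ad}, \ldots\}, \{\})], \{v_{ad\_end} = v_{ad} + v_{bytes} - 1, v_{bytes} = v_i, \ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{\}$

G′: $[((main, 4), \{pos_1 = v_{pos}, \ldots\}, \{\})], \{v_{ad\_end} = v_{ad} + v_i - 1, v_{pos} = v_i - 1, \ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{\}$

H′: $[((main, 5), \{last_1 = v_{last}, \ldots\}, \{\})], \{v_{ad\_end} = v_{ad} + v_i - 1, v_{last} = v_{ad\_end}, \ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{\}$

I′: $[((main, 6), \{last_1 = v_{last}, \ldots\}, \{\})], \{v_{ad\_end} = v_{ad} + v_i - 1, v_{last} = v_{ad\_end}, \ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{v_{ad\_end} \hookrightarrow 0\}$

J′: $[((entry, 0), \{str_1 = u_{str}, \ldots\}, \{\}), ((main, 6), \{\ldots\}, \{\})], \{v_{ad\_end} = v_{ad} + v_i - 1, \ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{v_{ad\_end} \hookrightarrow 0\}$

...

K′: $[((done, 4), \{size_1 = v_{size}, \ldots\}, \{\}), ((main, 6), \{\ldots\}, \{\})], \{\ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{v_{ad\_end} \hookrightarrow 0\}$

L′: $[((main, 7), \{len_1 = v_{size}, ad_1 = v_{ad}, \ldots\}, \{\})], \{\ldots\}, \{[\![v_{ad}, v_{ad\_end}]\!]\}, \{v_{ad\_end} \hookrightarrow 0\}$

M′: $[((main, 8), \{len_1 = v_{size}, \ldots\}, \{\})], \{\ldots\}, \{\}, \{\}$

Fig. 2 Symbolic execution graph for main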

To illustrate the rules for allocating and releasing memory, assume that we call the function strlen within a main function with a pointer to a memory area allocated by malloc. The symbolic execution graph for the corresponding LLVM program is depicted in Fig. 2.

    int main(int i) {
      if (i < 1) i = 1;
      char* str = (char*) malloc(i * sizeof(char));
      str[i-1] = '\0';
      int len = strlen(str);
      free(str);
      return len;
    }

    define i32 @main(i32 i) {
    main: 0: ineg = icmp slt i32 i, 1
          1: bytes = select i1 ineg, i32 1, i32 i
          2: ad = call i8* @malloc(i32 bytes)
          3: pos = add i32 bytes, -1
          4: last = getelementptr i8* ad, i32 pos
          5: store i8 0, i8* last
          6: len = call i32 @strlen(i8* ad)
          7: call void @free(i8* ad)
          8: ret i32 len }

The first instruction is icmp slt, which checks if the function argument i in signed interpretation is less than 1 (slt). Since in state A′, we do not have any information on i, we refine A′ to the states B′ and C′. C′ is then evaluated to D′, where the result of the comparison is assigned to ineg. Depending on the value of ineg, the select instruction assigns 1 or i to the variable bytes. In F′, the call of malloc has been evaluated: the entry $[\![v_{ad}, v_{ad\_end}]\!]$ is added to the global allocation list and in the knowledge base we keep the relationship between the start address $v_{ad}$ and the end address $v_{ad\_end}$. In M′, the


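call (p: “x = call ty @function(ty1 t1, ..., tyn tn)” with $x \in \mathcal{V}_P$, $t_1, \ldots, t_n \in \mathcal{V}_P \cup \mathbb{Z}$)

$$(((function.entry, 0), LV_0, \{\}) \cdot (p, LV_1, AL_1) \cdot CS,\ KB',\ AL,\ PT)$$
if
• function.entry is the entry block of function,
• function is declared as function($ty_1\ u_1, \ldots, ty_n\ u_n$),
• $w_1, \ldots, w_n \in \mathcal{V}_{sym}$ are fresh,
• $LV_0(u_1) = w_1, \ldots, LV_0(u_n) = w_n$, and $LV_0(x)$ is undefined for all $x \in \mathcal{V}_P \setminus \{u_1, \ldots, u_n\}$,
• $KB' = KB \cup \{w_1 = LV_1(t_1), \ldots, w_n = LV_1(t_n)\}$

ret ($p_0$: “ret ty t”; $p_1$: “x = call ty ...” with $x \in \mathcal{V}_P$, $t \in \mathcal{V}_P \cup \mathbb{Z}$)

$$\frac{((p_0, LV_0, AL_0) \cdot (p_1, LV_1, AL_1) \cdot CS,\ KB,\ AL,\ PT)}{((p_1^+, LV_1[x := w], AL_1) \cdot CS,\ KB \cup \{w = LV_0(t)\},\ AL,\ PT')}$$
if
• $w \in \mathcal{V}_{sym}$ is fresh,
• $PT'$ results from $PT$ by removing all $v \hookrightarrow_{ty} w$ where there exists some $[\![v_1, v_2]\!] \in AL_0$ with $\models \langle a \rangle \Rightarrow v_1 \leq v \wedge v \leq v_2$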

3.3 Generalizing Abstract States

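In the strlen example and its graph in Fig. 1, after reaching K, one unfolds the loop once more until one reaches a state $\widetilde{K}$ at position (loop, 4) again, analogous to the first iteration. To obtain finite symbolic execution graphs, we generalize our states whenever an evaluation visits a program position (b, j) twice and the domains of the local variable mappings $LV_i$ in the two states are the same. Thus, we have to find a state that is more general than $K = ([(p, LV_1^K, \{\})], KB^K, AL, PT^K)$ and $\widetilde{K} = ([(p, LV_1^{\widetilde{K}}, \{\})], KB^{\widetilde{K}}, AL, PT^{\widetilde{K}})$. For readability, we again write “$\hookrightarrow$” instead of “$\hookrightarrow_{i8}$”. Then $p = (loop, 4)$, $AL = \{[\![u_{str}, v_{end}]\!]\}$, and

$$LV_1^K = \{str_1 = u_{str}, c_1 = v_5, s_1 = v_4, olds_1 = v_3, \ldots\}$$
$$LV_1^{\widetilde{K}} = \{str_1 = u_{str}, c_1 = \tilde{v}_5, s_1 = \tilde{v}_4, olds_1 = \tilde{v}_3, \ldots\}$$
$$PT^K = \{u_{str} \hookrightarrow v_1, v_4 \hookrightarrow v_5, v_{end} \hookrightarrow z\}$$
$$PT^{\widetilde{K}} = \{u_{str} \hookrightarrow v_1, v_4 \hookrightarrow v_5, \tilde{v}_4 \hookrightarrow \tilde{v}_5, v_{end} \hookrightarrow z\}$$
$$KB^K = \{v_5 \neq 0, v_4 = v_3 + 1, v_3 = u_{str}, v_1 \neq 0, z = 0, \ldots\}$$
$$KB^{\widetilde{K}} = \{\tilde{v}_5 \neq 0, \tilde{v}_4 = \tilde{v}_3 + 1, \tilde{v}_3 = v_4, v_4 = v_3 + 1, v_3 = u_{str}, v_1 \neq 0, z = 0, \ldots\}.$$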

Our aim is to construct a new state L that is more general than K and $\widetilde{K}$, but contains enough information for the remaining proof. We now present our heuristic for merging states that is used in our implementation.

To merge K and $\widetilde{K}$, we keep those constraints of K that also hold in $\widetilde{K}$. To this end, we proceed in two steps. First, we create a new state $L = ([(p, LV_1^L, \{\})], KB^L, AL^L, PT^L)$ using fresh symbolic variables $v_x$ for all $x \in \mathcal{V}_P$ where $LV_1^K$ and $LV_1^{\widetilde{K}}$ are defined. This yields

$$LV_1^L = \{str_1 = v_{str}, c_1 = v_c, s_1 = v_s, olds_1 = v_{olds}, \ldots\}.$$

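We then create mappings $\mu_K$ (resp. $\mu_{\widetilde{K}}$) from L's symbolic variables to their counterparts in K (resp. $\widetilde{K}$), i.e., $\mu_K(v_x) = LV_1^K(x)$ if $LV_1^K(x)$ is defined. In our example, $\mu_K(v_{str}) = u_{str}$, $\mu_K(v_c) = v_5$, $\mu_K(v_s) = v_4$, $\mu_K(v_{olds}) = v_3$, and $\mu_{\widetilde{K}}(v_{str}) = u_{str}$, $\mu_{\widetilde{K}}(v_c) = \tilde{v}_5$, $\mu_{\widetilde{K}}(v_s) = \tilde{v}_4$, $\mu_{\widetilde{K}}(v_{olds}) = \tilde{v}_3$. By injectivity of $LV_1^K$, we can also define a pseudo-inverse of $\mu_K$ that maps K's variables to L by setting $\mu_K^{-1}(LV_1^K(x)) = v_x$ if $LV_1^K(x)$ is defined and $\mu_K^{-1}(v) = v$ for all other $v \in \mathcal{V}_{sym}$ ($\mu_{\widetilde{K}}^{-1}$
same program variable are mapped to the same symbolic variable by $\mu_K^{-1}$ and $\mu_{\widetilde{K}}^{-1}$.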

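In a second step, we use the mappings $\mu_K^{-1}$ and $\mu_{\widetilde{K}}^{-1}$ to check which constraints of K also hold in $\widetilde{K}$. So we set $AL^L = \mu_K^{-1}(AL) \cap \mu_{\widetilde{K}}^{-1}(AL) = \{[\![v_{str}, v_{end}]\!]\}$ and

$$PT^L = \mu_K^{-1}(PT^K) \cap \mu_{\widetilde{K}}^{-1}(PT^{\widetilde{K}})$$
$$= \{v_{str} \hookrightarrow v_1, v_s \hookrightarrow v_c, v_{end} \hookrightarrow z\} \cap \{v_{str} \hookrightarrow v_1, v_4 \hookrightarrow v_5, v_s \hookrightarrow v_c, v_{end} \hookrightarrow z\}$$
$$= \{v_{str} \hookrightarrow v_1, v_s \hookrightarrow v_c, v_{end} \hookrightarrow z\}.$$

Here, $v_1$ is not changed by $\mu_K^{-1}$ and $\mu_{\widetilde{K}}^{-1}$ because it is not assigned to a program variable.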
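This renaming followed by intersection is purely syntactic and can be replayed directly. In the following Python sketch, points-to entries are modelled as (address, value) pairs of variable names, the inverse mappings are dictionaries, and the names `vt3`, `vt4`, `vt5` stand for the variables of the second loop unfolding; these encodings and the helper name `rename` are assumptions made for illustration.

```python
def rename(entries, inverse_mu):
    """Apply an inverse mapping to both sides of every points-to entry.

    Variables that are not in the dictionary are mapped to themselves.
    """
    return {(inverse_mu.get(addr, addr), inverse_mu.get(val, val))
            for addr, val in entries}


# Points-to information of the state after the first and the second unfolding.
pt_k = {("u_str", "v1"), ("v4", "v5"), ("v_end", "z")}
pt_k_tilde = {("u_str", "v1"), ("v4", "v5"), ("vt4", "vt5"), ("v_end", "z")}

# Inverse mappings from each state's variables to the merged variables.
inv_mu_k = {"u_str": "v_str", "v5": "v_c", "v4": "v_s", "v3": "v_olds"}
inv_mu_k_tilde = {"u_str": "v_str", "vt5": "v_c", "vt4": "v_s", "vt3": "v_olds"}

# Keep only the entries that both states agree on after renaming.
pt_l = rename(pt_k, inv_mu_k) & rename(pt_k_tilde, inv_mu_k_tilde)
```

The entry for `v4` survives in the renamed second state under its old name, because there it no longer belongs to a program variable, and it is therefore dropped by the intersection.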

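It remains to construct $KB^L$. Essentially, we would like to take the intersection of those formulas that are implied by the knowledge bases of K and $\widetilde{K}$. So in principle, we would like to define the knowledge base of the new merged state L as follows:

$$KB^L = \{\varphi \mid\ \models \mu_K^{-1}(\langle K \rangle) \Rightarrow \varphi \ \text{ and } \ \models \mu_{\widetilde{K}}^{-1}(\langle \widetilde{K} \rangle) \Rightarrow \varphi\} \qquad (1)$$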

However, with this definition $KB^L$ would be an infinite set of formulas, which is not suitable for automation. Thus, we restrict the definition of $KB^L$ to a finite subset of (1) that can be automatically generated from the knowledge bases of the states K and $\widetilde{K}$. This restriction is only a heuristic and has no impact on the correctness, since it would already be correct to include all formulas of (1) in the knowledge base of the generalized state.

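Our heuristic for the restriction of (1) considers K's knowledge base and extends it by certain additional formulas. This leads to a finite set $\langle\!\langle K \rangle\!\rangle$. For these finitely many formulas we then check whether they are also implied by $\langle \widetilde{K} \rangle$ (when renaming variables appropriately). More precisely, we have $v_3 = u_{str}$ (“olds = str”) in $\langle K \rangle$, but $\tilde{v}_3 = v_4$, $v_4 = v_3 + 1$, $v_3 = u_{str}$ (“olds = str+1”) in $\langle \widetilde{K} \rangle$. To keep as much information as possible, we rewrite equations to inequations before performing the generalization. So let $\langle\!\langle K \rangle\!\rangle$ result from extending $\langle K \rangle$ by $t_1 \geq t_2$ and $t_1 \leq t_2$ for any equation $t_1 = t_2 \in \langle K \rangle$. In our example, we obtain $v_3 \geq u_{str} \in \langle\!\langle K \rangle\!\rangle$ (“olds ≥ str”). Moreover, for any $t_1 \neq t_2 \in \langle K \rangle$, we check whether $\langle K \rangle$ implies $t_1 > t_2$ or $t_1 < t_2$, and add the respective inequation to $\langle\!\langle K \rangle\!\rangle$. In this way, one can express sequences of inequations $t_1 \neq t_2, t_1 + 1 \neq t_2, \ldots, t_1 + n \neq t_2$ (where $t_1 \leq t_2$) by a single inequation $t_1 + n < t_2$, which is needed for suitable generalizations afterwards. We use this to derive $v_4 < v_{end} \in \langle\!\langle K \rangle\!\rangle$ (“s < $v_{end}$”) from $v_4 = v_3 + 1$, $v_3 = u_{str}$, $u_{str} \leq v_{end}$, $u_{str} \neq v_{end}$, $v_4 \neq v_{end} \in \langle K \rangle$.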

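We then let $KB^L$ consist of all formulas $\varphi$ from $\langle\!\langle K \rangle\!\rangle$ that are also implied by $\langle \widetilde{K} \rangle$, again translating variable names using $\mu_K^{-1}$ and $\mu_{\widetilde{K}}^{-1}$. Thus, we have

$$\langle\!\langle K \rangle\!\rangle = \{v_5 \neq 0, v_4 = v_3 + 1, v_3 = u_{str}, v_3 \geq u_{str}, v_4 < v_{end}, \ldots\}$$
$$\mu_K^{-1}(\langle\!\langle K \rangle\!\rangle) = \{v_c \neq 0, v_s = v_{olds} + 1, v_{olds} = v_{str}, v_{olds} \geq v_{str}, v_s < v_{end}, \ldots\}$$
$$\mu_{\widetilde{K}}^{-1}(\langle \widetilde{K} \rangle) = \{v_c \neq 0, v_s = v_{olds} + 1, v_{olds} = v_4, v_4 = v_3 + 1, v_3 = v_{str}, v_s < v_{end}, \ldots\}$$
$$KB^L = \{v_c \neq 0, v_s = v_{olds} + 1, v_{olds} \geq v_{str}, v_s < v_{end}, \ldots\}.$$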

In Fig. 1, we do not show the second loop unfolding from K to $\widetilde{K}$, and directly draw a generalization edge with a dashed arrow from K to L. Such an edge expresses that all concrete states represented by K are also represented by the more general state L. Semantically, a state $a'$ is a generalization of a state $a$ iff $\models \langle a \rangle_{SL} \Rightarrow \mu(\langle a' \rangle_{SL})$ for some instantiation $\mu$.

In the strlen example, we continue symbolic execution in state L. Similar to the execution from F to K, after 5 steps another state N at position (loop, 4) is reached. In Fig. 1, the dotted arrows from L to M and from M to N abbreviate several evaluation steps. As L is again a generalization of N using an instantiation $\mu$ with $\mu(v_c) = w_c$, $\mu(v_s) = w_s$, and $\mu(v_{olds}) = w_{olds}$, we draw a generalization edge from N to L. The construction of a

Fig. 3 The strcpy function and a graphical illustration of its symbolic execution
(The illustration depicts the two memory blocks from s1 to u1 and from s2 to u2 in the states I″, A″, B″, and C″. All four states satisfy $u1 - s1 \geq u2 - s2$. In A″, dst and src coincide with s1 and s2. C″ additionally satisfies $dst - s1 = src - s2$.)

ret instruction. We call a non-empty symbolic execution graph with this property complete. In particular, a complete symbolic execution graph cannot contain an ERR state.

The approach presented so far is sufficient to prove memory safety (and together with the techniques in Sect. 5 also termination) of the strlen function, cf. Sect. 4 and 5. Up to now, when merging states we make relations between symbolic variables explicit (by adding inequations between symbolic variables). Then, these inequations are retained in the merged state if they are present in both states to be merged. In other words, these inequations restrict the state space of the represented concrete states and we want to keep as many restrictions as possible during merging in order to obtain a more precise abstraction. In some cases, however, it is also important to make relations between differences of symbolic variables explicit (e.g., about the distance between addresses). So in addition to inequations like $v_1 \geq v_2$ or $v_1 > v_2$ in $\langle\!\langle K \rangle\!\rangle$, we may also add equations like $v_1 - v_2 = w_1 - w_2$ for symbolic variables $v_1, v_2, w_1, w_2$.

By making these equations explicit, they can also be retained when merging states. So far, relations established and preserved by instructions within a “loop” (i.e., a path through the program leading from some program position back to the same position) are usually retained by our merging heuristic. For example, the instruction “s = getelementptr i8* olds, i32 1” within the block loop leads to the relation $v_4 = v_3 + 1$ in K and to the relation $\tilde{v}_4 = \tilde{v}_3 + 1$ in $\widetilde{K}$, where $v_4$ and $\tilde{v}_4$ correspond to the program variable s and $v_3$ and $\tilde{v}_3$ correspond to the program variable olds. Thus, the relation $v_s = v_{olds} + 1$ is also contained in the merged state L for the corresponding “merged” symbolic variables $v_s$ and $v_{olds}$.

However, relations established before a loop may be generalized or removed during merging. As an example, the instruction “olds = phi i8* [str,entry], [s,loop]” assigns the value of str to the variable olds when the block loop is entered for the first time. So in the state K, we had the relation $v_3 = u_{str}$ where the symbolic variables $v_3$ and $u_{str}$ correspond to the program variables olds and str. Since in $\widetilde{K}$, the value of olds has been increased by 1, this is generalized to the inequation $v_{olds} \geq v_{str}$ in the merged state L. So by merging states, we lose the information on the exact distance between olds and its initial value str.

Of course, we need to abstract to obtain a finite representation of all evaluations. However, we might want to keep the knowledge that two distances between different symbolic variables are the same. This knowledge is necessary for a successful analysis of the following strcpy function (cf. [62, 72]).

    char* strcpy(char* s1, char* s2) {
      char* dst = s1;
      char* src = s2;
      while ((*dst++ = *src++) != '\0');
      return s1;
    }

This function copies the string at the source address s2 to the destination address s1. The while loop of the function terminates as soon as the value 0 is reached in the source string.


initial state I″ describes states in which the destination s1 begins an allocated memory block whose length is at least as long as the source string s2. Moreover, the symbolic variables u1 and u2 refer to the last address in each allocated memory block. State A″ corresponds to the first entry into the loop, in which the program variables dst and src point to the same addresses as s1 and s2, respectively. After one loop iteration, both src and dst have been incremented by one, as shown in B″. For the states A″ and B″, the merging approach presented so far would generate a state requiring only $s1 \leq dst \leq u1$ and $s2 \leq src \leq u2$, but it would not keep any information about the exact distances of dst from s1 and of src from s2. However, this is not sufficient to prove memory safety (and hence termination) of the strcpy function, as this generalized state would also represent cases in which the destination memory area starting at dst is shorter than the source area. To handle such examples successfully, our merging heuristic needs to relate the difference between dst and s1 with the difference between src and s2, obtaining a state such as C″.

So when merging two states a and b, we also check whether there are symbolic variables $v_1^a, v_2^a, v_3^a, v_4^a$ with $(v_1^a, v_2^a) \neq (v_3^a, v_4^a)$ in state a such that $v_1^a - v_2^a = k_1 \cdot (v_3^a - v_4^a)$ for some constant $k_1$. To simplify the search, we only consider cases where $v_3^a - v_4^a = k_2$ for some constant $k_2$, and to avoid several equivalent equations due to symmetries, we require that $k_1 > 0$ and $k_2 \geq 0$. If the corresponding relation $v_1^b - v_2^b = k_1 \cdot (v_3^b - v_4^b)$ also holds for the symbolic variables $v_1^b, v_2^b, v_3^b, v_4^b$ in state b that are “merged with” $v_1^a, v_2^a, v_3^a, v_4^a$, then the relation $v_1 - v_2 = k_1 \cdot (v_3 - v_4)$ is added to the knowledge base of the merged state for the “merged” symbolic variables $v_i$. So for strcpy, since $dst - s1 = src - s2$ holds in both states A″ and B″, this equation is contained in the knowledge base of the state C″ that results from merging A″ and B″. When merging states in this way, termination of strcpy can be proved automatically, similar to strlen. Def. 7 formalizes our technique for merging states.
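As a worked instance of this check for strcpy, the following derivation spells out the constants. It is a sketch that assumes the concrete distances described for the two states, namely that dst and src coincide with s1 and s2 in A″ and have each advanced by one in B″.

```latex
\begin{align*}
A'':\quad & src - s2 = 0 = k_2, \qquad dst - s1 = 0 = k_1 \cdot k_2
          && \text{for } k_1 = 1,\ k_2 = 0 \\
B'':\quad & src - s2 = 1 = k_2, \qquad dst - s1 = 1 = k_1 \cdot k_2
          && \text{for } k_1 = 1,\ k_2 = 1 \\
\text{hence in both:}\quad & dst - s1 = 1 \cdot (src - s2)
\end{align*}
```

The constant $k_2$ differs between the two states, but the factor $k_1 = 1$ is the same, so the relation between the two differences holds in both states and is kept in the merged state.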

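Definition 7 (Merging States) Let $a = ([(p_1, LV_1^a, AL_1^a), \ldots, (p_n, LV_n^a, AL_n^a)], KB^a, AL^a, PT^a)$, $b = ([(p_1, LV_1^b, AL_1^b), \ldots, (p_n, LV_n^b, AL_n^b)], KB^b, AL^b, PT^b)$ be abstract states. Moreover, for all $i \in \{1, \ldots, n\}$, let the domains of $LV_i^a$ and $LV_i^b$ coincide. Then $c = (CS^c, KB^c, AL^c, PT^c)$ with $CS^c = [(p_1, LV_1^c, AL_1^c), \ldots, (p_n, LV_n^c, AL_n^c)]$ results from merging the states a and b if

• $LV_i^c = \{x_i = v_x^i \mid x \in \mathcal{V}_P \text{ where } LV_i^a(x) \text{ is defined}\}$ for all $1 \leq i \leq n$ and fresh pairwise different symbolic variables $v_x^i$. Moreover, we define $\mu_a(v_x^i) = LV_i^a(x)$ and $\mu_b(v_x^i) = LV_i^b(x)$ for all $x \in \mathcal{V}_P$ where $LV_i^a(x)$ is defined, and we let $\mu_a$ and $\mu_b$ be the identity on all remaining variables from $\mathcal{V}_{sym}$.
• $PT^c = \mu_a^{-1}(PT^a) \cap \mu_b^{-1}(PT^b)$, $AL^c = \mu_a^{-1}(AL^a) \cap \mu_b^{-1}(AL^b)$, and $AL_i^c = \mu_a^{-1}(AL_i^a) \cap \mu_b^{-1}(AL_i^b)$ for all $1 \leq i \leq n$. Here, the “inverse” of $\mu_a$ is defined as $\mu_a^{-1}(v) = v_x^i$ if $v = LV_i^a(x)$ and $\mu_a^{-1}(v) = v$ for all other $v \in \mathcal{V}_{sym}$ ($\mu_b^{-1}$ is defined analogously).
• $KB^c = \{\varphi \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle) \mid\ \models \mu_b^{-1}(\langle b \rangle) \Rightarrow \varphi\}$, where $\langle\!\langle a \rangle\!\rangle$ is the smallest set such that
  – $\langle a \rangle \subseteq \langle\!\langle a \rangle\!\rangle$
  – $t_1 = t_2 \in \langle\!\langle a \rangle\!\rangle \implies t_1 \geq t_2,\ t_1 \leq t_2 \in \langle\!\langle a \rangle\!\rangle$
  – $(t_1 \neq t_2 \in \langle\!\langle a \rangle\!\rangle \ \wedge \models \langle a \rangle \Rightarrow t_1 > t_2) \implies t_1 > t_2 \in \langle\!\langle a \rangle\!\rangle$
  – $(t_1 \neq t_2 \in \langle\!\langle a \rangle\!\rangle \ \wedge \models \langle a \rangle \Rightarrow t_1 < t_2) \implies t_1 < t_2 \in \langle\!\langle a \rangle\!\rangle$
  – $\models \langle a \rangle \Rightarrow v_1 - v_2 = k_1 \cdot k_2 \wedge v_3 - v_4 = k_2 \implies v_1 - v_2 = k_1 \cdot (v_3 - v_4) \in \langle\!\langle a \rangle\!\rangle$
    for all $k_1, k_2 \in \mathbb{N}$ with $k_1 > 0$ and all $v_1, v_2, v_3, v_4 \in \mathcal{V}_{sym}(a)$ with $(v_1, v_2) \neq (v_3, v_4)$.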

Note that $\langle\!\langle a \rangle\!\rangle$ may contain arbitrary formulas from $QF\_IA(\mathcal{V}_{sym})$ since $\langle a \rangle \subseteq \langle\!\langle a \rangle\!\rangle$. Moreover, the terms $t_1, t_2$ in $\langle\!\langle a \rangle\!\rangle \setminus \langle a \rangle$ are arbitrary (possibly non-linear) arithmetic terms. So our
restricted classes. Indeed, our definition of $\langle\!\langle a \rangle\!\rangle$ was very successful in our implementation.

We now define a rule to compute generalization edges automatically. Recall that semantically, a state $a'$ is a generalization of a state $a$ iff $\models \langle a \rangle_{SL} \Rightarrow \mu(\langle a' \rangle_{SL})$ for some instantiation $\mu$. To automate our procedure, we define a weaker relationship between $a$ and $a'$. We say that $a' = (CS', KB', AL', PT')$ is a generalization of $a = (CS, KB, AL, PT)$ with the instantiation $\mu$ whenever the conditions (b) – (f) of the following rule are satisfied. Again, let $a$ denote the state before the generalization step (i.e., above the horizontal line of the rule) and let $a'$ be the state resulting from the generalization (i.e., below the line).

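generalization with $\mu$

$$\frac{([(p_1, LV_1, AL_1), \ldots, (p_n, LV_n, AL_n)],\ KB,\ AL,\ PT)}{([(p_1, LV_1', AL_1'), \ldots, (p_n, LV_n', AL_n')],\ KB',\ AL',\ PT')}$$
if
(a) $a$ has an incoming evaluation edge,⁹
(b) $LV_i$ and $LV_i'$ have the same domain and $LV_i(x) = \mu(LV_i'(x))$ for all $1 \leq i \leq n$ and all $x \in \mathcal{V}_P$ where $LV_i$ and $LV_i'$ are defined,
(c) $\models \langle a \rangle \Rightarrow \mu(KB')$,
(d) if $[\![v_1, v_2]\!] \in AL'$, then $[\![\mu(v_1), \mu(v_2)]\!] \in AL$,
(e) if $[\![v_1, v_2]\!] \in AL_i'$, then $[\![\mu(v_1), \mu(v_2)]\!] \in AL_i$ (for all $1 \leq i \leq n$),
(f) if $(v_1 \hookrightarrow_{ty} v_2) \in PT'$, then $(\mu(v_1) \hookrightarrow_{ty} \mu(v_2)) \in PT$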
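Conditions (b), (d), (e), and (f) are syntactic and can be checked by applying the instantiation, while condition (c) requires an implication check. The following Python sketch illustrates this split under assumptions: states are dictionaries with the hypothetical keys `frames`, `kb`, `al`, and `pt`, the types of points-to entries are omitted, condition (a) is not modelled because it concerns the graph rather than the two states, and `implies` is a caller-supplied stand-in for an SMT query.

```python
def is_generalization(a, a_gen, mu, implies):
    """Check conditions (b)-(f) for 'a_gen generalizes a with instantiation mu'.

    a, a_gen: dicts with keys "frames" (list of (lv, al) per stack frame),
              "kb", "al" (set of interval pairs) and "pt" (set of pairs).
    mu:       dict from variables of a_gen to variables of a (identity
              on all variables that are not listed).
    implies:  callback (a, mu, kb_gen) -> bool deciding condition (c);
              a placeholder for an SMT solver call.
    """
    def inst(v):
        return mu.get(v, v)

    if len(a["frames"]) != len(a_gen["frames"]):
        return False
    for (lv, al), (lv_gen, al_gen) in zip(a["frames"], a_gen["frames"]):
        if lv.keys() != lv_gen.keys():                        # (b) same domain
            return False
        if any(lv[x] != inst(lv_gen[x]) for x in lv):         # (b) values
            return False
        if any((inst(v1), inst(v2)) not in al for v1, v2 in al_gen):      # (e)
            return False
    if any((inst(v1), inst(v2)) not in a["al"] for v1, v2 in a_gen["al"]):  # (d)
        return False
    if any((inst(v1), inst(v2)) not in a["pt"] for v1, v2 in a_gen["pt"]):  # (f)
        return False
    return implies(a, mu, a_gen["kb"])                        # (c)
```

Keeping the implication check behind a callback reflects that any solver can be plugged in for condition (c), while the remaining conditions need no solver at all.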

The above rule does not refer to the merging of states in Def. 7, but it introduces a general form of “generalizations”. The correctness of this rule is obvious, as it clearly implies $\models \langle a \rangle_{SL} \Rightarrow \mu(\langle a' \rangle_{SL})$. Condition (a) is needed to avoid cycles of refinement and generalization steps in the symbolic execution graph, which would not correspond to any computation.

Of course, many approaches are possible to compute such generalizations. Thm. 8 shows that the merging heuristic from Def. 7 satisfies the conditions of the generalization rule. So if a state c results from merging a and b, then c is indeed a generalization of both a and b. Thm. 8 also shows that if one uses the merging heuristic for generalizations, then the construction of symbolic execution graphs always terminates when applying the following strategy:

(1) If b is the next state to evaluate symbolically and there is a path from some state a to b, where a and b are at the same program position, the domains of all functions LV in a are equal to the domains of the corresponding functions LV in b, b has an incoming evaluation edge, and a has no incoming refinement edge, then:

(1a) If a is a generalization of b (i.e., the corresponding conditions of the generalization rule are satisfied), then we draw a generalization edge from b to a. Here, any SMT solver can be used to prove Condition (c) of the “generalization” rule.

(1b) Otherwise, remove a's children, and add a generalization edge from a to the merging c of a and b. If a already had an incoming generalization edge from some state q, then remove a and add a generalization edge from q to c instead.

(2) Otherwise, just evaluate b symbolically as usual, applying refinements when needed.

Theorem 8 (Soundness and Termination of Merging) Let c result from merging the states a and b as in Def. 7. Then c is a generalization of a and b with the instantiations $\mu_a$ and $\mu_b$, respectively. Moreover, if a is not already a generalization of b, and n is the height of the call stacks in a, b, and c, then $|\langle\!\langle c \rangle\!\rangle| + (\sum_{1 \leq i \leq n} |AL_i^c|) + |AL^c| + |PT^c| < |\langle\!\langle a \rangle\!\rangle| + (\sum_{1 \leq i \leq n} |AL_i^a|) + |AL^a| + |PT^a|$. Here, for any conjunction $\varphi$, let $|\varphi|$ denote the number of its conjuncts. Thus, the above strategy to construct symbolic execution graphs always terminates.

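Proof To show that c is a generalization of a and b with the instantiations $\mu_a$ and $\mu_b$, we have to prove that the conditions (b) – (f) of the generalization rule are satisfied. By definition, $LV_i^a(x) = \mu_a(v_x^i) = \mu_a(LV_i^c(x))$ and $LV_i^b(x) = \mu_b(LV_i^c(x))$ for all $1 \leq i \leq n$ and all $x \in \mathcal{V}_P$, which proves (b). Moreover, for $[\![v_1, v_2]\!] \in AL^c$, we have $[\![v_1, v_2]\!] \in \mu_a^{-1}(AL^a)$ and $[\![v_1, v_2]\!] \in \mu_b^{-1}(AL^b)$. This implies $[\![\mu_a(v_1), \mu_a(v_2)]\!] \in AL^a$ and $[\![\mu_b(v_1), \mu_b(v_2)]\!] \in AL^b$, which proves (d). Condition (e) on $AL_i^c$ and condition (f) on $PT^c$ can be proved in a similar way.

It remains to prove (c). As $KB^c \subseteq \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$, we have $\models \langle\!\langle a \rangle\!\rangle \Rightarrow \mu_a(KB^c)$ and therefore also $\models \langle a \rangle \Rightarrow \mu_a(KB^c)$. Moreover, as $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow \varphi$ holds for all $\varphi \in KB^c$, we also obtain $\models \langle b \rangle \Rightarrow \mu_b(KB^c)$. Note that we even have $\models \langle a \rangle \Rightarrow \mu_a(\langle c \rangle)$ and $\models \langle b \rangle \Rightarrow \mu_b(\langle c \rangle)$.

Finally, we show that $|\langle\!\langle c \rangle\!\rangle| + (\sum_{1 \leq i \leq n} |AL_i^c|) + |AL^c| + |PT^c| < |\langle\!\langle a \rangle\!\rangle| + (\sum_{1 \leq i \leq n} |AL_i^a|) + |AL^a| + |PT^a|$ if a is not a generalization of b.

We first show that $\langle\!\langle c \rangle\!\rangle = \langle c \rangle$. The reason is that whenever there is a $t_1 = t_2 \in \langle c \rangle$, then $t_1 = t_2 \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$ and thus also $t_1 \geq t_2, t_1 \leq t_2 \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$. As $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow t_1 = t_2$ also implies $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow t_1 \geq t_2$ and $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow t_1 \leq t_2$, we also have $t_1 \geq t_2, t_1 \leq t_2 \in \langle c \rangle$. Moreover, suppose that $t_1 \neq t_2 \in \langle c \rangle$ and $\models \langle c \rangle \Rightarrow t_1 > t_2$. This implies $\models \mu_a^{-1}(\langle a \rangle) \Rightarrow t_1 > t_2$ (i.e., $t_1 > t_2 \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$) and $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow t_1 > t_2$. Hence, we also obtain $t_1 > t_2 \in \langle c \rangle$. The case where $t_1 \neq t_2 \in \langle c \rangle$ and $\models \langle c \rangle \Rightarrow t_1 < t_2$ is analogous. Finally, consider the case that $\models \langle c \rangle \Rightarrow v_1 - v_2 = k_1 \cdot k_2 \wedge v_3 - v_4 = k_2$ holds for some $k_1, k_2 \in \mathbb{N}$ and $v_1, v_2, v_3, v_4 \in \mathcal{V}_{sym}(c)$ with $(v_1, v_2) \neq (v_3, v_4)$. Since $\models \langle a \rangle \Rightarrow \mu_a(\langle c \rangle)$, we also have $\mu_a(v_1 - v_2 = k_1 \cdot (v_3 - v_4)) \in \langle\!\langle a \rangle\!\rangle$, i.e., $(v_1 - v_2 = k_1 \cdot (v_3 - v_4)) \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$. Moreover, due to $\models \langle b \rangle \Rightarrow \mu_b(\langle c \rangle)$ we have $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow v_1 - v_2 = k_1 \cdot (v_3 - v_4)$. This implies $v_1 - v_2 = k_1 \cdot (v_3 - v_4) \in KB^c \subseteq \langle c \rangle$.

Next note that $\langle c \rangle = KB^c$. Again the reason is that for any $\varphi \in \langle c \rangle$ we have $\varphi \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$ and $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow \varphi$. Thus, we only have to show that $|KB^c| + (\sum_{1 \leq i \leq n} |AL_i^c|) + |AL^c| + |PT^c| < |\langle\!\langle a \rangle\!\rangle| + (\sum_{1 \leq i \leq n} |AL_i^a|) + |AL^a| + |PT^a|$. From the definition, it is obvious that we always have $|KB^c| \leq |\langle\!\langle a \rangle\!\rangle|$, $|AL^c| \leq |AL^a|$, $|AL_i^c| \leq |AL_i^a|$ for all $1 \leq i \leq n$, and $|PT^c| \leq |PT^a|$. Hence, it suffices to show that if $|KB^c| = |\langle\!\langle a \rangle\!\rangle|$, $|AL^c| = |AL^a|$, $|AL_i^c| = |AL_i^a|$ for all $1 \leq i \leq n$, and $|PT^c| = |PT^a|$, then a would be a generalization of b with the instantiation $\mu_b \circ \mu_a^{-1}$. To see this, note that we have $LV_i^b(x) = \mu_b(v_x^i) = \mu_b(\mu_a^{-1}(LV_i^a(x)))$, i.e., condition (b) of the generalization rule is satisfied. Clearly, $|AL^c| = |AL^a|$ means that $\mu_a^{-1}(AL^a) = \mu_b^{-1}(AL^b)$. Thus, if $[\![v_1, v_2]\!] \in AL^a$, then $[\![\mu_a^{-1}(v_1), \mu_a^{-1}(v_2)]\!] \in \mu_a^{-1}(AL^a) = \mu_b^{-1}(AL^b)$ and hence, $[\![\mu_b(\mu_a^{-1}(v_1)), \mu_b(\mu_a^{-1}(v_2))]\!] \in AL^b$, which shows condition (d). Conditions (e) and (f) follow from $|AL_i^c| = |AL_i^a|$ resp. $|PT^c| = |PT^a|$ for similar reasons. Finally, $|KB^c| = |\langle\!\langle a \rangle\!\rangle|$ means that for all $\varphi \in \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$, we have $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow \varphi$. Let $\psi \in \mu_b(\mu_a^{-1}(KB^a))$. Then we have $\mu_b^{-1}(\psi) \in \mu_a^{-1}(KB^a) \subseteq \mu_a^{-1}(\langle\!\langle a \rangle\!\rangle)$. Hence, we can infer $\models \mu_b^{-1}(\langle b \rangle) \Rightarrow \mu_b^{-1}(\psi)$ which implies $\models \langle b \rangle \Rightarrow \psi$, cf. condition (c). □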

4 Correctness of Symbolic Execution

We now prove the correctness of our approach in Sect. 2 and 3, i.e., that our symbolic execution graphs represent an over-approximation of all concrete program runs. We proceed in two stages, as depicted graphically in Fig. 4. This proof structure is inspired by the correctness proof of our termination technique for Java w.r.t. a suitable formal semantics [11]. First, we relate the formal definition of the LLVM semantics from the Vellvm project [73] to our semantics $\to_{LLVM}$ of LLVM from Sect. 2 and 3 that we use for program analysis. Here,