Conference Paper

Efficient Symbolic Simulation of Low Level Software.

DOI: 10.1109/DATE.2008.4484776 Conference: Design, Automation and Test in Europe, DATE 2008, Munich, Germany, March 10-14, 2008
Source: DBLP


Symbolic execution has long been a staple technique for formal hardware verification. Its application to software requires methods for dealing with software specific complexities. In this paper we elaborate methods for the efficient symbolic simulation of embedded software; some methods are new, others are improvements of existing methods. Using these techniques we have been able to symbolically execute real life microcode of thousands of lines, allowing formal methods to become an integral part of microcode validation in Intel Corporation.

Download full-text


Available from: Tamarah Arons, Oct 10, 2015
19 Reads
  • Source
    • "In order to reduce the size of formulae, MicroFormal merges sets of partial paths ending up in the same location into a single path by introducing extra variables and conditional assignments. The details are explained in [3], but for our purposes the relevant effect is that it removes open partial paths which have so far been generated, and replaces them with a new merged path which is equivalent to but syntactically different from the previous paths. Two other techniques that are used are based on caching and SSAT, briefly described below. "
    [Show abstract] [Hide abstract]
    ABSTRACT: Microcode is a critical component in modern microprocessors, and substantial effort has been devoted in the past to verify its correctness. A prominent approach, based on symbolic execution, traditionally relies on the use of boolean SAT solvers as a backend engine. In this paper, we investigate the application of Satisfiability Modulo Theories (SMT) to the problem of microcode verification. We integrate MathSAT, an SMT solver for the theory of Bit Vectors, within the flow of microcode verification, and experimentally evaluate the effectiveness of some optimizations. The results demonstrate the potential of SMT technologies over pure boolean SAT.
    Proceedings of 10th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2010, Lugano, Switzerland, October 20-23; 01/2010
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Symbolic execution is a well-known program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in part to the progress in decision procedures, availability of powerful computers and new algorithmic developments. We provide here a survey of some of the new research trends in symbolic execution, with particular emphasis on applications to test generation and program analysis. We first describe an approach that handles complex programming constructs such as input recursive data structures, arrays, as well as multithreading. Furthermore, we describe recent hybrid techniques that combine concrete and symbolic execution to overcome some of the inherent limitations of symbolic execution, such as handling native code or availability of decision procedures for the application domain. We follow with a discussion of techniques that can be used to limit the (possibly infinite) number of symbolic configurations that need to be analyzed for the symbolic execution of looping programs. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution.
    International Journal on Software Tools for Technology Transfer 10/2009; 11(4):339-353. DOI:10.1007/s10009-009-0118-1
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Symbolic execution by James C. King (1976) is a popular program verification technique, where the program inputs are initialized to unknown symbolic values, and then propagated along program paths with the help of decision procedures. This technique has two main bottlenecks: (a) the number of program execution paths to be explored may be exponential, and, (b) the state representation (map from variables to terms) may blow-up. We propose a new program verification technique that addresses the problems by (a) performing a work list based analysis that handles join points, and (b) simplifying the intermediate state representation by using term rewriting. In addition, our technique tries to compact expressions generated during analysis of program loops by using a term generalization technique based on anti-unification. We have implemented the proposed method in the F-SOFT verification framework using the Maude term rewriting engine. Preliminary experiments show that the proposed method is effective in improving verification times on real-life benchmarks.
    Formal Methods in Computer-Aided Design, FMCAD 2008, Portland, Oregon, USA, 17-20 November 2008; 01/2008
Show more