
A gentle introduction to symbolic execution - joelburget
https://blog.monic.co/a-gentle-introduction-to-symbolic-execution/
======
triska
Very nice, thank you for sharing this!

Symbolic execution is also known as _abstract interpretation_. The program is
being interpreted, with concrete values _abstracted away_ , generalized to
symbolic elements that often denote several or even infinitely many _concrete_
values.

Logic programming languages like Prolog are especially amenable to abstract
interpretation, since we can _absorb_ the Prolog system's built-in binding
environment for variables, and simply plug in different values for the
existing variables. We only have to _reify_ unification, i.e., implement it
within the language with suitable semantics.

An impressive application of this idea is contained in the paper _Meta-
circular Abstract Interpretation in Prolog_ by Michael Codish and Harald
Søndergaard:

[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.137....](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.137.3604)

As one of the examples, the authors show how abstract interpretation over the
abstract parity domain {zero, one, even, odd} can be used to derive non-
trivial facts about the Ackermann function.

In particular, they deduce that _Ackermann(i,j)_ is odd and greater than 1 for
all _i_ greater than 1, by taking a Prolog implementation of the Ackermann
function, and interpreting it with these abstract domain elements instead of
all concrete values (which would not terminate, since there are infinitely
many concrete values). This is computed by fixpoint computation, determining
the deductive closure of the relation.

~~~
mjn
> Symbolic execution is also known as abstract interpretation

These aren't the same thing! They do both use abstraction of concrete values,
but abstract interpretation solves for fixpoints in a lattice of abstract
values, which is a fairly different process from how symbolic execution works.
The answers here go into more detail:
[https://cstheory.stackexchange.com/questions/19708/symbolic-...](https://cstheory.stackexchange.com/questions/19708/symbolic-
execution-is-a-case-of-abstract-interpretation)

One way of digging into abstract interpretation non-theoretically is via this
recently open-sourced framework: [https://code.fb.com/open-
source/sparta/](https://code.fb.com/open-source/sparta/)

~~~
rscho
[https://docs.racket-lang.org/tutorial/index.html](https://docs.racket-
lang.org/tutorial/index.html)

For a very non-theoretical forage into that.

BTW the guy you are answering to is a prolog expert.

~~~
TACIXAT
This is the most digestible intro to abstract interpretation that I've found,
[https://wiki.mozilla.org/Abstract_Interpretation](https://wiki.mozilla.org/Abstract_Interpretation).

------
joelburget
Co-author here. We're planning to turn this into a series, with additional
posts on how symbolic execution works at a lower level, how to present
counterexamples to users, and ideas for future programming tools built on
symbolic execution.

~~~
dfabulich
One piece of feedback: I've often wished to work on static analysis tools, but
too much of the work in this area is focused on Haskell or Lisp. (All of the
code in this article is in Haskell or Lisp.)

Does any of this stuff work on Java, Python, or JavaScript? I want to improve
the quality of real-world programs written in industry-standard languages.

This "gentle introduction" makes it seem like the first step of the process is
"port your app to a homoiconic language," \-- or, in other words, "you can
prove the correctness of any language you want, as long as it's Haskell or
Lisp."

~~~
nickpsecurity
[https://en.wikipedia.org/wiki/List_of_tools_for_static_code_...](https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)

~~~
dfabulich
That's static analysis, but not symbolic execution. Looking at the JavaScript
section, you can't do any of the stuff described in the article with JSLint.

~~~
tluyben2
Abstract interpretation is a wider concept than symbolic execution; check the
post in the top thread answered by user mjn to get more info; the fb and
mozilla ones seem to focus on more mainstream languages.

------
souprock
There are actual jobs, in industry, making use of this stuff. For example,
here is one that I put in the "Who is hiring?" item this month:

[https://news.ycombinator.com/item?id=19543995](https://news.ycombinator.com/item?id=19543995)

Typically one would convert a binary executable into some other form, then
analyze it to find all possible bugs. Of course one quickly slams into
troubles like the halting problem, but it is still usually possible to gain
useful understanding of the binary executable.

~~~
saagarjha
I noticed that you didn’t mention an employer in that listing.

~~~
schoen
Looks like it's probably Raytheon Cyber:

[https://www.reddit.com/r/ReverseEngineering/comments/9x0v2z/...](https://www.reddit.com/r/ReverseEngineering/comments/9x0v2z/rreverseengineerings_triannual_hiring_thread/e9pvq79/)

------
kazinator
_When a program has a free variable, we can consider an entire space of
possible execution paths, one for each possible value the variable could
take._

Or we could put on a greasy old pragmatic ball cap and issue an "unbound
variable in line 42" error.

A free free variable has no "possible value". If a variable has a value, it
has a binding; if it has a binding, it is not a free variable.

If we suspect that the variable is not actually free, but rather its
definition has not yet appeared, we can defer the processing. Perhaps capture
a continuation of the symbolic execution machine, and dispatch it later.

If the expression which refers to the free variable is not actually evaluated
(as our symbolic execution shows), we can squelch the warning, or change its
wording.

The idea that a free variable is implicitly universally quantified works in
logic, but it doesn't transfer to an ordinary programming language (i.e. not
Prolog, and its ilk) very well.

------
llamathrowaway
Thank you for this. However the labels 'syntax Haskell' and 'syntax LLVM' do
not seem to display properly on Firefox. Wish you could find a way to fix
them.

~~~
joelburget
Thanks for the heads up. It never occurred to me the svg might render
differently. I'll see if we can fix this.

------
bediger4000
I visited this expecting a tutorial about burning someone in effigy. Imagine
my surprise!

~~~
joelburget
Stick around for part 2. We haven't gotten to the good stuff yet :)

------
fwip
When you say “what is the result when x is 3 and y is 100?” - shouldn't the
answer be 113, not 103?

~~~
joelburget
You have a keen eye -- thanks for the close reading.

