quebex

A software analysis framework built around the QBE intermediate language

git clone https://git.8pit.net/quebex.git

commits

2026-01-21 quebex-cli: Support the old legacy header for .ktest too Sören Tempel
2026-01-12 quebex-cli: validate ktest version Sören Tempel
2026-01-11 quebex-cli: Improve output of quebex-symex a bit Sören Tempel
2026-01-11 README.md: Better reference to Guix environment Sören Tempel
2026-01-11 README.md: Fix markdown link Sören Tempel

Clone the repository to access all 425 commits.

README

A work-in-progress software analysis framework built around the QBE intermediate language.

Motivation

Existing analysis frameworks are predominantly built around LLVM. Unfortunately, LLVM is a fast-moving target with constant changes and updates to its intermediate representation. Therefore, tooling built on LLVM often requires dated LLVM versions (e.g., KLEE currently recommends LLVM 13 released in 2022). Obtaining these LLVM versions can be cumbersome and often hinders employment of these tools. To overcome these issues, maintainers of analysis tooling need to constantly invest time to catch up with LLVM releases instead of focusing on improving their analysis framework.

In order to reduce the maintenance burden, this project attempts to investigates the utilization of another intermediate language for software analysis: QBE. QBE is a much smaller-scale project than LLVM and thereby offers a higher degree of stability. Further, QBE is simpler than LLVM (e.g., providing fewer operations) and thereby eases the implementation of analysis techniques. Nonetheless, there exist compiler frontends that can emit a representation in the QBE intermediate representation (which can then be analyzed using quebex!). For example, SCC, cproc, or the Hare compiler.

Status

I currently consider this a vertical prototype. A lot of the desired functionality is already there, but not fully developed. Presently, it covers the majority of QBE features needed for medium-complexity QBE programs (e.g., as emitted by cproc). Notably, proper support for variadic functions is missing. In terms of analysis features, the implementation presently focuses on dynamic analysis techniques (primarily symbolic execution). Unfortunately, there is basically no documentation for the API and the provided command-line frontends (quebex and quebex-symex) are presently very basic.

Architecture

This project provides a formal, yet executable, description of the QBE intermediate language. Currently, it targets v1.2 of the QBE specification. The syntax is specified using literate Haskell and parser combinators in the quebex-syntax library. The language semantics are expressed in a modular way by distinguishing abstract and actual semantics. Abstract semantics of the QBE language are described in terms of a Simulator monad (i.e., an abstract monad). This monad must then be instantiated, whereby actual semantics are specified. Presently, the following instantiations are supported:

  1. Concrete semantics, provided by Language.QBE.Simulator.Default.State. This is useful for simulation of the QBE intermediate language.
  2. Symbolic (more specifically concolic) semantics, provided by Language.QBE.Simulator.Concolic.State. This is intended for automated software testing using symbolic execution.

The abstract description of the QBE semantics, in terms of the Simulator monad, and its concrete instantiation are provided by the quebex library. The symbolic semantics are implemented by a separate quebex-symex library. Additional semantics can be implemented by building on top of these existing Haskell libraries.

Further, executable programs are provided by the quebex-cli component. Presently the following executable program components are available:

  1. quebex: A simulator for QBE programs built on top of the concrete semantics.
  2. quebex-symex: An automated software testing tool facilitating the symbolic semantics.

These program components can be used directly on QBE input programs.

Installation

After cloning the repository, individual components can be installed using cabal install. However, presently specific GHC versions are required; therefore, installation using Guix is recommended. For example, in order to install the quebex-cli component using Guix:

$ guix time-machine -C .guix/channels.scm -- install -L .guix/modules/ quebex-cli

Afterwards, if Guix is configured correctly, the aforementioned program components (quebex and quebex-symex) should be available in your $PATH. The following section demonstrates usage of these components.

Demonstration

This framework is primarily intended to be used as a library, allowing the implementation of both static and dynamic analysis techniques based on QBE. Presently, it focuses on dynamic analysis, and sufficient documentation of the library interface is still lacking. Nonetheless, it is already capable of executing QBE representations of medium-complexity C code (e.g., as emitted by cproc). In order to experiment with the current capabilities, the following subsections demonstrate utilization of the aforementioned program components.

Concrete Execution

Consider the following “Hello, World!” program:

#include <stdio.h>

int main(void) {
    puts("Hello, World!");
    return 0;
}

In order to concretly execute this program using quebex, we need to obtain an equivalent representation in QBE. To this end, we can invoke the cproc compiler as follows:

$ cproc -emit-qbe hello.c

The resulting QBE file can then be executed with the concrete semantics using:

$ quebex hello.qbe
Hello, World!

Note that quebex is only able to invoke the puts(3) function because it intercepts its execution, providing a “simulated” version of it. Presently, only a limited amount of standard library functions are intercepted in this way. As such, interactions with the file system or more complex output functions (e.g. printf(3)) are currently not supported.

Symbolic Execution

Symbolic execution is a dynamic software analysis technique that explores reachable program paths based on a symbolic input variable (i.e., an input source). As an example, consider the following C program:

#include <stdio.h>
#include <stddef.h>

extern void quebex_symbolic_array(void *ptr, size_t nelem, size_t elsiz, const char *name);

int main(void) {
    int a;
    quebex_symbolic_array(&a, 1, sizeof(a), "a");
    if (a == 42) {
        puts("you found the answer");
    } else {
        puts("not the answer");
    }

    return 0;
}

This program can be compiled using the QBE-based cproc C compiler as follows:

$ cproc -emit-qbe example.c

The resulting QBE representation (example.qbe) can be symbolically executed using quebex-symex:

$ quebex-symex --write-tests tests/ example.qbe

This will yield the following output:

not the answer
you found the answer

---
Amount of paths: 2

This indicates that we found two execution paths through our program based on the symbolic variable a. Due to the --write-tests option, quebex-symex will create a tests/ directory that contains test inputs in the ktest format, one for each execution path. These files can be inspected with the ktest-tool from KLEE (which is included in the Guix development environment described below). For example:

$ ktest-tool tests/test000002.ktest
ktest file : 'tests/test000002.ktest'
args       : ['example.qbe']
num objects: 1
object 0: name: 'a1'
object 0: size: 4
object 0: data: b'*\x00\x00\x00'
object 0: hex : 0x2a000000
object 0: int : 42
object 0: uint: 42
object 0: text: *...

This tells us that the second execution path, where the program prints you found the answer, was triggered with a1 := 42. From these files, we can—for example—automatically generate high-coverage test cases. In the future, it will be possible to replay selected .ktest files using quebex-cli.

Design Goals

This project is intentionally written in a simple subset of the Haskell programming language. It should be usable by anyone with a basic Haskell background (e.g., as obtained by reading Learn You a Haskell for Great Good!). Further, the project should require minimal long-term maintenance and should also support older GHC versions. Therefore, it uses the GHC2021 language standard and avoids usage of additional language extensions. Further, whenever possible, dependencies on external libraries that are not bundled by GHC must be avoided.

Development

Code should be formatted using ormolu. Git hooks performing several sanity checks, including ensuring the proper code formatting, are available. These hooks can be enabled using:

$ git config --local core.hooksPath .githooks

Further, a Guix environment for development purposes can be obtained using:

$ guix time-machine -C .guix/channels.scm -- shell -L .guix/modules/ -m .guix/manifest.scm

License

This project uses the REUSE Specification to indicated used software license.