1<!--2SPDX-FileCopyrightText: 2025 Sören Tempel <soeren+git@soeren-tempel.net>34SPDX-License-Identifier: GPL-3.0-only5-->67## README89A work-in-progress software analysis framework built around the [QBE] intermediate language.1011### Motivation1213Existing analysis frameworks are predominantly built around [LLVM].14Unfortunately, LLVM is a fast-moving target with constant changes and updates to its intermediate representation.15Therefore, tooling built on LLVM often requires dated LLVM versions (e.g., [KLEE] currently [recommends LLVM 13][KLEE LLVM] released in 2022).16Obtaining these LLVM versions can be cumbersome and often hinders employment of these tools.17To overcome these issues, maintainers of analysis tooling need to constantly invest time to catch up with LLVM releases instead of focusing on improving their analysis framework.1819In order to reduce the maintenance burden, this project attempts to investigates the utilization of another intermediate language for software analysis: [QBE].20QBE is a much [smaller-scale project][QBE vs LLVM] than LLVM and thereby offers a higher degree of stability.21Further, QBE is simpler than LLVM (e.g., providing fewer operations) and thereby eases the implementation of analysis techniques.22Nonetheless, there exist compiler frontends that can emit a representation in the QBE intermediate representation (which can then be analyzed using quebex!).23For example, [SCC], [cproc], or the [Hare compiler][Hare].2425### Status2627I currently consider this a vertical prototype.28A lot of the desired functionality is already there, but not fully developed.29Presently, it covers the majority of QBE features needed for medium-complexity QBE programs (e.g., as emitted by [cproc]).30Notably, proper support for unions and variadic functions is missing.31In terms of analysis features, the implementation presently focuses on dynamic analysis techniques (primarily [symbolic execution]).32Unfortunately, there is basically no documentation for the API and the provided command-line frontends (`quebex` and `quebex-symex`) are presently very basic.3334### Architecture3536This project provides a formal, yet executable, description of the QBE intermediate language.37Currently, it targets [v1.2 of the QBE specification][QBE v1.2].38The syntax is specified using [literate Haskell][literate programming] and [parser combinators] in the `quebex-syntax` library.39The language semantics are expressed in a modular way by distinguishing abstract and actual semantics.40*Abstract semantics* of the QBE language are described in terms of a `Simulator` monad (i.e., an [abstract monad]).41This monad must then be instantiated, whereby *actual semantics* are specified.42Presently, the following instantiations are supported:43441. Concrete semantics, provided by `Language.QBE.Simulator.Default.State`.45 This is useful for simulation of the QBE intermediate language.462. [Symbolic][symbolic execution] (more specifically [concolic][concolic testing]) semantics, provided by `Language.QBE.Simulator.Concolic.State`.47 This is intended for automated software testing using [symbolic execution].4849The abstract description of the QBE semantics, in terms of the `Simulator` monad, and its concrete instantiation are provided by the `quebex` library.50The symbolic semantics are implemented by a separate `quebex-symex` library.51Additional semantics can be implemented by building on top of these existing Haskell libraries.5253Further, executable programs are provided by the `quebex-cli` component.54Presently the following executable program components are available:55561. `quebex`: A simulator for QBE programs built on top of the concrete semantics.572. `quebex-symex`: An automated software testing tool facilitating the symbolic semantics.5859These program components can be used directly on QBE input programs.6061### Installation6263After cloning the repository, individual components can be installed using `cabal install`.64However, presently specific GHC versions are required; therefore, installation using [Guix] is recommended.65For example, in order to install the `quebex-cli` component using Guix:6667```68$ guix time-machine -C .guix/channels.scm -- install -L .guix/modules/ quebex-cli69```7071Afterwards, if Guix is configured correctly, the aforementioned program components (`quebex` and `quebex-symex`) should be available in your `$PATH`.72The following section demonstrates usage of these components.7374### Demonstration7576This framework is primarily *intended to be used as a library*, allowing the implementation of both static and dynamic analysis techniques based on QBE.77Presently, it focuses on dynamic analysis, and sufficient documentation of the library interface is still lacking.78Nonetheless, it is already capable of executing QBE representations of medium-complexity C code (e.g., as emitted by [cproc]).79In order to experiment with the current capabilities, the following subsections demonstrate utilization of the aforementioned program components.8081#### Concrete Execution8283Consider the following "Hello, World!" program:8485```C86#include <stdio.h>8788int main(void) {89 puts("Hello, World!");90 return 0;91}92```9394In order to concretly execute this program using `quebex`, we need to obtain an equivalent representation in QBE.95To this end, we can invoke the [cproc] compiler as follows:9697```98$ cproc -emit-qbe hello.c99```100101The resulting QBE file can then be executed with the concrete semantics using:102103```104$ quebex hello.qbe105Hello, World!106```107108Note that `quebex` is only able to invoke the `puts(3)` function because it intercepts its execution, providing a "simulated" version of it.109Presently, only a limited amount of standard library functions are intercepted in this way.110As such, interactions with the file system or more complex output functions (e.g. `printf(3)`) are currently not supported.111112#### Symbolic Execution113114[Symbolic execution][symbolic execution] is a dynamic software analysis technique that explores reachable program paths based on a symbolic input variable.115For example, consider the following C program:116117```C118#include <stdio.h>119#include <stddef.h>120121extern void quebex_symbolic_array(void *ptr, size_t nelem, size_t elsiz, const char *name);122123int main(void) {124 puts("<path>");125126 int a;127 quebex_symbolic_array(&a, 1, sizeof(a), "a");128 if (a == 42) {129 puts("you found the answer");130 } else {131 puts("not the answer");132 }133134 puts("</path>");135 return 0;136}137```138139This program can be compiled using [cproc] as follows:140141```142$ cproc -emit-qbe example.c143```144145The resulting QBE representation (`example.qbe`) can be symbolically executed using quebex:146147```148$ quebex-symex example.qbe149```150151This will yield the following output:152153```154<path>155not the answer156</path>157<path>158you found the answer159</path>160161Amount of paths: 2162```163164This tells us that quebex found two paths through our program based on the symbolic variable `a`.165In the future, it will be possible to obtain test inputs for each path in a standardized format using `quebex-symex`, which can then be used to automatically [generate high-coverage tests][KLEE OSDI].166However, for now the focus is on improving the library, not the command-line interface.167168### Design Goals169170This project is intentionally written in a simple subset of the [Haskell] programming language.171It should be usable by anyone with a basic Haskell background (e.g., as obtained by reading [Learn You a Haskell for Great Good!][learnyouahaskell]).172Further, the project should require minimal long-term maintenance and should also support older GHC versions.173Therefore, it uses the [GHC2021] language standard and avoids usage of additional language extensions.174Further, whenever possible, dependencies on external libraries that are [not bundled by GHC][GHC libraries] must be avoided.175176### Development177178Code should be formatted using [ormolu][ormolu github].179Git hooks performing several sanity checks, including ensuring the proper code formatting, are available.180These hooks can be enabled using:181182 $ git config --local core.hooksPath .githooks183184Further, a [Guix] environment for development purposes can be obtained using:185186 $ guix time-machine -C .guix/channels.scm -- shell -L .guix/modules/ -m .guix/manifest.scm187188### License189190This project uses the [REUSE Specification] to indicated used software license.191192[QBE]: https://c9x.me/compile/193[QBE vs LLVM]: https://c9x.me/compile/doc/llvm.html194[QBE v1.2]: https://c9x.me/compile/doc/il-v1.2.html195[LLVM]: https://llvm.org/196[KLEE]: https://klee-se.org197[KLEE LLVM]: https://klee-se.org/build/build-llvm13/198[KLEE OSDI]: https://www.usenix.org/legacy/events/osdi08/tech/full_papers/cadar/cadar.pdf199[SCC]: https://www.simple-cc.org/200[cproc]: https://sr.ht/~mcf/cproc/201[Hare]: https://harelang.org/202[Haskell]: https://haskell.org/203[GHC]: https://www.haskell.org/ghc/204[GHC2021]: https://ghc.gitlab.haskell.org/ghc/doc/users_guide/exts/control.html#extension-GHC2021205[GHC libraries]: https://ghc.gitlab.haskell.org/ghc/doc/libraries/index.html206[learnyouahaskell]: https://learnyouahaskell.github.io/chapters.html207[libriscv]: https://github.com/agra-uni-bremen/libriscv208[ormolu github]: https://github.com/tweag/ormolu209[REUSE Specification]: https://reuse.software/spec-3.3/210[Guix]: https://guix.gnu.org211[symbolic execution]: https://en.wikipedia.org/wiki/Symbolic_execution212[concolic testing]: https://en.wikipedia.org/wiki/Concolic_testing213[literate programming]: https://en.wikipedia.org/wiki/Literate_programming214[parser combinators]: https://en.wikipedia.org/wiki/Parser_combinator215[abstract monad]: https://doi.org/10.1145/3607833