1<!--2SPDX-FileCopyrightText: 2025 Sören Tempel <soeren+git@soeren-tempel.net>34SPDX-License-Identifier: GPL-3.0-only5-->67## README89A work-in-progress software analysis framework built around the [QBE] intermediate language.1011### Motivation1213Existing analysis frameworks are predominantly built around [LLVM].14Unfortunately, LLVM is a fast-moving target with constant changes and updates to its intermediate representation.15Therefore, tooling built on LLVM often requires dated LLVM versions (e.g., [KLEE] currently [recommends LLVM 13][KLEE LLVM] released in 2022).16Obtaining these LLVM versions can be cumbersome and often hinders employment of these tools.17To overcome these issues, maintainers of analysis tooling need to constantly invest time to catch up with LLVM releases instead of focusing on improving their analysis framework.1819In order to reduce the maintenance burden, this project attempts to investigates the utilization of another intermediate language for software analysis: [QBE].20QBE is a much [smaller-scale project][QBE vs LLVM] than LLVM and thereby offers a higher degree of stability.21Further, QBE is simpler than LLVM (e.g., providing fewer operations) and thereby eases the implementation of analysis techniques.22Nonetheless, there exist compiler frontends that can emit a representation in the QBE intermediate representation (which can then be analyzed using quebex!).23For example, [SCC], [cproc], or the [Hare compiler][Hare].2425### Status2627Proof of concept, not much to see here yet.28Come back later!2930### Installation3132The framework consists of several components.33After cloning the repository, individual components can be installed using `cabal install`.34However, presently specific GHC versions are required; therefore, installation using [Guix] is recommended.35For example, in order to install the `quebex-cli` component using Guix:3637```38$ guix time-machine -C .guix/channels.scm -- install -L .guix/modules/ quebex-cli39```4041Afterwards, if Guix is configured correctly, `quebex-cli` should be available in your `$PATH`.42The following section demonstrates usage of `quebex-cli`.4344### Demonstration4546This framework is primarily *intended to be used as a library*, allowing the implementation of both static and dynamic analysis techniques based on QBE.47Presently, it focuses on dynamic analysis, and sufficient documentation of the library interface is lacking.48Nonetheless, it is already capable of executing QBE representations of medium-complexity C code (e.g., as emitted by [cproc]).49To experiment with the current capabilities, a command-line tool called `quebex-cli` is available that provides a frontend to quebex's [symbolic execution] library.50Symbolic execution is a dynamic software analysis technique that explores reachable program paths based on a symbolic input variable.51For example, consider the following C program:5253```C54#include <stdio.h>55#include <stddef.h>5657extern void quebex_symbolic_array(void *ptr, size_t nelem, size_t elsiz, const char *name);5859int main(void) {60 puts("<path>");6162 int a;63 quebex_symbolic_array(&a, 1, sizeof(a), "a");64 if (a == 42) {65 puts("you found the answer");66 } else {67 puts("not the answer");68 }6970 puts("</path>");71 return 0;72}73```7475This program can be compiled using [cproc] as follows:7677```78$ cproc -emit-qbe example.c79```8081The resulting QBE representation (`example.qbe`) can be symbolically executed using quebex:8283```84$ quebex-cli example.qbe85```8687This will yield the following output:8889```90<path>91not the answer92</path>93<path>94you found the answer95</path>9697Amount of paths: 298```99100This tells us that quebex found two paths through our program based on the symbolic variable `a`.101In the future, it will be possible to obtain test inputs for each path in a standardized format using `quebex-cli`, which can then be used to automatically [generate high-coverage tests][KLEE OSDI].102However, for now the focus is on improving the library, not the command-line interface.103104### Design Goals105106This project is intentionally written in a simple subset of the [Haskell] programming language.107It should be usable by anyone with a basic Haskell background (e.g., as obtained by reading [Learn You a Haskell for Great Good!][learnyouahaskell]).108Further, the project should require minimal long-term maintenance and should also support older GHC versions.109Therefore, it uses the [GHC2021] language standard and avoids usage of additional language extensions.110Further, whenever possible, dependencies on external libraries that are [not bundled by GHC][GHC libraries] must be avoided.111112### Development113114Code should be formatted using [ormolu][ormolu github].115Git hooks performing several sanity checks, including ensuring the proper code formatting, are available.116These hooks can be enabled using:117118 $ git config --local core.hooksPath .githooks119120Further, a [Guix] environment for development purposes can be obtained using:121122 $ guix time-machine -C .guix/channels.scm -- shell -L .guix/modules/ -m .guix/manifest.scm123124### License125126This project uses the [REUSE Specification] to indicated used software license.127128[QBE]: https://c9x.me/compile/129[QBE vs LLVM]: https://c9x.me/compile/doc/llvm.html130[LLVM]: https://llvm.org/131[KLEE]: https://klee-se.org132[KLEE LLVM]: https://klee-se.org/build/build-llvm13/133[KLEE OSDI]: https://www.usenix.org/legacy/events/osdi08/tech/full_papers/cadar/cadar.pdf134[SCC]: https://www.simple-cc.org/135[cproc]: https://sr.ht/~mcf/cproc/136[Hare]: https://harelang.org/137[Haskell]: https://haskell.org/138[GHC]: https://www.haskell.org/ghc/139[GHC2021]: https://ghc.gitlab.haskell.org/ghc/doc/users_guide/exts/control.html#extension-GHC2021140[GHC libraries]: https://ghc.gitlab.haskell.org/ghc/doc/libraries/index.html141[learnyouahaskell]: https://learnyouahaskell.github.io/chapters.html142[libriscv]: https://github.com/agra-uni-bremen/libriscv143[ormolu github]: https://github.com/tweag/ormolu144[REUSE Specification]: https://reuse.software/spec-3.3/145[Guix]: https://guix.gnu.org146[symbolic execution]: https://en.wikipedia.org/wiki/Symbolic_execution