You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I hold back the difinition of String library in uclibc so KLEE will take function in String library as external functions.
When KLEE encounters a call for strcmp(which both arguments are pointer) such as:
KLEE will call flushToConcreteStore() for objectStates that pointed by pointer arguments to get concrete value for each symbolic byte in the objectState. Here the two objectStates are:
According to the path constraints, arg00 has been set to "-", which first byte is 45 and second byte is 0. The result of strcmp(arg00,"-") is expected to be 0. However, the acutal result of strcmp(arg00, "-") is not 0 but -45.
I investigated the reason and found:
According to the semantic of flushToConcreteStore() , KLEE will only try to get a concrete value for bytes that are knownSymbolic and store the concrete value into concreteStore.
voidObjectState::flushToConcreteStore(TimingSolver *solver,
const ExecutionState &state) const {
for (unsigned i = 0; i < size; i++) {
if (isByteKnownSymbolic(i)) {
ref<ConstantExpr> ce;
bool success = solver->getValue(state.constraints, read8(i), ce,
state.queryMetaData);
if (!success)
klee_warning("Solver timed out when getting a value for external call, ""byte %p+%u will have random value",
(void *)object->address, i);
else
ce->toMemory(concreteStore + i);
}
}
}
However, the source code of ObjectState constructor show that for these ObjectState created with an array(like arg00),KLEE will not set the bytes to knownSymbolic(as you can see in the objectState). So when calling flushToConcrete() for these objectStates, nothing happens.
By setting all bytes to knownSymbolic and set each knownSymbolic[offset] to corresponding ReadExpr to array when KLEE creates objectState with array, the above problem will not happen again.
I do not know the reason for original implementation of the ObjectState constructor but it seems that it makes flushToConcrete() not work when encountering similar situation. I want to know whether it is a bug or there are other reasons for designing ObjectState constructor like this?
Looking forward to your kind reply!
The text was updated successfully, but these errors were encountered:
I run KLEE3.0 on program
base64
in coreutils-9.4 and found KLEE cannot get correct concrete value for pointer arguments.My KLEE version
The command line options used for execution are :
I hold back the difinition of String library in uclibc so KLEE will take function in String library as external functions.
When KLEE encounters a call for
strcmp
(which both arguments are pointer) such as:KLEE will call
flushToConcreteStore()
for objectStates that pointed by pointer arguments to get concrete value for each symbolic byte in the objectState. Here the two objectStates are:When executing strcmp, the path constraints of current state is:
According to the path constraints,
arg00
has been set to"-"
, which first byte is 45 and second byte is 0. The result ofstrcmp(arg00,"-")
is expected to be 0. However, the acutal result ofstrcmp(arg00, "-")
is not 0 but -45.I investigated the reason and found:
According to the semantic of
flushToConcreteStore()
, KLEE will only try to get a concrete value for bytes that areknownSymbolic
and store the concrete value intoconcreteStore
.However, the source code of ObjectState constructor show that for these ObjectState created with an array(like
arg00
),KLEE will not set the bytes toknownSymbolic
(as you can see in the objectState). So when calling flushToConcrete() for these objectStates, nothing happens.By setting all bytes to
knownSymbolic
and set eachknownSymbolic[offset]
to corresponding ReadExpr to array when KLEE creates objectState with array, the above problem will not happen again.I do not know the reason for original implementation of the ObjectState constructor but it seems that it makes
flushToConcrete()
not work when encountering similar situation. I want to know whether it is a bug or there are other reasons for designing ObjectState constructor like this?Looking forward to your kind reply!
The text was updated successfully, but these errors were encountered: