diff options
author | Frank Busse <bb0xfb@gmail.com> | 2017-10-13 15:26:05 +0100 |
---|---|---|
committer | MartinNowack <martin.nowack@gmail.com> | 2018-05-01 15:34:38 +0200 |
commit | 76e4240f6e17ab1f17200c603cf827b2bb28458d (patch) | |
tree | 118bc50bf6ecbfe1c275411829095e9faaaf4c1a /lib/Core | |
parent | 3d00adf56f866a802c857682b382d11972a727a1 (diff) | |
download | klee-76e4240f6e17ab1f17200c603cf827b2bb28458d.tar.gz |
add blockaddress and indirectbr instructions
Diffstat (limited to 'lib/Core')
-rw-r--r-- | lib/Core/Executor.cpp | 75 | ||||
-rw-r--r-- | lib/Core/ExecutorUtil.cpp | 5 |
2 files changed, 79 insertions, 1 deletions
diff --git a/lib/Core/Executor.cpp b/lib/Core/Executor.cpp index 794b5980..81b9ec3c 100644 --- a/lib/Core/Executor.cpp +++ b/lib/Core/Executor.cpp @@ -1526,6 +1526,79 @@ void Executor::executeInstruction(ExecutionState &state, KInstruction *ki) { } break; } + case Instruction::IndirectBr: { + // implements indirect branch to a label within the current function + const auto bi = cast<IndirectBrInst>(i); + auto address = eval(ki, 0, state).value; + address = toUnique(state, address); + + // concrete address + if (const auto CE = dyn_cast<ConstantExpr>(address.get())) { + const auto bb_address = (BasicBlock *) CE->getZExtValue(Context::get().getPointerWidth()); + transferToBasicBlock(bb_address, bi->getParent(), state); + break; + } + + // symbolic address + const auto numDestinations = bi->getNumDestinations(); + std::vector<BasicBlock *> targets; + targets.reserve(numDestinations); + std::vector<ref<Expr>> expressions; + expressions.reserve(numDestinations); + + ref<Expr> errorCase = ConstantExpr::alloc(1, Expr::Bool); + SmallPtrSet<BasicBlock *, 5> destinations; + // collect and check destinations from label list + for (unsigned k = 0; k < numDestinations; ++k) { + // filter duplicates + const auto d = bi->getDestination(k); + if (destinations.count(d)) continue; + destinations.insert(d); + + // create address expression + const auto PE = Expr::createPointer((uint64_t) (unsigned long) (void *) d); + ref<Expr> e = EqExpr::create(address, PE); + + // exclude address from errorCase + errorCase = AndExpr::create(errorCase, Expr::createIsZero(e)); + + // check feasibility + bool result; + bool success __attribute__ ((unused)) = solver->mayBeTrue(state, e, result); + assert(success && "FIXME: Unhandled solver failure"); + if (result) { + targets.push_back(d); + expressions.push_back(e); + } + } + // check errorCase feasibility + bool result; + bool success __attribute__ ((unused)) = solver->mayBeTrue(state, errorCase, result); + assert(success && "FIXME: Unhandled solver failure"); + if (result) { + expressions.push_back(errorCase); + } + + // fork states + std::vector<ExecutionState *> branches; + branch(state, expressions, branches); + + // terminate error state + if (result) { + terminateStateOnExecError(*branches.back(), "indirectbr: illegal label address"); + branches.pop_back(); + } + + // branch states to resp. target blocks + assert(targets.size() == branches.size()); + for (std::vector<ExecutionState *>::size_type k = 0; k < branches.size(); ++k) { + if (branches[k]) { + transferToBasicBlock(targets[k], bi->getParent(), *branches[k]); + } + } + + break; + } case Instruction::Switch: { SwitchInst *si = cast<SwitchInst>(i); ref<Expr> cond = eval(ki, 0, state).value; @@ -1641,7 +1714,7 @@ void Executor::executeInstruction(ExecutionState &state, KInstruction *ki) { } } break; - } + } case Instruction::Unreachable: // Note that this is not necessarily an internal bug, llvm will // generate unreachable instructions in cases where it knows the diff --git a/lib/Core/ExecutorUtil.cpp b/lib/Core/ExecutorUtil.cpp index 62d65c31..a0f4de3d 100644 --- a/lib/Core/ExecutorUtil.cpp +++ b/lib/Core/ExecutorUtil.cpp @@ -119,6 +119,11 @@ namespace klee { assert(isa<ConstantExpr>(res) && "result of constant vector built is not a constant"); return cast<ConstantExpr>(res); + } else if (const BlockAddress * ba = dyn_cast<BlockAddress>(c)) { + // return the address of the specified basic block in the specified function + const auto arg_bb = (BasicBlock *) ba->getOperand(1); + const auto res = Expr::createPointer((uint64_t) (unsigned long) (void *) arg_bb); + return cast<ConstantExpr>(res); } else { std::string msg("Cannot handle constant "); llvm::raw_string_ostream os(msg); |