about summary refs log tree commit diff homepage
path: root/lib
AgeCommit message (Collapse)Author
2024-02-08Mention default value in help text for `--strip-all` and `--strip-debug`MartinNowack
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com> (cherry picked from commit 5d61fb6114bafbf67c59899d15e397684d4ceb28)
2024-02-08Use `std::` namespace for `uint64_t`MartinNowack
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com> (cherry picked from commit 5d9af025ee5a01b1650f11ed0612a10357a98308)
2024-02-08Disable unsupported passes for newer LLVM versionsMartin Nowack
Similar functionality needs to be added using a new pass manager
2024-02-08Add support to `aligned_alloc` generated by LLVMMartin Nowack
Handle like `memalign` for now.
2024-02-08Add support for `Intrinsic::get_rounding` for LLVM 16Martin Nowack
`Intrinsic::flt_rounds` got removed
2024-02-08Use APIs of newer LLVM versions instead of unsupported onesMartin Nowack
2024-02-08Add support for opaque pointersMartin Nowack
2024-02-08Refactor invocation of old pass manager into legacy functionMartin Nowack
2024-01-30Change `GetConstraintLog` to work with `std::string`s instead of `char*`sDaniel Schemmel
2024-01-30Avoid generating array names in solver builders that could accidently collideMartin Nowack
If an array name ended with a number, adding a number-only suffix could generate the same name used as part of the solvers. In the specific testcase `val_1` became solver array `val_111` which collided with array `val_11` that became `val_111` as well. Using an `_` as prefix for the suffix, solves that problem in general, i.e. `val_1` becomes `val_1_11` and `val_11` becomes `val_11_1`. Fixes #1668
2024-01-30Modify getValueFromSeeds() to include more functionality and simplify its ↵Cristian Cadar
callers
2024-01-30Make Assignment::evaluate be constCristian Cadar
2024-01-30Removed --zero-seed-extension, and merge it with --allow-seed-extension. ↵Cristian Cadar
This reworked logic also fixes a buffer overflow which could be triggered during seed extension.
2024-01-30Refactored some code related to seeding.Cristian Cadar
2024-01-30On a symbolic allocation, retrieve size from a seed, if availableCristian Cadar
2024-01-30Concretize arguments to external function calls using seeds, if available. ↵Cristian Cadar
Added a test case.
2024-01-30Concretize constants using seed values, when available. Added two tests (w/ ↵Cristian Cadar
and w/o seed extension) based on FP concretization.
2024-01-12Follow-up: applied review comments, implemented meta-data cleanup (one more ↵Tomasz Kuchta
map added to ExecutionState); now storing addresses of MemoryObjects for easier cleanup
2024-01-12Feature: implement single memory object resolution for symbolic addresses.Tomasz Kuchta
This feature implements tracking of and resolution of memory objects in the presence of symbolic addresses. For example, an expression like the following: int x; klee_make_symbolic(&x, sizeof(x), "x"); int* tmp = &b.y[x].z; For a concrete array object "y", which is a member of struct "b", a symbolic offset "x" would normally be resolved to any matching memory object - including the ones outside of the object "b". This behaviour is consistent with symbex approach of exploring all execution paths. However, from the point of view of security testing, we would only be interested to know if we are still in-bounds or there is a buffer overflow. The implemented feature creates and tracks (via the GEP instruction) the mapping between the current symbolic offset and the base object it refers to: in our example we are able to tell that the reference should happen within the object "b" (as the array "y" is inside the same memory blob). As a result, we are able to minimize the symbolic exploration to only two paths: one within the bounds of "b", the other with a buffer overflow bug. The feature is turned on via the single-object-resolution command line flag. A new test case was implemented to illustrate how the feature works.
2024-01-12Renamed PTree to ExecutionTree (and similar)Cristian Cadar
2024-01-12Rename files from PTree to ExecutionTree (and similar)Cristian Cadar
2024-01-12new: persistent ptree (-write-ptree) and klee-ptreeFrank Busse
Introduce three different kinds of process trees: 1. Noop: does nothing (e.g. no allocations for DFS) 2. InMemory: same behaviour as before (e.g. RandomPathSearcher) 3. Persistent: similar to InMemory but writes nodes to ptree.db and tracks information such as branch type, termination type or source location (asm) in nodes. Enabled with -write-ptree ptree.db files can be analysed/plotted with the new "klee-ptree" tool.
2023-09-11Make KDAlloc the default memory allocatorCristian Cadar
2023-09-07Remove broken experimental optimisation for validity (--cex-cache-exp)Cristian Cadar
2023-07-21Add code to only keep in the --help menu the KLEE/Kleaver option categoriesCristian Cadar
2023-07-21Move some options to the klee namespace and declare them in OptionCategories.hCristian Cadar
2023-07-12Replaced --suppress-external-warnings and --all-external-warnings with ↵Cristian Cadar
--external-call-warnings=none|once-per-function|all. This eliminates the ambiguity when both of the old options were set. Added test for the new option.
2023-07-08Combine all `ConstantExpr::toMemory` cases into one.Daniel Schemmel
Note that (as it did previously), this relies on the native types having the same internal representation as the ApInt type.
2023-07-08Using std::memcpy prevents alignment problems and removes an unnecessary ↵Daniel Schemmel
special case
2023-07-06rename Allocator::location_info to Allocator::locationInfo forDaniel Schemmel
consistency
2023-06-26Remove parentheses around klee_ intrinsics from the help menuCristian Cadar
2023-06-26Fixed a couple of spelling issues in the help menuCristian Cadar
2023-06-26Improved help message for --exit-on-error-type=AbortCristian Cadar
2023-06-11SpecialFunctionHandler: use std::array for handlerInfoJulian Büning
2023-06-09Fixed a format specifier pointed to by a compiler warning.Cristian Cadar
2023-06-05make BatchingSearcher more readableJulian Büning
2023-06-05fix BatchingSearcher's disabled time budgetJulian Büning
The functionality of the batching searcher that increases the time budget if it is shorter than the time between two calls to `selectState()` ignored the disabled time budget. Effectively, the batching searcher thus picks a very arbitrary time budget on its own.
2023-06-05CMake: use built-in FindSQLite3 moduleJulian Büning
available since CMake version 3.14
2023-05-26Improve error message when KDAlloc fails to create a mappingDaniel Schemmel
2023-05-26Use unique_ptr for MemoryManager and avoid re-creating it in the first placeMartin Nowack
No need to re-create and re-alloc all the memory again after execution.
2023-04-21use unique_ptr all throughout the solver chainDaniel Schemmel
2023-04-21use unique_ptr in SolverDaniel Schemmel
2023-04-21use unique_ptr in QueryLoggingSolverDaniel Schemmel
2023-04-21use unique_ptr in IndependentSolverDaniel Schemmel
2023-04-21use unique_ptr in CexCachingSolverDaniel Schemmel
2023-04-21use unique_ptr in AssignmentValidatingSolverDaniel Schemmel
2023-04-21use unique_ptr in CachingSolverDaniel Schemmel
2023-04-21use unique_ptr in StagedSolverImplDaniel Schemmel
2023-04-21use unique_ptr in Z3SolverImplDaniel Schemmel
2023-04-21use unique_ptr in ValidatingSolverDaniel Schemmel