Age | Commit message (Collapse) | Author | |
---|---|---|---|
2024-02-08 | Mention default value in help text for `--strip-all` and `--strip-debug` | MartinNowack | |
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com> (cherry picked from commit 5d61fb6114bafbf67c59899d15e397684d4ceb28) | |||
2024-02-08 | Use `std::` namespace for `uint64_t` | MartinNowack | |
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com> (cherry picked from commit 5d9af025ee5a01b1650f11ed0612a10357a98308) | |||
2024-02-08 | Disable unsupported passes for newer LLVM versions | Martin Nowack | |
Similar functionality needs to be added using a new pass manager | |||
2024-02-08 | Add support to `aligned_alloc` generated by LLVM | Martin Nowack | |
Handle like `memalign` for now. | |||
2024-02-08 | Add support for `Intrinsic::get_rounding` for LLVM 16 | Martin Nowack | |
`Intrinsic::flt_rounds` got removed | |||
2024-02-08 | Use APIs of newer LLVM versions instead of unsupported ones | Martin Nowack | |
2024-02-08 | Add support for opaque pointers | Martin Nowack | |
2024-02-08 | Refactor invocation of old pass manager into legacy function | Martin Nowack | |
2024-01-30 | Change `GetConstraintLog` to work with `std::string`s instead of `char*`s | Daniel Schemmel | |
2024-01-30 | Avoid generating array names in solver builders that could accidently collide | Martin Nowack | |
If an array name ended with a number, adding a number-only suffix could generate the same name used as part of the solvers. In the specific testcase `val_1` became solver array `val_111` which collided with array `val_11` that became `val_111` as well. Using an `_` as prefix for the suffix, solves that problem in general, i.e. `val_1` becomes `val_1_11` and `val_11` becomes `val_11_1`. Fixes #1668 | |||
2024-01-30 | Modify getValueFromSeeds() to include more functionality and simplify its ↵ | Cristian Cadar | |
callers | |||
2024-01-30 | Make Assignment::evaluate be const | Cristian Cadar | |
2024-01-30 | Removed --zero-seed-extension, and merge it with --allow-seed-extension. ↵ | Cristian Cadar | |
This reworked logic also fixes a buffer overflow which could be triggered during seed extension. | |||
2024-01-30 | Refactored some code related to seeding. | Cristian Cadar | |
2024-01-30 | On a symbolic allocation, retrieve size from a seed, if available | Cristian Cadar | |
2024-01-30 | Concretize arguments to external function calls using seeds, if available. ↵ | Cristian Cadar | |
Added a test case. | |||
2024-01-30 | Concretize constants using seed values, when available. Added two tests (w/ ↵ | Cristian Cadar | |
and w/o seed extension) based on FP concretization. | |||
2024-01-12 | Follow-up: applied review comments, implemented meta-data cleanup (one more ↵ | Tomasz Kuchta | |
map added to ExecutionState); now storing addresses of MemoryObjects for easier cleanup | |||
2024-01-12 | Feature: implement single memory object resolution for symbolic addresses. | Tomasz Kuchta | |
This feature implements tracking of and resolution of memory objects in the presence of symbolic addresses. For example, an expression like the following: int x; klee_make_symbolic(&x, sizeof(x), "x"); int* tmp = &b.y[x].z; For a concrete array object "y", which is a member of struct "b", a symbolic offset "x" would normally be resolved to any matching memory object - including the ones outside of the object "b". This behaviour is consistent with symbex approach of exploring all execution paths. However, from the point of view of security testing, we would only be interested to know if we are still in-bounds or there is a buffer overflow. The implemented feature creates and tracks (via the GEP instruction) the mapping between the current symbolic offset and the base object it refers to: in our example we are able to tell that the reference should happen within the object "b" (as the array "y" is inside the same memory blob). As a result, we are able to minimize the symbolic exploration to only two paths: one within the bounds of "b", the other with a buffer overflow bug. The feature is turned on via the single-object-resolution command line flag. A new test case was implemented to illustrate how the feature works. | |||
2024-01-12 | Renamed PTree to ExecutionTree (and similar) | Cristian Cadar | |
2024-01-12 | Rename files from PTree to ExecutionTree (and similar) | Cristian Cadar | |
2024-01-12 | new: persistent ptree (-write-ptree) and klee-ptree | Frank Busse | |
Introduce three different kinds of process trees: 1. Noop: does nothing (e.g. no allocations for DFS) 2. InMemory: same behaviour as before (e.g. RandomPathSearcher) 3. Persistent: similar to InMemory but writes nodes to ptree.db and tracks information such as branch type, termination type or source location (asm) in nodes. Enabled with -write-ptree ptree.db files can be analysed/plotted with the new "klee-ptree" tool. | |||
2023-09-11 | Make KDAlloc the default memory allocator | Cristian Cadar | |
2023-09-07 | Remove broken experimental optimisation for validity (--cex-cache-exp) | Cristian Cadar | |
2023-07-21 | Add code to only keep in the --help menu the KLEE/Kleaver option categories | Cristian Cadar | |
2023-07-21 | Move some options to the klee namespace and declare them in OptionCategories.h | Cristian Cadar | |
2023-07-12 | Replaced --suppress-external-warnings and --all-external-warnings with ↵ | Cristian Cadar | |
--external-call-warnings=none|once-per-function|all. This eliminates the ambiguity when both of the old options were set. Added test for the new option. | |||
2023-07-08 | Combine all `ConstantExpr::toMemory` cases into one. | Daniel Schemmel | |
Note that (as it did previously), this relies on the native types having the same internal representation as the ApInt type. | |||
2023-07-08 | Using std::memcpy prevents alignment problems and removes an unnecessary ↵ | Daniel Schemmel | |
special case | |||
2023-07-06 | rename Allocator::location_info to Allocator::locationInfo for | Daniel Schemmel | |
consistency | |||
2023-06-26 | Remove parentheses around klee_ intrinsics from the help menu | Cristian Cadar | |
2023-06-26 | Fixed a couple of spelling issues in the help menu | Cristian Cadar | |
2023-06-26 | Improved help message for --exit-on-error-type=Abort | Cristian Cadar | |
2023-06-11 | SpecialFunctionHandler: use std::array for handlerInfo | Julian Büning | |
2023-06-09 | Fixed a format specifier pointed to by a compiler warning. | Cristian Cadar | |
2023-06-05 | make BatchingSearcher more readable | Julian Büning | |
2023-06-05 | fix BatchingSearcher's disabled time budget | Julian Büning | |
The functionality of the batching searcher that increases the time budget if it is shorter than the time between two calls to `selectState()` ignored the disabled time budget. Effectively, the batching searcher thus picks a very arbitrary time budget on its own. | |||
2023-06-05 | CMake: use built-in FindSQLite3 module | Julian Büning | |
available since CMake version 3.14 | |||
2023-05-26 | Improve error message when KDAlloc fails to create a mapping | Daniel Schemmel | |
2023-05-26 | Use unique_ptr for MemoryManager and avoid re-creating it in the first place | Martin Nowack | |
No need to re-create and re-alloc all the memory again after execution. | |||
2023-04-21 | use unique_ptr all throughout the solver chain | Daniel Schemmel | |
2023-04-21 | use unique_ptr in Solver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in QueryLoggingSolver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in IndependentSolver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in CexCachingSolver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in AssignmentValidatingSolver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in CachingSolver | Daniel Schemmel | |
2023-04-21 | use unique_ptr in StagedSolverImpl | Daniel Schemmel | |
2023-04-21 | use unique_ptr in Z3SolverImpl | Daniel Schemmel | |
2023-04-21 | use unique_ptr in ValidatingSolver | Daniel Schemmel | |