Age | Commit message (Collapse) | Author |
|
Provide an additional argument to select the concretisation policy.
Fix a bug where the concretisation of a shared memory object was visible
across different states by retrieving a writable object state first.
|
|
Use existing `Executor::toConstant()` function to transform a symbolic
byte of an `ObjectState` to its concrete representation.
This will also add constraints if required.
|
|
Before, only partially symbolic variables have been concretized.
Now, every object that is not fully concrete is concretized correctly
this includes fully symbolic objects.
|
|
Before, external changes to symbolic variables have not been propagated
back to their internal representation.
Do a byte-by-byte comparison and update object state if required.
|
|
|
|
|
|
whether the expression is concretised. Also changed a C string argument to std::string.
|
|
with symbolic arguments. It also introduces a new external call policy, where the symbolic inputs are left unconstrained following such a call, useful for certain external calls such as printf.
|
|
--compress-execution-tree to --compress-exec-tree. Fix an incorrect reference to --write-exec-tree.
|
|
|
|
|
|
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com>
(cherry picked from commit 5d61fb6114bafbf67c59899d15e397684d4ceb28)
|
|
Co-authored-by: Daniel Schemmel <danielschemmel@users.noreply.github.com>
(cherry picked from commit 5d9af025ee5a01b1650f11ed0612a10357a98308)
|
|
Similar functionality needs to be added using a new pass manager
|
|
Handle like `memalign` for now.
|
|
`Intrinsic::flt_rounds` got removed
|
|
|
|
|
|
|
|
|
|
If an array name ended with a number, adding a number-only suffix could
generate the same name used as part of the solvers.
In the specific testcase `val_1` became solver array `val_111` which
collided with array `val_11` that became `val_111` as well.
Using an `_` as prefix for the suffix, solves that problem in general,
i.e. `val_1` becomes `val_1_11` and `val_11` becomes `val_11_1`.
Fixes #1668
|
|
callers
|
|
|
|
This reworked logic also fixes a buffer overflow which could be triggered during seed extension.
|
|
|
|
|
|
Added a test case.
|
|
and w/o seed extension) based on FP concretization.
|
|
map added to ExecutionState); now storing addresses of MemoryObjects for easier cleanup
|
|
This feature implements tracking of and resolution of memory objects in the presence of
symbolic addresses.
For example, an expression like the following:
int x;
klee_make_symbolic(&x, sizeof(x), "x");
int* tmp = &b.y[x].z;
For a concrete array object "y", which is a member of struct "b", a symbolic offset "x" would normally be resolved to any matching
memory object - including the ones outside of the object "b".
This behaviour is consistent with symbex approach of exploring all execution paths.
However, from the point of view of security testing, we would only be interested to know if we are still
in-bounds or there is a buffer overflow.
The implemented feature creates and tracks (via the GEP instruction) the mapping between the current
symbolic offset and the base object it refers to: in our example we are able to tell that the reference
should happen within the object "b" (as the array "y" is inside the same memory blob). As a result, we are able to minimize
the symbolic exploration to only two paths: one within the bounds of "b", the other with a buffer overflow bug.
The feature is turned on via the single-object-resolution command line flag.
A new test case was implemented to illustrate how the feature works.
|
|
|
|
|
|
Introduce three different kinds of process trees:
1. Noop: does nothing (e.g. no allocations for DFS)
2. InMemory: same behaviour as before (e.g. RandomPathSearcher)
3. Persistent: similar to InMemory but writes nodes to ptree.db
and tracks information such as branch type, termination
type or source location (asm) in nodes. Enabled with
-write-ptree
ptree.db files can be analysed/plotted with the new "klee-ptree"
tool.
|
|
|
|
|
|
|
|
|
|
--external-call-warnings=none|once-per-function|all.
This eliminates the ambiguity when both of the old options were set.
Added test for the new option.
|
|
Note that (as it did previously), this relies on the native types having
the same internal representation as the ApInt type.
|
|
special case
|
|
consistency
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The functionality of the batching searcher that increases the time
budget if it is shorter than the time between two calls to
`selectState()` ignored the disabled time budget. Effectively, the
batching searcher thus picks a very arbitrary time budget on its own.
|
|
available since CMake version 3.14
|
|
|