about summary refs log tree commit diff homepage
path: root/lib
AgeCommit message (Collapse)Author
2016-02-20Fix valueIsOnlyCalled() used by MD2U.Sean Bartell
CallInst::getOperand() uses incompatible operand orders across LLVM versions. Use CallSite::hasArgument() instead. This bug prevented the MD2U searcher from working correctly.
2016-02-14Handle Z3 API change between 4.4.1 and the current master branchDan Liew
for the ``Z3_get_error_msg()`` function.
2016-02-14Add basic implementation of Z3Builder and Z3Solver and Z3SolverImplDan Liew
which is based on the work of Andrew Santosa (see PR #295) but fixes many bugs in that implementation. The implementation communicates with Z3 via it's C API. This implementation is based of the STPSolver and STPBuilder and so it inherits a lot of its flaws (See TODOs and FIXMEs). I have also ripped out some of the optimisations (constructMulByConstant, constructSDivByConstant and constructUDivByConstant) that were used in the STPBuilder because * I don't trust them * Z3 can probably do these for us in the future if we use the ``Z3_simplify()`` At a glance its performance seems worse than STP but future work can look at improving this.
2016-02-10Add some of the basic plumbing required to support a Z3 solver in KLEE.Dan Liew
2016-02-08Fixed two spelling errors.Marko Dimjašević
2016-01-14MetaSMT build fixes.Dan Liew
2016-01-14Make it possible to build KLEE without using STP and only MetaSMT.Dan Liew
The default core solver is STP if KLEE is built with STP otherwise it is MetaSMT. Whilst I'm here rename SUPPORT_METASMT macro to ENABLE_METASMT for consistency.
2016-01-12Refactor setting the core solver (i.e. STP, MetaSMT or DummySolver) by providingDan Liew
a ``createCoreSolver()`` function. The solver used is set by the new ``--solver-backend`` command line argument. The default is STP. This change necessitated refactoring the MetaSMT stuff. That clearly didn't belong in the Executor! The MetaSMT command line option is now ``--metasmt-backend`` as this only picks the MetaSMT backend. In order to use MetaSMT ``--solver-backend=metasmt`` needs to be passed. Note I don't have MetaSMT built on my development machine so I don't know if the MetaSMT stuff even compiles...
2016-01-12Drop unnecessary ``#include``s from Solver.cpp.Dan Liew
2016-01-12Refactor MetaSMTSolver and MetaSMTSolverImpl out of Solver.cpp intoDan Liew
their own file ``MetaSMTSolver.cpp``. Whilst I'm here also clang-format the modified code. This might not be a NFC (non functional change) as there's a good chance this has broken the MetaSMT build of KLEE. I don't have a build of MetaSMT to hand and there is no TravisCI build. At this point because there is no maintainer for this code I think we should consider removing it as it is going bitrot.
2016-01-12[NFC] Refactor STPSolver and STPSolverImpl out of Solver.cpp into theirDan Liew
own file ``STPSolver.cpp``. Whilst I'm here also clang-format the modified code.
2016-01-12[NFC] Refactor DummySolver out of Solver.cpp into its own fileDan Liew
``DummySolver.cpp``. Whilst I'm here also clang-format the modified code.
2016-01-12[NFC] Refactor ValidatingSolver out of Solver.cpp into its own fileDan Liew
``ValidatingSolver.cpp``. Whilst I'm here also clang-format the modified code.
2016-01-07[NFC] Refactor SolverImpl out of Solver.cpp into its own fileDan Liew
(SolverImpl.cpp). Whilst I'm here also clang-format the modified code.
2015-12-23Fix memory leak detected by ASan whenDan Liew
``IndependentSolver::computeInitialValues()`` was called where at least one of the constraint sets computed by ``getAllIndependentConstraintsSets()`` is either unsatisfiable or the solver failed. To make things (a little) clearer I've made it so that no ``std::list<>*`` is passed to``getAllIndependentConstraintsSets()``. Instead ``getAllIndependentConstraintsSets()`` now returns a ``std::list<>*`` that the caller is responsible for cleaning up. The behaviour previously was really confusing because it was unclear if the caller or callee was responsible for the clean up. This fixes #322
2015-12-23[NFC]Dan Liew
Reformat ``getAllIndependentConstraintsSets()`` using clang-format. It was not formatted correctly and was consequently a little hard to read. Also add braces around a for loop body. The original code for this function came from d9bcbba2c94086039c11c86200670639ee2ec19f
2015-12-23Merge pull request #323 from delcypher/support_objectsize_intrinsicDan Liew
Implement support for lowering the ``llvm.objectsize`` intrinsic
2015-12-23Merge pull request #321 from delcypher/fix_parser_leakDan Liew
Fix a leak detected by ASan in the KQuery parser where on destruction of
2015-12-19Implement support for lowering the ``llvm.objectsize`` intrinsicDan Liew
introduced in LLVM 2.7. Previously KLEE would emit the following error message when ``IntrinsicLowering::LowerIntrinsicCall()`` was called on the intrinsic ``` LLVM ERROR: Code generator does not support intrinsic function 'llvm.objectsize.i64.p0i8'! ``` The ``IntrinsicCleaner`` pass now lowers this intrinsic to a constant integer depending on the second argument to the intrinsic. This corresponds to the case where the size of the object pointed to by the first argument is unknown. An alternative design would be to handle this intrinsic in the Executor where is actually possible to know the size of objects during execution. However that would be much more complicated because if the pointer is symbolic we would have to fork for every object that could be pointed to. The implementation is similar to #260 but we handle the second argument to the intrinsic correctly and also have a simple test case. Unfortunately we have to have a different version of the test case for LLVM 2.9 because the expected suffix for the intrinsic is different in LLVM 2.9.
2015-12-18Fix a leak detected by ASan in the KQuery parser where on destruction ofDan Liew
the ``ParserImpl`` it wouldn't free allocated ``Identifier``s
2015-12-18Move lib/Solver/SolverStats.h -> include/klee/SolverStats.hDan Liew
so that it is possible to ``#include "klee/util/ArrayExprHash.h"``
2015-12-18Fix memory leaks of ``Array`` objects detected by ASan.Dan Liew
Some of these leaks were introduced by the factory constructor for Array objects (f049ff3bc04daead8c3bb9f06e89e71e2054c82a) but a few others have been around for far longer. This leak was fixed by introducing a ``ArrayCache`` object which has two purposes * Retains ownership of all created ``Array`` objects and destroys them when the ``ArrayCache`` destructor is called. * Mimic the caching behaviour for symbolic arrays that was introduced by f049ff3bc04daead8c3bb9f06e89e71e2054c82a where arrays with the same name and size get "uniqued". The Executor now maintains a ``arrayCache`` member that it uses and passes by pointer to objects that need to construct ``Array`` objects (i.e. ``ObjectState``). This way when the Executor is destroyed all the ``Array`` objects get freed which seems like the right time to do this. For Kleaver the ``ParserImpl`` has a ``TheArrayCache`` member that is used for building ``Array`` objects. This means that the Parser must live as long as the built expressions will be used otherwise we will have a use after free. I'm not sure this is the right design choice. It might be better to transfer ownership of the ``Array`` objects to the root ``Decl`` returned by the parser.
2015-12-17Clean up the check in the previous commit by using one of KLEE'sDan Liew
helper functions.
2015-12-17Fixed a bug with how non power 2 values were written to memory, added test ↵Timotej Kapus
for it
2015-12-17[Solver]Add support to dump STP qeries usingMartin Nowack
Use "-debug-dump-stp-queries" argument for KLEE/Kleaver to print out each STP query sent to the STP Solver. Queries have the format which `stp` frontend can understand.
2015-12-17Report fatal error in case CexCache Bindings do not matchMartin Nowack
2015-12-17[Solver]Add simple option to dump queriesMartin Nowack
2015-12-17Refactoring: Moving klee_warning/_error functions to ErrorHandling in ↵Martin Nowack
Support directory
2015-12-17Fix a memory leak in ``UpdateList`` detected by AddressSanitizer.Dan Liew
The overloaded assignment operator previously only deleted the head ``UpdateNode`` if the ``UpdateList`` had exclusive ownership which left the remaining list of ``UpdateNode``s dangling if those nodes had ``refCount`` of 1. To fix this the logic that was previously in the ``UpdateList`` destructor for deleting nodes that were exclusively referenced by the UpdateList has been moved into ``UpdateList::tryFreeNodes()`` so that it can be called from ``UpdateList::operator=()``. It looks like this bug has been in KLEE since the beginning.
2015-12-11Reword help description for ``--silent-klee-assume`` command lineDan Liew
flag as suggested by @ccadar
2015-12-11Add command line flag ``--silent-klee-assume``to suppress errors due toValentin Wüstholz
infeasible assumptions.
2015-12-04Remove dead ifdef in STPBuilder header file. There is noDan Liew
``stp/stplog.h`` header file in the current version of STP and no support in the build system for setting this define so this code is completly dead.
2015-12-04Remove dead ``tempVars`` and ``getTempVar()`` method in STPBuilderDan Liew
2015-09-22[STPBuilder] Generate SRrem expressions correctlyMartin Nowack
The '%' operater in C is not Gauss Modulo but remainder operations. Using a negative number as right operand can result in a negative number. Fix appropriate SRem building Note: MetaSMTlib implementation doesn't have that bug.
2015-09-21Merge pull request #274 from MartinNowack/fix_sdiv_1Cristian Cadar
Fix signed division by constant 1/ -1
2015-09-05Allow to generate initial values with empty constraint setMartin Nowack
2015-08-30Fix signed division by constant 1/ -1Martin Nowack
Division by constant divisor get optimized using shift and multiplication operations in STP builder. The used method cannot be applied for divisor 1 and -1. In that case use slow path.
2015-08-17Merge pull request #239 from yotann/masterCristian Cadar
Fix assertion failure in getDirectCallTarget
2015-08-03Merge pull request #198 from holycrap872/IndependentSolverGetInitialValuesCristian Cadar
New version of the get initial values functionality which makes use of the independent solver.
2015-08-03Merge pull request #243 from ccadar/masterCristian Cadar
Option --readable-posix-inputs used to turn on/off POSIX-related CEX preferences
2015-07-06Make the super-set check in CexCachingSolver default offEric Rizzi
The super-set check in the CexCachingSolver takes MUCH longer than the sub-set check. Upon closer inspection, the super-set check gets slower and slower as more counterexamples fill the UBTree. Pretty quickly, the cost of the super-set check becomes larger than the time required to simply bypass it and go to the Solver.
2015-06-03Added an option --readable-posix-inputs which is used to turn on/off the CEX ↵Cristian Cadar
preferences added in the POSIX model. Removed option --prefer-cex which controlled all CEX preferences.
2015-05-31Make use of prefer-cex optional rather than defaultEric Rizzi
Previously, default Klee would go through every byte in a test case and attempt to bound it to be between 0 and 127, making it human readable. While this may be useful when attempting to understand Klee, it also means that the time required to create large test suites was greatly increased. By making this behavior default off, unsuspecting users won't incur these additional costs.
2015-04-29Fix assertion failure in getDirectCallTargetSean Bartell
It failed when the function being called is a bitcasted alias.
2015-04-25Report the git tag if exists in the output of --version from kleeDan Liew
and kleaver.
2015-04-25Give KLEE release version information in the output of klee and kleaverDan Liew
when they are given the --version command line option. Unfortunately to make the build type and git revision available we need to check this for every build which means KLEE's support library will be rebuilt for every build which will slow down incremental builds. This addresses issue #231
2015-04-15Fix the handling of AShrExpr in ExprSMTLIBPrinter so that an overshiftDan Liew
always goes to zero (matches LLVM's APInt::ashr(...)). This is meant to partially address issue #218. There are a few problems with this commit * It is possible for AShrExpr to not be abbreviated because the scan methods will not see that we print the 0th child of the AShrExpr twice * The added test case should really be run through an SMT solver ( i.e. STP) but that requires infrastructure changes.
2015-04-09Added a new option, --rewrite-equalities, which makes it possible to disable ↵Cristian Cadar
the optimisation that rewrites existing constraints when an equality with a constant is added
2015-04-03Fixed issue introduce during a previous refactoring, related to field ordering.Cristian Cadar
2015-04-02Silenced some compilation warnings.Cristian Cadar