[klee-dev] Prevent klee from terminating a state upon facing an error
Randolph Wong
u1tlmaw3apon at gmail.com
Thu Aug 18 10:40:19 BST 2016
Hello,
I'm wondering if there is an option to prevent klee from terminating a state
upon facing an error. Here's a toy example to motivate my question:
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char a[10];

    /* An illegal memory read (a[10] is one past the end). Klee will terminate here. */
    fputc(a[10], stderr);

    /*
     * Since klee terminated due to the illegal memory read, we don't get
     * to find this exploitable bug (unbounded copy into a 10-byte buffer).
     */
    strcpy(a, argv[1]);
}
If there isn't an option for it, is there a simple/straightforward way
to implement this?
My hacky attempt at implementing this was to make a copy of
Executor::terminateStateOnError and just remove the line that does
terminateState(state). When a memory error happens, I'll just make it
call my new function. I thought that this would help to at least produce
a test case when the first error happens. However, I'm sure this isn't
the right way. Indeed, running the modified klee on the above code
caused a segfault.
I would appreciate it if someone could give me some directions or feedback on
this. Thanks.
Randolph
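An added example, not part of Randolph's post and not KLEE code: the toy program above has two separate defects, an out-of-bounds read of a[10] (the last valid index of a 10-byte array is 9) and an unbounded strcpy of argv[1] into that array. The version below keeps the same shape but routes both operations through bounds-checked helpers (read_at and copy_bounded are names chosen here), so neither can corrupt memory and a caller can see which check failed. It is the hardened counterpart to the snippet, not a change to how KLEE handles errors.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 10

/* Bounded read: returns -1 instead of reading past the end of buf. */
static int read_at(const char *buf, size_t bufsz, size_t idx, char *out)
{
    if (idx >= bufsz)
        return -1;
    *out = buf[idx];
    return 0;
}

/* Bounded copy: returns -1 when src plus its NUL terminator would not fit,
 * leaving dst untouched; otherwise copies and returns 0. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Mirrors the original main(): both operations from the toy example are
 * attempted in order, but each is checked. Bit 0 of the result is set if
 * the a[10] read was rejected, bit 1 if the input did not fit the buffer. */
int check_input(const char *input)
{
    char a[BUF_SIZE] = {0};
    char c;
    int failures = 0;

    if (read_at(a, sizeof a, BUF_SIZE, &c) != 0)  /* the a[10] read */
        failures |= 1;
    if (copy_bounded(a, sizeof a, input) != 0)     /* the strcpy(a, argv[1]) */
        failures |= 2;
    return failures;
}

int main(int argc, char **argv)
{
    /* argv[1] is also checked for presence, which the original omitted. */
    int f = check_input(argc > 1 ? argv[1] : "");
    if (f & 1)
        fputs("out-of-bounds read rejected\n", stderr);
    if (f & 2)
        fputs("input too long for buffer\n", stderr);
    return f;
}
```

Because the index 10 read is always rejected, check_input never returns 0; the interesting part is bit 1, which flips exactly when the input reaches 10 characters (9 characters plus the terminator is the most that fits).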