[klee-dev] Excuse me,i maybe find an error which is in the implementation of KLEE

曾杰 zyj183247166 at qq.com
Sun May 7 09:21:43 BST 2017 

Hi, all, 
 
   I have followed the tutorial below which is used to test the function "match" , but i found that the generated tests cannot cause memory errors.
 
         Second tutorial: Testing a simple regular expression library. 

         (the website is: http://klee.github.io/tutorials/testing-regex/)

the main code is: 

int main() {

  // The input regular expression.

  char re[SIZE];

    // Make the input symbolic. 

  klee_make_symbolic(re, sizeof re, "re");

  // Try to match against a constant string "hello".

  match(re, "hello");

  return 0;



}
 
the output is:
         
KLEE: Using STP solver backend
   
KLEE: ERROR:   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp.c:23: memory   error: out of bound pointer
   
KLEE: NOTE: now ignoring this error at   this location
   
KLEE: ERROR:   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp.c:25: memory error:   out of bound pointer
   
KLEE: NOTE: now ignoring this error at   this location
   
KLEE: done: total instructions = 4598603
   
KLEE: done: completed paths = 7438
   
KLEE: done: generated tests = 16
     
  
As reported, there are two errors occured.

And the error information is in two files in the below:
 

 
The data in test000007.ktest is:
 

 
I read the source code of ktest-tool and know the following bytes in red circle are the data which are generated to assign the array "re".
 

 
So I change the file Regexp.c as below
         
int main() {
   
    // The input regular expression.
   
    char re[SIZE];
   
  re[0]=0x5E;
   
  re[1]=0x01;
   
  re[2]=0x2A;
   
  re[3]=0x01;
   
  re[4]=0x2A;
   
  re[5]=0x01;
   
  re[6]=0x2A;
   
    // Make the input symbolic. 
   
    //klee_make_symbolic(re, sizeof re, "re");
   
    //klee_assume(re[SIZE - 1] == '\0');
   
 
   
    // Try to match against a constant string "hello".
   
    match(re, "hello");
   
 
   
    return 0;
   
}
     
  
After compiling using gcc, i use valgrind to check it, the result is:
         
valgrind --tool=memcheck   --leak-check=full ./Regexp3 
   
==19827== Memcheck, a memory error   detector
   
==19827== Copyright (C) 2002-2015, and   GNU GPL'd, by Julian Seward et al.
   
==19827== Using Valgrind-3.12.0 and   LibVEX; rerun with -h for copyright info
   
==19827== Command: ./Regexp3
   
==19827== 
   
==19827== Conditional jump or move   depends on uninitialised value(s)
   
==19827==    at 0x4005EF: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400680: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400582: matchstar (in /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400610: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400582: matchstar (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400610: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x4006BB: match (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400739: main (in /home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827== 
   
==19827== 
   
==19827== HEAP SUMMARY:
   
==19827==     in use at exit: 0 bytes in 0 blocks
   
==19827==   total heap usage: 0 allocs, 0 frees, 0   bytes allocated
   
==19827== 
   
==19827== All heap blocks were freed --   no leaks are possible
   
==19827== 
   
==19827== For counts of detected and   suppressed errors, rerun with: -v
   
==19827== Use --track-origins=yes to see   where uninitialised values come from
   
==19827== ERROR SUMMARY: 1 errors from 1   contexts (suppressed: 0 from 0)
   
klee at ubuntu:~/xiaojiework/kleeexperiment/examples/regexp$
     
  
Nothing about out of bound pointer is found. only one error which is about using uninitialised value(s).
 
I doubt that maybe I was wrong in some steps. So I use the following script which is offered by the klee website
         
export   LD_LIBRARY_PATH=/home/klee/xiaojiework/klee-xiaojie/build/debug/lib/:$LD_LIBRARY_PATH
   
gcc -L   /home/klee/xiaojiework/klee-xiaojie/build/debug/lib/ Regexp.c -lkleeRuntest
   
valgrind --tool=memcheck ./a.out
     
  
During execution, it needs to type in the ktest file path manually.

The result is as below and nothing wrong about out of bound pointer is found. 
         
==19176== Memcheck, a memory error   detector
   
==19176== Copyright (C) 2002-2015, and   GNU GPL'd, by Julian Seward et al.
   
==19176== Using Valgrind-3.12.0 and   LibVEX; rerun with -h for copyright info
   
==19176== Command: ./a.out   KTEST_FILE=klee-last/test000007.ktest
   
==19176== 
   
KLEE-RUNTIME: KTEST_FILE not set, please   enter .ktest path: klee-last/test000007.ktest
   
==19176== Conditional jump or move   depends on uninitialised value(s)
   
==19176==    at 0x400796: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x40087B: match (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4008F3: main (in   /home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176== 
   
==19176== 
   
==19176== HEAP SUMMARY:
   
==19176==     in use at exit: 92 bytes in 6 blocks
   
==19176==   total heap usage: 7 allocs, 1 frees, 660   bytes allocated
   
==19176== 
   
==19176== LEAK SUMMARY:
   
==19176==    definitely lost: 0 bytes in 0 blocks
   
==19176==    indirectly lost: 0 bytes in 0 blocks
   
==19176==      possibly lost: 0 bytes in 0 blocks
   
==19176==    still reachable: 92 bytes in 6 blocks
   
==19176==         suppressed: 0 bytes in 0 blocks
   
==19176== Rerun with --leak-check=full to   see details of leaked memory
   
==19176== 
   
==19176== For counts of detected and   suppressed errors, rerun with: -v
   
==19176== Use --track-origins=yes to see   where uninitialised values come from
   
==19176== ERROR SUMMARY: 1 errors from 1   contexts (suppressed: 0 from 0)
     
  
Am I wrong?Maybe i was too uncareful in some steps, but i cannot found where i operate wrongly by myself. Hope for your help!
-------------- next part --------------
HTML attachment scrubbed and removed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 7FF9E532 at 1A9ED30C.17D90E59.png
Type: application/octet-stream
Size: 12282 bytes
Desc: not available
URL: <http://mailman.ic.ac.uk/pipermail/klee-dev/attachments/20170507/20728767/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 47F5EBBD at BDBB7C4C.17D90E59.jpg
Type: image/jpeg
Size: 12099 bytes
Desc: not available
URL: <http://mailman.ic.ac.uk/pipermail/klee-dev/attachments/20170507/20728767/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ED774A2A at 761B3E10.17D90E59.png
Type: application/octet-stream
Size: 6730 bytes
Desc: not available
URL: <http://mailman.ic.ac.uk/pipermail/klee-dev/attachments/20170507/20728767/attachment-0001.obj>

More information about the klee-dev mailing list