From austinwang2333 at gmail.com Mon Apr 18 10:55:47 2022
From: austinwang2333 at gmail.com (Wang Austin)
Date: Mon, 18 Apr 2022 17:55:47 +0800
Subject: [klee-dev] How to determine the concretized size when dealing with malloc()
Message-ID:

Hello klee-dev members,

I'm working on a project involving KLEE and SMT solvers. We are collecting queries from KLEE using the v2.2 klee docker image with the "--use-query-log=solver:smt2" option. I observed that the queries collected are not always complete when KLEE is dealing with malloc(), and KLEE would throw an error:

...
KLEE: ERROR: tif_unix.c:334: concretized symbolic size
...

I'm expecting to determine the concretized size for malloc() in accordance with the value of size in the actual execution and check if the queries are more complete in this case.

I checked the source code (klee/lib/Core/Executor.cpp), finding that KLEE would "optimize" when the size is symbolized. And I tried the "--allocate-determ" option for memory management according to the document, which I thought would determine the size to a specific value and resolve the error; however, it doesn't seem to be running right. Here are the results.

1) Normal execution:

...
KLEE: ERROR: tif_unix.c:334: concretized symbolic size
KLEE: NOTE: now ignoring this error at this location
KLEE: seeding done (0 states remain)
...

2) Execution with --allocate-determ=1 --allocate-determ-size=10:

...
KLEE: ERROR: tif_unix.c:334: concretized symbolic size
KLEE: NOTE: now ignoring this error at this location
KLEE: seeding done (0 states remain)
KLEE: Deterministic memory allocation starting frow 0x7ff30000000
...

The size still got concretized, or perhaps I misunderstood the usage of the "--allocate-determ" option.

I'm wondering if there is a way to "determine the concretized size to a specific value when malloc()" or "NOT to optimize the size", so I can collect queries with more completeness using KLEE.

Best Regards,
Austin Wang
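To illustrate the "optimize" path in Executor.cpp that the question refers to, here is an added, simplified Python model of KLEE's size-concretization heuristic for a symbolic malloc() size (my reading of Executor::executeAlloc, not KLEE's own code): the SMT solver is replaced by an explicit set of sizes the path constraints allow, and the solver's model is passed in as `example`. It shows why a size pinned to one or two values forks cleanly, while an unbounded size is concretized and reported as "concretized symbolic size", which is the error in the logs above.

```python
# Simplified model of the size-concretization heuristic in KLEE's
# Executor::executeAlloc (lib/Core/Executor.cpp).  Constructed for this
# thread, not KLEE's own code: the SMT solver is replaced by an explicit
# set of sizes the path constraints allow.

HUGE = 1 << 31   # sizes above this are treated as a failed malloc (returns 0)
SMALL = 128      # the solver's example is halved toward this before forking


def concretize_alloc(feasible, example=None):
    """Return the outcomes KLEE would produce for one symbolic malloc(size).

    feasible: set of concrete sizes satisfying the current path constraints
    example:  the model the solver hands back for `size` (any member of
              feasible; KLEE takes whatever the solver returns)
    Outcomes are ('alloc', n), ('null',) for the huge-size fork, or
    ('error', 'concretized symbolic size', n) where n is the concretization.
    """
    feasible = set(feasible)
    if example is None:
        example = max(feasible)
    assert example in feasible

    # Try to start with a small example: halve while the solver says the
    # halved value is still feasible.
    while example > SMALL:
        half = example >> 1
        if half not in feasible:      # mayBeTrue(size == half) is false
            break
        example = half

    # fork(state, size == example): the first branch gets a concrete size.
    outcomes = [("alloc", example)]
    remainder = feasible - {example}
    if not remainder:
        return outcomes               # size was effectively concrete

    # Exactly two values: the other branch is also concrete, no error.
    if len(remainder) == 1:
        outcomes.append(("alloc", remainder.pop()))
        return outcomes

    # Otherwise fork again on 2^31 < size: huge sizes yield NULL ...
    if any(n > HUGE for n in remainder):
        outcomes.append(("null",))
    # ... and any remaining symbolic size is reported as the error seen in
    # the thread, with the value that was chosen for the concretization.
    if any(n <= HUGE for n in remainder):
        outcomes.append(("error", "concretized symbolic size", example))
    return outcomes
```

In this model, constraining the symbolic size (for instance with klee_assume) to a single value or to exactly two values is what keeps the allocation free of the error; leaving it unbounded always ends in a concretization.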