[klee-dev] Working with fixed memory locations.

Marco Vanotti mvanotti at dc.uba.ar
Thu Jun 16 18:55:55 BST 2022


Hi klee-dev!

I am new to KLEE, and have a question about using it with one of my
programs.

I have a program that when compiled, adds a program header that loads a
data blob into a fixed memory location.

This means that my program has this fixed memory location hardcoded all
around the place (also this blob has references to itself).

I would like to load my program in KLEE to get a better understanding of
how it works. The problem I am facing is that I have no idea how to make
KLEE understand that I need this blob mapped in that address.

These are the things I've tried:

* Using wllvm/gclang to get the full program linked together, following my
link script, then extracting the bc and running that with KLEE. This didn't
work. KLEE complains that the pointers are invalid.

* Manually embedding the blob into my program as an array, then calling
`mmap` with `MAP_FIXED` to map the area that I want and copying over the
blob.

The issue here is that MAP_FIXED returns EPERM because probably the address
range I am trying to map is already mapped.


* Setting the KLEE deterministic allocations to encompass the range that I
care about, then doing a big `malloc` and making sure that my range is
inside that malloc chunk.

For this last one, I am using flags like:
--allocate-determ --allocate-determ-start-address=8404992
--allocate-determ-size=3145728

One of the things that I see is that KLEE fails to mmap big chunks (in the
order of 100MiB). But even if I decrease the size, I still get failures
when I try to assert things like:

uintptr_t malloc_addr = (uintptr_t) malloc(malloc_size);
klee_assert(BASE_ADDR >= malloc_addr);
klee_assert(BASE_ADDR < malloc_addr + malloc_size);

------

Something that might be relevant is that in reality I need two of these
blobs loaded into different regions of memory, but so far I can't even get
to load one. And they are not too far apart from each other, so if, for
example, the malloc approach works, I could just increase the size and make
the two allocations.

One thing that might complicate things is that these addresses might
collide with where KLEE tries to load the program. I don't know how to deal
with that either.

Any advice on how to tune KLEE for this use case?

Best Regards,
Marco
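The range check in the post (klee_assert on BASE_ADDR against the malloc'd chunk) and the self-referencing blob it describes, worked through as an added example. This is not code from the post or from the KLEE project; the link-time base 0x804000, the 64-byte blob image, its two absolute self-pointers and the relocation table are all constructed here for illustration. The check is written overflow-safe, and the loader goes one step beyond the post: when the arena handed back by malloc does not contain the fixed address (the usual case on a plain host, and under KLEE whenever --allocate-determ-start-address does not cover it), it falls back to placing the blob at the arena start and rebasing the absolute pointers by the load delta, so the harness still runs instead of failing the assertion.

```c
/* Added example, not from the original post or from KLEE. The blob, its
 * link-time base and its relocation table are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical link-time base: the address the program has hardcoded. */
#define BLOB_BASE ((uintptr_t)0x804000u)
#define BLOB_SIZE 64u

/* Constructed blob image: two absolute self-pointers followed by payload.
 * word at offset 0 -> BLOB_BASE + 16, word at offset 8 -> BLOB_BASE + 32. */
static uint8_t blob_image[BLOB_SIZE];

/* Offsets of the pointer-sized fields holding absolute addresses (assumed known,
 * e.g. from the link script or relocation records of the real blob). */
static const size_t blob_relocs[] = { 0, 8 };
#define BLOB_NRELOCS (sizeof blob_relocs / sizeof blob_relocs[0])

void build_blob_image(void) {
    uintptr_t p0 = BLOB_BASE + 16, p1 = BLOB_BASE + 32;
    memset(blob_image, 0, sizeof blob_image);
    memcpy(blob_image + 0, &p0, sizeof p0);
    memcpy(blob_image + 8, &p1, sizeof p1);
    memcpy(blob_image + 16, "hello", 6);
    memcpy(blob_image + 32, "world", 6);
}

/* The post's two klee_asserts as one overflow-safe predicate:
 * does [base, base+len) lie entirely inside [chunk, chunk+chunk_len)? */
int range_within(uintptr_t base, size_t len, uintptr_t chunk, size_t chunk_len) {
    if (len > chunk_len) return 0;
    if (base < chunk) return 0;
    return base - chunk <= chunk_len - len;
}

/* Copy the blob into the arena. If the link-time base lies inside the arena
 * (possible under --allocate-determ with a covering start address/size) the
 * blob lands at its hardcoded address and needs no fixups. Otherwise it goes
 * at the arena start and every absolute self-pointer is rebased by the load
 * delta. Returns the load address, or NULL if the arena is too small. */
uint8_t *load_blob(uint8_t *arena, size_t arena_len) {
    uintptr_t chunk = (uintptr_t)arena;
    uint8_t *dst;
    if (range_within(BLOB_BASE, BLOB_SIZE, chunk, arena_len)) {
        dst = (uint8_t *)BLOB_BASE;           /* inside the arena: fixed placement */
    } else if (arena_len >= BLOB_SIZE) {
        dst = arena;                          /* fallback: relocate */
    } else {
        return NULL;
    }
    memcpy(dst, blob_image, BLOB_SIZE);
    uintptr_t delta = (uintptr_t)dst - BLOB_BASE;   /* unsigned wrap is intended */
    if (delta != 0) {
        for (size_t i = 0; i < BLOB_NRELOCS; i++) {
            uintptr_t v;
            memcpy(&v, dst + blob_relocs[i], sizeof v);
            /* rebase only values that point into the blob's link-time range */
            if (range_within(v, 1, BLOB_BASE, BLOB_SIZE)) {
                v += delta;
                memcpy(dst + blob_relocs[i], &v, sizeof v);
            }
        }
    }
    return dst;
}

/* Follow the first self-pointer of a loaded blob and return the string there. */
const char *blob_first_string(const uint8_t *loaded) {
    uintptr_t v;
    memcpy(&v, loaded, sizeof v);
    return (const char *)v;
}

int main(void) {
    build_blob_image();
    size_t arena_len = 3145728;               /* the --allocate-determ-size from the post */
    uint8_t *arena = malloc(arena_len);
    if (!arena) return 1;
    uint8_t *loaded = load_blob(arena, arena_len);
    if (!loaded) return 1;
    printf("blob at %p (link base %#lx), first pointer -> \"%s\"\n",
           (void *)loaded, (unsigned long)BLOB_BASE, blob_first_string(loaded));
    free(arena);
    return 0;
}
```

The fallback path only works because the offsets of the absolute pointers are known; for a real blob they have to come from the link script or the relocation records, not be guessed. Both paths dereference the self-pointers through the loaded copy, so a harness built this way exercises the same pointer-chasing code whether or not the fixed address was obtainable.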