From sandipsmit at gmail.com Mon May 2 19:22:17 2022
From: sandipsmit at gmail.com (Sandip Ghosal)
Date: Mon, 2 May 2022 20:22:17 +0200
Subject: [klee-dev] Need help in understanding a kquery generated by KLEE
Message-ID:

Hello,

I need help in understanding a kquery file generated by KLEE. Consider the following C program:

#include <stddef.h>
#include <klee/klee.h>

struct node { struct node *next; };  /* definition not in the original post; only the field used below */

void* foo(struct node *item1, struct node *item2){
    if(item1 == item2){
        item1->next = NULL;
    }
    return item1;
}

int main(){
    struct node *array[3];
    // next allocate memory for each array[i], i=0,1,2
    int item1 = klee_range(0, 3, "item1");
    int item2 = klee_range(0, 3, "item2");
    foo(array[item1], array[item2]);
    return 0;
}

Since my main objective is to understand the query, the above program is simplified and loosely written for reference. Now KLEE generates one kquery as follows:

array const_arr1[24] : w32 -> w8 = [32 77 0 133 168 85 0 0 240 68 0 133 168 85 0 0 0 77 0 133 168 85 0 0]
array item1[4] : w32 -> w8 = symbolic
array item2[4] : w32 -> w8 = symbolic
(query [(Ult N0:(ReadLSB w32 0 item1) 3)
        (Ult N1:(ReadLSB w32 0 item2) 3)
        (Eq N2:(ReadLSB w64 N3:(Extract w32 0 (Mul w64 8 (SExt w64 N0))) const_arr1)
            (ReadLSB w64 N4:(Extract w32 0 (Mul w64 8 (SExt w64 N1))) const_arr1))
        (Eq false (Ult (Add w64 18446649891435295456 N2) 9))
        (Ult (Add w64 18446649891435295488 N2) 9)]
       false)

I am struggling to understand the second and third last lines of the query, which seem to be performing a boundary check on a flat byte memory address. I understand KLEE is implicitly branching over the statement item1->next = NULL, 18446649891435295456 perhaps is the base address for item1, and N2 computes the offset. However, I am failing to understand how the base address is computed and why it is always compared with a constant value of 9?

Thanks in advance.
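The arithmetic behind the last two constraints, as an added example that is not part of the original post: it reads the three w64 pointers back out of const_arr1, recovers the base addresses hidden in the two large constants (base = 2^64 - C, since (Add w64 C addr) is just addr - base in 64-bit wraparound arithmetic), and replays the in-bounds test Ult (Add w64 C addr) 9. It assumes 8-byte pointers and the bounds formula offset < size - bytes + 1 from KLEE's MemoryObject::getBoundsCheckOffset, under which the 9 implies a 16-byte object for the 8-byte store item1->next = NULL.

```c
/* Added example (not from the original post): decode the two large constants in
 * the query above and replay KLEE's bounds check on the pointers in const_arr1.
 * Assumes 8-byte pointers and KLEE's bounds formula offset < size - bytes + 1
 * (MemoryObject::getBoundsCheckOffset), so 9 implies a 16-byte object here. */
#include <stdint.h>
#include <stdio.h>

#define C_OBJ_A 18446649891435295456ULL  /* constants from (Add w64 C N2) in the query */
#define C_OBJ_B 18446649891435295488ULL
#define BOUND   9ULL                     /* the "9" both constraints compare against */
#define STORE_BYTES 8ULL                 /* item1->next = NULL stores one pointer   */

/* const_arr1 exactly as printed in the kquery: three little-endian w64 pointers. */
static const uint8_t const_arr1[24] = {
     32, 77, 0, 133, 168, 85, 0, 0,
    240, 68, 0, 133, 168, 85, 0, 0,
      0, 77, 0, 133, 168, 85, 0, 0,
};

/* ReadLSB w64 (8*i) const_arr1: pointer number i, least significant byte first. */
uint64_t read_lsb64(uint32_t i) {
    uint64_t v = 0;
    for (int b = 7; b >= 0; --b)
        v = (v << 8) | const_arr1[8 * i + b];
    return v;
}

/* (Add w64 C addr) equals addr - base with base = 2^64 - C; recover base from C. */
uint64_t base_from_constant(uint64_t c) { return (uint64_t)0 - c; }

/* KLEE's in-bounds test: (addr - base) mod 2^64 < bound; wraps for addr < base like Ult. */
int in_bounds(uint64_t addr, uint64_t base, uint64_t bound) {
    return (addr - base) < bound;
}

/* bound = size - bytes + 1  =>  size = bound + bytes - 1 */
uint64_t implied_object_size(uint64_t bound, uint64_t bytes) { return bound + bytes - 1; }

int main(void) {
    uint64_t base_a = base_from_constant(C_OBJ_A), base_b = base_from_constant(C_OBJ_B);
    printf("base A %#llx, base B %#llx, object size %llu\n", (unsigned long long)base_a,
           (unsigned long long)base_b, (unsigned long long)implied_object_size(BOUND, STORE_BYTES));
    for (uint32_t i = 0; i < 3; ++i) {
        uint64_t p = read_lsb64(i);
        printf("array[%u] = %#llx  in A: %d  in B: %d\n", i, (unsigned long long)p,
               in_bounds(p, base_a, BOUND), in_bounds(p, base_b, BOUND));
    }
    return 0;
}
```

Base A comes out as the first pointer in const_arr1 and base B as the third, 32 bytes below it, so the query's last two lines say the stored-to address is not inside array[0]'s object but is inside array[2]'s: on this path both indices resolve to array[2].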
--
Thanks & Regards
Sandip Ghosal

From niklaus.leuenb at gmail.com Mon May 2 08:50:23 2022
From: niklaus.leuenb at gmail.com (Niklaus Leuenberger)
Date: Mon, 2 May 2022 09:50:23 +0200
Subject: [klee-dev] KLEE for stateful C API
Message-ID:

Hello klee-dev members,

I'm currently testing out a few approaches on how to test and fuzz a stateful C API. In the process thereof I found KLEE and am fascinated by it. I managed to get it to work and am now asking if my approach is ok or if it has some major drawbacks or problems.

Let's suppose we have the following simple but buggy stateful API:

---
#include <assert.h>

static int g_state;

void setState(int state) {
    g_state = state;
}

void run(void) {
    if (g_state == 123) {
        assert(0);
    }
}
---

If the state is set to 123 and then run() is invoked, the placed assertion fails. For this I have written the following KLEE harness:

---
#include "klee/klee.h"
#include "buggy_api.h"

int main(void) {
    for (int i = 0; i < 2; ++i) {          // sequentially call 2 APIs
        int f_select = klee_choose(2);     // what API to call
        if (f_select == 0) {
            int state = 0;
            klee_make_symbolic(&state, sizeof(state), "state");
            setState(state);
        } else if (f_select == 1) {
            run();
        }
    }
    return 0;
}
---

When running with KLEE, the sequence of calls necessary to trigger the assertion is found almost immediately. But when extending it with more functions, each doubles the runtime. So it scales rather poorly on larger APIs.

Is this how I can use KLEE for checking an API? Or does someone have pointers to a better approach?
Best Regards,
Niklaus Leuenberger

From c.cadar at imperial.ac.uk Mon May 16 23:00:20 2022
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Mon, 16 May 2022 23:00:20 +0100
Subject: [klee-dev] 3rd International KLEE Workshop on Symbolic Execution -- 15-16 September, London and online
Message-ID: <3c0f0a23-7252-b11f-9f2c-beb59e56c986@imperial.ac.uk>

Hi all,

I'm very excited to announce the 3rd International KLEE Workshop on Symbolic Execution (KLEE 2022), taking place in London and online on 15-16 September 2022:

https://srg.doc.ic.ac.uk/klee22/
https://twitter.com/kleesymex/status/1526310428485341187

The first two workshops were really great, with participants from around the world (over 80 at the first one in London, over 200 at the second one online) and an array of interesting keynotes, talks and posters:

https://srg.doc.ic.ac.uk/klee18/
https://srg.doc.ic.ac.uk/klee21/

I am looking forward to another one, so please consider contributing an interesting presentation and/or poster:

https://srg.doc.ic.ac.uk/klee22/cfpresentations.html
https://srg.doc.ic.ac.uk/klee22/cfposters.html

Big thanks to Daniel, Frank, Martin, Hassan and Jamie for their role as co-organizers of this 3rd edition!

Many thanks to Bloomberg, Samsung, Google and Imperial College London for their sponsorship! To keep registration costs low, we are still looking for a few more sponsors, so if your organization is interested in sponsoring the workshop, please let me know.

Looking forward to seeing many of you in September!
Cristian

From shaheen at gmail.com Tue May 31 21:44:49 2022
From: shaheen at gmail.com (Shaheen Cullen-Baratloo)
Date: Tue, 31 May 2022 13:44:49 -0700
Subject: [klee-dev] Klee terminating oddly
Message-ID:

Hi,

I'm running Klee on a program that performs binary multiplication:

-------
#include <stdio.h>
#include <klee/klee.h>

int binmult(long binary1, long binary2) {
    long multiply = 0;
    int digit, factor = 1;
    while (binary2 != 0) {
        digit = binary2 % 10;
        if (digit == 1) {
            binary1 = binary1 * factor;
            int i = 0, remainder = 0, sum[20];
            int binaryprod = 0;
            /* add the two decimal-encoded binary numbers digit by digit */
            while (binary1 != 0 || binary2 != 0) {
                sum[i++] = (binary1 % 10 + binary2 % 10 + remainder) % 2;
                remainder = (binary1 % 10 + binary2 % 10 + remainder) / 2;
                binary1 = binary1 / 10;
                binary2 = binary2 / 10;
            }
            if (remainder != 0)
                sum[i++] = remainder;
            --i;
            while (i >= 0)
                binaryprod = binaryprod * 10 + sum[i--];
            multiply = binaryprod;
        } else
            binary1 = binary1 * factor;
        binary2 = binary2 / 10;
        factor = 10;
    }
    return 0;
}

int main() {
    long binary1;
    klee_make_symbolic(&binary1, sizeof(binary1), "2b6700e0c99f4934b960a895efa60e22");
    long binary2;
    klee_make_symbolic(&binary2, sizeof(binary2), "f55f4c1e835743c3b415e6f1290b372f");
    return binmult(binary1, binary2);
}
-------

I'm compiling it with

clang-6.0 -I /app/klee/include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone binmult.c

and running klee with

klee --max-time=1min --watchdog binmult.bc

On a computer running Ubuntu 22.04, running this occasionally works properly but mostly gives me a message about solver failure, and then trying to check the output gives incomplete results (there's no number for paths covered, for example):

-------
KLEE: WARNING: KLEE: WATCHDOG: time expired, attempting halt via INT
KLEE: WARNING: Unexpected solver failure.
Reason is "interrupted from keyboard,"
/usr/lib/llvm-6.0/lib/libLLVM-6.0.so.1(_ZN4llvm3sys15PrintStackTraceERNS_11raw_ostreamE+0x1a)[0x7ff50e16471a]
/usr/lib/llvm-6.0/lib/libLLVM-6.0.so.1(_ZN4llvm3sys17RunSignalHandlersEv+0x3e)[0x7ff50e1627ee]
/usr/lib/llvm-6.0/lib/libLLVM-6.0.so.1(+0x92097d)[0x7ff50e16297d]
/lib/x86_64-linux-gnu/libc.so.6(+0x37840)[0x7ff50d395840]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x10b)[0x7ff50d3957bb]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x121)[0x7ff50d380535]
klee(+0xbf782)[0x56326e66a782]
klee(+0xc06cf)[0x56326e66b6cf]
klee(+0xc3fb0)[0x56326e66efb0]
klee(+0xc4864)[0x56326e66f864]
klee(+0xc29f5)[0x56326e66d9f5]
klee(+0xb8387)[0x56326e663387]
klee(+0x838ed)[0x56326e62e8ed]
klee(+0x4d08e)[0x56326e5f808e]
klee(+0x564b6)[0x56326e6014b6]
klee(+0x5be21)[0x56326e606e21]
klee(+0x5c6a5)[0x56326e6076a5]
klee(+0x2d919)[0x56326e5d8919]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb)[0x7ff50d38209b]
klee(+0x3928a)[0x56326e5e428a]
KLEE: WARNING: KLEE: watchdog exiting (no child)
-------

On my 2019 MacBook Pro running macOS Monterey, the error happens very occasionally, but it usually runs and terminates fine. I am running Klee in a Docker image, so it's extra strange that the two machines run differently.

Does anyone have any idea why this could be happening, and how to get the path count/test count to display properly when the program halts?

Thanks,
Shaheen