From ferhat.erata at yale.edu  Mon Apr  3 01:39:39 2023
From: ferhat.erata at yale.edu (Ferhat Erata)
Date: Sun, 2 Apr 2023 20:39:39 -0400
Subject: [klee-dev] Getting symbolic expressions from the symbolic store with `klee_print_expr`
Message-ID:

Hi,

I wanted to ask about converting symbolic expressions in KQuery format to SMTLIB format.

Currently, I am able to obtain the symbolic expressions using `klee_print_expr` in KQuery format, but I need to manipulate them in bit-vector logic, which requires converting them to SMTLIB format to process them, preferably with Z3 or STP. I tried to modify the code in `SpecialFunctionHandler.cpp` to generate SMTLIB expressions. However, the resulting expressions are invalid assertions.

I have included an example in the email to illustrate my situation. I would appreciate it if you could provide me with feedback.

Thank you for your time and assistance.

Best,
~ Ferhat

------------------------------------------

Please find an example in the following:
```
#include "klee/klee.h"

int main(int argc, char *argv[]) {
  int x;
  klee_make_symbolic(&x, sizeof(x), "x");
  int b, c;
  b = x + 10;
  klee_print_expr("b", b);
  c = x * x;
  klee_print_expr("c", c);
}
```

KLEE returns the following output in KQuery representations for those variables as expected:
```
b:(Add w32 10
        (ReadLSB w32 0 x))
c:(Mul w32 N0:(ReadLSB w32 0 x)
        N0)
```

The first thing that came to my mind was to convert those expressions to SMTLIB expressions.
Therefore, I changed the code in `SpecialFunctionHandler.cpp` as follows:
```
void SpecialFunctionHandler::handlePrintExpr(ExecutionState &state,
                                             KInstruction *target,
                                             std::vector<ref<Expr>> &arguments) {
  assert(arguments.size()==2 &&
         "invalid number of arguments to klee_print_expr");

  std::string msg_str = readStringAtAddress(state, arguments[0]);
  llvm::errs() << msg_str << ":" << arguments[1] << "\n";

  llvm::errs() << "----\n";
  ExprSMTLIBPrinter printer;
  printer.setOutput(llvm::errs());
  Query query(state.constraints, arguments[1]);
  printer.setQuery(query);
  printer.generateOutput();
}
```

Now, I get the following:
```
b:(Add w32 10
        (ReadLSB w32 0 x))
(set-logic QF_AUFBV )
(declare-fun x () (Array (_ BitVec 32) (_ BitVec 8) ) )
(assert (= (_ bv4294967286 32) (concat (select x (_ bv3 32) ) (concat (select x (_ bv2 32) ) (concat (select x (_ bv1 32) ) (select x (_ bv0 32) ) ) ) ) ) )
(check-sat)
(exit)

c:(Mul w32 N0:(ReadLSB w32 0 x)
        N0)
(set-logic QF_AUFBV )
(declare-fun x () (Array (_ BitVec 32) (_ BitVec 8) ) )
(assert (= (_ bv0 32) (bvmul (!
(concat (select x (_ bv3 32) ) (concat (select x (_ bv2 32) ) (concat (select x (_ bv1 32) ) (select x (_ bv0 32) ) ) ) ) :named ?B1) ?B1 ) ) )
(check-sat)
(exit)
```

However, you can see that the code that I added turns them into invalid assertions; I would instead expect to get symbolic expressions that are semantically equivalent to those of KQuery:
```
[4294967286 ==
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
------------------------
[0 ==
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))*
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
```

I would expect something similar to this with an additional symbolic input:
```
[Concat(b[3], Concat(b[2], Concat(b[1], b[0]))) == 10 +
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
------------------------
[Concat(c[3], Concat(c[2], Concat(c[1], c[0]))) ==
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))*
 Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
```

Best,
~ Ferhat


From c.cadar at imperial.ac.uk  Mon Apr  3 15:48:24 2023
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Mon, 3 Apr 2023 17:48:24 +0300
Subject: [klee-dev] General question
In-Reply-To:
References:
Message-ID:

Hi both,

Let me answer this as part of the more detailed email Ferhat sent today.

But more generally, you can use Kleaver to load queries in KQuery format and print them to SMT-LIB2 format:

kleaver --print-smtlib file.kquery

Best,
Cristian

On 30/03/2023 21:57, Ferhat Erata wrote:
> Hi Teja,
>
> I was also looking for this feature. Have you come up with a workaround?
>
> Do you know if there is a way to transform expressions in kquery format to smt2 format?
>
> Best,
> ~ Ferhat
>
>
> On Mon, Jan 9, 2023 at 7:21 AM Teja Sai Srikar Bodavula wrote:
>
>     Hello, I was wondering if there is way in which we can get symbolic formula for a variable in a code in smt2 format unlike kquery format which we get using klee_print_expr.
>     _______________________________________________
>     klee-dev mailing list
>     klee-dev at imperial.ac.uk
>     https://mailman.ic.ac.uk/mailman/listinfo/klee-dev


From c.cadar at imperial.ac.uk  Mon Apr  3 15:58:53 2023
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Mon, 3 Apr 2023 17:58:53 +0300
Subject: [klee-dev] Getting symbolic expressions from the symbolic store with `klee_print_expr`
In-Reply-To:
References:
Message-ID:

Hi Ferhat,

Essentially, you want something like this:

printer.printExpression(arguments[1], ExprSMTLIBPrinter::SORT_BITVECTOR);

To do this right requires a bit more work, but as a quick proof of concept, just change the visibility of this method.

Best,
Cristian

On 03/04/2023 01:39, Ferhat Erata wrote:
> Hi,
>
> I wanted to ask about converting symbolic expressions in KQuery format to SMTLIB format.
>
> Currently, I am able to obtain the symbolic expressions using `klee_print_expr` in KQuery format, but I need to manipulate them in bit-vector logic, which requires converting them to SMTLIB format to process them, preferably with Z3 or STP. I tried to modify the code in `SpecialFunctionHandler.cpp` to generate SMTLIB expressions. However, the resulting expressions are invalid assertions.
>
> I have included an example in the email to illustrate my situation. I would appreciate it if you could provide me with feedback.
>
> Thank you for your time and assistance.
>
> Best,
> ~ Ferhat
>
> ------------------------------------------
>
> Please find an example in the following:
> ```
> #include "klee/klee.h"
>
> int main(int argc, char *argv[]) {
>   int x;
>   klee_make_symbolic(&x, sizeof(x), "x");
>   int b, c;
>   b = x + 10;
>   klee_print_expr("b", b);
>   c = x * x;
>   klee_print_expr("c", c);
> }
> ```
>
> KLEE returns the following output in KQuery representations for those variables as expected:
> ```
> b:(Add w32 10
>         (ReadLSB w32 0 x))
> c:(Mul w32 N0:(ReadLSB w32 0 x)
>         N0)
> ```
>
> The first thing that came to my mind was to convert those expressions to SMTLIB expressions. Therefore, I changed the code in `SpecialFunctionHandler.cpp` as follows:
> ```
> void SpecialFunctionHandler::handlePrintExpr(ExecutionState &state,
>                                              KInstruction *target,
>                                              std::vector<ref<Expr>> &arguments) {
>   assert(arguments.size()==2 &&
>          "invalid number of arguments to klee_print_expr");
>
>   std::string msg_str = readStringAtAddress(state, arguments[0]);
>   llvm::errs() << msg_str << ":" << arguments[1] << "\n";
>
>   llvm::errs() << "----\n";
>   ExprSMTLIBPrinter printer;
>   printer.setOutput(llvm::errs());
>   Query query(state.constraints, arguments[1]);
>   printer.setQuery(query);
>   printer.generateOutput();
> }
> ```
>
> Now, I get the following:
> ```
> b:(Add w32 10
>         (ReadLSB w32 0 x))
> (set-logic QF_AUFBV )
> (declare-fun x () (Array (_ BitVec 32) (_ BitVec 8) ) )
> (assert (= (_ bv4294967286 32) (concat (select x (_ bv3 32) ) (concat (select x (_ bv2 32) ) (concat (select x (_ bv1 32) ) (select x (_ bv0 32) ) ) ) ) ) )
> (check-sat)
> (exit)
>
> c:(Mul w32 N0:(ReadLSB w32 0 x)
>         N0)
> (set-logic QF_AUFBV )
> (declare-fun x () (Array (_ BitVec 32) (_ BitVec 8) ) )
> (assert (= (_ bv0 32) (bvmul (!
> (concat (select x (_ bv3 32) ) (concat (select x (_ bv2 32) ) (concat (select x (_ bv1 32) ) (select x (_ bv0 32) ) ) ) ) :named ?B1) ?B1 ) ) )
> (check-sat)
> (exit)
> ```
>
> However, you can see that the code that I added turns them into invalid assertions; I would instead expect to get symbolic expressions that are semantically equivalent to those of KQuery:
> ```
> [4294967286 ==
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
> ------------------------
> [0 ==
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))*
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
> ```
>
> I would expect something similar to this with an additional symbolic input:
> ```
> [Concat(b[3], Concat(b[2], Concat(b[1], b[0]))) == 10 +
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
> ------------------------
> [Concat(c[3], Concat(c[2], Concat(c[1], c[0]))) ==
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))*
>  Concat(x[3], Concat(x[2], Concat(x[1], x[0])))]
> ```
>
> Best,
> ~ Ferhat


From delphine.longuet at thalesgroup.com  Mon Apr 24 10:53:36 2023
From: delphine.longuet at thalesgroup.com (LONGUET Delphine)
Date: Mon, 24 Apr 2023 09:53:36 +0000
Subject: [klee-dev] Symbolic calls to mqueue.h functions ?
Message-ID:

Hello,

I am trying to execute Klee on a code using mqueue.h and despite the -posix-runtime and -libc=uclibc options, functions mq_open, mq_close, etc, remain "undefined references". I can see that there actually are implementations of these functions in /klee-uclibc/librt/, but they don't seem to exist in klee-uclibc.bca which is used during the execution of Klee.
/* header names were lost in the archive (angle brackets stripped); restored */
#include <mqueue.h>
#include <fcntl.h>
#include <klee/klee.h>

int main() {
  mqd_t mq;
  char name[5];
  klee_make_symbolic(name, sizeof(name), "name");
  mq = mq_open(name, O_RDWR | O_CREAT, 0700, NULL);
  if(mq == -1) {
    return 1;
  }
  return 0;
}

$ clang -c -g -I ~/klee/include -emit-llvm queue.c
$ klee -posix-runtime -libc=uclibc queue.bc
KLEE: NOTE: Using POSIX model: /home/user/klee_deps/klee_build110stp_z3/runtime/lib/libkleeRuntimePOSIX64_Debug+Asserts.bca
KLEE: NOTE: Using klee-uclibc: /home/user/klee_deps/klee_build110stp_z3/runtime/lib/klee-uclibc.bca
[...]
KLEE: WARNING: undefined reference to function: mq_open
[...]
KLEE: WARNING ONCE: calling external: mq_open(93983045383648, 66, 448, 0) at queue.c
[...]
KLEE: done: completed paths = 1

Is there something I am doing wrong? How can I link to the Klee implementation of function mq_open?

In a more general way, how can I know what exactly is in klee-uclibc?

Thank you very much for your help.
Best regards,
Delphine Longuet


From m.nowack at imperial.ac.uk  Tue Apr 25 14:59:08 2023
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Tue, 25 Apr 2023 13:59:08 +0000
Subject: [klee-dev] Symbolic calls to mqueue.h functions ?
In-Reply-To:
References:
Message-ID:

Hi,

> On 24. Apr 2023, at 10:53, LONGUET Delphine wrote:
>
>
> I am trying to execute Klee on a code using mqueue.h and despite the -posix-runtime and -libc=uclibc options, functions mq_open, mq_close, etc, remain "undefined references". I can see that there actually are implementations of these functions in /klee-uclibc/librt/, but they don't seem to exist in klee-uclibc.bca which is used during the execution of Klee.

With `-libc=uclibc`, only `klee-uclibc/lib/libc.a` is linked/loaded (it's an archive containing respective bitcode files). Functions like `mq_*` are part of `lib/librt.a`. This library is not loaded which is unfortunately not that obvious.

Can you try to link/load the library using `--link-llvm-lib=/path/to/klee-uclibc/lib/librt.a` as an additional argument for KLEE?
The library should contain the necessary additional bitcode files.

> In a more general way, how can I know what exactly is in klee-uclibc?

With `ar t klee-uclibc/lib/libc.a` the files that are part of the library are listed. Their names mirror the source code files.

Let me know if that works.

Best,
Martin


From delphine.longuet at thalesgroup.com  Tue Apr 25 16:07:53 2023
From: delphine.longuet at thalesgroup.com (LONGUET Delphine)
Date: Tue, 25 Apr 2023 15:07:53 +0000
Subject: [klee-dev] Symbolic calls to mqueue.h functions ?
In-Reply-To:
References:
Message-ID:

Hi Martin,

Thanks a lot for your answer. That works, in the sense that now mq_open is found, but unfortunately, the implementation contains assembly code not supported by Klee:

KLEE: WARNING: function "__syscall_mq_open" has inline asm
[...]
KLEE: ERROR: librt/mq_open.c:15: inline assembly is unsupported

In file librt/mq_open.c (lines 14-15):

#define __NR___syscall_mq_open __NR_mq_open
static inline _syscall4(int, __syscall_mq_open, const char*, name, int, oflag, __kernel_mode_t, mode, void *, attr);

Is there anything I can do about it?

Thank you.
Best regards,
Delphine

> -----Original message-----
> From: Nowack, Martin
> Sent: Tuesday 25 April 2023 15:59
> To: LONGUET Delphine
> Cc: klee-dev
> Subject: Re: [klee-dev] Symbolic calls to mqueue.h functions ?
>
> Hi,
>
> > On 24. Apr 2023, at 10:53, LONGUET Delphine wrote:
> >
> >
> > I am trying to execute Klee on a code using mqueue.h and despite the -posix-runtime and -libc=uclibc options, functions mq_open, mq_close, etc, remain "undefined references". I can see that there actually are implementations of these functions in /klee-uclibc/librt/, but they don't seem to exist in klee-uclibc.bca which is used during the execution of Klee.
>
> With `-libc=uclibc`, only `klee-uclibc/lib/libc.a` is linked/loaded (it's an archive containing respective bitcode files). Functions like `mq_*` are part of `lib/librt.a`.
> This library is not loaded which is unfortunately not that obvious.
> Can you try to link/load the library using `--link-llvm-lib=/path/to/klee-uclibc/lib/librt.a` as an additional argument for KLEE? The library should contain the necessary additional bitcode files.
>
> > In a more general way, how can I know what exactly is in klee-uclibc?
> With `ar t klee-uclibc/lib/libc.a` the files that are part of the library are listed. Their names mirror the source code files.
>
> Let me know if that works.
>
> Best,
> Martin


From m.nowack at imperial.ac.uk  Thu Apr 27 17:48:40 2023
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Thu, 27 Apr 2023 16:48:40 +0000
Subject: [klee-dev] Symbolic calls to mqueue.h functions ?
In-Reply-To:
References:
Message-ID:

Hi Delphine,

> On 25. Apr 2023, at 16:07, LONGUET Delphine wrote:
>
> Hi Martin,
>
> Thanks a lot for your answer. That works, in the sense that now mq_open is found, but unfortunately, the implementation contains assembly code not supported by Klee:
>
> KLEE: WARNING: function "__syscall_mq_open" has inline asm
> [...]
> KLEE: ERROR: librt/mq_open.c:15: inline assembly is unsupported
>
> In file librt/mq_open.c (lines 14-15):
>
> #define __NR___syscall_mq_open __NR_mq_open
> static inline _syscall4(int, __syscall_mq_open, const char*, name, int, oflag, __kernel_mode_t, mode, void *, attr);
>
> Is there anything I can do about it?

Yes, there are mainly two options:

* support for handling inline assembly was added recently and is available as part of upstream but not as part of a released version of KLEE. If you can, use the development branch to check if that helps you. (If you want to back port specific changes to your code base, have a look here: https://github.com/klee/klee/pull/1515)

* In KLEE uclibc's libc, we use a different technique. Essentially, a generic `syscall` function call is used for all system calls (https://www.gnu.org/software/libc/manual/html_node/System-Calls.html).
The same approach is used for libc as well by disabling system-specific asm includes, which triggers a fallback to the function call approach (https://github.com/klee/klee-uclibc/commit/e7b3e0f0e8c7cfff58f3770b1bb1434ede0fb6c3)

I haven't had a closer look at why this isn't used for `librt` either, but you could rewrite the librt code to use the syscall function as well, e.g. as a proof of concept.

Let me know if any of those options work for you.

Best,
Martin

>
> Thank you.
> Best regards,
> Delphine
>
>> -----Original message-----
>> From: Nowack, Martin
>> Sent: Tuesday 25 April 2023 15:59
>> To: LONGUET Delphine
>> Cc: klee-dev
>> Subject: Re: [klee-dev] Symbolic calls to mqueue.h functions ?
>>
>> Hi,
>>
>>> On 24. Apr 2023, at 10:53, LONGUET Delphine wrote:
>>>
>>>
>>> I am trying to execute Klee on a code using mqueue.h and despite the -posix-runtime and -libc=uclibc options, functions mq_open, mq_close, etc, remain "undefined references". I can see that there actually are implementations of these functions in /klee-uclibc/librt/, but they don't seem to exist in klee-uclibc.bca which is used during the execution of Klee.
>>
>> With `-libc=uclibc`, only `klee-uclibc/lib/libc.a` is linked/loaded (it's an archive containing respective bitcode files). Functions like `mq_*` are part of `lib/librt.a`. This library is not loaded which is unfortunately not that obvious.
>> Can you try to link/load the library using `--link-llvm-lib=/path/to/klee-uclibc/lib/librt.a` as an additional argument for KLEE? The library should contain the necessary additional bitcode files.
>>
>>> In a more general way, how can I know what exactly is in klee-uclibc?
>> With `ar t klee-uclibc/lib/libc.a` the files that are part of the library are listed. Their names mirror the source code files.
>>
>> Let me know if that works.
>>
>> Best,
>> Martin
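Added example, not code from klee-uclibc, from KLEE, or from anyone in the thread: one way to carry out Martin's second option, a proof-of-concept `mq_open` (plus `mq_unlink` for cleanup) written against the generic `syscall()` entry point instead of the `_syscall4` inline-asm macro that produced the "inline assembly is unsupported" error. It assumes a Linux target where `<sys/syscall.h>` defines `SYS_mq_open` and `SYS_mq_unlink`; the leading-slash check and the `name + 1` passed to the kernel follow the usual POSIX-wrapper contract rather than anything stated on the page, and the `poc_` function names are placeholders.

```c
/*
 * Added example (not klee-uclibc or KLEE code): an mq_open/mq_unlink pair
 * that reaches the kernel through the generic syscall() function instead of
 * the _syscall4 inline-asm macro.  KLEE can interpret everything in this
 * file; only the syscall() call itself is left for the runtime to model or
 * to dispatch as an external call.
 *
 * Assumptions (not taken from the thread): Linux target, <sys/syscall.h>
 * defining SYS_mq_open / SYS_mq_unlink, and the usual wrapper contract that
 * queue names start with '/' and the kernel receives the name without that
 * slash.  The poc_ names are placeholders.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SYS_mq_open
#error "this example assumes a Linux target that defines SYS_mq_open"
#endif

/* Explicit prototype, matching the libc declaration, so the call compiles
 * even when the feature-test macros were already fixed by an earlier header. */
extern long syscall(long number, ...);

/* Reject names that break the POSIX contract without touching the kernel.
 * Under KLEE with a symbolic `name`, this is the test the path forks on. */
int poc_mq_name_ok(const char *name)
{
    return name != NULL && name[0] == '/';
}

/* Stand-in for librt/mq_open.c: same signature as mq_open(3), but the trap
 * into the kernel is a plain function call rather than inline asm. */
mqd_t poc_mq_open(const char *name, int oflag, mode_t mode,
                  struct mq_attr *attr)
{
    if (!poc_mq_name_ok(name)) {
        errno = EINVAL;
        return (mqd_t)-1;
    }
    /* The kernel expects the queue name without the leading '/'. */
    long fd = syscall(SYS_mq_open, name + 1, oflag, mode, attr);
    return fd < 0 ? (mqd_t)-1 : (mqd_t)fd;   /* syscall() set errno on failure */
}

/* Same treatment for mq_unlink so the demo below can clean up after itself. */
int poc_mq_unlink(const char *name)
{
    if (!poc_mq_name_ok(name)) {
        errno = EINVAL;
        return -1;
    }
    return syscall(SYS_mq_unlink, name + 1) < 0 ? -1 : 0;
}

int main(void)
{
    /* Path 1: contract violation, handled entirely in user space. */
    if (poc_mq_open("noslash", O_RDONLY, 0, NULL) == (mqd_t)-1)
        printf("noslash: rejected, errno=%d (%s)\n", errno, strerror(errno));

    /* Path 2: a real queue via the generic syscall entry point.  Whether this
     * succeeds depends on the host (mqueue support, limits, sandboxing). */
    const char *qname = "/klee_poc_queue";   /* constructed demo name */
    mqd_t q = poc_mq_open(qname, O_RDWR | O_CREAT, 0600, NULL);
    if (q == (mqd_t)-1) {
        printf("%s: mq_open failed, errno=%d (%s)\n", qname, errno, strerror(errno));
        return 1;
    }
    printf("%s: opened as descriptor %d\n", qname, (int)q);
    close(q);
    poc_mq_unlink(qname);
    return 0;
}
```

Compiled natively this just exercises both paths. Built to bitcode and run under KLEE with a symbolic `name` like the one in Delphine's `queue.c`, the `name[0] == '/'` test forks into the EINVAL path and the syscall path; on the latter, unless the POSIX runtime supplies a model for `syscall`, KLEE concretises the arguments and dispatches an external call, which is the same "calling external" behaviour visible in her first run, only now the path through the wrapper body is explored symbolically instead of aborting on inline asm.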