From cnx at loang.net  Thu Aug 10 05:12:21 2023
From: cnx at loang.net (=?utf-8?q?Nguy=E1=BB=85n_Gia_Phong?=)
Date: Thu, 10 Aug 2023 13:12:21 +0900
Subject: [klee-dev] All possible paths from source to destination
 function.
In-Reply-To: <CAMMW=G+sVaoaZoBTFrY=aDehVMMA8y249TW-=ajuHtAWV86QMA@mail.gmail.com>
References: <CAMMW=G+sVaoaZoBTFrY=aDehVMMA8y249TW-=ajuHtAWV86QMA@mail.gmail.com>
Message-ID: <CUOKLGFX5MUC.S6MGZI924TB6@nix>

On 2023-07-25 at 18:50+05:30, Sailesh Sai Teja wrote:
> So lets say I want to trace the execution path from function
> "functionA" to function "divide", the following is the output
> I am expecting
>
> 1. "functionA && ((x < y) && divide)"
> 2. "functionA && ((y > 0) && divide)"

Since no one gave any suggestion, you can try the following
(very cursed) idea if instrumenting each function with something like

bool __trace_tmp;
klee_make_symbolic(&__trace_tmp, 1, "function!name");
klee_assert(__trace_tmp);

and then analyse the path conditions.

Alternatively, in Executor::executeInstruction for Instruction::Call,
you can get the function name and manually log it as well as handling
the ordering of call trace and path conditions, e.g. x < y.


From cnx at loang.net  Wed Aug 16 05:54:22 2023
From: cnx at loang.net (=?utf-8?q?Nguy=E1=BB=85n_Gia_Phong?=)
Date: Wed, 16 Aug 2023 13:54:22 +0900
Subject: [klee-dev] ExprVisitor::visitExpr[Post] and ExprReplaceVisitor[2]
Message-ID: <CUTOVFOZR6S7.3LHY3RWRD3WHO@guix>

Hi,

In lib/Expr/Constraints.cpp I notice

class ExprReplaceVisitor : public ExprVisitor {
public:
  Action visitExpr(const Expr &e) override {
    if (e == *src) {
      return Action::changeTo(dst);
    }
    return Action::doChildren();
  }

  Action visitExprPost(const Expr &e) override {
    if (e == *src) {
      return Action::changeTo(dst);
    }
    return Action::doChildren();
  }
};

while ExprReplaceVisitor2 : ExprVisitor only overrides visitExprPost.
Why does ExprReplaceVisitor have the duplicated code there?
Following ExprVisitor::visitActual,

switch (visitExpr(e)) {
  case Action::ChangeTo:
    return [replacement expr];
  case Action::DoChildren:
    if (!isa<ConstantExpr>(e))
      if (visitExprPost(*e.get()) == Action::ChangeTo)
        return [replacement expr post];
    return e;
}

it seems to me overriding visitExprPost is unnecessary
for replacing an expression.  Is my analisys correct
and if not, what did I miss?

Kind regards,
Phong