From h3fan at seas.upenn.edu Mon Dec 11 20:07:41 2023
From: h3fan at seas.upenn.edu (Haozhi Fan)
Date: Mon, 11 Dec 2023 15:07:41 -0500
Subject: [klee-dev] Question about KLEE Implementation on Collecting Symbolic Variables
Message-ID:

Dear klee-dev members,

I was wondering if you could share some insight into how KLEE collects the set of symbolic names from an expression? Namely, how does KLEE generate the kquery for a specific path condition and from which files should I be looking for the details of such implementation? Thank you!

Best regards,
Haozhi Fan

From yukzhao at 163.com Tue Dec 12 01:55:34 2023
From: yukzhao at 163.com (yukai zhao)
Date: Tue, 12 Dec 2023 09:55:34 +0800 (CST)
Subject: [klee-dev] Using Klee with Dynamic Libraries
Message-ID: <78c1ec1.d49.18c5bbc9387.Coremail.yukzhao@163.com>

Hi,

I am curious about the boundary situation of Klee. Will it constrain the generation of functions in the file specified by the parameter "--link-llvm-lib"? Of course, this file is also a .bc file, in fact it is a dynamic library generated by the project. My executable file is dynamically linked to this library, and it will call some functions in this library.
I think the ideal scenario would be because this library is also from the project to be tested, but in a simple example, I found that it is not the case.
As shown below, I designed a main function:

#include <stdio.h>
#include "math_operations.h"
#include <klee/klee.h>

int main() {
    int a, b;
    /* mark both inputs as symbolic */
    klee_make_symbolic(&a, sizeof(a), "a");
    klee_make_symbolic(&b, sizeof(b), "b");
    /* max() and min() come from libmath_operations.so */
    printf("Max: %d\n", max(a, b));
    printf("Min: %d\n", min(a, b));
    return 0;
}

In this example, the max() and min() functions are both located in the library libmath_operations.so. However, KLEE only generated one test case in my testing scenario.
This is my execution statement:

klee --link-llvm-lib=/home/directly_in/build/libmath_operations.so.bc -libc=uclibc main.bc

Thank you for your time and help. I look forward to receiving your letter.
I'm not sure if I'm not using Klee correctly. If so, are there any recommended methods that can help me?
Thank you for your time and assistance. I look forward to your insights.

Best regards,
yukai zhao

From m.nowack at imperial.ac.uk Tue Dec 12 10:42:34 2023
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Tue, 12 Dec 2023 10:42:34 +0000
Subject: [klee-dev] Question about KLEE Implementation on Collecting Symbolic Variables
In-Reply-To:
References:
Message-ID:

Hi Haozhi Fan,

The symbolic names are generated using the call `klee_make_symbolic` indirectly or directly in your software under test.
KLEE tracks the memory objects that have been associated with these calls (https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/lib/Core/Executor.cpp#L4435) and assigns it an array that has the same name or similar name that is unique.
Reading from this memory will result in read expressions that reference this array and are later used as part of the solver calls.

Best,
Martin

> On 11. Dec 2023, at 20:07, Haozhi Fan wrote:
>
> Dear klee-dev members,
>
> I was wondering if you could share some insight into how KLEE collects the set of symbolic names from an expression? Namely, how does KLEE generate the kquery for a specific path condition and from which files should I be looking for the details of such implementation? Thank you!
>
> Best regards,
> Haozhi Fan
> _______________________________________________
> klee-dev mailing list
> klee-dev at imperial.ac.uk
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From m.nowack at imperial.ac.uk Tue Dec 12 10:46:35 2023
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Tue, 12 Dec 2023 10:46:35 +0000
Subject: [klee-dev] Using Klee with Dynamic Libraries
In-Reply-To: <78c1ec1.d49.18c5bbc9387.Coremail.yukzhao@163.com>
References: <78c1ec1.d49.18c5bbc9387.Coremail.yukzhao@163.com>
Message-ID: <2B2111DE-8DFD-456D-9E15-125008224CC7@imperial.ac.uk>

Hi Yukai Zhao,

Can you provide the output of your KLEE run?

My guess is that `max`, `min` are treated as external functions that force a and b to be concretised, which leads to only one path being generated.
But let's have a look at your output to confirm this.

Best,
Martin

> On 12. Dec 2023, at 01:55, yukai zhao wrote:
>
> Hi,
> I am curious about the boundary situation of Klee. Will it constrain the generation of functions in the file specified by the parameter "--link-llvm-lib"? Of course, this file is also a .bc file, in fact it is a dynamic library generated by the project. My executable file is dynamically linked to this library, and it will call some functions in this library.
> I think the ideal scenario would be because this library is also from the project to be tested, but in a simple example, I found that it is not the case.
> As shown below, I designed a main function:
>
> #include <stdio.h>
> #include "math_operations.h"
> #include <klee/klee.h>
> int main() {
>     int a, b;
>     klee_make_symbolic(&a, sizeof(a), "a");
>     klee_make_symbolic(&b, sizeof(b), "b");
>     printf("Max: %d\n", max(a, b));
>     printf("Min: %d\n", min(a, b));
>     return 0;
> }
>
> In this example, the max() and min() functions are both located in the library libmath_operations.so. However, KLEE only generated one test case in my testing scenario.
> This is my execution statement:
>
> klee --link-llvm-lib=/home/directly_in/build/libmath_operations.so.bc -libc=uclibc main.bc
>
> Thank you for your time and help. I look forward to receiving your letter.
> I'm not sure if I'm not using Klee correctly. If so, are there any recommended methods that can help me?
> Thank you for your time and assistance. I look forward to your insights.
>
> Best regards,
> yukai zhao

From sokolsky at cis.upenn.edu Tue Dec 12 14:23:14 2023
From: sokolsky at cis.upenn.edu (Oleg Sokolsky)
Date: Tue, 12 Dec 2023 09:23:14 -0500
Subject: [klee-dev] Question about KLEE Implementation on Collecting Symbolic Variables
In-Reply-To:
References:
Message-ID:

Hi Martin,

Thanks for the quick response. Our question was slightly different, let me clarify. Given an instance of the Expr object, we want to obtain the set of symbolic names used in that instance. ExprPPrinter does it, for example, but in a very specific way and, frankly, we struggled to understand how it works. We were wondering if there is a generic way to do it. I was expecting a visitor in the Expr hierarchy, or something similar, but could not find it.

Thanks again,
Oleg

On 12/12/23 05:42, Nowack, Martin wrote:
> Hi Haozhi Fan,
>
> The symbolic names are generated using the call `klee_make_symbolic` indirectly or directly in your software under test.
> KLEE tracks the memory objects that have been associated with these calls (https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/lib/Core/Executor.cpp#L4435) and assigns it an array that has the same name or similar name that is unique.
> Reading from this memory will result in read expressions that reference this array and are later used as part of the solver calls.
>
> Best,
> Martin
>
>> On 11. Dec 2023, at 20:07, Haozhi Fan wrote:
>>
>> Dear klee-dev members,
>>
>> I was wondering if you could share some insight into how KLEE collects the set of symbolic names from an expression? Namely, how does KLEE generate the kquery for a specific path condition and from which files should I be looking for the details of such implementation? Thank you!
>>
>> Best regards,
>> Haozhi Fan

From m.nowack at imperial.ac.uk Tue Dec 12 14:40:39 2023
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Tue, 12 Dec 2023 14:40:39 +0000
Subject: [klee-dev] Question about KLEE Implementation on Collecting Symbolic Variables
In-Reply-To:
References:
Message-ID:

Hi Oleg,

Ah - yeah there is. The name is `klee::findSymbolicObjects` but it's a bit hidden:
https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/include/klee/Expr/ExprUtil.h#L38
and
https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/lib/Expr/ExprUtil.cpp#L123

In a nutshell, it's a tree traversal and returns all used arrays.

This functionality is only really required in KLEE's current implementation when a solver is called to generate assignments for expressions, e.g.: https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/lib/Solver/STPSolver.cpp#L233.
Therefore, it's not really visible.

Best,
Martin

> On 12. Dec 2023, at 14:23, Oleg Sokolsky wrote:
>
> Hi Martin,
>
> Thanks for the quick response. Our question was slightly different, let me clarify. Given an instance of the Expr object, we want to obtain the set of symbolic names used in that instance.
> ExprPPrinter does it, for example, but in a very specific way and, frankly, we struggled to understand how it works. We were wondering if there is a generic way to do it. I was expecting a visitor in the Expr hierarchy, or something similar, but could not find it.
>
> Thanks again,
> Oleg
>
> On 12/12/23 05:42, Nowack, Martin wrote:
>> Hi Haozhi Fan,
>>
>> The symbolic names are generated using the call `klee_make_symbolic` indirectly or directly in your software under test.
>> KLEE tracks the memory objects that have been associated with these calls (https://github.com/klee/klee/blob/fc83f06b17221bf5ef20e30d9da1ccff927beb17/lib/Core/Executor.cpp#L4435) and assigns it an array that has the same name or similar name that is unique.
>> Reading from this memory will result in read expressions that reference this array and are later used as part of the solver calls.
>>
>> Best,
>> Martin
>>
>>> On 11. Dec 2023, at 20:07, Haozhi Fan wrote:
>>>
>>> Dear klee-dev members,
>>>
>>> I was wondering if you could share some insight into how KLEE collects the set of symbolic names from an expression? Namely, how does KLEE generate the kquery for a specific path condition and from which files should I be looking for the details of such implementation? Thank you!
>>>
>>> Best regards,
>>> Haozhi Fan

From c.cadar at imperial.ac.uk Mon Dec 18 14:22:03 2023
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Mon, 18 Dec 2023 14:22:03 +0000
Subject: [klee-dev] KLEE'24 workshop late submission deadline this Friday
Message-ID: <39a68579-6183-ba90-92cf-4ce8e9184331@imperial.ac.uk>

Dear all,

The late (and last) submission deadline for the KLEE'24 workshop is this Friday! We have already accepted a number of interesting presentations and posters in the early submission round, and we are looking forward to more interesting contributions in the second round!
https://srg.doc.ic.ac.uk/klee24/

Also, the registration for the workshop, which next year is co-located with ICSE'24, is open!
https://conf.researchr.org/attending/icse-2024/registration

Best wishes,
Cristian
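
Added example (not part of the thread and not KLEE's code): a self-contained C++ model of the tree traversal that Martin's reply to Oleg describes for `klee::findSymbolicObjects`, returning the names of all arrays an expression uses. The types `Array`, `Expr`, `Update` and the functions `mk`, `collect`, `symbolicNames`, `demo` are hypothetical; walking the writes attached to a read and skipping constant arrays are assumptions of this model.

```cpp
// Added illustration: a self-contained model, not KLEE's own Expr classes.
#include <algorithm>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>
struct Array { std::string name; bool symbolic; };  // symbolic: made by klee_make_symbolic
struct Expr;
using ExprRef = std::shared_ptr<Expr>;
struct Update { ExprRef index, value; };            // a write layered over an array
struct Expr {
  enum Kind { Constant, Read, Binary } kind;
  std::vector<ExprRef> kids;     // Read: {index}; Binary: {lhs, rhs}
  const Array *array;            // Read only: the array being read
  std::vector<Update> updates;   // Read only: writes visible to this read
};
ExprRef mk(Expr::Kind k, std::vector<ExprRef> kids = {}, const Array *a = nullptr,
           std::vector<Update> ups = {}) {
  return std::make_shared<Expr>(Expr{k, kids, a, ups});
}

void collect(const ExprRef &e, std::set<const Expr *> &seen, std::vector<std::string> &out) {
  if (!e || !seen.insert(e.get()).second) return;  // visit shared sub-trees once
  if (e->kind == Expr::Read) {
    for (const Update &u : e->updates) {           // symbols can hide in written values
      collect(u.index, seen, out);
      collect(u.value, seen, out);
    }
    if (e->array->symbolic &&
        std::find(out.begin(), out.end(), e->array->name) == out.end())
      out.push_back(e->array->name);               // report each array once
  }
  for (const ExprRef &k : e->kids) collect(k, seen, out);
}
std::vector<std::string> symbolicNames(const ExprRef &e) {
  std::set<const Expr *> seen;
  std::vector<std::string> names;
  collect(e, seen, names);
  return names;
}

// Constructed sample: (a[0] + b[0]) < tbl[a[0]], tbl constant with c[0] written into it.
std::vector<std::string> demo() {
  static const Array a{"a", true}, b{"b", true}, c{"c", true}, tbl{"tbl", false};
  ExprRef k0 = mk(Expr::Constant), ra = mk(Expr::Read, {k0}, &a), rb = mk(Expr::Read, {k0}, &b);
  ExprRef rt = mk(Expr::Read, {ra}, &tbl, {Update{k0, mk(Expr::Read, {k0}, &c)}});
  return symbolicNames(mk(Expr::Binary, {mk(Expr::Binary, {ra, rb}), rt}));
}
int main() { for (const auto &n : demo()) std::cout << n << "\n"; }
```

In the sample, `c` is reached only through the write attached to the read of `tbl`, and `tbl` itself is left out because it is not symbolic.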