From cnx at loang.net Fri Jul 7 06:57:35 2023
From: cnx at loang.net (Nguyễn Gia Phong)
Date: Fri, 07 Jul 2023 14:57:35 +0900
Subject: [klee-dev] Why is ConstraintSet not a set?
In-Reply-To:
References:
Message-ID:

Hi,

I notice that ConstraintSet is implemented via std::vector.
This makes me wonder about the likelihood of duplicated constraints
during executions.

Does anyone have any empirical data or experience regarding this aspect?

Regards,
McSinyx

From 531490174 at qq.com Sun Jul 9 13:25:04 2023
From: 531490174 at qq.com (=?gb18030?B?0vzCtMP5?=)
Date: Sun, 9 Jul 2023 20:25:04 +0800
Subject: [klee-dev] About Using KLEE to Check CoreBench
Message-ID:

Hello,

I would like to use KLEE to check CoreBench (an open source work on
Coreutils). How should I compile CoreBench using wllvm and use KLEE to
check CoreBench? Thank you for taking the time out of your busy schedule
to read my letter.

Looking forward to your reply

From cnx at loang.net Tue Jul 11 08:47:41 2023
From: cnx at loang.net (Nguyễn Gia Phong)
Date: Tue, 11 Jul 2023 16:47:41 +0900
Subject: [klee-dev] About Using KLEE to Check CoreBench
In-Reply-To:
References:
Message-ID:

On 2023-07-09 at 20:25+08:00, ??? wrote:
> How should I compile CoreBench using wllvm
> and use KLEE to check CoreBench?

CoreBench essentially provides the error-introducing and -fixing commits
for each bug. Included programs use the GNU Build System, which warrants
neither backward nor forward compatibility. Their release tarballs
already had Autotools run however and can be easily built with
./configure and then make.

I'd recommend overriding the codebase at each commit on top of one of
the closest release tarballs so you can avoid having to figure out the
Autotools version and pulling the compatible gnulib. Then, set
respective CC, CXX and LLVM_COMPILER for wllvm and proceed with the
build.
For full reproducibility, I'd recommend using the Nix/Guix derivation
at the time of the package's release. I started it for grep a while ago
if you're interested: https://trong.loang.net/~cnx/bux/tree?h=klee

From hossein.monjezi at stud.uni-saarland.de Tue Jul 11 16:44:48 2023
From: hossein.monjezi at stud.uni-saarland.de (Hossein Monjezi)
Date: Tue, 11 Jul 2023 17:44:48 +0200
Subject: [klee-dev] Tracking changes of specific variables
Message-ID: <9297A5D9-DFF5-4E10-A040-500A0D3F5ED2@stud.uni-saarland.de>

Hello All,

I am trying to add a new search algorithm, so that the states where a
certain variable change happens are selected for exploration over the
others, and only fall back to the BFS/DFS when this given criterion does
not exist in any of the possible states.

For example, in this code I would like to select the path with `a > 0`,
since `b` is changing in that path and stop exploring the `else` branch:

```
#include <klee/klee.h>

int main() {
    int a;
    klee_make_symbolic(&a, sizeof(a), "a");
    int b = 0;
    klee_subscribe_changing(&b, ?, "b");
    if (a > 0) {
        b++;
        . . .
    } else {
        a++;
        . . .
    }
    return 0;
}
```

I have already tried creating a vector of subscribed MemoryObjects in
the ExecutionState class (similar to symbolics), but I have not been
able to find a way to mark changes. I would appreciate it if anyone
could tell me how I can mark these value changes (and more generally
how I should approach this problem).

Thank you for your help.

Sincerely Yours,
Hossein

From c.cadar at imperial.ac.uk Wed Jul 12 22:03:48 2023
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Wed, 12 Jul 2023 22:03:48 +0100
Subject: [klee-dev] Why is ConstraintSet not a set?
In-Reply-To:
References:
Message-ID:

Hi,

KLEE does not add duplicate constraints, in fact it does not add a
constraint if it is implied by the current PC.
Best,
Cristian

On 07/07/2023 06:57, Nguyễn Gia Phong wrote:
> Hi,
>
> I notice that ConstraintSet is implemented via std::vector.
> This makes me wonder about the likelihood of duplicated constraints
> during executions.
>
> Does anyone have any empirical data or experience regarding this aspect?
>
> Regards,
> McSinyx
>
> _______________________________________________
> klee-dev mailing list
> klee-dev at imperial.ac.uk
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From cnx at loang.net Sat Jul 15 03:57:18 2023
From: cnx at loang.net (Nguyễn Gia Phong)
Date: Sat, 15 Jul 2023 11:57:18 +0900
Subject: [klee-dev] Why is ConstraintSet not a set?
In-Reply-To:
References:
Message-ID:

On 2023-07-12 at 22:03+01:00, Cristian Cadar wrote:
> On 07/07/2023 06:57, Nguyễn Gia Phong wrote:
> > I notice that ConstraintSet is implemented via std::vector.
> > This makes me wonder about the likelihood of duplicated constraints
> > during executions.
>
> KLEE does not add duplicate constraints, in fact it does not add a
> constraint if it is implied by the current PC.

Thanks, I see the check now.

From saitejakuchi98 at gmail.com Tue Jul 25 14:20:21 2023
From: saitejakuchi98 at gmail.com (Sailesh Sai Teja)
Date: Tue, 25 Jul 2023 18:50:21 +0530
Subject: [klee-dev] All possible paths from source to destination function.
Message-ID:

Hello all,

I am performing static analysis on a codebase and for that I am trying
to find all the possible paths from function 'A' to function 'B' along
with the conditions that are responsible while traversing that path. My
input is a large LLVM IR file which contains all the function
definitions.
So if we consider the below toy example :-

    /* Forward declarations so the callers below compile. */
    int functionB(int x, int y);
    int functionC(int x, int y);
    int multiply(int a, int b);
    int divide(int x, int y);

    int functionA(int a) {
        if (a > 0) {
            return functionB(20, 50);
        } else {
            return functionC(100, 500);
        }
    }

    int functionB(int x, int y) {
        if (x > y) {
            return multiply(x, y);
        } else {
            return divide(y, x);
        }
    }

    int functionC(int x, int y) {
        if (y > 0) {
            return divide(x, y);
        } else {
            return multiply(y, x);
        }
    }

    int multiply(int a, int b) {
        return a * b;
    }

    int divide(int x, int y) {
        return x / y;
    }

So let's say I want to trace the execution path from function
"functionA" to function "divide", the following is the output I am
expecting

1. "functionA && ((x < y) && divide)"
2. "functionA && ((y > 0) && divide)"

or it can be combined as "functionA && ((x < y) || (y > 0)) && divide"

I just want to know whether KLEE is capable of performing such analysis
(not exact as I know I need to modify a few things to arrive at the
final solution but you get the gist). If yes, can you please provide
some references and resources that I can look into.

Thank you.
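
Added example for the "Why is ConstraintSet not a set?" thread above (not KLEE's code and not from any poster): a vector-backed path condition needs no set semantics when each candidate is checked against the current PC before it is appended. The types and names are hypothetical, and an interval over one integer x stands in for the solver query.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy constraint on one symbolic int x: "x > bound" or "x < bound".
// Hypothetical type; KLEE's real constraints are expression trees.
struct Constraint {
    enum Kind { GT, LT } kind;
    int bound;
};

enum Result { ADDED, SKIPPED_IMPLIED, REJECTED_INFEASIBLE };

// Vector-backed path condition (PC). It stays free of duplicates because
// add() first checks whether the candidate already follows from the PC.
class ToyPathCondition {
    std::vector<Constraint> constraints_;
    long long lo_ = INT_MIN, hi_ = INT_MAX;  // values of x the PC allows

public:
    // Stands in for a solver query: does every allowed x satisfy c?
    bool implied(const Constraint &c) const {
        return c.kind == Constraint::GT ? lo_ > c.bound : hi_ < c.bound;
    }
    // Stands in for a solver query: does some allowed x satisfy c?
    bool feasible(const Constraint &c) const {
        return c.kind == Constraint::GT ? hi_ > c.bound : lo_ < c.bound;
    }
    Result add(const Constraint &c) {
        if (implied(c)) return SKIPPED_IMPLIED;  // covers exact duplicates
        if (!feasible(c)) return REJECTED_INFEASIBLE;  // toy-only guard
        constraints_.push_back(c);
        if (c.kind == Constraint::GT) lo_ = (long long)c.bound + 1;
        else hi_ = (long long)c.bound - 1;
        return ADDED;
    }
    std::size_t size() const { return constraints_.size(); }
};

int main() {
    ToyPathCondition pc;
    // Constructed sequence: x > 0, x > 0, x > -5, x < 10, x < 0.
    const Constraint seq[] = {{Constraint::GT, 0}, {Constraint::GT, 0},
        {Constraint::GT, -5}, {Constraint::LT, 10}, {Constraint::LT, 0}};
    for (const Constraint &c : seq)
        std::printf("x %c %d -> %d\n", c.kind == Constraint::GT ? '>' : '<',
                    c.bound, (int)pc.add(c));
    std::printf("stored constraints: %zu\n", pc.size());
    return 0;
}
```

The repeated x > 0 and the weaker x > -5 are both skipped as implied, so only two constraints end up in the vector.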