void SpecialFunctionHandler::handleRealloc(ExecutionState &state,
		KInstruction *target, std::vector<ref<Expr> > &arguments) {
	// XXX should type check args
	assert(arguments.size() == 2 && "invalid number of arguments to realloc");
	ref<Expr> address = arguments[0];
	ref<Expr> size = arguments[1];

	Executor::StatePair zeroSize = executor.fork(state,
			Expr::createIsZero(size), true);

	if (zeroSize.first) { // size == 0
		executor.executeFree(*zeroSize.first, address, target);
	}
	if (zeroSize.second) { // size != 0
		Executor::StatePair zeroPointer = executor.fork(*zeroSize.second,
				Expr::createIsZero(address), true);

		if (zeroPointer.first) { // address == 0
			executor.executeAlloc(*zeroPointer.first, size, false, target);
		}
		if (zeroPointer.second) { // address != 0
			Executor::ExactResolutionList rl;
			executor.resolveExact(*zeroPointer.second, address, rl, "realloc");

			for (Executor::ExactResolutionList::iterator it = rl.begin(), ie =
					rl.end(); it != ie; ++it) {
				executor.executeAlloc(*it->second, size, false, target, false,
						it->first.second);
			}
		}
	}
}
Exemplo n.º 2
0
void SpecialFunctionHandler::handleMakeSymbolic(ExecutionState &state,
                                                KInstruction *target,
                                                std::vector<ref<Expr> > &arguments) {
  std::string name;

  // FIXME: For backwards compatibility, we should eventually enforce the
  // correct arguments.
  if (arguments.size() == 2) {
    name = "unnamed";
  } else {
    // FIXME: Should be a user.err, not an assert.
    assert(arguments.size()==3 &&
           "invalid number of arguments to klee_make_symbolic");  
    name = readStringAtAddress(state, arguments[2]);
  }

  Executor::ExactResolutionList rl;
  executor.resolveExact(state, arguments[0], rl, "make_symbolic");
  
  for (Executor::ExactResolutionList::iterator it = rl.begin(), 
         ie = rl.end(); it != ie; ++it) {
    const MemoryObject *mo = it->first.first;
    mo->setName(name);
    
    const ObjectState *old = it->first.second;
    ExecutionState *s = it->second;
    
    if (old->readOnly) {
      executor.terminateStateOnError(*s, 
                                     "cannot make readonly object symbolic", 
                                     "user.err");
      return;
    } 

    // FIXME: Type coercion should be done consistently somewhere.
    bool res;
    bool success __attribute__ ((unused)) =
      executor.solver->mustBeTrue(*s, 
                                  EqExpr::create(ZExtExpr::create(arguments[1],
                                                                  Context::get().getPointerWidth()),
                                                 mo->getSizeExpr()),
                                  res);
    assert(success && "FIXME: Unhandled solver failure");
    
    if (res) {
      executor.executeMakeSymbolic(*s, mo, name);
    } else {      
      executor.terminateStateOnError(*s, 
                                     "wrong size given to klee_make_symbolic[_name]", 
                                     "user.err");
    }
  }
}
void SpecialFunctionHandler::handleGetObjSize(ExecutionState &state,
		KInstruction *target, std::vector<ref<Expr> > &arguments) {
	// XXX should type check args
	assert(
			arguments.size() == 1
					&& "invalid number of arguments to klee_get_obj_size");
	Executor::ExactResolutionList rl;
	executor.resolveExact(state, arguments[0], rl, "klee_get_obj_size");
	for (Executor::ExactResolutionList::iterator it = rl.begin(), ie = rl.end();
			it != ie; ++it) {
		executor.bindLocal(target, it->second->currentThread,
				ConstantExpr::create(it->first.first->size, Expr::Int32));
	}
}
Exemplo n.º 4
0
void SpecialFunctionHandler::handleMakeLengthSymbolic(ExecutionState &state,
                                                KInstruction *target,
                                                std::vector<ref<Expr> > &arguments) {
  std::string name;
  assert(arguments.size()==3 && "invalid number of arguments to klee_make_symbolic");  
  name = readStringAtAddress(state, arguments[2]);
  
  //std::cerr << "make_length_symbolic called len_rl.size=" << len_rl.size() << " \n";
    
  Executor::ExactResolutionList rl;
  executor.resolveExact(state, arguments[0], rl, "make_symbolic");
  
  for (Executor::ExactResolutionList::iterator it = rl.begin(), 
         ie = rl.end(); it != ie; ++it) {
    
    const ObjectState *old = it->first.second;
    ExecutionState *s = it->second;
    
    //allocate space for len_mo
    MemoryObject *len_mo = executor.executeNoBindAlloc(*s, 4);  //4-byte int
    len_mo->setName(name + "_len");
    len_mo->onlyTrackLength = 0;
    len_mo->isALength = 1;  
    executor.executeMakeSymbolic(*s, len_mo);    

    MemoryObject *mo = (MemoryObject*) it->first.first;
    mo->setName(name);
    mo->onlyTrackLength = 1;
    mo->isALength = 0;
    
    mo->length = len_mo;  //important! makes len_mo track mo->length
    
    if (old->readOnly) { 
      executor.terminateStateOnError(*s, "cannot make readonly object symbolic", "user.err");
      return;
    } 

    // FIXME: Type coercion should be done consistently somewhere.
    bool res;
    bool success = executor.solver->mustBeTrue(*s,EqExpr::create(ZExtExpr::create(arguments[1], Context::get().getPointerWidth()), mo->getSizeExpr()), res);
    assert(success && "FIXME: Unhandled solver failure");
    
    if (res) {
      executor.executeMakeSymbolic(*s, mo);
    } else {      
      executor.terminateStateOnError(*s, "wrong size given to klee_make_symbolic[_name]", "user.err");
    }
  }
}
void SpecialFunctionHandler::handleMarkGlobal(ExecutionState &state,
		KInstruction *target, std::vector<ref<Expr> > &arguments) {
	assert(
			arguments.size() == 1
					&& "invalid number of arguments to klee_mark_global");

	Executor::ExactResolutionList rl;
	executor.resolveExact(state, arguments[0], rl, "mark_global");

	for (Executor::ExactResolutionList::iterator it = rl.begin(), ie = rl.end();
			it != ie; ++it) {
		const MemoryObject *mo = it->first.first;
		assert(!mo->isLocal);
		mo->isGlobal = true;
	}
}
Exemplo n.º 6
0
void SpecialFunctionHandler::handlePreferCex(ExecutionState &state,
                                             KInstruction *target,
                                             std::vector<ref<Expr> > &arguments) {
  assert(arguments.size()==2 &&
         "invalid number of arguments to klee_prefex_cex");

  ref<Expr> cond = arguments[1];
  if (cond->getWidth() != Expr::Bool)
    cond = NeExpr::create(cond, ConstantExpr::alloc(0, cond->getWidth()));

  Executor::ExactResolutionList rl;
  executor.resolveExact(state, arguments[0], rl, "prefex_cex");
  
  assert(rl.size() == 1 &&
         "prefer_cex target must resolve to precisely one object");

  rl[0].first.first->cexPreferences.push_back(cond);
}