-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend SymCC to perform forking exploration (not just concolic execution) #14
Comments
Hi @pgarba, The behavior in your test case unfortunately depends on the input you pass to the program: if it's less than 0x10, it's very unlikely that you get 0x10 immediately (although you will eventually if you keep feeding the new test cases back to SymCC), while higher inputs are likely to give you 0x10 on the first attempt. The reason is that, when the compiler doesn't simplify the In the optimized case, in contrast, the program probably sets As far as I know, this is a problem in all symbolic executors. The best countermeasure, I suppose, is to have the compiler optimize the program as much as possible - this also helps to reduce the cost of solving, e.g., when the compiler replaces multiplications with shifts. Hope this makes sense :) Cheers, |
Thanks for your answer. After reading the SymCC paper it's a little bit more clear to me why this test case is failing. What I still don't understand is why the true path for For this test cases I think KLEE can create a valid test cases that reaches the true path. It just takes longer to prove that one. Thanks, |
When the program compares
KLEE lacks an abstract view of loops just like SymCC, but it explores all possible paths where SymCC only gives you the "closest" new paths. Effectively, KLEE solves the test by trying all possible numbers of loop iterations (which is why it can take very long). You get the same result by running SymCC in a loop that feeds the newly generated test cases back into the program. Cheers, |
Would be it possible to have an option in SymCC to enforce exploration of all possible paths ? I'm asking as we would like to use SymCC in our tool SATURN to explorer all possible paths in a partial control flow graph that is lifted from an input binary. Thanks, |
Hi,
Yes this would be possible, and nice to have. I imagine this could rely on doing a fork() at each branch instead of only following the concrete one, plus a way to schedule processes. Using the copy on write memory would allow to limit the performance impact. However, I imagine there will be weirdness with sockets and file handles and I'm not sure how best to handle this. Best, |
@AndrewQuijano I don't think #157 addresses this particular issue; it's an introspection feature, mainly intended to help with debugging incorrect expressions in SymCC and other projects using the same runtime. |
Hi,
I'm testing with a simple test case and it seems to fail. Any idea what's going wrong ?
I'm compiling with
-O0
and the expected result should be0x10
. It works with>=-O2
as thefor
loop will be simplified by LLVM.Thanks,
Peter
The text was updated successfully, but these errors were encountered: