[klee-dev] Excuse me??i maybe find an error which is in the implementation of KLEE

[????]

Hi, all, 
 
   I have followed the tutorial below which is used to test the function 
"match" , but i found that the generated tests cannot cause memory errors.
 
         Second tutorial: Testing a simple regular expression library. 

         (the website is: http://klee.github.io/tutorials/testing-regex/)

the main code is: 

int main() {

  // The input regular expression.

  char re[SIZE];

    // Make the input symbolic. 

  klee_make_symbolic(re, sizeof re, "re");

  // Try to match against a constant string "hello".

  match(re, "hello");

  return 0;



}
 
the output is:
         
KLEE: Using STP solver backend
   
KLEE: ERROR:   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp.c:23: memory   
error: out of bound pointer
   
KLEE: NOTE: now ignoring this error at   this location
   
KLEE: ERROR:   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp.c:25: memory 
error:   out of bound pointer
   
KLEE: NOTE: now ignoring this error at   this location
   
KLEE: done: total instructions = 4598603
   
KLEE: done: completed paths = 7438
   
KLEE: done: generated tests = 16
     
  
As reported, there are two errors occured.

And the error information is in two files in the below:
 

 
The data in test000007.ktest is:
 

 
I read the source code of ktest-tool and know the following bytes in red circle 
are the data which are generated to assign the array "re".
 

 
So I change the file Regexp.c as below
         
int main() {
   
    // The input regular expression.
   
    char re[SIZE];
   
  re[0]=0x5E;
   
  re[1]=0x01;
   
  re[2]=0x2A;
   
  re[3]=0x01;
   
  re[4]=0x2A;
   
  re[5]=0x01;
   
  re[6]=0x2A;
   
    // Make the input symbolic. 
   
    //klee_make_symbolic(re, sizeof re, "re");
   
    //klee_assume(re[SIZE - 1] == '\0');
   
 
   
    // Try to match against a constant string "hello".
   
    match(re, "hello");
   
 
   
    return 0;
   
}
     
  
After compiling using gcc, i use valgrind to check it, the result is:
         
valgrind --tool=memcheck   --leak-check=full ./Regexp3 
   
==19827== Memcheck, a memory error   detector
   
==19827== Copyright (C) 2002-2015, and   GNU GPL'd, by Julian Seward et al.
   
==19827== Using Valgrind-3.12.0 and   LibVEX; rerun with -h for copyright info
   
==19827== Command: ./Regexp3
   
==19827== 
   
==19827== Conditional jump or move   depends on uninitialised value(s)
   
==19827==    at 0x4005EF: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400680: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400582: matchstar (in 
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400610: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400582: matchstar (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400610: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x4006BB: match (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827==    by 0x400739: main (in 
/home/klee/xiaojiework/kleeexperiment/examples/regexp/Regexp3)
   
==19827== 
   
==19827== 
   
==19827== HEAP SUMMARY:
   
==19827==     in use at exit: 0 bytes in 0 blocks
   
==19827==   total heap usage: 0 allocs, 0 frees, 0   bytes allocated
   
==19827== 
   
==19827== All heap blocks were freed --   no leaks are possible
   
==19827== 
   
==19827== For counts of detected and   suppressed errors, rerun with: -v
   
==19827== Use --track-origins=yes to see   where uninitialised values come from
   
==19827== ERROR SUMMARY: 1 errors from 1   contexts (suppressed: 0 from 0)
   
klee@ubuntu:~/xiaojiework/kleeexperiment/examples/regexp$
     
  
Nothing about out of bound pointer is found. only one error which is about 
using uninitialised value(s).
 
I doubt that maybe I was wrong in some steps. So I use the following script 
which is offered by the klee website
         
export   
LD_LIBRARY_PATH=/home/klee/xiaojiework/klee-xiaojie/build/debug/lib/:$LD_LIBRARY_PATH
   
gcc -L   /home/klee/xiaojiework/klee-xiaojie/build/debug/lib/ Regexp.c 
-lkleeRuntest
   
valgrind --tool=memcheck ./a.out
     
  
During execution, it needs to type in the ktest file path manually.

The result is as below and nothing wrong about out of bound pointer is found. 
         
==19176== Memcheck, a memory error   detector
   
==19176== Copyright (C) 2002-2015, and   GNU GPL'd, by Julian Seward et al.
   
==19176== Using Valgrind-3.12.0 and   LibVEX; rerun with -h for copyright info
   
==19176== Command: ./a.out   KTEST_FILE=klee-last/test000007.ktest
   
==19176== 
   
KLEE-RUNTIME: KTEST_FILE not set, please   enter .ktest path: 
klee-last/test000007.ktest
   
==19176== Conditional jump or move   depends on uninitialised value(s)
   
==19176==    at 0x400796: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x400742: matchstar (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4007D0: matchhere (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x40087B: match (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176==    by 0x4008F3: main (in   
/home/klee/xiaojiework/kleeexperiment/examples/regexp/a.out)
   
==19176== 
   
==19176== 
   
==19176== HEAP SUMMARY:
   
==19176==     in use at exit: 92 bytes in 6 blocks
   
==19176==   total heap usage: 7 allocs, 1 frees, 660   bytes allocated
   
==19176== 
   
==19176== LEAK SUMMARY:
   
==19176==    definitely lost: 0 bytes in 0 blocks
   
==19176==    indirectly lost: 0 bytes in 0 blocks
   
==19176==      possibly lost: 0 bytes in 0 blocks
   
==19176==    still reachable: 92 bytes in 6 blocks
   
==19176==         suppressed: 0 bytes in 0 blocks
   
==19176== Rerun with --leak-check=full to   see details of leaked memory
   
==19176== 
   
==19176== For counts of detected and   suppressed errors, rerun with: -v
   
==19176== Use --track-origins=yes to see   where uninitialised values come from
   
==19176== ERROR SUMMARY: 1 errors from 1   contexts (suppressed: 0 from 0)
     
  
Am I wrong?Maybe i was too uncareful in some steps, but i cannot found where i 
operate wrongly by myself. Hope for your help!

7FF9E532@1A9ED30C.17D90E59.png
Description: Binary data

ED774A2A@761B3E10.17D90E59.png
Description: Binary data

_______________________________________________
klee-dev mailing list
klee-dev@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev