I didn't have time to check this, but it should work by adding a call to
klee_define_fixed_object(<my ptr>, <my ptr size>) in the program, somewhere
before <my ptr> is dereferenced. See lib/Core/SpecialFunctionHandler.cpp for
the intrinsic implementation.
Paul
On 5 Dec 2011, at 16:06, arrowdodger wrote:
> Hello. I've compiled this code into bytecode:
>
> #include <stdio.h>
> void foo(int *a) { printf("%p\n", (void *)a); }
> int main(void) { foo(NULL); return 0; }
>
> After that, I've hacked klee's main.cpp so after loading bitcode from the
> file, it replaces the foo(NULL) call with foo(<my ptr>), where <my ptr> is an
> IntToPtrInst pointing into klee's process heap:
>
> char * mem = new char;
> fooCallInst->setArgOperand(0, new IntToPtrInst(...));
>
> To be sure, I'm dumping the whole module and @main looks like this:
>
> define i32 @main() nounwind uwtable {
> entry:
> %retval = alloca i32, align 4
> store i32 0, i32* %retval
> %0 = inttoptr i64 34397700356 to i32*
> call void @foo(i32* %0)
> ret i32 0
> }
>
> which is ok. But during execution I get
> KLEE: ERROR: memory error: out of bound pointer
> KLEE: NOTE: now ignoring this error at this location
>
> I suppose this memory location isn't registered within klee's memory
> manager, or something like this. So, what should I hack to make it work? And
> is this possible at all? Would it be possible to symbolicize such memory?
> _______________________________________________
> klee-dev mailing list
> [email protected]
> http://keeda.Stanford.EDU/mailman/listinfo/klee-dev
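The pattern Paul describes, applied to the program from the quoted message, as an added example that is not from this thread or from the KLEE project: the externally supplied object is registered with klee_define_fixed_object before foo dereferences it, and can then be made symbolic with klee_make_symbolic. The HAVE_KLEE macro, the no-op native fallbacks and the run_with_fixed_object/demo helpers are assumptions so the file also builds outside KLEE; under KLEE, klee/klee.h supplies the real declarations.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef HAVE_KLEE /* assumed build flag: -DHAVE_KLEE when compiling for KLEE */
#include <klee/klee.h>
#else
/* Native fallback (assumption): the KLEE intrinsics become no-ops so the
 * program still compiles and runs outside KLEE. */
static void klee_define_fixed_object(void *addr, size_t nbytes) { (void)addr; (void)nbytes; }
static void klee_make_symbolic(void *addr, size_t nbytes, const char *name) {
    (void)addr; (void)nbytes; (void)name;
}
#endif

/* The callee from the quoted message, now actually dereferencing its argument. */
int foo(int *a) {
    if (a == NULL)
        return -1;
    return *a + 1;
}

/* 'external' is memory KLEE's memory manager does not know about (in the
 * thread: the address patched into the IntToPtrInst). Registering it first
 * gives KLEE the object's bounds, so the dereference in foo is no longer an
 * out-of-bound pointer; optionally its contents are then made symbolic. */
int run_with_fixed_object(int *external, int make_symbolic) {
    klee_define_fixed_object(external, sizeof *external);
    if (make_symbolic)
        klee_make_symbolic(external, sizeof *external, "external_int");
    return foo(external);
}

/* Native stand-in for the externally supplied address: host malloc. Under
 * KLEE the pointer must really come from outside KLEE's allocator, as in
 * the thread, since KLEE already tracks its own malloc'd objects. */
int demo(void) {
    int *external = malloc(sizeof *external);
    if (external == NULL)
        return -1;
    *external = 41;
    int result = run_with_fixed_object(external, 0); /* 42 */
    free(external);
    return result;
}

int main(void) {
    printf("%d\n", demo());
    return 0;
}
```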