Hi Randolph,
If a path exposes an error only for some values, KLEE reports the error,
and then continues execution on that path for the other values that
don't expose this error.
If a buffer overflow always occurs on a certain path, as in your
example, what would you like the semantics of the continued execution to
be? There is research on continued execution in the face of memory errors,
but combining it with the kind of bug finding performed by KLEE would
require a lot of care.
Best,
Cristian
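The distinction Cristian draws, as an added example that is not from either message: the two bugs from the toy program are rewritten so that each depends on the input. USE_KLEE is an assumed build flag (not a KLEE convention), and when it is not set klee_make_symbolic is replaced by a constructed stub so the file also builds natively.

```c
#include <stdio.h>
#include <string.h>

/* USE_KLEE is an assumed build flag, not a KLEE convention: compile with
 * `clang -emit-llvm -c -DUSE_KLEE` for KLEE, or plainly for a native build. */
#ifdef USE_KLEE
#include <klee/klee.h>
#else
/* Native stand-in so the file builds without KLEE: every "symbolic" input
 * takes a single constructed concrete value (all zero bytes). */
static void klee_make_symbolic(void *addr, size_t nbytes, const char *name)
{
    (void)name;
    memset(addr, 0, nbytes);
}
#endif

/* Same two bugs as the original toy program, but each now depends on the
 * input. Under KLEE the read a[idx] is out of bounds only when idx >= 10,
 * so KLEE reports that error and keeps exploring the path for idx < 10;
 * the strcpy is therefore still reached, and its overflow (strlen(src) >= 10)
 * is reported as a second, separate error. With the constant index a[10] of
 * the original program, the read fails for every value, so there is nothing
 * left for KLEE to continue with. */
int read_then_copy(unsigned idx, const char *src)
{
    char a[10] = "123456789";
    int seen = a[idx];      /* memory error for idx >= 10 */
    strcpy(a, src);         /* memory error for strlen(src) >= 10 */
    return seen;
}

int main(void)
{
    unsigned idx;
    char src[16];

    klee_make_symbolic(&idx, sizeof idx, "idx");
    klee_make_symbolic(src, sizeof src, "src");
    src[sizeof src - 1] = '\0';     /* keep strlen(src) bounded */

    return read_then_copy(idx, src) & 1;
}
```

Running KLEE on the bitcode yields one test case for the out-of-bounds read (idx >= 10) and, on the surviving in-bounds states, a second one for the strcpy overflow.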
On 18/08/16 10:40, Randolph Wong wrote:
Hello,
I'm wondering if there is an option to prevent klee from terminating a state
upon facing an error. Here's a toy example to motivate my question:
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
char a[10];
/* An illegal memory read (a[10] is one past the end). Klee will terminate here. */
fputc(a[10], stderr);
/*
* Since klee terminated due to the illegal memory read, we don't get
* to find this exploitable bug (unbounded copy of argv[1] into a[10]).
*/
strcpy(a, argv[1]);
return 0;
}
If there isn't an option for it, is there a simple/straightforward way
to implement this?
My hacky attempt at implementing was to make a copy of
Executor::terminateStateOnError and just remove the line that does
terminateState(state). When a memory error happens, I'll just make it
call my new function. I thought that this would help to at least produce
a test case when the first error happens. However, I'm sure this isn't
the right way. Indeed, running the modified klee on the above code
caused a seg fault.
I would appreciate it if someone could give me some directions or feedback on
this. Thanks.
Randolph
_______________________________________________
klee-dev mailing list
[email protected]
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev