Hi Marco! I have a program that when compiled, adds a program header that loads a data blob into a fixed memory location. I'm sorry to ask, but could you explain a bit more how this works? At first glance, I'd say that if any of this happens on a stage later than LLVM-IR, it may be hard to mimic in KLEE.
As far as I understand, when KLEE executes a LLVM-IR load instruction<https://github.com/klee/klee/blob/master/lib/Core/Executor.cpp#L2722>, it will try to find<https://github.com/klee/klee/blob/master/lib/Core/Executor.cpp#L4191> the MemoryObjects (more than one if it is a symbolic pointer) that contain the address. Conceptually, you want KLEE to somehow have a MemoryObject at the hardcoded address. One way to go could be modelling this as a LLVM-IR GlobalVariable at your fixed address with the content of your blob. If this makes sense, you may want to check this function<https://github.com/klee/klee/blob/master/lib/Core/Executor.cpp#L648> and addExternalObject perhaps as well. I apologise if you already know this! Best regards, Manuel. ________________________________ From: klee-dev-boun...@imperial.ac.uk <klee-dev-boun...@imperial.ac.uk> on behalf of Marco Vanotti <mvano...@dc.uba.ar> Sent: 16 June 2022 18:55 To: klee-dev <klee-dev@imperial.ac.uk> Subject: [klee-dev] Working with fixed memory locations. Hi klee-dev! I am new to KLEE, and have a question about using it with one of my programs. I have a program that when compiled, adds a program header that loads a data blob into a fixed memory location. This means that my program has this fixed memory location hardcoded all around the place (also this blob has references to itself). I would like to load my program in KLEE to get a better understanding of how it works. The problem I am facing is that I have no idea how to make KLEE understand that I need this blob mapped in that address. This are the things I've tried: * Using wllvm/gclang to get the full program linked together, following my link script, then extracting the bc and running that with KLEE. This didn't work. KLEE complains that the pointers are invalid. * Manually embedding the blob into my program as an array, then calling `mmap` with `MAP_FIXED` to map the area that I want and copying over the blob. The issue here is that MAP_FIXED returns EPERM because probably the address range I am trying to map is already mapped. * Setting the KLEE deterministic allocations to encompass the range that I care about, then doing a big `malloc` and making sure that my range is inside that malloc chunk. For this last one, I am using flags like: --allocate-determ --allocate-determ-start-address=8404992 --allocate-determ-size=3145728 One of the things that I see is that KLEE fails to mmap big chunks (in the order of 100MiB). But even if I decrease the size, I still get failures when I try to assert things like: uintptr_t malloc_addr = (uintptr_t) malloc(malloc_size); klee_assert(BASE_ADDR >= malloc_addr); klee_assert(BASE_ADDR < malloc_addr + malloc_size); ------ Something that might be relevant is that in reality I need two of these blobs loaded into different regions of memory, but so far I can't even get to load one. And they are not too far apart from each other, so if, for example, the malloc approach works, I could just increase the size and make the two allocations. One thing that might complicate things, is that these addresses might collide with where KLEE tries to load the program. I don't know how to deal with that either. Any advice on how to tune KLEE for this use case? Best Regards, Marco
_______________________________________________ klee-dev mailing list klee-dev@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
