doxygen/html/SeedInfo_8cpp_source.html

//===-- SeedInfo.cpp ------------------------------------------------------===//

//

//                     The KLEE Symbolic Virtual Machine

//

// This file is distributed under the University of Illinois Open Source

// License. See LICENSE.TXT for details.

//

//===----------------------------------------------------------------------===//


#include "SeedInfo.h"


#include "ExecutionState.h"

#include "Memory.h"

#include "TimingSolver.h"


#include "klee/ADT/KTest.h"

#include "klee/Expr/Expr.h"

#include "klee/Expr/ExprUtil.h"

#include "klee/ADT/KTest.h"

#include "klee/Support/ErrorHandling.h"


using namespace klee;


KTestObject *SeedInfo::getNextInput(const MemoryObject *mo,

                                   bool byName) {

  if (byName) {

    unsigned i;


    for (i=0; i<input->numObjects; ++i) {

      KTestObject *obj = &input->objects[i];

      if (std::string(obj->name) == mo->name)

        if (used.insert(obj).second)

          return obj;

    }


    // If first unused input matches in size then accept that as

    // well.

    for (i=0; i<input->numObjects; ++i)

      if (!used.count(&input->objects[i]))

        break;

    if (i<input->numObjects) {

      KTestObject *obj = &input->objects[i];

      if (obj->numBytes == mo->size) {

        used.insert(obj);

        klee_warning_once(mo, "using seed input %s[%d] for: %s (no name match)",

                          obj->name, obj->numBytes, mo->name.c_str());

        return obj;

      }

    }


    klee_warning_once(mo, "no seed input for: %s", mo->name.c_str());

    return 0;

  } else {

    if (inputPosition >= input->numObjects) {

      return 0;

    } else {

      return &input->objects[inputPosition++];

    }

  }

}


void SeedInfo::patchSeed(const ExecutionState &state,

                         ref<Expr> condition,

                         TimingSolver *solver) {

  ConstraintSet required(state.constraints);

  ConstraintManager cm(required);

  cm.addConstraint(condition);


  // Try and patch direct reads first, this is likely to resolve the

  // problem quickly and avoids long traversal of all seed

  // values. There are other smart ways to do this, the nicest is if

  // we got a minimal counterexample from STP, in which case we would

  // just inject those values back into the seed.

  std::set< std::pair<const Array*, unsigned> > directReads;

  std::vector< ref<ReadExpr> > reads;

  findReads(condition, false, reads);

  for (std::vector< ref<ReadExpr> >::iterator it = reads.begin(),

         ie = reads.end(); it != ie; ++it) {

    ReadExpr *re = it->get();

    if (ConstantExpr *CE = dyn_cast<ConstantExpr>(re->index)) {

      directReads.insert(std::make_pair(re->updates.root,

                                        (unsigned) CE->getZExtValue(32)));

    }

  }


  for (std::set< std::pair<const Array*, unsigned> >::iterator

         it = directReads.begin(), ie = directReads.end(); it != ie; ++it) {

    const Array *array = it->first;

    unsigned i = it->second;

    ref<Expr> read = ReadExpr::create(UpdateList(array, 0),

                                      ConstantExpr::alloc(i, Expr::Int32));


    // If not in bindings then this can't be a violation?

    Assignment::bindings_ty::iterator it2 = assignment.bindings.find(array);

    if (it2 != assignment.bindings.end()) {

      ref<Expr> isSeed = EqExpr::create(read,

                                        ConstantExpr::alloc(it2->second[i],

                                                            Expr::Int8));

      bool res;

      bool success =

          solver->mustBeFalse(required, isSeed, res, state.queryMetaData);

      assert(success && "FIXME: Unhandled solver failure");

      (void) success;

      if (res) {

        ref<ConstantExpr> value;

        bool success =

            solver->getValue(required, read, value, state.queryMetaData);

        assert(success && "FIXME: Unhandled solver failure");

        (void) success;

        it2->second[i] = value->getZExtValue(8);

        cm.addConstraint(EqExpr::create(

            read, ConstantExpr::alloc(it2->second[i], Expr::Int8)));

      } else {

        cm.addConstraint(isSeed);

      }

    }

  }


  bool res;

  bool success =

      solver->mayBeTrue(state.constraints, assignment.evaluate(condition), res,

                        state.queryMetaData);

  assert(success && "FIXME: Unhandled solver failure");

  (void) success;

  if (res)

    return;


  // We could still do a lot better than this, for example by looking at

  // independence. But really, this shouldn't be happening often.

  for (Assignment::bindings_ty::iterator it = assignment.bindings.begin(),

         ie = assignment.bindings.end(); it != ie; ++it) {

    const Array *array = it->first;

    for (unsigned i=0; i<array->size; ++i) {

      ref<Expr> read = ReadExpr::create(UpdateList(array, 0),

                                        ConstantExpr::alloc(i, Expr::Int32));

      ref<Expr> isSeed = EqExpr::create(read,

                                        ConstantExpr::alloc(it->second[i],

                                                            Expr::Int8));

      bool res;

      bool success =

          solver->mustBeFalse(required, isSeed, res, state.queryMetaData);

      assert(success && "FIXME: Unhandled solver failure");

      (void) success;

      if (res) {

        ref<ConstantExpr> value;

        bool success =

            solver->getValue(required, read, value, state.queryMetaData);

        assert(success && "FIXME: Unhandled solver failure");

        (void) success;

        it->second[i] = value->getZExtValue(8);

        cm.addConstraint(EqExpr::create(

            read, ConstantExpr::alloc(it->second[i], Expr::Int8)));

      } else {

        cm.addConstraint(isSeed);

      }

    }

  }


#ifndef NDEBUG

  {

    bool res;

    bool success =

        solver->mayBeTrue(state.constraints, assignment.evaluate(condition),

                          res, state.queryMetaData);

    assert(success && "FIXME: Unhandled solver failure");

    (void) success;

    assert(res && "seed patching failed");

  }

#endif

}

ErrorHandling.h

ExecutionState.h

ExprUtil.h

Expr.h

KTest.h

Memory.h

SeedInfo.h

TimingSolver.h

klee::Array
Definition: Expr.h:483

klee::Array::size
const unsigned size
Definition: Expr.h:489

klee::Assignment::evaluate
ref< Expr > evaluate(const Array *mo, unsigned index) const
Definition: Assignment.h:69

klee::Assignment::bindings
bindings_ty bindings
Definition: Assignment.h:26

klee::ConstantExpr
Definition: Expr.h:996

klee::ConstantExpr::alloc
static ref< ConstantExpr > alloc(const llvm::APInt &v)
Definition: Expr.h:1065

klee::ConstraintManager
Manages constraints, e.g. optimisation.
Definition: Constraints.h:50

klee::ConstraintManager::addConstraint
void addConstraint(const ref< Expr > &constraint)
Definition: Constraints.cpp:158

klee::ConstraintSet
Definition: Constraints.h:19

klee::ExecutionState
ExecutionState representing a path under exploration.
Definition: ExecutionState.h:147

klee::ExecutionState::queryMetaData
SolverQueryMetaData queryMetaData
Statistics and information.
Definition: ExecutionState.h:189

klee::ExecutionState::constraints
ConstraintSet constraints
Constraints collected so far.
Definition: ExecutionState.h:184

klee::Expr::Int32
static const Width Int32
Definition: Expr.h:103

klee::Expr::Int8
static const Width Int8
Definition: Expr.h:101

klee::MemoryObject
Definition: Memory.h:35

klee::MemoryObject::size
unsigned size
size in bytes
Definition: Memory.h:52

klee::MemoryObject::name
std::string name
Definition: Memory.h:53

klee::ReadExpr
Class representing a one byte read from an array.
Definition: Expr.h:565

klee::ReadExpr::index
ref< Expr > index
Definition: Expr.h:572

klee::ReadExpr::updates
UpdateList updates
Definition: Expr.h:571

klee::ReadExpr::create
static ref< Expr > create(const UpdateList &updates, ref< Expr > i)
Definition: Expr.cpp:538

klee::SeedInfo::used
std::set< struct KTestObject * > used
Definition: SeedInfo.h:30

klee::SeedInfo::input
KTest * input
Definition: SeedInfo.h:28

klee::SeedInfo::inputPosition
unsigned inputPosition
Definition: SeedInfo.h:29

klee::SeedInfo::assignment
Assignment assignment
Definition: SeedInfo.h:27

klee::SeedInfo::patchSeed
void patchSeed(const ExecutionState &state, ref< Expr > condition, TimingSolver *solver)
Definition: SeedInfo.cpp:62

klee::TimingSolver
Definition: TimingSolver.h:27

klee::TimingSolver::getValue
bool getValue(const ConstraintSet &, ref< Expr > expr, ref< ConstantExpr > &result, SolverQueryMetaData &metaData)
Definition: TimingSolver.cpp:90

klee::TimingSolver::mustBeFalse
bool mustBeFalse(const ConstraintSet &, ref< Expr >, bool &result, SolverQueryMetaData &metaData)
Definition: TimingSolver.cpp:67

klee::TimingSolver::mayBeTrue
bool mayBeTrue(const ConstraintSet &, ref< Expr >, bool &result, SolverQueryMetaData &metaData)
Definition: TimingSolver.cpp:72

klee::UpdateList
Class representing a complete list of updates into an array.
Definition: Expr.h:539

klee::UpdateList::root
const Array * root
Definition: Expr.h:543

klee::ref< Expr >

klee
Definition: main.cpp:291

klee::findReads
void findReads(ref< Expr > e, bool visitUpdates, std::vector< ref< ReadExpr > > &result)
Definition: ExprUtil.cpp:19

klee::klee_warning_once
void void void void klee_warning_once(const void *id, const char *msg,...) __attribute__((format(printf
Definition: ErrorHandling.cpp:161

KTestObject
Definition: KTest.h:18

KTestObject::name
char * name
Definition: KTest.h:19

KTestObject::numBytes
unsigned numBytes
Definition: KTest.h:20

KTest::numObjects
unsigned numObjects
Definition: KTest.h:35

KTest::objects
KTestObject * objects
Definition: KTest.h:36