Re: [klee-dev] One question about external dispatcher
Thanks. You are right. I solved the problem.

Best regards,
Qiuping Yi
Parasol Laboratory
Department of Computer Science and Engineering
Texas A&M University
College Station TX 77843

On Sat, Jan 28, 2017 at 4:12 AM, Dan Liew wrote:
> On 27 January 2017 at 04:18, Qiuping Yi wrote:
> > Dear all,
> >
> > I encountered a strange problem when testing the next code snippet:
> >
> > 1 if (pw = getpwuid(getuid()) == NULL)
> > 2 return ;
> >
> > 3 .. = pw->pw_dir;
>
> Please use the correct mailing list (klee-dev@imperial.ac.uk) instead
> of the old klee-...@keeda.stanford.edu mailing list.
>
> It would be better if you provided a small complete example. Like this.
>
> ```
> #include <stdio.h>
> #include <assert.h>
> #include <pwd.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> int main(int arc, char** argv) {
>   struct passwd* pw;
>   uid_t uid = getuid();
>   printf("uid is %d\n", uid);
>   /* As posted: `==` binds tighter than `=`, so pw gets 0 or 1, not the pointer. */
>   if (pw = getpwuid(getuid()) == NULL) {
>     printf("Failed\n");
>     return 1;
>   }
>   assert(pw && "pw cannot be NULL");
>
>   char* pw_dir = pw->pw_dir;
>   printf("pw_dir: %s\n", pw_dir);
>   return 0;
> }
> ```
>
> Your code is wrong.
>
> if (pw = getpwuid(getuid()) == NULL)
>
> is doing this
>
> if ( pw = ( getpwuid(getuid()) == NULL ) )
>
> so a pointer is returned by `getpwuid()` and then we compare with NULL
> which is false so then `pw` gets assigned the value zero.
>
> However once I fix your code to
>
> if ((pw = getpwuid(getuid())) == NULL) {
>
> then I can reproduce the problem if I just run `klee program.bc`
>
> I suspect it's to do with the fact `getpwuid()` returns a pointer to
> "real memory" which does not point to anything in KLEE's own model of
> the memory (i.e. the address space of the program under).
>
> To fix this you need not call `getpwuid()` as an external function but
> instead call it from klee-uclibc so that it can be symbolically
> executed.
>
> If you run
>
> ```
> klee -libc=uclibc program.bc
> ```
>
> no out of bounds access is reported.
>
> HTH,
> Dan.
> ___ klee-dev mailing list klee-dev@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
Re: [klee-dev] One question about external dispatcher
On 27 January 2017 at 04:18, Qiuping Yi wrote:
> Dear all,
>
> I encountered a strange problem when testing the next code snippet:
>
> 1 if (pw = getpwuid(getuid()) == NULL)
> 2 return ;
>
> 3 .. = pw->pw_dir;

Please use the correct mailing list (klee-dev@imperial.ac.uk) instead of the old klee-...@keeda.stanford.edu mailing list.

It would be better if you provided a small complete example. Like this.

```
#include <stdio.h>
#include <assert.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

int main(int arc, char** argv) {
  struct passwd* pw;
  uid_t uid = getuid();
  printf("uid is %d\n", uid);
  /* As posted: `==` binds tighter than `=`, so pw gets 0 or 1, not the pointer. */
  if (pw = getpwuid(getuid()) == NULL) {
    printf("Failed\n");
    return 1;
  }
  assert(pw && "pw cannot be NULL");

  char* pw_dir = pw->pw_dir;
  printf("pw_dir: %s\n", pw_dir);
  return 0;
}
```

Your code is wrong.

if (pw = getpwuid(getuid()) == NULL)

is doing this

if ( pw = ( getpwuid(getuid()) == NULL ) )

so a pointer is returned by `getpwuid()` and then we compare with NULL which is false so then `pw` gets assigned the value zero.

However once I fix your code to

if ((pw = getpwuid(getuid())) == NULL) {

then I can reproduce the problem if I just run `klee program.bc`

I suspect it's to do with the fact `getpwuid()` returns a pointer to "real memory" which does not point to anything in KLEE's own model of the memory (i.e. the address space of the program under).

To fix this you need not call `getpwuid()` as an external function but instead call it from klee-uclibc so that it can be symbolically executed.

If you run

```
klee -libc=uclibc program.bc
```

no out of bounds access is reported.

HTH,
Dan.
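The precedence mistake Dan points out, shown side by side with the corrected check. This is an added example, not code from the thread or from KLEE; `fake_getpwuid` and its table are a constructed stand-in for `getpwuid()` so the result does not depend on the host's user database.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for struct passwd / getpwuid(): deterministic lookup. */
struct fake_passwd { unsigned uid; const char *pw_dir; };
static const struct fake_passwd table[] = { { 0, "/root" }, { 1000, "/home/alice" } };

static const struct fake_passwd *fake_getpwuid(unsigned uid) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].uid == uid) return &table[i];
    return NULL;   /* unknown uid, like the real getpwuid() */
}

/* What `pw = getpwuid(uid) == NULL` really assigns: `==` binds tighter than
 * `=`, so pw receives the comparison result (0 or 1) converted to a pointer.
 * The explicit cast spells out what the posted code does implicitly (gcc's
 * -Wparentheses and -Wint-conversion flag the implicit form). Returns the
 * address pw ends up holding. */
static uintptr_t buggy_condition_value(unsigned uid) {
    const struct fake_passwd *pw;
    pw = (const struct fake_passwd *)(uintptr_t)(fake_getpwuid(uid) == NULL);
    return (uintptr_t)pw;   /* 0 for a known uid: pw->pw_dir would be a NULL deref */
}

/* Corrected form: parenthesise the assignment, then test the pointer itself. */
static const char *home_dir_or_null(unsigned uid) {
    const struct fake_passwd *pw;
    if ((pw = fake_getpwuid(uid)) == NULL)
        return NULL;        /* lookup failure is now actually detected */
    return pw->pw_dir;
}

int main(void) {
    printf("buggy, known uid 1000:   pw = %lu (NULL, then dereferenced)\n",
           (unsigned long)buggy_condition_value(1000));
    printf("buggy, unknown uid 4242: pw = %lu (bogus non-NULL, early return)\n",
           (unsigned long)buggy_condition_value(4242));
    printf("fixed, uid 1000: %s\n", home_dir_or_null(1000));
    printf("fixed, uid 4242: %s\n", home_dir_or_null(4242) ? "found" : "NULL, handled");
    return 0;
}
```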
[klee-dev] One question about external dispatcher
Dear all,

I encountered a strange problem when testing the next code snippet:

1 if (pw = getpwuid(getuid()) == NULL)
2 return ;

3 .. = pw->pw_dir;

When handling line 1, KLEE firstly invokes *externalDispatcher->executeCall*, which will invoke *runProtectedCall* to execute the external function and store the result to a given memory location. Then, it will invoke *fromMemory* to get the return value from the location. However, it encounters an "out of bound" error when handling line 3.

I printed the value of variable *pw* at line 1, and got something like *139894903382656*, which is definitely not equal to '*null*', thus it will arrive at line 3. Actually, *139894903382656* seems an invalid address. So why does this strange situation happen?

Thank you all in advance.

Best regards,
Qiuping Yi
Parasol Laboratory
Department of Computer Science and Engineering
Texas A&M University
College Station TX 77843