Add klee_mock without chaking size before add_taint

Author: mamaria-k

include/klee/Core/MockBuilder.h

@@ -48,6 +48,8 @@ class MockBuilder {
   buildCallKleeMakeSymbolic(const std::string &kleeMakeSymbolicFunctionName,
                             llvm::Value *source, llvm::Type *type,
                             const std::string &symbolicName);
+  void buildCallKleeMakeMockAll(llvm::Value *source,
+                                const std::string &symbolicName);
   llvm::CallInst *buildCallKleeTaintFunction(const std::string &functionName,
                                              llvm::Value *source, size_t taint,
                                              llvm::Type *returnType);

lib/Core/MockBuilder.cpp

@@ -55,6 +55,21 @@ void MockBuilder::buildCallKleeMakeSymbolic(
                       {bitCastInst, llvm::ConstantInt::get(ctx, sz), gep});
 }
 
+void MockBuilder::buildCallKleeMakeMockAll(llvm::Value *source,
+                                           const std::string &symbolicName) {
+  auto *kleeMakeSymbolicName = llvm::FunctionType::get(
+      llvm::Type::getVoidTy(ctx),
+      {llvm::Type::getInt8PtrTy(ctx), llvm::Type::getInt8PtrTy(ctx)}, false);
+  auto kleeMakeSymbolicCallee = mockModule->getOrInsertFunction(
+      "klee_make_mock_all", kleeMakeSymbolicName);
+  auto bitCastInst =
+      builder->CreateBitCast(source, llvm::Type::getInt8PtrTy(ctx));
+  auto globalSymbolicName = builder->CreateGlobalString("@" + symbolicName);
+  auto gep = builder->CreateConstInBoundsGEP2_64(
+      globalSymbolicName->getValueType(), globalSymbolicName, 0, 0);
+  builder->CreateCall(kleeMakeSymbolicCallee, {bitCastInst, gep});
+}
+
 std::map<std::string, llvm::FunctionType *>
 MockBuilder::getExternalFunctions() {
   std::map<std::string, llvm::FunctionType *> externals;
@@ -544,44 +559,6 @@ MockBuilder::buildCallKleeTaintFunction(const std::string &functionName,
       false);
   auto kleeTaintFunctionCallee =
       mockModule->getOrInsertFunction(functionName, kleeTaintFunctionType);
-
-  //  //TODO: that's not all:
-  //  // - add var arg list (now it is not even considered
-  //  //                 when passing through the function
-  //  //                 parameters and never gets here)
-  //  // - think about **
-  //  // - add going by pointers
-  //  llvm::Value *beginPtr;
-  //  llvm::Value *countBytes;
-  //  if (!source->getType()->isPointerTy() && !source->getType()->isArrayTy())
-  //  {
-  //    beginPtr = builder->CreateAlloca(source->getType());
-  //    builder->CreateStore(source, beginPtr);
-  //
-  //    const size_t bytes = mockModule->getDataLayout().getTypeStoreSize(
-  //      source->getType()->getPointerElementType());
-  //    countBytes = llvm::ConstantInt::get(
-  //      mockModule->getContext(),
-  //      llvm::APInt(64, bytes, false));
-  //  } else if (source->getType()->isPointerTy()) {
-  //    beginPtr = builder->CreateBitCast(
-  //      source, llvm::Type::getInt8PtrTy(mockModule->getContext()));
-  //
-  //    if (source->getType()->getPointerElementType()->isIntegerTy(8)) {
-  //      auto *TLI = new
-  //      llvm::TargetLibraryInfo(llvm::TargetLibraryInfoImpl()); countBytes =
-  //      llvm::emitStrLen(source, *builder,
-  //                                    mockModule->getDataLayout(),TLI);
-  //    }
-  //    else {
-  //      const size_t bytes = mockModule->getDataLayout().getTypeStoreSize(
-  //        source->getType()->getPointerElementType());
-  //      countBytes = llvm::ConstantInt::get(
-  //        mockModule->getContext(),
-  //        llvm::APInt(64, bytes, false));
-  //    }
-  //  }
-
   llvm::Value *beginPtr;
   if (!source->getType()->isPointerTy() && !source->getType()->isArrayTy()) {
     beginPtr = builder->CreateAlloca(source->getType());
@@ -624,6 +601,7 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
 #else
     const auto arg = &func->arg_begin()[i];
 #endif
+    size_t offsetIndex = 0;
     auto statementsMap = unifyByOffset(statements[i]);
     for (const auto &[offset, statementsOffset] : statementsMap) {
       auto [prev, elem] = goByOffset(arg, offset);
@@ -632,6 +610,11 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
       Statement::Free *freePtr = nullptr;
       Statement::InitNull *initNullPtr = nullptr;
 
+      bool isMocked = false;
+      std::string mockName = "klee_mock" + func->getName().str() + "_arg_" +
+                             std::to_string(i) + "_" +
+                             std::to_string(offsetIndex);
+
       for (const auto &statement : statementsOffset) {
         switch (statement->getKind()) {
         case Statement::Kind::Deref: {
@@ -697,13 +680,23 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
           if (!elem->getType()->isPointerTy()) {
             klee_error("Annotation: TaintOutput arg is not pointer");
           }
+
+          if (!isMocked) {
+            buildCallKleeMakeMockAll(elem, mockName);
+            isMocked = true;
+          }
           buildAnnotationTaintOutput(elem, statement);
           break;
         }
         case Statement::Kind::TaintPropagation: {
           if (!elem->getType()->isPointerTy()) {
             klee_error("Annotation: TaintPropagation arg is not pointer");
           }
+
+          if (!isMocked) {
+            buildCallKleeMakeMockAll(elem, mockName);
+            isMocked = true;
+          }
           buildAnnotationTaintPropagation(elem, statement, func,
                                           "_arg_" + std::to_string(i) + "_");
           break;
@@ -724,6 +717,7 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
         buildFree(elem, freePtr);
       }
       processingValue(prev, elem->getType(), allocSourcePtr, initNullPtr);
+      offsetIndex++;
     }
   }
 }
@@ -852,14 +846,6 @@ void MockBuilder::buildAnnotationForExternalFunctionReturn(
   std::string retName = "ret_" + func->getName().str();
   llvm::Value *retValuePtr = builder->CreateAlloca(returnType, nullptr);
 
-  //  TODO: fix strange type ("fopen" mock, store instruction)
-  //  if (func->getName() == "fopen") {
-  //    buildCallKleeMakeSymbolic("klee_make_mock", retValuePtr, returnType,
-  //                              func->getName().str());
-  //    llvm::Value *retValue = builder->CreateLoad(returnType, retValuePtr,
-  //    retName); builder->CreateRet(retValue); return;
-  //  }
-
   if (returnType->isPointerTy() && (allocSourcePtr || mustInitNull)) {
     processingValue(retValuePtr, returnType, allocSourcePtr,
                     mustInitNull || maybeInitNull);

lib/Core/SpecialFunctionHandler.cpp

@@ -116,6 +116,7 @@ static SpecialFunctionHandler::HandlerInfo handlerInfo[] = {
     add("klee_is_symbolic", handleIsSymbolic, true),
     add("klee_make_symbolic", handleMakeSymbolic, false),
     add("klee_make_mock", handleMakeMock, false),
+    add("klee_make_mock_all", handleMakeMockAll, false),
     add("klee_mark_global", handleMarkGlobal, false),
     add("klee_prefer_cex", handlePreferCex, false),
     add("klee_posix_prefer_cex", handlePosixPreferCex, false),
@@ -1077,6 +1078,71 @@ void SpecialFunctionHandler::handleMakeMock(ExecutionState &state,
   }
 }
 
+void SpecialFunctionHandler::handleMakeMockAll(
+    ExecutionState &state, KInstruction *target,
+    std::vector<ref<Expr>> &arguments) {
+  std::string name;
+
+  if (arguments.size() != 2) {
+    executor.terminateStateOnUserError(state,
+                                       "Incorrect number of arguments to "
+                                       "klee_make_mock_all(void*, char*)");
+    return;
+  }
+
+  name = arguments[1]->isZero()
+             ? ""
+             : readStringAtAddress(state, executor.makePointer(arguments[1]));
+
+  if (name.empty()) {
+    executor.terminateStateOnUserError(
+        state, "Empty name of function in klee_make_mock_all");
+    return;
+  }
+
+  KFunction *kf = target->parent->parent;
+
+  Executor::ExactResolutionList rl;
+  executor.resolveExact(state, arguments[0],
+                        executor.typeSystemManager->getUnknownType(), rl,
+                        "make_symbolic");
+
+  for (auto &it : rl) {
+    ObjectPair op = it.second->addressSpace.findObject(it.first);
+    const MemoryObject *mo = op.first;
+    mo->setName(name);
+    mo->updateTimestamp();
+
+    const ObjectState *old = op.second;
+    ExecutionState *s = it.second;
+
+    if (old->readOnly) {
+      executor.terminateStateOnUserError(
+          *s, "cannot make readonly object symbolic");
+      return;
+    }
+
+    ref<SymbolicSource> source;
+    switch (executor.interpreterOpts.MockStrategy) {
+    case MockStrategyKind::Naive:
+      source =
+          SourceBuilder::mockNaive(executor.kmodule.get(), *kf->function(),
+                                   executor.updateNameVersion(state, name));
+      break;
+    case MockStrategyKind::Deterministic:
+      std::vector<ref<Expr>> args(kf->getNumArgs());
+      for (size_t i = 0; i < kf->getNumArgs(); i++) {
+        args[i] = executor.getArgumentCell(state, kf, i).value;
+      }
+      source = SourceBuilder::mockDeterministic(executor.kmodule.get(),
+                                                *kf->function(), args);
+      break;
+    }
+    executor.executeMakeSymbolic(state, mo, old->getDynamicType(), source,
+                                 false);
+  }
+}
+
 void SpecialFunctionHandler::handleMarkGlobal(
     ExecutionState &state, KInstruction *target,
     std::vector<ref<Expr>> &arguments) {
@@ -1231,6 +1297,11 @@ void SpecialFunctionHandler::handleAddTaint(klee::ExecutionState &state,
                                        "klee_add_taint(void*, size_t)");
     return;
   }
+
+//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+//  printf("klee_add_taint source: %zu\n", taintSource);
+//  executor.executeChangeTaintSource(
+//      state, target, executor.makePointer(arguments[0]), taintSource, true);
 }
 
 void SpecialFunctionHandler::handleClearTaint(
@@ -1242,6 +1313,11 @@ void SpecialFunctionHandler::handleClearTaint(
                                        "klee_clear_taint(void*, size_t)");
     return;
   }
+
+//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+//  printf("klee_clear_taint source: %zu\n", taintSource);
+//  executor.executeChangeTaintSource(
+//      state, target, executor.makePointer(arguments[0]), taintSource, false);
 }
 
 void SpecialFunctionHandler::handleCheckTaintSource(
@@ -1255,8 +1331,9 @@ void SpecialFunctionHandler::handleCheckTaintSource(
   }
 
 //  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
-//  executor.executeCheckTaintSource(state, target,
-//                                   executor.makePointer(arguments[0]), taintSource);
+//  printf("klee_check_taint_source source: %zu\n", taintSource);
+//  executor.executeCheckTaintSource(
+//      state, target, executor.makePointer(arguments[0]), taintSource);
 }
 
 void SpecialFunctionHandler::handleGetTaintRule(
@@ -1269,11 +1346,12 @@ void SpecialFunctionHandler::handleGetTaintRule(
     return;
   }
 
-//  // TODO: now mock
-  ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
-  executor.bindLocal(target, state, result);
+  //  // TODO: now mock
+    ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
+    executor.bindLocal(target, state, result);
 
 //  uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+//  printf("klee_get_taint_rule source: %zu\n", taintSink);
 //  executor.executeGetTaintRule(state, target,
 //                               executor.makePointer(arguments[0]), taintSink);
 }
@@ -1287,7 +1365,7 @@ void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
     return;
   }
 
-  uint64_t ruleId = dyn_cast<ConstantExpr>(arguments[0])->getZExtValue();
-//  printf("klee_taint_hit for rule: %zu\n", ruleId);
-  executor.terminateStateOnTargetTaintError(state, ruleId);
+  uint64_t taintRule = dyn_cast<ConstantExpr>(arguments[0])->getZExtValue();
+  printf("klee_taint_hit rule: %zu\n", taintRule);
+  executor.terminateStateOnTargetTaintError(state, taintRule);
 }

lib/Core/SpecialFunctionHandler.h

@@ -130,6 +130,7 @@ class SpecialFunctionHandler {
   HANDLER(handleIsSymbolic);
   HANDLER(handleMakeSymbolic);
   HANDLER(handleMakeMock);
+  HANDLER(handleMakeMockAll);
   HANDLER(handleMalloc);
   HANDLER(handleMemalign);
   HANDLER(handleMarkGlobal);

runtime/Runtest/intrinsics.c

@@ -165,11 +165,12 @@ void klee_make_mock(void *ret_array, size_t ret_nbytes, const char *fname) {
 }
 
 // TODO: add for tests
-void klee_add_taint(void *array, size_t taint_source) {}
-void klee_clear_taint(void *array, size_t taint_source) {}
-bool klee_check_taint_source(void *array, size_t taint_source) {}
-bool klee_check_taint_sink(void *array, size_t taint_sink) {}
-void klee_taint_sink_hit(size_t taint_sink) {}
+//void klee_make_mock_all(void *ret_array, const char *fname);
+//void klee_add_taint(void *array, size_t taint_source) {}
+//void klee_clear_taint(void *array, size_t taint_source) {}
+//bool klee_check_taint_source(void *array, size_t taint_source) {}
+//size_t klee_get_taint_rule(void *array, size_t taint_sink) {}
+//void klee_taint_hit(size_t rule) {}
 
 void klee_silent_exit(int x) { exit(x); }
 

tools/klee/main.cpp

@@ -1087,12 +1087,12 @@ static const char *modelledExternals[] = {
     "klee_get_valuef", "klee_get_valued", "klee_get_valuel", "klee_get_valuell",
     "klee_get_value_i32", "klee_get_value_i64", "klee_get_obj_size",
     "klee_is_symbolic", "klee_make_symbolic", "klee_make_mock",
-    "klee_add_taint", "klee_clear_taint", "klee_check_taint_source",
-    "klee_get_taint_rule", "klee_taint_hit", "klee_mark_global",
-    "klee_open_merge", "klee_close_merge", "klee_prefer_cex",
-    "klee_posix_prefer_cex", "klee_print_expr", "klee_print_range",
-    "klee_report_error", "klee_set_forking", "klee_silent_exit", "klee_warning",
-    "klee_warning_once", "klee_stack_trace",
+    "klee_make_mock_all", "klee_add_taint", "klee_clear_taint",
+    "klee_check_taint_source", "klee_get_taint_rule", "klee_taint_hit",
+    "klee_mark_global", "klee_open_merge", "klee_close_merge",
+    "klee_prefer_cex", "klee_posix_prefer_cex", "klee_print_expr",
+    "klee_print_range", "klee_report_error", "klee_set_forking",
+    "klee_silent_exit", "klee_warning", "klee_warning_once", "klee_stack_trace",
 #ifdef SUPPORT_KLEE_EH_CXX
     "_klee_eh_Unwind_RaiseException_impl", "klee_eh_typeid_for",
 #endif