eurecom-s3 / symcc

SymCC: efficient compiler-based symbolic execution

Home Page:http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html

_sym_get_input_byte() in simple backend

ercoppa opened this issue · comments

The current implementation of _sym_get_input_byte in the simple backend is:

Z3_ast _sym_get_input_byte(size_t offset, uint8_t) {
  // One lazily-created symbolic variable per stdin byte, indexed by offset.
  static std::vector<SymExpr> stdinBytes;

  if (offset < stdinBytes.size())
    return stdinBytes[offset];

  // The variable is named after the current vector size, not the offset.
  auto varName = "stdin" + std::to_string(stdinBytes.size());
  auto *var = build_variable(varName.c_str(), 8);

  // If offset > size(), the skipped positions are filled with NULL entries.
  stdinBytes.resize(offset);
  stdinBytes.push_back(var);

  return var;
}

This does not work well in the case of lseek/fseek operations:

  1. suppose a *seek operation moves the offset to X > 0
  2. when asking for the input byte at offset X, the resize operation will create the missing entries before X with a NULL value
  3. if another seek operation moves the offset back, then the check offset < stdinBytes.size() will make the function return NULL for entries before X

Moreover, the varName should likely be "stdin" + std::to_string(offset) to be more intuitive.

Am I right?

Let me know if this could be a reasonable fix (or how to improve it).
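The failure sequence described in the issue, reproduced in a stand-alone model (added example, not SymCC's code): Z3_ast is replaced by a std::shared_ptr<std::string> holding the variable name and build_variable() is a local stand-in, so it compiles without Z3. The "fixed" table shows one possible shape of a fix (grow to offset + 1, create missing variables on first use, name them by offset); it is a suggestion, not the project's patch.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

using SymExpr = std::shared_ptr<std::string>;  // stand-in for Z3_ast (assumption)

// Stand-in for the backend's build_variable(): a fresh 8-bit variable named `name`.
static SymExpr build_variable(const std::string &name, unsigned /*bits*/) {
  return std::make_shared<std::string>(name);
}

// Mirrors the quoted implementation: after a read past the end, resize(offset)
// fills the skipped positions with null entries, and the size check later hands
// those nulls back as if they were real variables.
struct BrokenInputBytes {
  std::vector<SymExpr> bytes;
  SymExpr get(size_t offset) {
    if (offset < bytes.size())
      return bytes[offset];
    auto var = build_variable("stdin" + std::to_string(bytes.size()), 8);
    bytes.resize(offset);
    bytes.push_back(var);
    return var;
  }
};

// Suggested shape of a fix: grow to offset + 1, treat a null slot as "not created
// yet" so the first read at that position builds its variable, named by offset.
struct FixedInputBytes {
  std::vector<SymExpr> bytes;
  SymExpr get(size_t offset) {
    if (offset >= bytes.size())
      bytes.resize(offset + 1);  // gaps stay null until first use
    if (!bytes[offset])
      bytes[offset] = build_variable("stdin" + std::to_string(offset), 8);
    return bytes[offset];
  }
};

// Read byte 3 (as after a seek), then seek back and read byte 0.
// Returns the variable name seen for byte 0, or "" when the entry is null.
template <typename Table> std::string seek_then_rewind(Table &t) {
  t.get(3);
  SymExpr b0 = t.get(0);
  return b0 ? *b0 : std::string();
}

std::string broken_byte0_after_seek() { BrokenInputBytes t; return seek_then_rewind(t); }
std::string fixed_byte0_after_seek()  { FixedInputBytes t;  return seek_then_rewind(t); }
std::string broken_name_of_byte3()    { BrokenInputBytes t; return *t.get(3); }
std::string fixed_name_of_byte3()     { FixedInputBytes t;  return *t.get(3); }
```

The broken table also shows the naming point from the issue: the variable created for byte 3 is called "stdin0" because the name comes from the vector size rather than the offset.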