eurecom-s3 / symcc

SymCC: efficient compiler-based symbolic execution

Home Page:http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html


modify implementation of mmap() wrapper

tiedaoxiaotubie opened this issue · comments

Hi, I noticed that mmap() and mmap64() didn't create a symbolic expression in their libc wrappers. However, mmap will sometimes be used as a read function. Since a symbolic expression is created in the read() wrapper (https://github.com/eurecom-s3/symcc/blob/master/runtime/LibcWrappers.cpp#L140), I also added this code to the mmap64() wrapper, so that we can create a symbolic expression inside it too. Here is my implementation:

void *SYM(mmap64)(void *addr, size_t len, int prot, int flags, int fildes,
                  uint64_t off) {
  auto *result = mmap64(addr, len, prot, flags, fildes, off);
  _sym_set_return_expression(nullptr);

  if (result == MAP_FAILED) // mmap failed, nothing to shadow
    return result;

  if (fildes == inputFileDescriptor) {
    // Reading symbolic input: same scheme as the read() wrapper, every mapped
    // byte is labelled with the next value of the running input offset.
    ReadWriteShadow shadow(result, len);
    std::generate(shadow.begin(), shadow.end(),
                  []() { return _sym_get_input_byte(inputOffset++); });
  } else if (!isConcrete(result, len)) {
    // Mapping some other file: clear any stale expressions in the region.
    ReadWriteShadow shadow(result, len);
    std::fill(shadow.begin(), shadow.end(), nullptr);
  }

  // As in the read() wrapper: record the constraint on len in case it is symbolic.
  tryAlternative(len, _sym_get_parameter_expression(1), SYM(mmap64));

  return result;
}

I can compile it successfully; however, I got an error message when I tried to run the target program:

Error: Sorts (_ BitVec 64) and (_ BitVec 32) are incompatible

Any idea about how to fix it?

Hi,

Interesting, thanks for helping improve SymCC!

Is this for when you use SymCC with SYMCC_INPUT_FILE and the program mmaps that file? It would be nice to have a minimal test case to reproduce. More generally, it would be nice at some point to have a more generic way to make memory symbolic (like KLEE or S2E have).

I imagine the main problem in your code comes from the fact that mmap will map the file to memory and it will be accessed out of order, so a shadow memory for the whole file should be created. If I understand correctly, you copied the code from read, which copies one word from the current file offset (inputOffset), and it does not make much sense to use the file offset of the input file for mmap. I think you should use the offset passed as a parameter to mmap instead, the off parameter?
Interesting question is what to do when the same file is mapped at multiple addresses.

I assume the type error may be a consequence of that. Diagnosing it would require logging the generated constraints and seeing where the type mismatch happens.
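The point made above, that a mapped byte should be labelled by its own file offset (off + i) rather than by the read() wrapper's running counter, as an added model that is not SymCC's runtime code: Expr, ModelRuntime, onRead, onMmap, onMmapWithReadCounter and mappingsAgree are stand-ins I made up for ReadWriteShadow and _sym_get_input_byte, and the file descriptor, addresses and offsets are constructed values.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>

// Stand-in for a symbolic expression: which input-file byte a memory byte
// came from. symbolic == false models a nullptr expression (concrete byte).
struct Expr {
  bool symbolic = false;
  size_t inputByte = 0;
};
inline Expr concrete() { return Expr{}; }
inline Expr inputByte(size_t off) { Expr e; e.symbolic = true; e.inputByte = off; return e; }
inline bool operator==(const Expr &a, const Expr &b) {
  return a.symbolic == b.symbolic && (!a.symbolic || a.inputByte == b.inputByte);
}
inline bool operator!=(const Expr &a, const Expr &b) { return !(a == b); }

// Hypothetical model of the runtime state the libc wrappers touch.
struct ModelRuntime {
  std::map<uintptr_t, Expr> shadow; // address -> expression (model of shadow memory)
  size_t inputOffset = 0;           // running position used by the read() wrapper
  int inputFileDescriptor;

  explicit ModelRuntime(int fd) : inputFileDescriptor(fd) {}

  // Data from any other file becomes concrete, like std::fill(..., nullptr).
  void markConcrete(uintptr_t addr, size_t n) {
    for (size_t i = 0; i < n; ++i) shadow[addr + i] = concrete();
  }

  // read(): bytes arrive in file order, so the running counter is exactly
  // the file offset of each byte that lands in buf.
  void onRead(int fd, uintptr_t buf, size_t n) {
    if (fd != inputFileDescriptor) { markConcrete(buf, n); return; }
    for (size_t i = 0; i < n; ++i) shadow[buf + i] = inputByte(inputOffset++);
  }

  // mmap(): the mapping exposes file bytes [off, off + len) at an arbitrary
  // address, to be touched in any order, so each byte is labelled by its own
  // file offset, independent of where sequential reads currently stand.
  void onMmap(int fd, uintptr_t result, size_t len, uint64_t off) {
    if (fd != inputFileDescriptor) { markConcrete(result, len); return; }
    for (size_t i = 0; i < len; ++i)
      shadow[result + i] = inputByte(static_cast<size_t>(off + i));
  }

  // The variant from the issue, for contrast: reusing the read() counter makes
  // a byte's label depend on how much was read or mapped before, so two
  // mappings of the same file region get different expressions.
  void onMmapWithReadCounter(int fd, uintptr_t result, size_t len) {
    if (fd != inputFileDescriptor) { markConcrete(result, len); return; }
    for (size_t i = 0; i < len; ++i) shadow[result + i] = inputByte(inputOffset++);
  }

  Expr exprAt(uintptr_t addr) const {
    auto it = shadow.find(addr);
    return it == shadow.end() ? concrete() : it->second;
  }
};

// True when two mappings of length len carry identical expressions byte for
// byte, i.e. the same file byte has the same symbolic identity at both addresses.
bool mappingsAgree(const ModelRuntime &rt, uintptr_t a, uintptr_t b, size_t len) {
  for (size_t i = 0; i < len; ++i)
    if (rt.exprAt(a + i) != rt.exprAt(b + i)) return false;
  return true;
}

int main() {
  const int fd = 3; // constructed: the descriptor treated as the input file
  ModelRuntime byOffset(fd);
  byOffset.onMmap(fd, 0x1000, 4, 8); // constructed address, maps file bytes 8..11
  byOffset.onMmap(fd, 0x2000, 4, 8); // same file region at a second address
  byOffset.onRead(fd, 0x3000, 2);    // a sequential read still yields bytes 0 and 1

  ModelRuntime byCounter(fd);
  byCounter.onMmapWithReadCounter(fd, 0x1000, 4);
  byCounter.onMmapWithReadCounter(fd, 0x2000, 4);

  std::cout << "offset-labelled mappings agree: " << mappingsAgree(byOffset, 0x1000, 0x2000, 4)
            << ", counter-labelled mappings agree: " << mappingsAgree(byCounter, 0x1000, 0x2000, 4)
            << '\n';
  return 0;
}
```

The model also shows why the two schemes are not in conflict: labelling mmap'd bytes by off + i leaves the read() counter untouched, so a program that both reads and maps the input file gets consistent expressions for each file byte.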

I have changed it to use off in place of inputOffset, but I still get the same error message.

What do you mean by "now you copied the code from read which copies *one word* from the current file offset"?
I am using len when I create the shadow memory in my code (ReadWriteShadow shadow(result, len);), so I will map the whole file to memory IMO, am I right?