1. C 내부에서 함수의 매개변수만 심볼릭하게 - 에러 없음
* 사용한 코드
#include <stdio.h>
/* Globals that receive the two results in main. The IR variants further down
   the page load these two values back and compare them via klee_assume. */
int addResult;
int mulResult;
/* Returns num added to itself. num is a by-value copy, so the caller's
   variable is untouched. Signed overflow of num + num is undefined in C. */
int addNum(int num) {
num += num;
return num;
}
/* Returns num multiplied by 2. num is a by-value copy, so the caller's
   variable is untouched. Signed overflow of num * 2 is undefined in C. */
int mulNum(int num) {
num *= 2;
return num;
}
/* Passes the same num to addNum and mulNum and stores both results in the
   globals addResult and mulResult. */
int main() {
/* NOTE(review): num is read below without ever being assigned, so in plain C
   its value is indeterminate. This listing contains no klee_make_symbolic
   call; the heading says the parameters were made symbolic inside the
   functions, presumably in a variant of this file that is not shown. */
int num;
addResult = addNum(num);
mulResult = mulNum(num);
return 0;
}
2. IR을 직접 수정하여 main의 num 변수만 심볼릭하게 - provably false
; ModuleID = 'test3.c'
source_filename = "test3.c"
target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
target triple = "arm64-apple-macosx13.0.0"
; Zero-initialised i32 globals; main stores the two call results here and loads them back for the comparison.
@addResult = dso_local global i32 0, align 4
@mulResult = dso_local global i32 0, align 4
; Function Attrs: noinline nounwind optnone ssp uwtable
; addNum: returns the argument added to itself.
define dso_local i32 @addNum(i32 %0) #0 {
; %2 is the stack slot that holds the parameter
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
; both operands of the add are loaded from the same slot (num += num)
%3 = load i32, i32* %2, align 4
%4 = load i32, i32* %2, align 4
%5 = add nsw i32 %4, %3
store i32 %5, i32* %2, align 4
; the result is reloaded from the slot and returned
%6 = load i32, i32* %2, align 4
ret i32 %6
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; mulNum: returns the argument multiplied by 2.
define dso_local i32 @mulNum(i32 %0) #0 {
; %2 is the stack slot that holds the parameter
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
; num *= 2, written back to the same slot
%3 = load i32, i32* %2, align 4
%4 = mul nsw i32 %3, 2
store i32 %4, i32* %2, align 4
; the result is reloaded from the slot and returned
%5 = load i32, i32* %2, align 4
ret i32 %5
}
; KLEE header not included
; KLEE function declarations (written by hand in the IR)
declare dso_local void @klee_make_symbolic(i8*, i64, i8*)
; NOTE(review): KLEE's C header declares klee_assume with a uintptr_t condition;
; this i1 parameter differs from that prototype (variants 5 and 6 on this page
; declare it as i64) - confirm the KLEE version in use accepts the i1 form.
declare dso_local void @klee_assume(i1)
; Function Attrs: noinline nounwind optnone ssp uwtable
; main: makes the local num symbolic, passes it to addNum and mulNum, and asks
; KLEE to assume that the two results differ.
define dso_local i32 @main() #0 {
; %1 is zeroed below and not used again in this function; %2 is the slot for num
%1 = alloca i32, align 4
%2 = alloca i32, align 4
store i32 0, i32* %1, align 4
; call klee_make_symbolic on num: 4 bytes at %2, with a null name pointer
%num.addr = bitcast i32* %2 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
; both calls receive a value loaded from the same symbolic slot %2
%3 = load i32, i32* %2, align 4
%4 = call i32 @addNum(i32 %3)
store i32 %4, i32* @addResult, align 4
%5 = load i32, i32* %2, align 4
%6 = call i32 @mulNum(i32 %5)
store i32 %6, i32* @mulResult, align 4
%7 = load i32, i32* @addResult, align 4
%8 = load i32, i32* @mulResult, align 4
; call klee_assume with the condition addResult != mulResult
; NOTE(review): addNum returns x + x and mulNum returns x * 2 for the same x.
; These are equal for every 32-bit x under wrapping arithmetic, so no input
; satisfies this condition. A "provably false" report is then the expected
; outcome and means the two functions agree; it is not a tooling fault -
; confirm against the exact KLEE message.
%cmp = icmp ne i32 %7, %8
call void @klee_assume(i1 %cmp)
ret i32 0
}
attributes #0 = { noinline nounwind optnone ssp uwtable "disable-tail-calls"="false" "frame-pointer"="non-leaf" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-a12" "target-features"="+aes,+crc,+crypto,+fp-armv8,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+v8.3a,+zcm,+zcz" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0, !1, !2, !3, !4, !5}
!llvm.ident = !{!6}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 1, !"branch-target-enforcement", i32 0}
!2 = !{i32 1, !"sign-return-address", i32 0}
!3 = !{i32 1, !"sign-return-address-all", i32 0}
!4 = !{i32 1, !"sign-return-address-with-bkey", i32 0}
!5 = !{i32 7, !"PIC Level", i32 2}
!6 = !{!"Homebrew clang version 12.0.1"}
3. IR을 직접 수정하여 함수의 매개변수(함수의 진입점에서)와 main의 num을 심볼릭하게 - provably false
; ModuleID = 'test3.c'
source_filename = "test3.c"
target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
target triple = "arm64-apple-macosx13.0.0"
; KLEE header not included
; KLEE function declarations (written by hand in the IR)
declare dso_local void @klee_make_symbolic(i8*, i64, i8*)
; NOTE(review): KLEE's C header declares klee_assume with a uintptr_t condition;
; this i1 parameter differs from that prototype - confirm it is accepted.
declare dso_local void @klee_assume(i1)
; Zero-initialised i32 globals that main stores the two call results into.
@addResult = dso_local global i32 0, align 4
@mulResult = dso_local global i32 0, align 4
; Function Attrs: noinline nounwind optnone ssp uwtable
; addNum: returns the argument added to itself; this variant tries to make the
; parameter symbolic at function entry.
define dso_local i32 @addNum(i32 %0) #0 {
; call klee_make_symbolic, passing num
; NOTE(review): %0 is an i32 value in the signature, but this bitcast uses it as
; an i32* operand. With typed pointers the operand type does not match, so the
; module should be rejected when it is parsed - confirm which listing was run.
%num.addr = bitcast i32* %0 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
; %2 is the parameter slot. It is filled from the incoming argument %0 after
; the klee_make_symbolic call, so the arithmetic below reads the plain argument.
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = load i32, i32* %2, align 4
%5 = add nsw i32 %4, %3
store i32 %5, i32* %2, align 4
%6 = load i32, i32* %2, align 4
ret i32 %6
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; mulNum: returns the argument multiplied by 2; this variant tries to make the
; parameter symbolic at function entry.
define dso_local i32 @mulNum(i32 %0) #0 {
; call klee_make_symbolic, passing num
; NOTE(review): %2 is used here but only defined by the alloca two lines below,
; so the definition does not dominate this use and the IR verifier should
; reject the function - confirm which listing was run.
%num.addr = bitcast i32* %2 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
%2 = alloca i32, align 4
; NOTE(review): this store writes the incoming argument into %2 after the
; klee_make_symbolic call, so whatever the call placed in the slot would be
; overwritten before the multiply reads it.
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = mul nsw i32 %3, 2
store i32 %4, i32* %2, align 4
%5 = load i32, i32* %2, align 4
ret i32 %5
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; main: makes the local num symbolic, passes it to addNum and mulNum, and asks
; KLEE to assume that the two results differ.
define dso_local i32 @main() #0 {
; %1 is zeroed below and not used again in this function; %2 is the slot for num
%1 = alloca i32, align 4
%2 = alloca i32, align 4
store i32 0, i32* %1, align 4
; call klee_make_symbolic on num: 4 bytes at %2, with a null name pointer
%num.addr = bitcast i32* %2 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
%3 = load i32, i32* %2, align 4
%4 = call i32 @addNum(i32 %3)
store i32 %4, i32* @addResult, align 4
%5 = load i32, i32* %2, align 4
%6 = call i32 @mulNum(i32 %5)
store i32 %6, i32* @mulResult, align 4
%7 = load i32, i32* @addResult, align 4
%8 = load i32, i32* @mulResult, align 4
; call klee_assume with the condition addResult != mulResult
; NOTE(review): if addNum and mulNum each computed on their own fresh symbolic
; value, the two results would be independent and this condition would be
; satisfiable. A "provably false" report suggests the callee-side symbolic
; objects never reached the arithmetic, so both results still derive from the
; same num - TODO confirm.
%cmp = icmp ne i32 %7, %8
call void @klee_assume(i1 %cmp)
ret i32 0
}
attributes #0 = { noinline nounwind optnone ssp uwtable "disable-tail-calls"="false" "frame-pointer"="non-leaf" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-a12" "target-features"="+aes,+crc,+crypto,+fp-armv8,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+v8.3a,+zcm,+zcz" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0, !1, !2, !3, !4, !5}
!llvm.ident = !{!6}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 1, !"branch-target-enforcement", i32 0}
!2 = !{i32 1, !"sign-return-address", i32 0}
!3 = !{i32 1, !"sign-return-address-all", i32 0}
!4 = !{i32 1, !"sign-return-address-with-bkey", i32 0}
!5 = !{i32 7, !"PIC Level", i32 2}
!6 = !{!"Homebrew clang version 12.0.1"}
4. IR을 직접 수정하여 1번과 같도록 함수의 매개변수만 심볼릭하게 - provably false
; ModuleID = 'test3.c'
source_filename = "test3.c"
target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
target triple = "arm64-apple-macosx13.0.0"
; KLEE header not included
; KLEE function declarations (written by hand in the IR)
declare dso_local void @klee_make_symbolic(i8*, i64, i8*)
; NOTE(review): KLEE's C header declares klee_assume with a uintptr_t condition;
; this i1 parameter differs from that prototype - confirm it is accepted.
declare dso_local void @klee_assume(i1)
; Zero-initialised i32 globals that main stores the two call results into.
@addResult = dso_local global i32 0, align 4
@mulResult = dso_local global i32 0, align 4
; Function Attrs: noinline nounwind optnone ssp uwtable
; addNum: returns the argument added to itself; this variant tries to make the
; parameter symbolic at function entry.
define dso_local i32 @addNum(i32 %0) #0 {
; call klee_make_symbolic, passing num
; NOTE(review): %0 is an i32 value in the signature, but this bitcast uses it as
; an i32* operand. With typed pointers the operand type does not match, so the
; module should be rejected when it is parsed - confirm which listing was run.
%num.addr = bitcast i32* %0 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
; %2 is the parameter slot. It is filled from the incoming argument %0 after
; the klee_make_symbolic call, so the arithmetic below reads the plain argument.
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = load i32, i32* %2, align 4
%5 = add nsw i32 %4, %3
store i32 %5, i32* %2, align 4
%6 = load i32, i32* %2, align 4
ret i32 %6
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; mulNum: returns the argument multiplied by 2; this variant tries to make the
; parameter symbolic at function entry.
define dso_local i32 @mulNum(i32 %0) #0 {
; call klee_make_symbolic, passing num
; NOTE(review): %2 is used here but only defined by the alloca two lines below,
; so the definition does not dominate this use and the IR verifier should
; reject the function - confirm which listing was run.
%num.addr = bitcast i32* %2 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
%2 = alloca i32, align 4
; NOTE(review): this store writes the incoming argument into %2 after the
; klee_make_symbolic call, so whatever the call placed in the slot would be
; overwritten before the multiply reads it.
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = mul nsw i32 %3, 2
store i32 %4, i32* %2, align 4
%5 = load i32, i32* %2, align 4
ret i32 %5
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; main: passes num to addNum and mulNum and asks KLEE to assume that the two
; results differ. In this variant num itself is not made symbolic.
define dso_local i32 @main() #0 {
; %1 is zeroed below and not used again in this function; %2 is the slot for num
%1 = alloca i32, align 4
%2 = alloca i32, align 4
store i32 0, i32* %1, align 4
; call klee_make_symbolic, passing num (disabled in this variant)
;%num.addr = bitcast i32* %2 to i8*
;call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* null)
; NOTE(review): nothing is stored to %2 before the two loads below, so both
; calls receive the same uninitialised stack value.
%3 = load i32, i32* %2, align 4
%4 = call i32 @addNum(i32 %3)
store i32 %4, i32* @addResult, align 4
%5 = load i32, i32* %2, align 4
%6 = call i32 @mulNum(i32 %5)
store i32 %6, i32* @mulResult, align 4
%7 = load i32, i32* @addResult, align 4
%8 = load i32, i32* @mulResult, align 4
; call klee_assume with the condition addResult != mulResult
%cmp = icmp ne i32 %7, %8
call void @klee_assume(i1 %cmp)
ret i32 0
}
attributes #0 = { noinline nounwind optnone ssp uwtable "disable-tail-calls"="false" "frame-pointer"="non-leaf" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-a12" "target-features"="+aes,+crc,+crypto,+fp-armv8,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+v8.3a,+zcm,+zcz" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0, !1, !2, !3, !4, !5}
!llvm.ident = !{!6}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 1, !"branch-target-enforcement", i32 0}
!2 = !{i32 1, !"sign-return-address", i32 0}
!3 = !{i32 1, !"sign-return-address-all", i32 0}
!4 = !{i32 1, !"sign-return-address-with-bkey", i32 0}
!5 = !{i32 7, !"PIC Level", i32 2}
!6 = !{!"Homebrew clang version 12.0.1"}
5. 함수 매개변수만 심볼릭 변수, 변수 이름 지정
; ModuleID = 'test3.c'
source_filename = "test3.c"
target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
target triple = "arm64-apple-macosx13.0.0"
; KLEE header not included
; KLEE function declarations (written by hand in the IR)
declare dso_local void @klee_make_symbolic(i8*, i64, i8*)
; klee_assume takes an i64 condition in this variant
declare dso_local void @klee_assume(i64)
; NUL-terminated names passed as the third argument of klee_make_symbolic
@.str = private unnamed_addr constant [5 x i8] c"num1\00", align 1
@.str.1 = private unnamed_addr constant [5 x i8] c"num2\00", align 1
; Zero-initialised i32 globals that main stores the two call results into.
@addResult = dso_local global i32 0, align 4
@mulResult = dso_local global i32 0, align 4
; Function Attrs: noinline nounwind optnone ssp uwtable
; addNum: returns the argument added to itself; this variant creates a symbolic
; object named "num1" at function entry.
define dso_local i32 @addNum(i32 %0) #0 {
; call klee_make_symbolic, passing num: 4 bytes at the new slot %num
%num = alloca i32, align 4
store i32 %0, i32* %num, align 4
%num.addr = bitcast i32* %num to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* getelementptr inbounds ([5 x i8], [5 x i8]* @.str, i64 0, i64 0))
; NOTE(review): the symbolic bytes live in %num, but %num is never loaded.
; The arithmetic reads %2, which is filled from the incoming argument %0, so
; the return value does not depend on the symbolic object "num1". For the
; parameter to be symbolic, the call has to target the slot that is loaded,
; after the argument has been stored to it.
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = load i32, i32* %2, align 4
%5 = add nsw i32 %4, %3
store i32 %5, i32* %2, align 4
%6 = load i32, i32* %2, align 4
ret i32 %6
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; mulNum: returns the argument multiplied by 2; this variant creates a symbolic
; object named "num2" at function entry.
define dso_local i32 @mulNum(i32 %0) #0 {
; call klee_make_symbolic, passing num: 4 bytes at the new slot %num
%num = alloca i32, align 4
store i32 %0, i32* %num, align 4
%num.addr = bitcast i32* %num to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* getelementptr inbounds ([5 x i8], [5 x i8]* @.str.1, i64 0, i64 0))
; NOTE(review): the symbolic bytes live in %num, but %num is never loaded.
; The multiply reads %2, which is filled from the incoming argument %0, so
; the return value does not depend on the symbolic object "num2".
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = mul nsw i32 %3, 2
store i32 %4, i32* %2, align 4
%5 = load i32, i32* %2, align 4
ret i32 %5
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; main: passes num to addNum and mulNum and asks KLEE to assume that the two
; results differ. num itself is not made symbolic in this variant.
define dso_local i32 @main() #0 {
; %1 is zeroed below and not used again in this function; %2 is the slot for num
%1 = alloca i32, align 4
%2 = alloca i32, align 4
store i32 0, i32* %1, align 4
; NOTE(review): nothing is stored to %2 before the two loads below, so both
; calls receive the same uninitialised stack value.
%3 = load i32, i32* %2, align 4
%4 = call i32 @addNum(i32 %3)
store i32 %4, i32* @addResult, align 4
%5 = load i32, i32* %2, align 4
%6 = call i32 @mulNum(i32 %5)
store i32 %6, i32* @mulResult, align 4
%7 = load i32, i32* @addResult, align 4
%8 = load i32, i32* @mulResult, align 4
; call klee_assume with the condition addResult != mulResult
; the i1 comparison result is widened to an i64 holding 0 or 1 before the call
%cmp = icmp ne i32 %7, %8
%conv = zext i1 %cmp to i32
%conv2 = sext i32 %conv to i64
call void @klee_assume(i64 %conv2)
ret i32 0
}
attributes #0 = { noinline nounwind optnone ssp uwtable "disable-tail-calls"="false" "frame-pointer"="non-leaf" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-a12" "target-features"="+aes,+crc,+crypto,+fp-armv8,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+v8.3a,+zcm,+zcz" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0, !1, !2, !3, !4, !5}
!llvm.ident = !{!6}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 1, !"branch-target-enforcement", i32 0}
!2 = !{i32 1, !"sign-return-address", i32 0}
!3 = !{i32 1, !"sign-return-address-all", i32 0}
!4 = !{i32 1, !"sign-return-address-with-bkey", i32 0}
!5 = !{i32 7, !"PIC Level", i32 2}
!6 = !{!"Homebrew clang version 12.0.1"}
6. 함수 매개변수, main의 num 모두 심볼릭, 변수 이름 지정
; ModuleID = 'test3.c'
source_filename = "test3.c"
target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
target triple = "arm64-apple-macosx13.0.0"
; KLEE header not included
; KLEE function declarations (written by hand in the IR)
declare dso_local void @klee_make_symbolic(i8*, i64, i8*)
; klee_assume takes an i64 condition in this variant
declare dso_local void @klee_assume(i64)
; NUL-terminated names passed as the third argument of klee_make_symbolic
@.str = private unnamed_addr constant [5 x i8] c"num1\00", align 1
@.str.1 = private unnamed_addr constant [5 x i8] c"num2\00", align 1
@.str.2 = private unnamed_addr constant [4 x i8] c"num\00", align 1
; Zero-initialised i32 globals that main stores the two call results into.
@addResult = dso_local global i32 0, align 4
@mulResult = dso_local global i32 0, align 4
; Function Attrs: noinline nounwind optnone ssp uwtable
; addNum: returns the argument added to itself; this variant creates a symbolic
; object named "num1" at function entry.
define dso_local i32 @addNum(i32 %0) #0 {
; call klee_make_symbolic, passing num: 4 bytes at the new slot %num
%num = alloca i32, align 4
store i32 %0, i32* %num, align 4
%num.addr = bitcast i32* %num to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* getelementptr inbounds ([5 x i8], [5 x i8]* @.str, i64 0, i64 0))
; NOTE(review): the symbolic bytes live in %num, but %num is never loaded.
; The arithmetic reads %2, which is filled from the incoming argument %0, so
; the return value depends only on the caller's value, not on "num1".
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = load i32, i32* %2, align 4
%5 = add nsw i32 %4, %3
store i32 %5, i32* %2, align 4
%6 = load i32, i32* %2, align 4
ret i32 %6
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; mulNum: returns the argument multiplied by 2; this variant creates a symbolic
; object named "num2" at function entry.
define dso_local i32 @mulNum(i32 %0) #0 {
; call klee_make_symbolic, passing num: 4 bytes at the new slot %num
%num = alloca i32, align 4
store i32 %0, i32* %num, align 4
%num.addr = bitcast i32* %num to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* getelementptr inbounds ([5 x i8], [5 x i8]* @.str.1, i64 0, i64 0))
; NOTE(review): the symbolic bytes live in %num, but %num is never loaded.
; The multiply reads %2, which is filled from the incoming argument %0, so
; the return value depends only on the caller's value, not on "num2".
%2 = alloca i32, align 4
store i32 %0, i32* %2, align 4
%3 = load i32, i32* %2, align 4
%4 = mul nsw i32 %3, 2
store i32 %4, i32* %2, align 4
%5 = load i32, i32* %2, align 4
ret i32 %5
}
; Function Attrs: noinline nounwind optnone ssp uwtable
; main: makes the local num symbolic under the name "num", passes it to addNum
; and mulNum, and asks KLEE to assume that the two results differ.
define dso_local i32 @main() #0 {
; %1 is zeroed below and not used again in this function; %2 is the slot for num
%1 = alloca i32, align 4
%2 = alloca i32, align 4
store i32 0, i32* %1, align 4
; call klee_make_symbolic on num: 4 bytes at %2, named "num"
%num.addr = bitcast i32* %2 to i8*
call void @klee_make_symbolic(i8* %num.addr, i64 4, i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str.2, i64 0, i64 0))
; both calls receive a value loaded from the same symbolic slot %2
%3 = load i32, i32* %2, align 4
%4 = call i32 @addNum(i32 %3)
store i32 %4, i32* @addResult, align 4
%5 = load i32, i32* %2, align 4
%6 = call i32 @mulNum(i32 %5)
store i32 %6, i32* @mulResult, align 4
%7 = load i32, i32* @addResult, align 4
%8 = load i32, i32* @mulResult, align 4
; call klee_assume with the condition addResult != mulResult
; the i1 comparison result is widened to an i64 holding 0 or 1 before the call
; NOTE(review): both callees compute on the argument they were passed, so the
; results are x + x and x * 2 for the same symbolic x. These are equal under
; wrapping arithmetic, so this condition has no satisfying input - presumably
; KLEE reports it as provably false; confirm.
%cmp = icmp ne i32 %7, %8
%conv = zext i1 %cmp to i32
%conv2 = sext i32 %conv to i64
call void @klee_assume(i64 %conv2)
ret i32 0
}
attributes #0 = { noinline nounwind optnone ssp uwtable "disable-tail-calls"="false" "frame-pointer"="non-leaf" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-a12" "target-features"="+aes,+crc,+crypto,+fp-armv8,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+v8.3a,+zcm,+zcz" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0, !1, !2, !3, !4, !5}
!llvm.ident = !{!6}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 1, !"branch-target-enforcement", i32 0}
!2 = !{i32 1, !"sign-return-address", i32 0}
!3 = !{i32 1, !"sign-return-address-all", i32 0}
!4 = !{i32 1, !"sign-return-address-with-bkey", i32 0}
!5 = !{i32 7, !"PIC Level", i32 2}
!6 = !{!"Homebrew clang version 12.0.1"}
왜 IR에 직접 추가했을 땐 에러가 나고, C에서 진행했을 땐 에러가 안 났는지?