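I have been playing with KLEE recently. I followed the document "Building KLEE (LLVM 3.4)" and successfully ran all the examples in the tutorials.
However, when running my own program with KLEE: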
$ klee -load=/usr/lib/x86_64-linux-gnu/libssl.so --libc=uclibc --posix-runtime -emit-all-errors -allow-external-sym-calls klee_client.bc
some errors occurred. (Please see the console output below.)
KLEE: NOTE: Using klee-uclibc : /home/testuser/Downloads/klee/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/testuser/Downloads/klee/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/home/testuser/Downloads/klee_test/klee-out-3"
KLEE: WARNING ONCE: function "__libc_connect" has inline asm
KLEE: WARNING ONCE: function "setsockopt" has inline asm
KLEE: WARNING ONCE: function "shutdown" has inline asm
KLEE: WARNING ONCE: function "socket" has inline asm
KLEE: WARNING ONCE: function "__libc_recvfrom" has inline asm
KLEE: WARNING ONCE: function "__libc_sendto" has inline asm
KLEE: WARNING: undefined reference to function: ERR_clear_error
KLEE: WARNING: undefined reference to function: ERR_error_string
KLEE: WARNING: undefined reference to function: ERR_get_error
KLEE: WARNING: undefined reference to function: OPENSSL_config
KLEE: WARNING: undefined reference to function: SSL_CTX_ctrl
KLEE: WARNING: undefined reference to function: SSL_CTX_free
KLEE: WARNING: undefined reference to function: SSL_CTX_new
KLEE: WARNING: undefined reference to function: SSL_CTX_set_next_proto_select_cb
KLEE: WARNING: undefined reference to function: SSL_connect
KLEE: WARNING: undefined reference to function: SSL_free
KLEE: WARNING: undefined reference to function: SSL_get_error
KLEE: WARNING: undefined reference to function: SSL_library_init
KLEE: WARNING: undefined reference to function: SSL_load_error_strings
KLEE: WARNING: undefined reference to function: SSL_new
KLEE: WARNING: undefined reference to function: SSL_read
KLEE: WARNING: undefined reference to function: SSL_set_fd
KLEE: WARNING: undefined reference to function: SSL_shutdown
KLEE: WARNING: undefined reference to function: SSL_write
KLEE: WARNING: undefined reference to function: SSLv23_client_method
KLEE: WARNING: undefined reference to function: klee_posix_prefer_cex
...
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 40876048)
KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: __syscall_rt_sigaction: silently ignoring
KLEE: WARNING ONCE: calling external: OPENSSL_config(0)
KLEE: WARNING ONCE: calling external: SSL_load_error_strings()
KLEE: WARNING ONCE: calling external: SSL_library_init()
KLEE: WARNING ONCE: calling external: printf(35435072, 46338336)
KLEE: ERROR: /home/testuser/Downloads/klee-uclibc/libc/inet/socketcalls.c:362: inline assembly is unsupported
KLEE: done: total instructions = 99493
KLEE: done: completed paths = 1
KLEE: done: generated tests = 1
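I am curious why there are errors related to uclibc, since I compiled it as the KLEE documentation says, and no problems were found when running "configure" for uclibc before compiling.
In addition, I also noticed that there are many warnings about "undefined reference to function: ...". Should I compile the corresponding libraries to LLVM bitcode instead of using the existing shared objects?
Thanks!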
Answer 0 (score: 1)
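For Q1: Basically, the KLEE documentation instructs users to compile uClibc into an archive of LLVM IR. Many functions in uClibc contain inline assembly (or are even written directly in assembly). This assembly is not compiled into LLVM IR; it is kept unchanged in the IR. Before executing the IR of a function from uClibc, KLEE checks whether the IR contains any assembly. If it does, you will see a warning such as "function XXX has inline asm". There is no option to disable the assembly. To get rid of it, you have to find a way to convert it to LLVM IR.
For Q2: You need to separate the KLEE process from the program under test (e.g., klee_client.bc in your case). When you load an existing shared object into KLEE, you are actually linking the library into the KLEE process, not into the program under test. To link the program under test with the library, you need to compile the library to IR and then link it to the program under test by modifying the main function in KLEE (or by using some built-in option in KLEE; I am not sure about that). When the program under test is loaded by KLEE and linked with the specified libraries, KLEE checks whether all required functions (those called by some instruction) exist. If not, you will see the warnings. In your case, you basically did not link the program under test with the LLVM IR of LibSSL.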
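The distinctions drawn in the answer can be read directly off the console output. The following is an added example, not part of the original question or answer: a small Python triage of KLEE log lines. The names `triage`, `PATTERNS` and `SAMPLE_LOG` are hypothetical, and the sample log is constructed in the format of the output quoted above.

```python
import re

# Constructed sample in the format of the KLEE console output quoted in the
# question (the path is a placeholder).
SAMPLE_LOG = """\
KLEE: WARNING ONCE: function "socket" has inline asm
KLEE: WARNING ONCE: function "__libc_connect" has inline asm
KLEE: WARNING: undefined reference to function: SSL_CTX_new
KLEE: WARNING: undefined reference to function: SSL_library_init
KLEE: WARNING: undefined reference to function: ERR_get_error
KLEE: WARNING: undefined reference to function: klee_posix_prefer_cex
KLEE: WARNING ONCE: calling external: SSL_library_init()
KLEE: WARNING ONCE: calling external: printf(35435072, 46338336)
KLEE: ERROR: /path/to/klee-uclibc/libc/inet/socketcalls.c:362: inline assembly is unsupported
"""

PATTERNS = {
    "inline_asm": re.compile(r'function "([^"]+)" has inline asm'),
    "undefined": re.compile(r"undefined reference to function: (\S+)"),
    "external_calls": re.compile(r"calling external: (\w+)\("),
    "errors": re.compile(r"^KLEE: ERROR: (.+)$"),
}

def triage(log):
    """Sort KLEE console lines into the categories the answer distinguishes."""
    report = {name: [] for name in PATTERNS}
    for line in log.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and match.group(1) not in report[name]:
                report[name].append(match.group(1))
                break
    # Symbols missing from the bitcode that were still called: these ran as
    # native code in the KLEE process, outside symbolic execution.
    report["executed_natively"] = [
        f for f in report["external_calls"] if f in report["undefined"]
    ]
    return report

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Run against a saved console log, the `undefined` list is the set of functions that would have to come from bitcode versions of the libraries, and `executed_natively` shows which of them were only reached through the shared object loaded into the KLEE process.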