public Instruction execute(SystemState ss, KernelState ks, ThreadInfo ti) { if (!ti.isFirstStepInsn()) { InvocationCG cg = new InvocationCG("INVOKECG", invokes); ss.setNextChoiceGenerator(cg); return this; } else { InvocationCG cg = ss.getCurrentChoiceGenerator("INVOKECG", InvocationCG.class); assert (cg != null) : "no current InvocationCG"; Invocation call = cg.getNextChoice(); MethodInfo callee = call.getMethodInfo(); InstructionFactory insnFactory = MethodInfo.getInstructionFactory(); if (callee.isStatic()) { realInvoke = (InvokeInstruction) insnFactory.create(null, Constants.INVOKESTATIC); } else { realInvoke = (InvokeInstruction) insnFactory.create(null, Constants.INVOKENONVIRTUAL); } realInvoke.init(mi, offset, position); realInvoke.setInvokedMethod( callee.getClassInfo().getName(), callee.getName(), callee.getSignature()); pushArguments(ti, call.getArguments(), call.getAttrs()); return realInvoke; } }
public Instruction execute(SystemState ss, KernelState ks, ThreadInfo th) { RealExpression sym_fval = (RealExpression) th.getTopFrame().getOperandAttr(); if (sym_fval == null) { return super.execute(ss, ks, th); } else { // System.out.println("Execute symbolic F2L"); // here we get a hold of the current path condition and // add an extra mixed constraint sym_dval==sym_ival ChoiceGenerator<?> cg; if (!th.isFirstStepInsn()) { // first time around cg = new PCChoiceGenerator(1); // only one choice ss.setNextChoiceGenerator(cg); return this; } else { // this is what really returns results cg = ss.getChoiceGenerator(); assert (cg instanceof PCChoiceGenerator) : "expected PCChoiceGenerator, got: " + cg; } // get the path condition from the // previous choice generator of the same type PathCondition pc; ChoiceGenerator<?> prev_cg = cg.getPreviousChoiceGenerator(); while (!((prev_cg == null) || (prev_cg instanceof PCChoiceGenerator))) { prev_cg = prev_cg.getPreviousChoiceGenerator(); } if (prev_cg == null) pc = new PathCondition(); // TODO: handling of preconditions needs to be changed else pc = ((PCChoiceGenerator) prev_cg).getCurrentPC(); assert pc != null; th.pop(); th.longPush(0); // for symbolic expressions, the concrete value does not matter SymbolicInteger sym_lval = new SymbolicInteger(); StackFrame sf = th.getTopFrame(); sf.setLongOperandAttr(sym_lval); pc._addDet(Comparator.EQ, sym_fval, sym_lval); if (!pc.simplify()) { // not satisfiable ss.setIgnored(true); } else { // pc.solve(); ((PCChoiceGenerator) cg).setCurrentPC(pc); // System.out.println(((PCChoiceGenerator) cg).getCurrentPC()); } // System.out.println("Execute D2I: " + sf.getLongOperandAttr()); return getNext(th); } }
// the purpose of this method is to set the PCheap to the "eq null" constraint for the input // specified w/ stringRef public static int makeSymbolicNull(MJIEnv env, int objRef, int stringRef) { // introduce a heap choice generator for the element in the heap ThreadInfo ti = env.getVM().getCurrentThread(); SystemState ss = env.getVM().getSystemState(); ChoiceGenerator<?> cg; if (!ti.isFirstStepInsn()) { cg = new HeapChoiceGenerator(1); // new ss.setNextChoiceGenerator(cg); env.repeatInvocation(); return -1; // not used anyways } // else this is what really returns results cg = ss.getChoiceGenerator(); assert (cg instanceof HeapChoiceGenerator) : "expected HeapChoiceGenerator, got: " + cg; // see if there were more inputs added before ChoiceGenerator<?> prevHeapCG = cg.getPreviousChoiceGenerator(); while (!((prevHeapCG == null) || (prevHeapCG instanceof HeapChoiceGenerator))) { prevHeapCG = prevHeapCG.getPreviousChoiceGenerator(); } PathCondition pcHeap; SymbolicInputHeap symInputHeap; if (prevHeapCG == null) { pcHeap = new PathCondition(); symInputHeap = new SymbolicInputHeap(); } else { pcHeap = ((HeapChoiceGenerator) prevHeapCG).getCurrentPCheap(); symInputHeap = ((HeapChoiceGenerator) prevHeapCG).getCurrentSymInputHeap(); } String name = env.getStringObject(stringRef); String refChain = name + "[-1]"; // why is the type used here? should use the name of the field instead SymbolicInteger newSymRef = new SymbolicInteger(refChain); // create new HeapNode based on above info // update associated symbolic input heap pcHeap._addDet(Comparator.EQ, newSymRef, new IntegerConstant(-1)); ((HeapChoiceGenerator) cg).setCurrentPCheap(pcHeap); ((HeapChoiceGenerator) cg).setCurrentSymInputHeap(symInputHeap); // System.out.println(">>>>>>>>>>>> initial pcHeap: " + pcHeap.toString()); return -1; }
@Override public Instruction execute(SystemState ss, KernelState ks, ThreadInfo ti) { StackFrame sf = ti.getTopFrame(); IntegerExpression sym_v1 = (IntegerExpression) sf.getOperandAttr(1); IntegerExpression sym_v2 = (IntegerExpression) sf.getOperandAttr(0); if ((sym_v1 == null) && (sym_v2 == null)) { // both conditions are concrete // System.out.println("Execute IF_ICMPEQ: The conditions are concrete"); return super.execute(ss, ks, ti); } else { // at least one condition is symbolic ChoiceGenerator<?> cg; if (!ti.isFirstStepInsn()) { // first time around cg = new PCChoiceGenerator(2); ss.setNextChoiceGenerator(cg); return this; } else { // this is what really returns results cg = ss.getChoiceGenerator(); assert (cg instanceof PCChoiceGenerator) : "expected PCChoiceGenerator, got: " + cg; conditionValue = (Integer) cg.getNextChoice() == 0 ? false : true; } int v2 = ti.pop(); int v1 = ti.pop(); // System.out.println("Execute IF_ICMPEQ: "+ conditionValue); PathCondition pc; // pc is updated with the pc stored in the choice generator above // get the path condition from the // previous choice generator of the same type ChoiceGenerator<?> prev_cg = cg.getPreviousChoiceGenerator(); while (!((prev_cg == null) || (prev_cg instanceof PCChoiceGenerator))) { prev_cg = prev_cg.getPreviousChoiceGenerator(); } if (prev_cg == null) pc = new PathCondition(); else pc = ((PCChoiceGenerator) prev_cg).getCurrentPC(); assert pc != null; if (conditionValue) { if (sym_v1 != null) { if (sym_v2 != null) { // both are symbolic values pc._addDet(Comparator.EQ, sym_v1, sym_v2); } else pc._addDet(Comparator.EQ, sym_v1, v2); } else pc._addDet(Comparator.EQ, v1, sym_v2); if (!pc.simplify()) { // not satisfiable ss.setIgnored(true); } else { // pc.solve(); ((PCChoiceGenerator) cg).setCurrentPC(pc); // System.out.println(((PCChoiceGenerator) cg).getCurrentPC()); } return getTarget(); } else { if (sym_v1 != null) { if (sym_v2 != null) { // both are symbolic values pc._addDet(Comparator.NE, sym_v1, sym_v2); } else pc._addDet(Comparator.NE, sym_v1, v2); } else pc._addDet(Comparator.NE, v1, sym_v2); if (!pc.simplify()) { // not satisfiable ss.setIgnored(true); } else { // pc.solve(); ((PCChoiceGenerator) cg).setCurrentPC(pc); // System.out.println(((PCChoiceGenerator) cg).getCurrentPC()); } return getNext(ti); } } }
public static void makeFieldsSymbolic(MJIEnv env, int objRef, int stringRef, int objvRef) { // makes all the fields of obj v symbolic and adds obj v to the symbolic heap to kick off lazy // initialization if (objvRef == -1) throw new RuntimeException("## Error: null object"); // introduce a heap choice generator for the element in the heap ThreadInfo ti = env.getVM().getCurrentThread(); SystemState ss = env.getVM().getSystemState(); ChoiceGenerator<?> cg; if (!ti.isFirstStepInsn()) { cg = new HeapChoiceGenerator(1); // new ss.setNextChoiceGenerator(cg); env.repeatInvocation(); return; // not used anyways } // else this is what really returns results cg = ss.getChoiceGenerator(); assert (cg instanceof HeapChoiceGenerator) : "expected HeapChoiceGenerator, got: " + cg; // see if there were more inputs added before ChoiceGenerator<?> prevHeapCG = cg.getPreviousChoiceGenerator(); while (!((prevHeapCG == null) || (prevHeapCG instanceof HeapChoiceGenerator))) { prevHeapCG = prevHeapCG.getPreviousChoiceGenerator(); } PathCondition pcHeap; SymbolicInputHeap symInputHeap; if (prevHeapCG == null) { pcHeap = new PathCondition(); symInputHeap = new SymbolicInputHeap(); } else { pcHeap = ((HeapChoiceGenerator) prevHeapCG).getCurrentPCheap(); symInputHeap = ((HeapChoiceGenerator) prevHeapCG).getCurrentSymInputHeap(); } // set all the fields to be symbolic ClassInfo ci = env.getClassInfo(objvRef); FieldInfo[] fields = ci.getDeclaredInstanceFields(); FieldInfo[] staticFields = ci.getDeclaredStaticFields(); String name = env.getStringObject(stringRef); String refChain = name + "[" + objvRef + "]"; // why is the type used here? should use the name of the field instead SymbolicInteger newSymRef = new SymbolicInteger(refChain); // ElementInfo eiRef = DynamicArea.getHeap().get(objvRef); ElementInfo eiRef = JVM.getVM().getHeap().get(objvRef); Helper.initializeInstanceFields(fields, eiRef, refChain); Helper.initializeStaticFields(staticFields, ci, ti); // create new HeapNode based on above info // update associated symbolic input heap ClassInfo typeClassInfo = eiRef.getClassInfo(); HeapNode n = new HeapNode(objvRef, typeClassInfo, newSymRef); symInputHeap._add(n); pcHeap._addDet(Comparator.NE, newSymRef, new IntegerConstant(-1)); ((HeapChoiceGenerator) cg).setCurrentPCheap(pcHeap); ((HeapChoiceGenerator) cg).setCurrentSymInputHeap(symInputHeap); // System.out.println(">>>>>>>>>>>> initial pcHeap: " + pcHeap.toString()); return; }