Highest Voted 'symbolic-execution' Questions

1

vote

1 answer

Symbolic `show` for `SInt16`

I am looking for a way to turn an SInt16 into an SString. For my use case, it is enough that it does the right thing for concrete values, i.e. I will only be looking at the SString result for concrete SInt16s. I noticed there is a Show instance for…

haskell sbv symbolic-execution

asked Jul 30 '20 at 04:39

Cactus

27,075
9
69
149

1

vote

2 answers

What a Symbolic Model Looks Like

I am trying to understand how Symbolic Execution engines work. This paper surveys the techniques using C. They mention about symbolic memory: 3.1 Fully Symbolic Memory At the highest level of generality, an engine may treat memory addresses as…

logic formal-verification model-checking symbolic-execution

asked Jun 06 '18 at 04:48

Lance

75,200
93
289
503

1

vote

1 answer

error detection in static analysis and symbolic execution

what kind of errors static analysis (e.g. compiler) can detect and symbolic execution can not detect? and what kind of errors that symbolic execution can detect and static analysis can not detect? for example can symbolic execution detect syntax…

testing static-analysis verification symbolic-execution

asked Jul 23 '16 at 09:09

any

325
5
17

1

vote

0 answers

Symbolic executions over bit vectors

Is there any tool for bit vectors (QF_BV logic) which will symbolically execute the operations and return the outputs in terms of symbolic values of the bit vectors so that I can apply my own computations on them as needed? Or Is there any SMT…

smt bitvector symbolic-execution

asked Apr 24 '14 at 13:06

user3556033

31
2

0

votes

0 answers

How Can I execute a function in angr using concrete value?

In Angr, I have a code like this #include typedef struct A_struct { int data1; int data2; } A; void bar(A* a){ a->data2 += 1; } void foo(A* a) { a->data1 += 1; bar(a); } int main() { A a; a.data1 =…

reverse-engineering angr symbolic-execution

asked Jul 24 '23 at 19:51

damaoooo

1
1

0

votes

1 answer

How can I translate z3::expr(bv_val) into a bit representation of a number?

I am trying to translate Z3::expr into a bit representation of a number in order to find out how many bits 1 the number contains and if the number of bits 1 is even, then I raise the flag. I wrote the implementation below, but it doesn't work the…

c++ z3 symbolic-execution

asked May 13 '23 at 06:46

Leo Galante

15
5

0

votes

0 answers

Simulate global variable access with Claripy

I need to simulate this decompiled line of code in a Python script using claripy as solver engine, *(ulong *)(global_variable + (ulong)((uint)local_variable[local_inedx + 1] & 1) * 8) global_variable is basically an array cointaining a 0 and an…

security z3 ctf symbolic-execution angr

asked Dec 26 '22 at 14:30

batodev

51
8

0

votes

1 answer

How do I create a testcase that targets a specified branch?

I try to "dynamic symbolic execution" with klee. How do I create a testcase that targets a specified branch? int a = 0; klee_make_symbolic(&a, sizeof(a), "a"); if (a == 0) ... // I want to touch only this branch else if (a > 0) ... else …

llvm klee symbolic-execution

asked Oct 17 '22 at 08:55

bam

5
1

0

votes

0 answers

s2e-block: dirty sectors on close:11104 Terminating node id 0 (instance slot 0)

I tried to test OpenVSwitch using S2E. I wrote the OpenVSwitch installation script in bootstrap.sh. The image in the qemu virtual machine is the same as the image in the host machine, so the executable file compiled in the host machine should also…

symbolic-execution

asked Oct 05 '22 at 13:15

R.c

1

0

votes

1 answer

I am unable to get back the file I saved after exiting from the Klee

I am researching symbolic execution based on the klee tool. I am running klee via docker. I create a directory and save c program file in that directory. But after exiting from klee, and again If I try to enter back into the klee, it shows that…

c terminal ubuntu-18.04 klee symbolic-execution

asked Sep 30 '22 at 12:49

Julie

1
5

0

votes

1 answer

How to annotate a program to detect dead-code with z3-solver?

Intro Given a simple function written in C++ as below: int func(int x, int y) { if (x < 3) { y = 4; if (x < 4) { y = y + 2; } else { x = x + 4; } } else …

code-coverage z3 z3py dead-code symbolic-execution

asked Dec 05 '21 at 11:45

Farzan

745
10
25

0

votes

1 answer

Why is this Symbolic Execution with Z3 resulting in an error?

I am trying to generate test cases using a symbolic execution logic based on the SMT Solver Z3. I have the following code. void foo(int a, int b, int c){ int x = 0, y = 0, z = 0; if(a){ x = -2; } if (b < 5){ if (!a…

c z3 static-analysis symbolic-execution

asked Apr 28 '21 at 09:00

user12392751

0

votes

0 answers

In which circumstances we cannot use symbolic execution?

In which circumstances one cannot use symbolic execution for assertion checking? To illustrate, take the following example: int a = A, b = B, c = C; \\symbolic int x = 0, y = 0, z = 0; if (a){ x = -2 } if (b < 5){ if (!a && c) {y = 1;} z =…

assertion model-checking symbolic-execution

asked Feb 26 '21 at 17:21

Elahe

1,379
2
18
34

0

votes

0 answers

instrument a java lambda using ASM

I'm adding support for instrumenting invokedynamic in a concolic engine and the way we currently instrument is by using a custom classloader that finds the resource related to that class in the class path but as the lambda is a synthetic class…

java instrumentation java-bytecode-asm invokedynamic symbolic-execution

asked Nov 30 '20 at 14:56

Ignacio Lebrero

71
1
5

0

votes

1 answer

Analyzing firmware file with angr

I want to use angr to analyze IoT firmware file. I have read the documentation of angr,however, I could not find solution to analyze firmware file. So how can angr generate CFG file of Firmware? or How I can analyze firmware file with angr as…

firmware fuzzing angr symbolic-execution

asked Sep 22 '20 at 07:42

Ali

13
3

Questions tagged [symbolic-execution]