
I have been playing with KLEE recently. Following the document "Building KLEE (LLVM 3.4)", I successfully ran all the examples in the tutorials.

However, when running my own program with KLEE:

$ klee -load=/usr/lib/x86_64-linux-gnu/libssl.so --libc=uclibc --posix-runtime -emit-all-errors -allow-external-sym-calls klee_client.bc

some errors occurred. (See the console output below.)

KLEE: NOTE: Using klee-uclibc : /home/testuser/Downloads/klee/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/testuser/Downloads/klee/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/home/testuser/Downloads/klee_test/klee-out-3"
KLEE: WARNING ONCE: function "__libc_connect" has inline asm
KLEE: WARNING ONCE: function "setsockopt" has inline asm
KLEE: WARNING ONCE: function "shutdown" has inline asm
KLEE: WARNING ONCE: function "socket" has inline asm
KLEE: WARNING ONCE: function "__libc_recvfrom" has inline asm
KLEE: WARNING ONCE: function "__libc_sendto" has inline asm
KLEE: WARNING: undefined reference to function: ERR_clear_error
KLEE: WARNING: undefined reference to function: ERR_error_string
KLEE: WARNING: undefined reference to function: ERR_get_error
KLEE: WARNING: undefined reference to function: OPENSSL_config
KLEE: WARNING: undefined reference to function: SSL_CTX_ctrl
KLEE: WARNING: undefined reference to function: SSL_CTX_free
KLEE: WARNING: undefined reference to function: SSL_CTX_new
KLEE: WARNING: undefined reference to function: SSL_CTX_set_next_proto_select_cb
KLEE: WARNING: undefined reference to function: SSL_connect
KLEE: WARNING: undefined reference to function: SSL_free
KLEE: WARNING: undefined reference to function: SSL_get_error
KLEE: WARNING: undefined reference to function: SSL_library_init
KLEE: WARNING: undefined reference to function: SSL_load_error_strings
KLEE: WARNING: undefined reference to function: SSL_new
KLEE: WARNING: undefined reference to function: SSL_read
KLEE: WARNING: undefined reference to function: SSL_set_fd
KLEE: WARNING: undefined reference to function: SSL_shutdown
KLEE: WARNING: undefined reference to function: SSL_write
KLEE: WARNING: undefined reference to function: SSLv23_client_method
KLEE: WARNING: undefined reference to function: klee_posix_prefer_cex
...
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 40876048)
KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: __syscall_rt_sigaction: silently ignoring
KLEE: WARNING ONCE: calling external: OPENSSL_config(0)
KLEE: WARNING ONCE: calling external: SSL_load_error_strings()
KLEE: WARNING ONCE: calling external: SSL_library_init()
KLEE: WARNING ONCE: calling external: printf(35435072, 46338336)
KLEE: ERROR: /home/testuser/Downloads/klee-uclibc/libc/inet/socketcalls.c:362: inline assembly is unsupported

KLEE: done: total instructions = 99493
KLEE: done: completed paths = 1
KLEE: done: generated tests = 1

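I am curious why an error related to uclibc occurs. I compiled it as the KLEE documentation says, and when "configuring" uclibc before compiling, I did not find any option to disable assembly code (e.g. no-asm).

In addition, I noticed many warnings of the form "undefined reference to function: ...". Should I compile the corresponding libraries to LLVM bitcode instead of using the existing shared objects?

Thanks!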


1 Answer


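For Q1: Basically, the KLEE documentation instructs users to compile uClibc into an archive of LLVM IR. Many functions inside uClibc contain inline assembly (or are even written directly in assembly). This assembly is not compiled into LLVM IR; it stays unchanged in the IR. Before executing the IR of a function from uClibc, KLEE checks whether the IR contains any assembly. If it does, you will see the warning "function XXX has inline asm". There is no option to disable the assembly. To get rid of this assembly, you have to find a way to convert it into LLVM IR.

For Q2: You need to separate the KLEE process from the program under test (e.g., klee_client.bc in your case). When you load an existing shared object into KLEE, you are actually linking the library into the KLEE process, not into the program under test. To link the program under test with the library, you need to compile the library into IR and then link it by modifying the main function in KLEE (or by using some of KLEE's built-in options, which I am not clear about). When the program under test is loaded by KLEE and linked with the specified libraries, KLEE checks whether each required function (called by some instruction) exists. If not, you will see the warning. In your case, you basically did not link the program under test with the LLVM IR of LibSSL.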

answered 2015-11-24T17:22:53.683
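
As an added illustration (not part of the original answer and not code from KLEE), the following Python sketch triages KLEE console output along the lines the answer describes: it separates functions that carry inline assembly from functions missing in the bitcode, and flags which missing functions were then dispatched as external calls, meaning they ran in the natively loaded library rather than as IR. The function name `triage` and the result keys are hypothetical; the sample log is a subset of the lines shown in the question.

```python
import re
from collections import defaultdict

# Subset of the console output from the question, embedded so this runs offline.
SAMPLE_LOG = """\
KLEE: WARNING ONCE: function "__libc_connect" has inline asm
KLEE: WARNING ONCE: function "socket" has inline asm
KLEE: WARNING: undefined reference to function: OPENSSL_config
KLEE: WARNING: undefined reference to function: SSL_library_init
KLEE: WARNING: undefined reference to function: SSL_connect
KLEE: WARNING: undefined reference to function: klee_posix_prefer_cex
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 40876048)
KLEE: WARNING ONCE: calling external: OPENSSL_config(0)
KLEE: WARNING ONCE: calling external: SSL_library_init()
KLEE: WARNING ONCE: calling external: printf(35435072, 46338336)
KLEE: ERROR: /home/testuser/Downloads/klee-uclibc/libc/inet/socketcalls.c:362: inline assembly is unsupported
"""

PATTERNS = {
    "inline_asm": re.compile(r'function "([^"]+)" has inline asm'),
    "undefined": re.compile(r"undefined reference to function: (\w+)"),
    "external_call": re.compile(r"calling external: (\w+)\("),
    "asm_error": re.compile(r"ERROR: (\S+):(\d+): inline assembly is unsupported"),
}

def triage(log_text):
    """Group KLEE messages and cross-reference missing symbols with external calls."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        if not line.startswith("KLEE:"):
            continue  # skip blank lines and elided output
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[kind].append(match.groups() if kind == "asm_error" else match.group(1))
                break
    undefined, called = set(found["undefined"]), set(found["external_call"])
    return {
        # Functions whose IR still contains assembly (Q1 in the answer).
        "inline_asm": sorted(found["inline_asm"]),
        # Missing from the bitcode but called: executed natively, not as IR (Q2).
        "native_not_symbolic": sorted(undefined & called),
        # Missing from the bitcode, no external call logged in this output.
        "undefined_not_yet_called": sorted(undefined - called),
        # Source locations where execution stopped on inline assembly.
        "asm_errors": [(path, int(lineno)) for path, lineno in found["asm_error"]],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```
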