I wanted to broaden the ways that users can make symbolic variables and provide more readable output.

The result is a helper crate with a function mksym, that takes any Sized variable and fills it with symbolic bytes. Usage looks like

let mut t = MyStruct { a: 0, b: 0 };
seer_helper::mksym(&mut t);
if t.a == 123 && t.b == 321 {
    panic!();
}

I did two things to make the output easier to read:

• separate the variables so it clear what data corresponds to which variable in the program
• replace the [u8] representation with the Debug representation for the type

The result looks like this:

ExecutionComplete { input: [stdin: [], t: "MyStruct { a: 123, b: 321 }"], result: Err(...) }
hit an error. halting

In implementation, seer_helper::mksym is an empty function, but Seer intercepts calls to it and overwrites the memory of the argument with (so far unconstrained) abstract bytes. In order to improve the output, the name and type of the argument is stored in the ConstraintContext. For formatting, the idea is to evaluate a call to a generic formatting function that returns a String in a fresh EvalContext (see format_executor.rs). I had some trouble finding DefIds for functions in the helper crate, so I resorted to making the client crate use an init macro that defines the function inside the client crate.

The code I am working on uses the cttz intrinsic on PrimVal::Abstract, resulting in a panic on line 624 in intrinsic.rs.

What would be the best approach to implement it? I believe an open-coded implementation (based on comparisons) would work/be required for these intrinsics, as Z3 does not seem to provide them natively.

I would likt to work on these intrinsics, but I just started looking at the code and I might use some directions :)

This adds overflow checks for abstract addition and subtraction. intrinsic_with_overflow can now store an abstract PrimVal for the overflow bool. This allows the compiler-inserted Asserts to be evaluated meaningfully for Add and Sub with at least one abstract operand.

Some of the function signatures in operator.rs have been changed: instead of returning a bool to indicate overflow, a PrimVal is used. This allows us to return abstract values when needed.

I ran into some trouble with tests failing because intrinsic_overflowing had to return a bool. If the overflow PrimVal is abstract, conversion to bool is unimplemented!(). The workaround returns to the old behavior of just returning false (no overflow) for all abstract ops. From a quick search of the codebase, it seems like none of the users of the function actually use the returned overflow bool. It might be a better solution to just remove the overflow bool from the return value.

A few other tests failed because Seer stops at the first panic, which ended up being an overflow. I replaced the adds with wrapping_add, which prevents the insertion of overflow checks.

When I try to use cargo seer on examples/base64, it fails with message

error: unknown debugging option: `no-trans`

MIRI has recently replaced its use of the -Zno-trans arg with --emit=dep-info,metadata in https://github.com/solson/miri/commit/675587280f5cee0ea99ebb4c4f70043e89aa1aed. This PR does the same for Seer, making the example work again.

If Seer is configured with a consumer that wants to continue execution when encountering errors (a consumer that always returns true), it repeatedly reports the same error. This is because the unmodified EvalContext is pushed back on the stack in the main loop in the error case. This fixes the problem.

An implementation of cttz :)

I added a test to check that it works (aka it gets translated to valid Z3 constraints and it gets the correct anwser in at least one case XD )

WARNING: Running it on my target code I get multiple ExecutionComplete { ... result: Ok(()) } outputs before the final ExecutionComplete { ..., result: Err(Panic) } one, which is different from what happens in other (standalone) examples (but maybe this is expected?).

Consider the following program.

enum Token {
    _LeftAngle,
    _RightAngle
}

struct Failures<P> {
    _point: P,
}

struct ParseMaster<P> {
    _failures: Failures<P>,
}

struct Alternate<'pm, P: 'pm, T> {
    _master: &'pm mut ParseMaster<P>,
    _current: Option<Progress<P, T>>,
    _point: P,
}

struct TokenPoint<'a, T: 'a> {
    _offset: usize,
    _sub_offset: Option<u8>,
    _s: &'a [T],
}

impl <P> ParseMaster<P> {
    fn alternate<'pm, T>(&'pm mut self, pt: P) -> Alternate<'pm, P, T> {
        Alternate {
            _master: self,
            _current: None,
            _point: pt,
        }
    }
}

struct Progress<P, T> {
    _point: P,
    _status: Status<T>,
}

enum Status<T> {
    _Success(T),
    _Failure,
}

fn main() {
    let mut pm : ParseMaster<TokenPoint<Token>> = ParseMaster {
        _failures: Failures {
            _point: TokenPoint {
                _offset: 0,
                _sub_offset: None,
                _s:&[],
            },
        },
    };

    pm.alternate::<()>(TokenPoint {
        _offset: 0,
        _sub_offset: None,
        _s:&[],
    });

}

I expect seer to be able to run this program successfully. Indeed, miri has no problem running it. However, seer returns an error:

Unimplemented("can\'t handle type: std::option::Option<u8>, with layout: General { discr: I8, variants: [Struct { align: Align { abi: 0, pref: 3 }, primitive_align: Align { abi: 0, pref: 3 }, packed: false, sized: true, offsets: [Size { raw: 0 }], memory_index: [0], min_size: Size { raw: 1 } }, Struct { align: Align { abi: 0, pref: 3 }, primitive_align: Align { abi: 0, pref: 3 }, packed: false, sized: true, offsets: [Size { raw: 0 }, Size { raw: 1 }], memory_index: [0, 1], min_size: Size { raw: 2 } }], size: Size { raw: 2 }, align: Align { abi: 0, pref: 3 }, primitive_align: Align { abi: 0, pref: 3 } }")

It now hits the error NoMirFor("alloc::allocator::Layout::from_size_align"). It looks like this is due to https://github.com/rust-lang/rust/pull/42313.

Due to https://github.com/rust-lang/rust/pull/52597, we get a bunch of errors:

error[E0432]: unresolved import `rustc::mir::Literal`
   --> src/eval_context.rs:815:21
    |
815 |                 use rustc::mir::Literal;
    |                     ^^^^^^^^^^^^^^^^^^^ no `Literal` in `mir`

error[E0433]: failed to resolve. Could not find `Literal` in `mir`
   --> src/step.rs:203:18
    |
203 |             mir::Literal::Value { value: &ty::Const { val: ConstValue::Unevaluated(def_id, substs), .. } } => {
    |                  ^^^^^^^ Could not find `Literal` in `mir`

error[E0433]: failed to resolve. Could not find `Literal` in `mir`
   --> src/step.rs:206:18
    |
206 |             mir::Literal::Value { .. } => {}
    |                  ^^^^^^^ Could not find `Literal` in `mir`

error[E0433]: failed to resolve. Could not find `Literal` in `mir`
   --> src/step.rs:207:18
    |
207 |             mir::Literal::Promoted { index } => {
    |                  ^^^^^^^ Could not find `Literal` in `mir`

error: aborting due to 4 previous errors

If I add examples/base64/Xargo.toml:

[dependencies]
std = {features = ["panic_unwind", "jemalloc"]}

and try to run the example with

RUSTFLAGS="-Z always-encode-mir" xargo seer

the Err(Panic) in the output is gone and I get a different error:

ExecutionComplete { input: [116, 104, 105, 115, 32, 105, 115, 35, 64, 0, 0, 0], result: Err(NoMirFor("std::sys::unix::fast_thread_local::register_dtor::::__cxa_thread_atexit_impl")) }
as string: Ok("this is#@\u{0}\u{0}\u{0}")
hit an error. halting

I think this happens because we have MIR for the expansion of panic!(). Seer detects panics in src/terminator/mod.rs in fn call_missing_fn. Since MIR is not missing, the panic is not detected and we run into this other error.

Hi, I'd like to use seer for concolic testing. However, the examples are all code with main functions, and do not show how to hook into the engine for extension. I'd like to run concolic testing on library functions rather than whole programs. Could you please give me some pointers on how to achieve this?

~~~Right now, the crate doesn't seem to compile on the latest nightly, but I would imagine that to be a somewhat easy fix.~~~ (it compiles on master, just not on crates.io)

My question is, how close is seer to being able to verify some pretty simplistic but long stateless code? If the effort isn't so high (more than a week or so of work), I would be interested to help get the project there.