Path.MakeSourceMain implementation of the signature S.
include S
with type state = State.t
and type value = State.Value.t
and type model = State.Model.t
and module State = StateA path.
A symbolic state (see State.VALUE).
A concrete assignment (see State.MODEL)
addr p returns the current program counter of the path p.
symbolize p v assigns the variable v with a new symbolic value.
Each call to symbolize records the new value on top of the symbols history.
assign p v e assigns the variable v with the expression e.
assign p v e assigns the variable v with a new symbolic value.
Clobbered variables are expected to not be used by the program and are not recorded in the symbols history.
val load :
t ->
Binsec_kernel.Dba.Var.t ->
string option ->
addr:Binsec_kernel.Dba.Expr.t ->
Binsec_kernel.Machine.endianness ->
unitload p v m ~addr d assigns the variable v with the bytes read at the address addr from the memory array m.
When m is None, the load is performed from the main memory @.
The bit size of v should be a multiple of the size of a byte (8). The byte order is determined by the endianness d.
val store :
t ->
string option ->
addr:Binsec_kernel.Dba.Expr.t ->
Binsec_kernel.Dba.Expr.t ->
Binsec_kernel.Machine.endianness ->
unitstore p m ~addr e d writes the expression e at the address addr in the memory array m.
When m is None, the write is performed in the main memory @.
The bit size of e should be a multiple of the size of a byte (8). The byte order is determined by the endianness d.
val memcpy :
t ->
string option ->
addr:Binsec_kernel.Dba.Expr.t ->
int ->
Binsec_kernel.Loader_types.buffer ->
unitmemcpy p m ~addr len content initializes the memory array m at the address addr with len bytes from the zero extended buffer content.
When m is None, the write is performed in the main memory @.
predicate p returns the path predicate as a list of boolean value.
is_symbolic p e checks if the expression e may depend on symbolic values.
When it returns false, the path predicate of p implies that e has a single value. This value can be obtained via eval.
Otherwise, it means that e syntactically depends on a symbolic value. Use enumerate with n = 2 to prove or disprove that it can take several values.
is_zero p e checks if the boolean expression e may depend on symbolic values.
It returns True when the path predicate implies e is false and False when the path predicate implies e is true.
Otherwise, it returns Unknown, that means that e syntactically depends on a symbolic value. Use enumerate with n = 2 to prove or disprove that it can take several values.
assume p e tests if the condition e can be true. If so, it returns a witness model (Some) and updates the symbolic predicate. Otherwise, nothing is updated and it returns None.
check_sat_assuming p ~retain e tests if the condition e can be true. If so, it returns a witness model (Some), otherwise, it returns None.
If retain is true (default), the model is saved into the path p.
partition p e tests if the condition e can be true and update its internal symbolic state accordingly.
It returns True when the path predicate implies e is true and False when the path predicate implies e is false.
It returns Trueish when the path predicate allows e to be true but may allow false too, and Falsish when the path predicate allows e to be false but may allow true too. The returned state can be used to check the other assumption.
It returns Split when the path predicate allows e to be both true and false. The current path keeps models for which e evaluates to true (same as assume) while the returned state comes with a list of models for which e evaluates to false.
val enumerate :
t ->
?retain:bool ->
?n:int ->
?accumulator:model Binsec_kernel.Bitvector.Map.t ->
?assuming:Binsec_kernel.Dba.Expr.t ->
Binsec_kernel.Dba.Expr.t ->
model Binsec_kernel.Bitvector.Map.tenumerate p ~retain ~n ~accumulator ~assuming e lists the possible values of the expression e.
It returns a map of up to n new possible values that are not already present in accumulator, together with their respective model witnesses. When n is omitted, the enumeration is unbounded.
The new models satisfy the predicate assuming when present.
If retain is true (default), new models are saved into the path p.
check_model p ~retain m returns true if the model m is a witness for the path predicate of p.
If retain is true (default), the model is saved into the path p when the function returns true.
eval p e evaluates the expression e in the last witness model.
The returned values are consistent with each other as long as the witness model is not updated via assume, check_sat_assuming, enumerate, check_model or partition.
get_value p e evaluates the expression e to its symbolic value.
lookup p v evaluates the content of the variable v to its symbolic value.
val read :
t ->
string option ->
addr:Binsec_kernel.Dba.Expr.t ->
int ->
Binsec_kernel.Machine.endianness ->
valueread p m ~addr n d reads the content of the memory array m at the address addr.
When m is None, the load is performed from the main memory.
Returns a value of n bytes. The byte order is determined by the endianness d.
symbols p returns the (reverse) history of symbols created by symbolize.
A key entry associated to a value of type 'a.
val load_v :
t ->
Binsec_kernel.Dba.Var.t ->
string option ->
addr:value ->
Binsec_kernel.Machine.endianness ->
unitval store_v :
t ->
string option ->
addr:value ->
value ->
Binsec_kernel.Machine.endianness ->
unitval memcpy_v :
t ->
string option ->
addr:value ->
int ->
Binsec_kernel.Loader_types.buffer ->
unitSame as is_symbolic but with value input.
Same as check_sat_assuming_v but with value input.
val enumerate_v :
t ->
?retain:bool ->
?n:int ->
?accumulator:model Binsec_kernel.Bitvector.Map.t ->
?assuming:value ->
value ->
model Binsec_kernel.Bitvector.Map.tval read_v :
t ->
string option ->
addr:value ->
int ->
Binsec_kernel.Machine.endianness ->
valueset_pc p v replaces the current program counter of p by v.
set_models p l replaces the witness models of p by the ones in l.
Warning. It is the caller responsibility to ensure that l is non-empty and that each model in l is consistent with the current symbolic state state.
set_state p s replaces the symbolic state of p by s.
Warning. It is the caller responsibility to ensure that each model in models is consistent with the new symbolic state s.
cookie p returns the cookie of p (see State.COOKIE for more details).
A path is a mutable table which maps typed keys to their values. Each instance of Make has its own set of keys. The current implementation requires that all keys be known (i.e. declare_field) before a path is created (create). A value can then be read with get and written with set.
declare_field ~copy ~merge default registers a new field with the initial value default, then returns the typed key to access it.
When given, the copy function will be called to initialize this field in the new path during fork.
When given, the merge function will be called to initialize this field in the new path during merge. Returning None prevents the paths to be merged.
create () makes a path with all fields initialized with their default values.
Warning. It is an error to try adding more fields after calling this function.
fork p returns a copy of p with a new identifier.
Fields are copied using the copy functions given via declare_field (default to Fun.id).
merge p1 p2 tries to merge all the fields of p1 and p2 using the merge functions given via declare_field (default works only when values are physically equal). Returns None if any field fails to merge.