vorpal-research / kex Goto Github PK

View Code? Open in Web Editor NEW

27.0 27.0 18.0 104.29 MB

A platform for analysis of Java bytecode

License: Apache License 2.0

Kotlin 96.27% Java 3.66% Python 0.08%

automated-testing concolic-testing java kex kotlin symbolic-execution white-box-fuzzing

kex's People

Contributors

Stargazers

Watchers

Forkers

maratdin7 saloed maksimzotov zhekehz maynekeen zadorotskas artemuntila frogofjuly vldf vitekkor despairedcontroller rapturemain niyaznigmatullin sbone-kenobi khbminus ilma4 mike-wazovsky andreiiurko

kex's Issues

Boolector SMT formula fail

Kex fail with IndexOutofBoundException when trying to analyze kex-test with Boolector solver.
Reason: resulting smt formula does not contain constraints for bound of array node. The model then returns array bounds that are not aligned by 32 bits.

Fix `ListLongTest`

Currently is is ignored, because ContextGuidedSelector fails to correctly traverse all the branches and SymbolicTraceBuilder fails to correctly coolect trace when there is an exception in the external method

Investigate ListLongTests on different seeds

ListLongTest is seems to be very dependent on the initial seed for EasyRandom.
Examples of failing seeds:
3735928561
3735928570

Support for soft constraints

Built in native dependencies

Include built in native dependencies from solvers to improve the usability

NullPointerException in the convertation from json to ExecutionResult

If this function:

kex/kex-runner/src/main/kotlin/org/vorpal/research/kex/asm/analysis/concolic/InstructionConcolicChecker.kt

Line 136 in ba00164

 private suspend fun collectTrace(method: Method, parameters: Parameters<Descriptor>): ExecutionResult? = tryOrNull { 

Change to this:

private suspend fun collectTrace(method: Method, parameters: Parameters<Descriptor>): ExecutionResult? = try {
    val generator = UnsafeGenerator(ctx, method, testNameGenerator.generateName(method, parameters))
    generator.generate(parameters)
    val testFile = generator.emit()

    compilerHelper.compileFile(testFile)
    collectTrace(generator.testKlassName)
} catch (e: Exception) {
    log.debug(e.stackTraceToString())
    null
}

And replace ListConcolicTests with the following class implementation taken from Collections4 (CollectionBag):

public final class ListConcolicTests<E> extends AbstractBagDecorator<E> {
    
    private static final long serialVersionUID = -2560033712679053143L;

    public static <E> Bag<E> collectionBag(final Bag<E> bag) {
        return new ListConcolicTests<>(bag);
    }
    public ListConcolicTests(final Bag<E> bag) {
        super(bag);
    }
    private void writeObject(final ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeObject(decorated());
    }
    @SuppressWarnings("unchecked") // will throw CCE, see Javadoc
    private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        setCollection((Collection<E>) in.readObject());
    }
    @Override
    public boolean containsAll(final Collection<?> coll) {
        return coll.stream().allMatch(this::contains);
    }
    @Override
    public boolean add(final E object) {
        return add(object, 1);
    }

    @Override
    public boolean addAll(final Collection<? extends E> coll) {
        boolean changed = false;
        for (final E current : coll) {
            final boolean added = add(current, 1);
            changed = changed || added;
        }
        return changed;
    }
    @Override
    public boolean remove(final Object object) {
        return remove(object, 1);
    }
    @Override
    public boolean removeAll(final Collection<?> coll) {
        if (coll != null) {
            boolean result = false;
            for (final Object obj : coll) {
                final boolean changed = remove(obj, getCount(obj));
                result = result || changed;
            }
            return result;
        }
        // let the decorated bag handle the case of null argument
        return decorated().removeAll(null);
    }
    @Override
    public boolean retainAll(final Collection<?> coll) {
        if (coll != null) {
            boolean modified = false;
            final Iterator<E> e = iterator();
            while (e.hasNext()) {
                if (!coll.contains(e.next())) {
                    e.remove();
                    modified = true;
                }
            }
            return modified;
        }
        // let the decorated bag handle the case of null argument
        return decorated().retainAll(null);
    }
    @Override
    public boolean add(final E object, final int count) {
        decorated().add(object, count);
        return true;
    }
}

And add this dependency to kex-test/pom.xml:

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.4</version>
</dependency>

When on the test execution several NullPointerExceptions will occur (can be found in kex-test.log). Here is an example:

java.lang.NullPointerException: null cannot be cast to non-null type org.vorpal.research.kfg.ir.value.instruction.Instruction

Exception when running with kex.sh

./kex.sh -cp kex-test/target/kex-test-0.0.1-jar-with-dependencies.jar --config kex.ini
Exception in thread "main" java.lang.NoSuchMethodError: kotlin.collections.CollectionsKt.maxOrNull(Ljava/lang/Iterable;)Ljava/lang/Comparable;
        at org.jetbrains.research.kfg.builder.cfg.impl.FrameState.appendFrame(FrameState.kt:147)
        at org.jetbrains.research.kfg.builder.cfg.CfgBuilder.convertFrame(CfgBuilder.kt:694)
        at org.jetbrains.research.kfg.builder.cfg.CfgBuilder.buildInstructions(CfgBuilder.kt:998)
        at org.jetbrains.research.kfg.builder.cfg.CfgBuilder.build(CfgBuilder.kt:1025)
        at org.jetbrains.research.kfg.ClassManager.initialize(ClassManager.kt:184)
        at org.jetbrains.research.kfg.ClassManager.initialize(ClassManager.kt:164)
        at org.jetbrains.research.kex.Kex.<init>(kex.kt:156)
        at org.jetbrains.research.kex.MainKt.main(main.kt:9)

При запуске через kex.sh из командной строки вылетает exception. Собран jar через mvn clean package -Pz3. При запуске через идею всё работает нормально.

icfpc2018.kt test reachability conditions

Constructor inlining breaks some of the Intrinsics.assertReachable() conditions in BasicLongTest.testIcfpc2018

Probably bug in ConstantPropagator

Looks like operand shoud be negated.

kex/core/src/main/kotlin/org/jetbrains/research/kex/state/transformer/ConstantPropagator.kt

Line 119 in b75e902

return term { const(operand) }

Failure when trying to generate test with nested arrays

    public void foo(char[][] a) {
        if (a.length > 10) {
            if (a[0].length < 2) {
                System.out.println("s");
            }
        }
    }

ExecutorAS2Printer::printReflectionNewArray does not expect to see nested array type

Incremental SMT solving

Z3 floating point conversion fail

Z3 fails when converting floating point expressions when analyzing fescar-core project.

Command to run:

./kex.sh --jar fescar-core-0.1.0-SNAPSHOT.jar --target com.alibaba.fescar.core.*

Error message:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007fc4d5664cc0, pid=3034021, tid=0x00007fc51f6f0700
#
# JRE version: OpenJDK Runtime Environment (8.0_242-b08) (build 1.8.0_242-b08)
# Java VM: OpenJDK 64-Bit Server VM (25.242-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C  [libz3.so+0x1f7cc0]  Z3_mk_fpa_to_fp_float+0x60
#
# Core dump written. Default location: /home/abdullin/workspace/kex/core or core.3034021
#
# An error report file with more information is saved as:
# /home/abdullin/workspace/kex/hs_err_pid3034021.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

fescar-core-0.1.0-SNAPSHOT.zip

Better coverage counting

Current CoverageCounter only counts basic block coverage. It is not perfect and it does not use any of the generated test cases for experiments.

We can improve two things:

also count branch coverage
use JaCoCo for coverage

loop deroller fails when unrolling to more than iteration

rt-1.8.jar
java/util/logging/FileHandler::generate(java/lang/String, int, int): java/io/File

options:

[loop]
derollCount = 3
maxDerollCount = 0

causes failure

Better random object generator

Current random object generation library (easy-random) often fails to generate complex objects. Maybe we can consider switching to another library (or writing custom generator)

Migrate to Gradle build

Learn to handle Reanimator corner cases

E.g. okio library has a Buffer class that has over a 100 public methods. Reanimator hangs on that class for over 20 minutes each time

Investigte KAFLongTest performance in CI

When comparing these two runs:
https://github.com/vorpal-research/kex/actions/runs/2630735116
https://github.com/vorpal-research/kex/actions/runs/2681554661

It takes too much time (1.5 times longer than it should)
It consistently achieves only 99% coverage when it should reach 100%

    fun whenExprTest(a: Int) = when (a) {
        0, 1 -> 0
        2, 3 -> 1
        else -> 10
    }

State:

(BEGIN
 <OR> (
  @P arg$0 = 1
  @S %1 = 0
),  <OR> (
  @P arg$0 = 3
  @S %1 = 1
),  <OR> (
  @P arg$0 !in (0, 1, 2, 3)
  @S %1 = 10
) END) -> (
  @S <retval> = %1
)

KFG seems to be correct: