Skip to content

fix string of known length read in memory #953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
redianthus merged 1 commit into from
Apr 8, 2026
Merged

fix string of known length read in memory #953

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 17 additions & 13 deletions src/symbolic/symbolic_wasm_ffi.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,17 +115,21 @@ module M :
make_str_null_terminated m (ch :: accu) (Int32.add i (Int32.of_int 1))
| _ -> assert false

let rec make_str_of_length m accu i len =
let open Symbolic_choice in
if len < i then return (List.rev accu |> Array.of_list)
else
let* p = Symbolic_memory.load_8_u m (Symbolic_i32.of_int i) in
match Smtml.Typed.view p with
| Val (Bitv bv) when Smtml.Bitvector.numbits bv = 32 ->
let c = Smtml.Bitvector.to_int32 bv in
let ch = char_of_int (Int32.to_int c) in
make_str_of_length m (ch :: accu) (succ i) len
| _ -> assert false
let make_str_of_length ~mem ~ptr ~len =
let rec aux acc i =
let open Symbolic_choice in
if i >= len then return (List.rev acc |> Array.of_list)
else
let* p = Symbolic_memory.load_8_u mem (Symbolic_i32.of_int (ptr + i)) in
match Smtml.Typed.view p with
| Val (Bitv bv) when Smtml.Bitvector.numbits bv = 32 ->
let c = Smtml.Bitvector.to_int32 bv in
let ch = char_of_int (Int32.to_int c) in
let i = succ i in
aux (ch :: acc) i
| _ -> assert false
in
aux [] 0

let cov_label_is_covered id =
let open Symbolic_choice in
Expand Down Expand Up @@ -166,13 +170,13 @@ module M :
let str = String.init (Array.length chars) (Array.get chars) in
open_scope str

let open_scope_of_length m ptr len =
let open_scope_of_length mem ptr len =
let open Symbolic_choice in
let* ptr = select_i32 ptr in
let ptr = Int32.to_int ptr in
let* len = select_i32 len in
let len = Int32.to_int len in
let* bytes = make_str_of_length m [] ptr len in
let* bytes = make_str_of_length ~mem ~ptr ~len in
let str = String.init len (Array.get bytes) in
open_scope str

Expand Down
15 changes: 15 additions & 0 deletions test/rust/basic_named_symbol.t/f.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
use owi_sym::Symbolic;

fn mean1(x: i32, y: i32) -> i32 {
(x + y) / 2
}

fn mean2(x: i32, y: i32) -> i32 {
(x & y) + ((x ^ y) >> 1)
}

fn main() {
let x = i32::named_symbol("x");
let y = i32::named_symbol("y");
owi_sym::assert(mean1(x, y) == mean2(x, y))
}
8 changes: 8 additions & 0 deletions test/rust/basic_named_symbol.t/run.t
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
$ owi rust ./f.rs -w1
owi: [ERROR] Trap: unreachable
model {
symbol symbol_0 i32 -1816735914 x
symbol symbol_1 i32 -1802216685 y
}
owi: [ERROR] Reached problem!
[13]
Loading