csa = CodeStructureAnalyzer(imm, start_addr)
bb_graph = csa.getBasicBlockGraph()
pg = PathGenerator(bb_graph.basic_blocks, bb_graph.bb_out_edges)
pg.imm = imm
false_path_cnt = 0
path_cnt = 0
for path in pg.generatePaths(start_addr):
path_cnt += 1
p_walker = PathWalker(imm, debug=DEBUG)
checker = IntOverflowChecker(imm, debug=DEBUG)
try:
p_walker.walk(path, analysis_mods=[checker])
except UnsatPathConditionException, e:
false_path_cnt += 1
continue
analysis_results = p_walker.getAnalysisResults(checker=checker)
for bug_check_res in analysis_results:
imm.log("Potential integer overflow @ %s" % \
bug_check_res.addr, bug_check_res.addr)
imm.log("%d/%d paths were feasible and checked" % \
(path_cnt - false_path_cnt, path_cnt))
return "Finished. Check log for details"
# Use the path generator to dump all possible paths
pg = PathGenerator(bb_graph.basic_blocks, bb_graph.bb_out_edges)
pg.imm = imm
cnt = 0
feasible_paths = []
for path in pg.generatePaths(start_addr):
cnt += 1
imm.log("%s" % str(path))
if not prune_paths:
continue
p_walker = PathWalker(imm, debug=True)
try:
p_walker.walk(path)
feasible_paths.append(path)
except UnsatPathConditionException, e:
imm.log("%s" % str(e))
ret_str = ""
if prune_paths:
imm.log("** FEASIBLE PATHS **")
for path in feasible_paths:
imm.log("%s" % str(path))
f_cnt = len(feasible_paths)
ret_str = "%d feasible paths out of %d candidates" % (f_cnt, cnt)
else:
ret_str = "%d candidate paths, use -p to prune" % cnt
# Use the path generator to dump all possible paths
pg = PathGenerator(bb_graph.basic_blocks, bb_graph.bb_out_edges)
pg.imm = imm
cnt = 0
feasible_paths = []
for path in pg.generatePaths(start_addr):
cnt += 1
imm.log("%s" % str(path))
if not prune_paths:
continue
p_walker = PathWalker(imm, debug=True)
try:
p_walker.walk(path)
feasible_paths.append(path)
except UnsatPathConditionException, e:
imm.log("%s" % str(e))
ret_str = ""
if prune_paths:
imm.log("** FEASIBLE PATHS **")
for path in feasible_paths:
imm.log("%s" % str(path))
f_cnt = len(feasible_paths)
ret_str = "%d feasible paths out of %d candidates" % (f_cnt, cnt)
else:
ret_str = "%d candidate paths, use -p to prune" % cnt
csa = CodeStructureAnalyzer(imm, start_addr)
bb_graph = csa.getBasicBlockGraph()
pg = PathGenerator(bb_graph.basic_blocks, bb_graph.bb_out_edges)
pg.imm = imm
false_path_cnt = 0
path_cnt = 0
for path in pg.generatePaths(start_addr):
path_cnt += 1
p_walker = PathWalker(imm, debug=DEBUG)
checker = IntOverflowChecker(imm, debug=DEBUG)
try:
p_walker.walk(path, analysis_mods=[checker])
except UnsatPathConditionException, e:
false_path_cnt += 1
continue
analysis_results = p_walker.getAnalysisResults(checker=checker)
for bug_check_res in analysis_results:
imm.log("Potential integer overflow @ %s" % \
bug_check_res.addr, bug_check_res.addr)
imm.log("%d/%d paths were feasible and checked" % \
(path_cnt - false_path_cnt, path_cnt))
return "Finished. Check log for details"
