Hi,
I tried to apply apisan on qemu, but when I built the qemu using apisan build make, it used all of my 64GB memory and 200GB of the 256GB swap and stopped running. Is it common? What should I do?
Thanks

Hi,

After reading the paper, I like your job actually. However, during the process of reading source code, I have met several confusions.

• First: where are the traces after symbolic execution? If convenient, would you mind saying its address in source code?

• Second: Where are the functions mentioned in the paper, such as returnValueContexts, argRelationContexts? I couldn't find them in source code. If convenient, would you mind saying its address?

• Third: Apisan is implement on the basis of clang and llvm. If convenient, would you mind saying the changes you've made on the framework?

Sincerely,
Liz

Hi Jakkdu!
your paper refers that APISAN unrolls each loop only once.
Now, I want to know where you changed it so that it only loops once.
Can you help me? Thank you！

Hi, Where I can find your symbolic executor's source code? can you please say its address?
Thanks.

Hi jakkdu. It seems like apisan doesn't support alias analyze of cpair checker. Consider the following code:

#include <stdio.h>
void good1(){
  int* a=(int*)malloc(sizeof(int));
  // do something...
  free(a);
}
// other similar malloc-free pattern omitted...
void goodx(){
  int* a=(int*)malloc(sizeof(int));
  int* b=a;
  // do something...
  free(b);
}

Apisan makes complaints that malloc-free pattern in goodx is a potential bug.

How to use clang to complie linux kernel into LLVM IR?

I can't understand the algorithm of your condition checker. Can you please explain what you have done to find the bugs?

Hi,

Is there any way to simply pass configure options when building with apisan?

Thanks,
N

Apisan rvchk can't detect the unchecked return value flaw in following code piece:
Note: the following code piece is modified from Juliet Test Suite

#include <stdio.h>

void bad()
{
    if(1)
    {
        /* FLAW: Do not check the return value */
        fprintf(stdout, "%s\n", "string");
    }
}

static void good1()
{
    if(0)
    {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        printf("Benign, fixed string");
    }
    else
    {
        /* FIX: check the return value */
        if (fprintf(stdout, "%s\n", "string") < 0)
        {
            printf("test string");
        }
    }
}

static void good2()
{
    if(1)
    {
        /* FIX: check the return value */
        if (fprintf(stdout, "%s\n", "string") < 0)
        {
            printf("test string");
        }
    }
}

void good()
{
    good1();
    good2();
    good1();
    good2();
    good1();
    good2();
    good1();
    good2();
    good1();
    good2();
}

int main(int argc, char * argv[])
{
    printf("Calling good()...");
    good();
    printf("Finished good()");
    printf("Calling bad()...");
    bad();
    printf("Finished bad()");
    return 0;
}

In theory the rvchk can detect the missing check of `fprintf` in `bad()`, but nothing was reported. Can you tell me am I missing something?
Appreciate your attention.

JW, ZG
IMChecker Group, THU

I'm running the checker on an openssl database(about 2300 files), but the process became D(Uninterruptible Sleep) after running about 10 hours. And now it's switching between D and R(Run). How can I deal with it?

Hi,
I checked the apisan code, but I couldn't find where you extract the semantic believes (as explained in your paper). Do you extract the semantic belief in your code or just check for the minor uses?
Thanks.

Hi Jakkdu!
how to use apisan - -- checker= cpair - -- db =app1, app2
Should I put both apps in the same directory? Or just install them on my computer?

hello,
I could not understand what and where is SYM_EXEC_EXTRACTOR = "alpha.unix.SymExecExtract" in your code?
can you say some detail about it?

thank you