# Lab: Software Verification and Z3 Theorem Prover (Week 7)

Yulei Sui

School of Computer Science and Engineering University of New South Wales, Australia

# Quiz-2 + Lab-Exercise-2 + Assignment-2

- A set of guizzes on WebCMS (5 points)
  - Logical formula and predicate logic
  - Z3's knowledge and translation rules
- Lab-Exercise-2 (5 points)
  - Goal: Manually translate code into z3 formulas/constraints and verify the assertions embedded in the code.
  - **Specification:**https://github.com/SVF-tools/ Software-Security-Analysis/wiki/Lab-Exercise-2
  - SVF Z3 APIs: https: //github.com/SVF-tools/Software-Security-Analysis/wiki/SVF-Z3-API
- Assignment-2 (25 points)
  - **Goal:** automatically perform assertion-based verification for code using static symbolic execution.
  - Specification: https: //github.com/SVF-tools/Software-Security-Analysis/wiki/Assignment-2

# Methods to Be Implemented

You need to implement the following four functions in Assignment-4.cpp:

SSE::translatePath

SSE::handleNonBranch

SSE::handleCall

SSE::handleRet

SSE::handleBranch

- Remember to put your previously implemented Assignment-2.cpp in place (under the Assignment-2 folder).
- The required implementation parts are indicated with TODO comments and you only need to fill up the code template if a method is partially implemented.

In the following slides, we provide several examples to assist your understanding of SSE.

```
void foo(int* p) {
   *p = 1:
 int main() {
     int a = 0:
     foo(&a);
     svf_assert(a == 1);
           compile
void @foo(i32* %p) {
entry:
  store i32 1, i32* %p
  ret void
i32 @main() {
entry:
  %a = alloca i32
  store i32 0. i32* %a
  call void @foo(i32* %a)
  %0 = load i32, i32* %a
  %cmp = icmp eq i32 %0.1
  call void @svf_assert(i1 zeroext %cmp)
  ret i32 0
```

```
void foo(int* p) {
   *p = 1:
 int main() {
     int a = 0:
     foo(&a):
     svf_assert(a == 1);
            compile
void @foo(i32* %p) {
                                      SVF
entry:
  store i32 1. i32* %p
  ret void
i32 @main() {
entry:
  %a = alloca i32
  store i32 0. i32* %a
  call void @foo(i32* %a)
  %0 = load i32, i32* %a
  %cmp = icmp eq i32 %0.1
  call void @svf_assert(i1 zeroext %cmp)
  ret i32 0
```





```
-----SVFVar and Value-----
ObiVar25 (0x7f000019)
                        Value: NIII.I.
ObiVar19 (0x7f000013)
                        Value: 0
ObiVar16 (0x7f000010)
                        Value: NULL
ObiVar13 (0x7f00000d)
                        Value: NULL
ObiVar10 (0x7f00000a)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NIII.I.
ValVar24
                        Value: 0x7f000019
ObiVar2 (0x7f000002)
                        Value: NULL
ObjVar3 (0x7f000003)
                        Value: NULL
Val Var1
                        Value: 2
ValVar0
                        Value: 2
ValVar4
                        Value: 0x7f000005
ValVar9
                        Value: 1
ValVar12
                        Value: 0x7f00000d
ValVar18
                        Value: 0
```

The values of Z3 expressions for each SVFVar after analyzing GlobalICFGNode0 (use printExprValues() to print SVFVars and their Values)



```
Algorithm 1: 2 translatePath(path)

foreach edge ∈ path do

if IntraEdge ← dyn.cast⟨IntraCFGEdge⟩(edge) then

if handleIntra(IntraEdge) == false then

return false;

else if CallEdge ← dyn.cast⟨CallCFGEdge⟩(edge) then

handleCall(CallEdge);

else if RetEdge ← dyn.cast⟨RetCFGEdge⟩(edge) then

handleRet(RetEdge);

else

assert(false &&"what other edges we have?");

Return true;
```

10

14

16

18

20

21

```
Global TCEGNode®
 CopyStmt: [Var1 ← Var0] i8* null
  AddrStmt: [Var9 ← Var10] i32 1
  AddrStmt: [Var18 ← Var19] i32 0
    AddrStmt: [Var4 ← Var5] foo
  AddrStmt: [Var12 ← Var13] main
AddrStmt: [Var24 ← Var25] svf assert
                                         FunEntrvICFGNode1 {fun:foo}
     IntraICEGNode6 {fun: main}
     AddrStmt: [Var15 ← Var16]
                                           IntraICEGNode2 (fun: foo)
          %a = alloca i32
                                           StoreStmt: [Var7 ← Var9]
                                             store i32 1.i32* %n
     IntraICFGNode7 {fun: main}
    StoreStmt: [Var15 ← Var18]
                                           IntraICFGNode3 {fun: foo}
        store i32 0.i32* %a
                                                   ret void
      CallCFGNode8 {fun: main}
      CallPF: [Var7 ← Var15]
                                          FunExitICFGNode4 {fun:foo}
      call void @foo(i32* %a)
                                                  0×5583fba7
             0×5583fba7
      RetICFGNode12 {fun:main}
    IntraICFGNode10 {fun: main}
    LoadStmt: [Var21 ← Var15]
       %0 = load i32. i32* %a
                                              TCFG
    IntraICFGNode11 {fun: main}
CmpStmt: [Var22 ← Var21 pred32 Var9]
      %cmp = icmp eq i32 %0.1
```

```
Algorithm 2: 3 handleIntra(intraEdge)
```

```
then
4 | return false;
6 else
8 | handleNonBranch(edge);
```

2 if intraEdge.getCondition() && !handleBranch(intraEdge)

```
Algorithm 2: HandleNonBranch(intraEdge)
```

```
dst ← intraEdge.getDstNode():
   src ← intraEdge.getSrcNode();
    foreach stmt ∈ dst.getSVFStmts() do
     if addr ∈ dvn_cast(AddrStmt)(stmt) then
         obj ← getMemObjAddress(addr.getRHSVarID());
         lhs ← getZ3Expr(addr.getLHSVarID()):
10
         addToSolver(obj == lhs);
12
     else if copy ∈ dyn_cast(CopyStmt)(stmt) then
18
         lhs ← getZ3Expr(copv.getLHSVarID()):
16
18
         rhs ← getZ3Expr(copv.getRHSVarID());
         addToSolver(rhs == lhs):
20
     else if load ∈ dvn_cast(LoadStmt)(stmt) then
22
         lhs ← getZ3Expr(load.getLHSVarID());
24
         rhs ← getZ3Expr(load.getRHSVarID()):
         addToSolver(lhs == z3Mgr.loadValue(rhs));
29
        ...
```



```
-----SVEVar and Value-----
ObjVar25 (0x7f000019)
                        TIIIM . arr [eV
ObiVar19 (0x7f000013)
                        Value: 0
ObiVar16 (0x7f000010)
                        Value: NULL.
ObjVar13 (0x7f00000d)
                        Value: NIII.I.
ObiVar10 (0x7f00000a)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NUI.I.
ValVar24
                        Value: 0x7f000019
ObiVar2 (0x7f000002)
                        Value: NULL
ObjVar3 (0x7f000003)
                        Value: NULL
ValVar1
                        Value: 2
ValVar0
                        Value: 2
ValVar4
                        Value: 0x7f000005
ValVar9
                        Value: 1
ValVar12
                        Value: 0x7f00000d
ValVar18
                        Value: 0
+ValVar15
                       Value: 0x7f000010
```

```
## Analyzing IntralCFGNode6 {fun: main}
```

$$%a = alloca i32$$

```
Global TCEGNode®
  ConvStmt: [Var1 ← Var0] i8* null
  AddrStmt: [Var9 ← Var10] i32 1
  AddrStmt: [Var18 ← Var19] i32 0
    AddrStmt: [Var4 ← Var5] foo
   AddrStmt: [Var12 ← Var13] main
AddrStmt: [Var24 ← Var25] syf assert
                                          FunEntryICEGNode1 {fun:foo}
     IntraICEGNode6 {fun: main}
     AddrStmt: [Var15 ← Var16]
                                           IntraICFGNode2 {fun: foo}
           %a = alloca i32
                                           StoreStmt: [Var7 ← Var9]
                                              store i32 1.i32* %p
     IntraICEGNode7 (fun: main)
     StoreStmt: [Var15 ← Var18]
                                           IntraICFGNode3 {fun: foo}
         store i32 0.i32* %a
                                                   ret void
      CallCFGNode8 {fun: main}
       CallPE: [Var7 ← Var15]
                                          FunExitTCEGNode4 {fun:foo}
       call void @foo(i32* %a)
                                                  0×5583fba7
             0×5583fba7
      RetICFGNode12 {fun:main}
     IntraICFGNode10 {fun: main}
     LoadStmt: [Var21 ← Var15]
       %0 = load i32. i32* %a
                                              ICFG
     IntraICEGNode11 {fun: main}
CmpStmt: [Var22 ← Var21 pred32 Var9]
       %cmp = icmp eq i32 %0.1
```

```
Algorithm 3: 3 handleIntra(intraEdge)
2 if intraEdge.getCondition() && !handleBranch(intraEdge)
    then
      return false:
 6 else
      handleNonBranch(edge):
  Algorithm 3: HandleNonBranch(intraEdge)
    dst ← intraEdge.getDstNode():
   src ← intraEdge.getSrcNode();
    foreach stmt ∈ dst.getSVFStmts() do
13
     else if load \in dyn_cast(LoadStmt)(stmt) then
15
         lhs ← getZ3Expr(load.getLHSVarID());
17
19
         rhs ← getZ3Expr(load.getRHSVarID());
         addToSolver(lhs == z3Mgr.loadValue(rhs)):
21
     else if store ∈ dvn_cast(StoreStmt)(stmt) then
23
         lhs ← getZ3Expr(store.getLHSVarID());
25
         rhs ← getZ3Expr(store.getRHSVarID());
27
         z3Mgr.storeValue(lhs.rhs):
29
     else if gep ∈ dvn_cast(GepStmt)(stmt) then
30
         lhs ← getZ3Expr(gep.getLHSVarID()):
33
         rhs ← getZ3Expr(gep.getRHSVarID()):
35
         offset = z3Mgr.getGepOffset(gep);
         gepAddress = z3Mgr.getGepObjAddress(rhs, offset);
         addToSolver(lhs == gepAddress):
```



```
-----SVEVar and Value-----
ObjVar25 (0x7f000019)
                        TIIIM . arr [eV
ObiVar19 (0x7f000013)
                        Value: 0
ObiVar16 (0x7f000010)
                        Value: 0
ObjVar13 (0x7f00000d)
                        Value: NIII.I.
ObiVar10 (0x7f00000a)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NUI.I.
ValVar24
                        Value: 0x7f000019
ObiVar2 (0x7f000002)
                        Value: NULL
ValVar15
                       Value: 0x7f000010
ObiVar3 (0x7f000003)
                        Value: NIII.I.
Val Var1
                        Value: 2
ValVar0
                        Value: 2
ValVar4
                        Value: 0x7f000005
ValVar9
                        Value: 1
ValVar12
                        Value: 0v7f00000d
+ValVar18
                       Value: 0
```

## Analyzing IntralCFGNode6 {fun: main}

StoreStmt: [Var15 ← Var18]

store i32 0, i32 \* %a



```
Algorithm 4: 4 handleCall(callEdge)

callNode ← callEdge.getSrcNode();

FunEntryNode ← callEdge.getDstNode();

getSolver().push();

foreach callPE ∈ calledge.getCallPEs() do

lhs ← getZ3Expr(callPE.getLHSVarID());;

rhs ← getZ3Expr(callPE.getRHSVarID());

addToSolver(lhs == rhs);;

return true;;
```







path (a sequence of ICFGNodes represented by their IDs)

State of callstack after processing call edge between CallCFGNode8 and FunEntrylCFGNode1

```
Global TCEGNode®
  ConvStmt: [Var1 ← Var0] i8* null
   AddrStmt: [Var9 ← Var10] i32 1
  AddrStmt: [Var18 ← Var19] i32 0
    AddrStmt · [Var4 ← Var5] foo
   AddrStmt: [Var12 ← Var13] main
AddrStmt: [Var24 ← Var25] svf assert
                                          FunEntrvICFGNode1 {fun:foo}
     IntraICEGNode6 (fun: main)
     AddrStmt: [Var15 ← Var16]
                                           IntraICEGNode2 {fun: foo}
           %a = alloca i32
                                           StoreStmt: [Var7 ← Var9]
                                              store i32 1.i32* %n
     IntraICFGNode7 {fun: main}
     StoreStmt: [Var15 ← Var18]
         store i32 0.i32* %a
                                           IntraICEGNode3 {fun: foo}
                                                    ret void
      CallCEGNode8 {fun: main}
       CallPE: [Var7 ← Var15]
                                           FunExitICFGNode4 {fun:foo}
       call void @foo(i32* %a)
                                                   0×5583fba7
             0×5583fba7
      RetICFGNode12 {fun:main}
     IntraICFGNode10 {fun: main}
     LoadStmt: [Var21 ← Var15]
        %0 = load i32. i32* %a
                                              ICFG
     IntraICEGNode11 {fun: main}
CmpStmt: [Var22 ← Var21 pred32 Var9]
       %cmp = icmp eq i32 %0.1
```

```
Algorithm 5: 3 handleIntra(intraEdge)
2 if intraEdge.getCondition() && !handleBranch(intraEdge)
    then
      return false:
 6 else
      handleNonBranch(edge):
  Algorithm 5: HandleNonBranch(intraEdge)
    dst ← intraEdge.getDstNode():
   src ← intraEdge.getSrcNode();
    foreach stmt ∈ dst.getSVFStmts() do
13
     else if load ∈ dvn_cast(LoadStmt)(stmt) then
15
         lhs ← getZ3Expr(load.getLHSVarID());
17
19
         rhs ← getZ3Expr(load.getRHSVarID());
         addToSolver(lhs == z3Mgr.loadValue(rhs)):
21
     else if store ∈ dvn_cast(StoreStmt)(stmt) then
23
         lhs ← getZ3Expr(store.getLHSVarID());
25
         rhs ← getZ3Expr(store.getRHSVarID());
         z3Mgr.storeValue(lhs.rhs):
29
```

else if gep ∈ dvn\_cast(GepStmt)(stmt) then

lhs ← getZ3Expr(gep.getLHSVarID()):

rhs ← getZ3Expr(gep.getRHSVarID()):

gepAddress = z3Mgr.getGepObjAddress(rhs, offset);

offset = z3Mgr.getGepOffset(gep);

addToSolver(lhs == gepAddress):

30

33

35



ret void instruction.

Nothing needs to be done.

Continue.



```
Algorithm 6: 5 handleRet(retEdge)

rhs(getCtx());

if retPE 

retEdge.getRetPE() then

rhs 

getSolver().pop();;

fretPE 

retEdge.getRetPE() then

getSolver().pop();;

if retPE 

retEdge.getRetPE() then

lhs 

getZ3Expr(retPE.getLHSVarID());;

addToSolver(lhs == rhs);;

return true;;
```





```
Algorithm 7: 3 handleIntra(intraEdge)
```

```
2 if intraEdge.getCondition() && !handleBranch(intraEdge)
   then
    return false:
6 else
     handleNonBranch(edge):
```

#### Algorithm 7: HandleNonBranch(intraEdge)

```
dst ← intraEdge.getDstNode():
   src ← intraEdge.getSrcNode();
    foreach stmt ∈ dst.getSVFStmts() do
13
      else if load ∈ dyn_cast(LoadStmt)(stmt) then
15
         lhs ← getZ3Expr(load.getLHSVarID()):
17
19
         rhs ← getZ3Expr(load.getRHSVarID());
         addToSolver(lhs == z3Mgr.loadValue(rhs)):
21
      else if store \in dyn_cast(StoreStmt)(stmt) then
22
         lhs ← getZ3Expr(store.getLHSVarID());
25
         rhs ← getZ3Expr(store.getRHSVarID());
         z3Mgr.storeValue(lhs.rhs):
29
      else if gep ∈ dvn_cast(GepStmt)(stmt) then
31
         lhs ← getZ3Expr(gep.getLHSVarID()):
33
         rhs ← getZ3Expr(gep.getRHSVarID()):
35
         offset = z3Mgr.getGepOffset(gep);
         gepAddress = z3Mgr.getGepObjAddress(rhs, offset);
         addToSolver(lhs == gepAddress):
                                                             18
```



```
int main(){
       int x = 1, y = 1;
       int a = 1, b = 2;
       if (a > b) {
          y++;
       } else {
          X++:
          svf_assert (x == 2);
       return 0:
                 compile
i32 @main() {
entry:
  %cmp = icmp sat i32 1. 2
  br i1 %cmp, label %if.then, label %if.else
if then:
  %inc = add nsw i32 1, 1
  br label %if.end
if else:
  %inc1 = add nsw i32 1. 1
  %cmp2 = icmp eq i32 %inc1, 2
  call void @svf_assert(i1 zeroext %cmp2)
  br label %if end
if end:
ret i32 0
```

```
Global TCEGNode0
    int main(){
                                                                                         ConvStmt: [Var1 ← Var0] i8* null
        int x = 1, y = 1;
                                                                                          AddrStmt: [Var8 ← Var9] i32 1
        int a = 1. b = 2:
                                                                                         AddrStmt: [Var10 ← Var11] i32 2
        if (a > b) {
                                                                                         AddrStmt: [Var23 ← Var24] i32 0
            V++:
                                                                                          AddrStmt: [Var4 ← Var5] main
        } else {
                                                                                       AddrStmt: [Var19 ← Var20] syf assert
            X++:
            syf assert (x == 2):
                                                                                            IntraICFGNode2 {fun: main}
                                                                                        CmpStmt: [Var7 ← Var8 pred38 Var10]
        return 0:
                                                                                              %cmp = icmp eq i32 1.2
                    compile
                                                                                            IntraICFGNode3 {fun: main}
                                                                                           BranchStmt: [Condition Var7]
i32 @main() -
                                                       SVF
                                                                                      br i1% cmp.label %if.then label %if.else
entry:
  %cmp = icmp sat i32 1. 2
                                                                              IntraCEGNode5 (fun: main)
                                                                                                                IntraCEGNode4 (fun: main)
  br i1 %cmp, label %if.then, label %if.else
                                                                                                         BinaryOPStmt: Var16 ←(Var8 opcode13 Var8)
                                                                       BinaryOPStmt: Var16 ←(Var8 opcode13 Var8)
                                                                              %inc1 = add nsw i32 1,1
                                                                                                                 %inc = add nsw i32 1.1
if then:
  \%inc = add nsw i32 1. 1
                                                                           IntraICEGNode7 {fun: main}
  br label %if.end
                                                                     CmpStmt: [Var17 ← Var16 pred32 Var10]
                                                                           %cmp2=icmp eq i32 %inc1.2
if else:
  %inc1 = add nsw i32 1. 1
                                                                                   TCFGNode9
  %cmp2 = icmp eq i32 %inc1, 2
                                                                                svf assert(x=2)
  call void @svf_assert(i1 zeroext %cmp2)
                                                                                                                  TCFG
  br label %if end
if end:
ret i32 0
```



```
-----SVFVar and Value-----
ObiVar20 (0x7f000014)
                        Value: NIII.I.
ObiVar24 (0x7f000018)
                       Value: 0
ObjVar11 (0x7f00000b)
                       Value: 2
ObiVar9 (0x7f000009)
                        Value: 1
ObjVar5 (0x7f000005)
                       Value: NULL
ValVar19
                       Value: 0x7f000014
ValVar23
                       Value: 0
ObjVar2 (0x7f000002)
                       Value: NULL
ObiVar3 (0x7f000003)
                       Value: NIII.I.
ValVar1
                       Value: 3
ValVar0
                       Value: 3
ValVar4
                       Value: 0x7f000005
ValVar8
                       Value: 1
ValVar10
                        Value: 2
```

The values of Z3 expressions for each SVFVar after analyzing GlobalICFGNode0



Code for handling CmpStmt has been implemented in the HandleNonBranch() function.





```
-----SVFVar and Value-----
ObiVar20 (0x7f000014)
                        Value: NIII.I.
ObjVar24 (0x7f000018)
                        Value: 0
ObiVar11 (0x7f00000b)
                        Value: 2
ObiVar9 (0x7f000009)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NIII.I.
ValVar19
                        Value: 0x7f000014
ValVar23
                        Value: 0
ObiVar2 (0x7f000002)
                        Value: NIII.I.
ObiVar3 (0x7f000003)
                        Value: NIII.I.
ValVar1
                        Value: 3
OreViev
                        Value: 3
ValVar4
                        Value: 0x7f000005
ValVar8
                        Value: 1
ValVar10
                        Value: 2
ValVar7
                        Value: 0
```

```
Branch IntraCFGEdge: [ICFGNode5 ← ICFGNode3]
branchCondition: %cmp = icmp sgt i32 1, 2
(= ValVar7 0)
This conditional ICFGEdge is feasible!!
```



```
-----SVFVar and Value-----
                        Value: NULL
ObiVar20 (0x7f000014)
ObiVar24 (0x7f000018)
                         Value: 0
ObiVar11 (0x7f00000b)
                        Value: 2
ObiVar9 (0x7f000009)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NIII.I.
ValVar19
                        Value: 0x7f000014
ValVar23
                        Value: 0
ValVar17
                        Value: 1
ObiVar2 (0x7f000002)
                        Value: NIII.I.
ObjVar3 (0x7f000003)
                        Value: NIII.I.
ValVar16
                        Value: 2
ValVar1
                        Value: 3
ValVar0
                        Value: 3
ValVar4
                        Value: 0x7f000005
ValVar8
                        Value: 1
ValVar10
                        Value: 2
ValVar7
                        Value: 0
```

Analyzing IntralCFGNode7 fun: main

CmpStmt: [Var17 ← (Var16 predicate32 Var10)]



The assertion is successfully verified!!

START: 0 
$$\rightarrow$$
 1  $\rightarrow$  2  $\rightarrow$  3  $\rightarrow$  5  $\rightarrow$  7  $\rightarrow$  9  $\rightarrow$   $\textit{END}$ 



```
-----SVFVar and Value-----
ObiVar20 (0x7f000014)
                        Value: NIII.I.
ObjVar24 (0x7f000018)
                        Value: 0
ObiVar11 (0x7f00000b)
                        Value: 2
ObiVar9 (0x7f000009)
                        Value: 1
ObiVar5 (0x7f000005)
                        Value: NULL
ValVar19
                        Value: 0x7f000014
ValVar23
                        Value: 0
ObiVar2 (0x7f000002)
                        Value: NIII.I.
ObiVar3 (0x7f000003)
                        Value: NIII.I.
ValVar1
                        Value: 3
OreViev
                        Value: 3
ValVar4
                        Value: 0x7f000005
ValVar8
                        Value: 1
ValVar10
                        Value: 2
ValVar7
                        Value: 0
```

```
Branch IntraCFGEdge: [ICFGNode4 ← ICFGNode3] branchCondition: %cmp = icmp sgt i32 1, 2
```

$$(= ValVar7 1)$$

This conditional ICFGEdge is **infeasible**!!