Symbolic-length reads from symbolic sockets #1786
Conversation
|
The uncovered paths seem acceptable to me, but I can spend more time writing tests if anyone thinks it's important enough to do so. |
|
|
||
| def __getstate__(self): | ||
| state = super().__getstate__() | ||
| state["inputs_recvd"] = self.inputs_recvd | ||
| state["symb_name"] = self.symb_name | ||
| state["recv_pos"] = self.recv_pos | ||
| state["max_recv_symbolic"] = self.max_recv_symbolic | ||
| state["constraints"] = self._constraints |
There was a problem hiding this comment.
Why'd you remove the constraint set from the pickled state? It seems to me like you'd want it to persist.
There was a problem hiding this comment.
Good question. I believe this should be taken care of during the SLinux __setstate__ here
manticore/manticore/platforms/linux.py
Lines 3278 to 3282 in 8989185
We also initialize a SymbolicSocket with a reference to the ConstraintSet in SLinux here
manticore/manticore/platforms/linux.py
Line 3413 in 8989185
I'm open to suggestions for redesigning how/where the constraints are added. However, without removing this line, I think we are duplicating serialization of the constraint set, right?
There was a problem hiding this comment.
The problem with keeping links to the constraintset is forking.
This all needs a refactor/simplification. But currently we fork using a context manager:
manticore/manticore/core/manticore.py
Lines 504 to 515 in 8989185
Note that there the State is spawned into a child state using the width statement. Supposedly modifying anything of the child state would not affect the parent. (This is a lie except for constraints)
Note that the child constraints reference/references are updated when spawning a child from a parent:
manticore/manticore/core/state.py
Line 150 in 8989185
If you keep a new reference to a constraintset it should be updated there.
There was a problem hiding this comment.
Yes it looks like the new reference to the constraints are correctly propagated with that.
There was a problem hiding this comment.
@ehennenfent Anything else you're wondering about this after the latest commits?
There was a problem hiding this comment.
Nope, looks good to me! All this constraint set stuff is tricky...
* master: Change types.FunctionType=<class 'function'> (#1803) Fix test regressions (#1804) State Introspection API (#1775) Fix EVM account existence checks for selfdestruct and call (#1801) Add partial implementation of sendto syscall (#1791) crytic-compile: use latest release (#1795) Update gas metering for calls to empty accounts (#1774) Fix BitVec with symbolic offset and fix TranslatorSmtlib.unique thread safety (#1792) Fix Coveralls for external PRs (#1794) Convert plugin list to dict (#1781) Symbolic-length reads from symbolic sockets (#1786) Removing Thread unsafe global caching (#1788) Add Manticore native State-specific hooks (#1777)
A
readdoesn't have to always return the number of bytes provided in thesizeargument. This is especially true for network sockets that may receive only partial bytes of data at a time.This PR adds a feature to allow Manticore to fork when a
receiveis called on a SymbolicSocket and to more precisely emulate network data transmissions that may be sent in chunks less than what is requested.Currently, we choose symbolic values from
[1, remaining_bytes]to avoid too much state explosion.