Generative-Program-Analysis · butterunderflow · Jul 5, 2025 · Jul 7, 2025 · Jul 7, 2025 · Jul 7, 2025
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
@@ -79,3 +79,4 @@ jobs:
         sbt 'testOnly gensym.wasm.TestConcolic'
         sbt 'testOnly gensym.wasm.TestDriver'
         sbt 'testOnly gensym.wasm.TestStagedEval'
+        sbt 'testOnly gensym.wasm.TestStagedConcolicEval'
diff --git a/benchmarks/wasm/branch-strip-buggy.wat b/benchmarks/wasm/branch-strip-buggy.wat
@@ -29,6 +29,7 @@
       else
         i32.const 0
         call 2
+        i32.const 1 ;; to satisfy the type checker, this line will never be reached
       end
     end
   )

diff --git a/benchmarks/wasm/staged/brtable_concolic.wat b/benchmarks/wasm/staged/brtable_concolic.wat
@@ -0,0 +1,22 @@
+(module $brtable
+  (global (;0;) (mut i32) (i32.const 1048576))
+  (type (;0;) (func (param i32)))
+  (func (;0;) (type 1) (result i32)
+    i32.const 2
+    (block
+      (block
+        (block
+          i32.const 0
+          i32.symbolic
+          br_table 0 1 2 0 ;; br_table will consume an element from the stack
+        )
+        i32.const 1
+        call 1
+        br 1
+      )
+      i32.const 0
+      call 1
+    )
+  )
+  (import "console" "assert" (func (type 0)))
+  (start 0))
diff --git a/benchmarks/wasm/staged/return_poly.wat b/benchmarks/wasm/staged/return_poly.wat
@@ -0,0 +1,19 @@
+(module
+  (type (;0;) (func))
+  (type (;1;) (func (result i32))) 
+  ;; TODO: It seems that our parser or preprocessor has some problems; the result type of the last line doesn't take effect
+  (func (result i32)
+    block
+      i32.const 21
+      i32.const 35
+      i32.const 42
+      return
+    end
+    i32.const 100
+  )
+  (func (type 0)
+    call 0
+    ;; unreachable
+  )
+  (export "$real_main" (func 1))
+)
diff --git a/headers/wasm.hpp b/headers/wasm.hpp
@@ -2,5 +2,7 @@
 #define WASM_HEADERS
 
 #include "wasm/concrete_rt.hpp"
-
+#include "wasm/symbolic_rt.hpp"
+#include "wasm/concolic_driver.hpp"
+#include "wasm/utils.hpp"
 #endif
diff --git a/headers/wasm/concolic_driver.hpp b/headers/wasm/concolic_driver.hpp
@@ -0,0 +1,114 @@
+#ifndef CONCOLIC_DRIVER_HPP
+#define CONCOLIC_DRIVER_HPP
+
+#include "concrete_rt.hpp"
+#include "smt_solver.hpp"
+#include "symbolic_rt.hpp"
+#include "utils.hpp"
+#include <functional>
+#include <ostream>
+#include <string>
+#include <vector>
+
+class ConcolicDriver {
+  friend class ManagedConcolicCleanup;
+
+public:
+  ConcolicDriver(std::function<void()> entrypoint, std::string tree_file)
+      : entrypoint(entrypoint), tree_file(tree_file) {}
+  ConcolicDriver(std::function<void()> entrypoint)
+      : entrypoint(entrypoint), tree_file(std::nullopt) {}
+  void run();
+
+private:
+  Solver solver;
+  std::function<void()> entrypoint;
+  std::optional<std::string> tree_file;
+};
+
+class ManagedConcolicCleanup {
+  const ConcolicDriver &driver;
+
+public:
+  ManagedConcolicCleanup(const ConcolicDriver &driver) : driver(driver) {}
+  ~ManagedConcolicCleanup() {
+    if (driver.tree_file.has_value())
+      ExploreTree.dump_graphviz(driver.tree_file.value());
+  }
+};
+
+inline void ConcolicDriver::run() {
+  ExploreTree.reset_cursor();
+  while (true) {
+    ManagedConcolicCleanup cleanup{*this};
+
+    auto unexplored = ExploreTree.pick_unexplored();
+    if (!unexplored) {
+      GENSYM_INFO("No unexplored nodes found, exiting...");
+      return;
+    }
+    auto cond = unexplored->collect_path_conds();
+    auto result = solver.solve(cond);
+    if (!result.has_value()) {
+      GENSYM_INFO("Found an unreachable path, marking it as unreachable...");
+      unexplored->fillUnreachableNode();
+      continue;
+    }
+    auto new_env = result.value();
+
+    // update global symbolic environment from SMT solved model
+    SymEnv.update(std::move(new_env));
+    try {
+      GENSYM_INFO("Now execute the program with symbolic environment: ");
+      GENSYM_INFO(SymEnv.to_string());
+      if (auto snapshot_node =
+              dynamic_cast<SnapshotNode *>(unexplored->node.get())) {
+        snapshot_node->get_snapshot().resume_execution(SymEnv, unexplored);
+      } else {
+        entrypoint();
+      }
+
+      GENSYM_INFO("Execution finished successfully with symbolic environment:");
+      GENSYM_INFO(SymEnv.to_string());
+    } catch (...) {
+      ExploreTree.fillFailedNode();
+      GENSYM_INFO("Caught runtime error with symbolic environment:");
+      GENSYM_INFO(SymEnv.to_string());
+      return;
+    }
+#if defined(RUN_ONCE)
+    return;
+#endif
+  }
+}
+
+static std::monostate reset_stacks() {
+  Stack.reset();
+  Frames.reset();
+  SymStack.reset();
+  SymFrames.reset();
+  initRand();
+  Memory = Memory_t(1);
+  return std::monostate{};
+}
+
+static void start_concolic_execution_with(
+    std::function<std::monostate(std::monostate)> entrypoint,
+    std::string tree_file) {
+  ConcolicDriver driver([=]() { entrypoint(std::monostate{}); }, tree_file);
+  driver.run();
+}
+
+static void start_concolic_execution_with(
+    std::function<std::monostate(std::monostate)> entrypoint) {
+
+  const char *env_tree_file = std::getenv("TREE_FILE");
+
+  ConcolicDriver driver =
+      env_tree_file ? ConcolicDriver([=]() { entrypoint(std::monostate{}); },
+                                     env_tree_file)
+                    : ConcolicDriver([=]() { entrypoint(std::monostate{}); });
+  driver.run();
+}
+
+#endif // CONCOLIC_DRIVER_HPP
diff --git a/headers/wasm/concrete_rt.hpp b/headers/wasm/concrete_rt.hpp
@@ -1,3 +1,7 @@
+#ifndef WASM_CONCRETE_RT_HPP
+#define WASM_CONCRETE_RT_HPP
+
+#include "wasm/utils.hpp"
 #include <cassert>
 #include <cstdint>
 #include <cstdio>
@@ -49,8 +53,6 @@ static Num I32V(int v) { return v; }
 
 static Num I64V(int64_t v) { return v; }
 
-using Slice = std::vector<Num>;
-
 const int STACK_SIZE = 1024 * 64;
 
 class Stack_t {
@@ -71,9 +73,7 @@ class Stack_t {
 
   Num pop() {
 #ifdef DEBUG
-    if (count == 0) {
-      throw std::runtime_error("Stack underflow");
-    }
+    assert(count > 0 && "Stack underflow");
 #endif
     Num num = stack_ptr[count - 1];
     count--;
@@ -115,7 +115,20 @@ class Stack_t {
   }
 
   void initialize() {
-    // do nothing for now
+    // todo: remove this method
+    reset();
+  }
+
+  void reset() { count = 0; }
+
+  void resize(int32_t new_size) {
+    assert(new_size >= 0);
+    count = new_size;
+  }
+
+  void set_from_front(int32_t index, const Num &num) {
+    assert(index >= 0 && index < count);
+    stack_ptr[index] = num;
   }
 
 private:
@@ -148,6 +161,21 @@ class Frames_t {
     count += size;
   }
 
+  void reset() { count = 0; }
+
+  size_t size() const { return count; }
+
+  void set_from_front(int32_t index, const Num &num) {
+    GENSYM_DBG(index);
+    assert(index >= 0 && index < count && "Index out of bounds");
+    stack_ptr[index] = num;
+  }
+
+  void resize(int32_t new_size) {
+    assert(new_size >= 0);
+    count = new_size;
+  }
+
 private:
   int32_t count;
   Num *stack_ptr;
@@ -200,4 +228,6 @@ struct Memory_t {
   }
 };
 
-static Memory_t Memory(1); // 1 page memory
+static Memory_t Memory(1); // 1 page memory
+
+#endif // WASM_CONCRETE_RT_HPP
diff --git a/headers/wasm/controls.hpp b/headers/wasm/controls.hpp
@@ -0,0 +1,12 @@
+
+#ifndef WASM_CONTROLS_HPP
+#define WASM_CONTROLS_HPP
+
+#include <functional>
+
+#include <variant>
+
+using MCont_t = std::function<std::monostate(std::monostate)>;
+using Cont_t = std::function<std::monostate(MCont_t)>;
+
+#endif // WASM_CONTROLS_HPP
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ @@
           else
             i32.const 0
             call 2
+            i32.const 1 ;; to satisfy the type checker, this line will never be reached
           end
         end
       )
@@ Expand Down @@