Crate haybale


For an introduction to the crate and how to get started, see the crate’s README.

Re-exports

Modules

  • Utility functions for performing memory allocation. These may be useful in implementing hooks for various functions that perform memory allocation.
  • Traits which abstract over the backend (BV types, memory implementation, etc.) being used.
  • Functions and structures for defining and activating instruction callbacks.
  • Implementation of a Memory based on a Boolector array and 64-bit cells. Handles fully general read and write operations: arbitrary addresses, sizes, and alignments.
  • The Config structure for configuring haybale, and other associated definitions
  • Functions and structures for defining and activating function hooks
  • Utility functions for performing memset or memcpy operations. These may be useful in implementing hooks for other functions.
  • Simple implementation of a Memory based on a Boolector array and 8-bit cells. Like the more complicated Memory in cell_memory.rs, this handles fully general read and write operations: arbitrary addresses, sizes, and alignments. Despite being simpler, it seems to outperform the Memory in cell_memory.rs in many situations.
  • Simple utilities for interacting with the solver
  • Structures for defining and processing memory watchpoints

Structs

  • An ExecutionManager allows you to symbolically explore executions of a function. Conceptually, it is an Iterator over possible paths through the function. Calling next() on an ExecutionManager explores another possible path, returning either an Ok with a ReturnValue representing the function’s symbolic return value at the end of that path, or an Err if an error was encountered while processing the path.
  • Fully describes a code location within the LLVM IR.
  • Describes a location in LLVM IR in a format more suitable for printing - for instance, uses function names rather than references to Function objects. For a richer representation of a code location, see Location.
  • Describes one segment of a path through the LLVM IR. The “segment” will be one or more consecutive instructions in a single basic block.
  • A Project is a collection of LLVM code to be explored, consisting of one or more LLVM modules.
  • A State describes the full program state at a given moment during symbolic execution.

Enums

  • Denotes either a particular instruction in a basic block, or its terminator.
  • Error types used throughout this crate.
  • A simple enum describing the value returned from a function
  • A simple enum describing either an integer value or a pointer

Functions

  • Given a function, find values of its inputs such that it returns zero.
  • Returns the number of LLVM instructions in a passed path. The returned value is only accurate if the path under analysis does not include a panic, exception, exit, or any hooked calls (such as inline assembly).
  • Get a description of the possible return values of a function, for given argument values. Considers all possible paths through the function given these arguments.
  • Begin symbolic execution of the function named funcname, obtaining an ExecutionManager.

Type Aliases

  • A type alias for convenience, similar to how std::io::Result is used for I/O operations