feat: multi path searcher

libs2ecore/include/s2e/CorePlugin.h

@@ -508,6 +508,16 @@ class CorePlugin : public Plugin {
                 uint64_t /* address */>
         onInvalidPCAccess;
 
+    ///
+    /// Signal that is emitted before accessing memory at symbolic address.
+    ///
+    sigc::signal<void,
+                 S2EExecutionState*,
+                 uint64_t /* concrete address */,
+                 klee::ref<klee::Expr> /* symbolic Data */,
+                 bool /* is write */>
+        onSymbolicDataAccessConcreteMemory;
+
     // clang-format on
 };
 

libs2ecore/include/s2e/S2EExecutor.h

@@ -209,6 +209,8 @@ class S2EExecutor : public klee::Executor {
 
     void doDeviceStateRestore(S2EExecutionState *newState);
 
+    static void validPathSearcherStateSwitchCallback(void *opaque);
+
 protected:
     void updateClockScaling();
 

libs2ecore/src/FunctionHandlers.cpp

@@ -164,9 +164,6 @@ static void handlerBeforeMemoryAccess(klee::Executor *executor, klee::ExecutionS
 
     // 1st arg: virtual address
     klee::ref<Expr> vaddr = args[0];
-    if (isa<klee::ConstantExpr>(vaddr)) {
-        return;
-    }
 
     // 3rd arg: width
     Expr::Width width = cast<klee::ConstantExpr>(args[2])->getZExtValue() * 8;
@@ -187,6 +184,11 @@ static void handlerBeforeMemoryAccess(klee::Executor *executor, klee::ExecutionS
     S2EExecutionState *s2eState = static_cast<S2EExecutionState *>(state);
 
     g_s2e->getCorePlugin()->onBeforeSymbolicDataMemoryAccess.emit(s2eState, vaddr, value, flags);
+
+    if (isa<klee::ConstantExpr>(vaddr) && isa<klee::Expr>(value) && !value->isZero()) {
+        g_s2e->getCorePlugin()->onSymbolicDataAccessConcreteMemory.emit(
+            s2eState, cast<klee::ConstantExpr>(vaddr)->getZExtValue(), value, flags);
+    }
 }
 
 void handlerAfterMemoryAccess(Executor *executor, ExecutionState *state, klee::KInstruction *target,

libs2ecore/src/S2EExecutor.cpp

@@ -815,6 +815,24 @@ void S2EExecutor::stateSwitchTimerCallback(void *opaque) {
     libcpu_mod_timer(c->m_stateSwitchTimer, libcpu_get_clock_ms(host_clock) + 100);
 }
 
+void S2EExecutor::validPathSearcherStateSwitchCallback(void *opaque) {
+    S2EExecutor *c = (S2EExecutor *) opaque;
+
+    assert(env->current_tb == nullptr);
+
+    if (g_s2e_state) {
+        c->doLoadBalancing();
+        S2EExecutionState *nextState = c->selectNextState(g_s2e_state);
+        if (nextState) {
+            g_s2e_state = nextState;
+        } else {
+            // Do not reschedule the timer anymore
+            return;
+        }
+    }
+    libcpu_mod_timer(c->m_stateSwitchTimer, libcpu_get_clock_ms(host_clock) + 100);
+}
+
 void S2EExecutor::initializeStateSwitchTimer() {
     m_stateSwitchTimer = libcpu_new_timer_ms(host_clock, &stateSwitchTimerCallback, this);
     libcpu_mod_timer(m_stateSwitchTimer, libcpu_get_clock_ms(host_clock) + 100);
@@ -1910,7 +1928,11 @@ void S2EExecutor::setupTimersHandler() {
 bool S2EExecutor::suspendState(S2EExecutionState *state) {
     if (searcher) {
         searcher->removeState(state, nullptr);
+        g_s2e->getDebugStream() << "[states' size " << getStatesCount() << "] "
+                         << "\n";
         size_t r = states.erase(state);
+        g_s2e->getDebugStream() << "[states' size " << getStatesCount() << "] "
+                                << "\n";
         assert(r == 1);
         return true;
     }

libs2eplugins/src/CMakeLists.txt

@@ -172,6 +172,8 @@ add_library(
     s2e/Plugins/uEmu/uEmuExternalInterrupt.cpp
     s2e/Plugins/uEmu/ARMFunctionMonitor.cpp
     s2e/Plugins/uEmu/InvalidStatesDetection.cpp
+    s2e/Plugins/uEmu/DataInputChannelDetector.cpp
+    s2e/Plugins/uEmu/DebugPlugin.cpp
 
     # Support plugins
     s2e/Plugins/Support/KeyValueStore.cpp
@@ -222,6 +224,7 @@ add_library(
     s2e/Plugins/Searchers/CUPASearcher.cpp
     s2e/Plugins/Searchers/SeedSearcher.cpp
     s2e/Plugins/Searchers/SeedScheduler.cpp
+    s2e/Plugins/Searchers/ValidPathSearcher.cpp
 
     # Function models
     s2e/Plugins/Models/BaseFunctionModels.cpp