jordr / chopper

KLEE / CSE Project

onRecoveryStateExit called twice for a single recovery state #38

Open jordr opened 4 years ago

jordr commented 4 years ago
~/code/exp/libtasn1/CVE-2015-3622 $
klee -inline=strcmp,strlen -libc=uclibc --posix-runtime --search=dfs -skip-functions-not=asn1_get_tag_der,asn1_parser2tree,read,__fd_open,_asn1_yylex -output-module -debug-only=recovery -keep=_asn1_check_identifier,_asn1_set_name,_asn1_set_value,__ctype_b_loc,_asn1_str_cpy,_asn1_add_static_node,hash_pjw_bare,_asn1_get_last_right,_asn1_type_set_config,asn1_create_element,type_field259,_asn1_get_up260,_asn1_copy_structure2,asn1_find_node,_asn1_expand_identifier,_asn1_set_right test.bc 32 2>&1 | grep asn1_get_octet_string
...
[6e6b35] KLEE: ■ ■ ■ ■ ■ ■  __wrap__asn1_get_octet_string (skipped)
[baf203] KLEE: ■ ■ ■ ■ ■ ■  __wrap__asn1_get_octet_string (recovery) 
[dc58bf] KLEE: > > > > > >  __wrap__asn1_get_octet_string
[dc58bf] KLEE: R R R R R R  __wrap__asn1_get_octet_string
[dc58bf] KLEE: R R R R R R R  _asn1_get_octet_string
[dc58bf] KLEE: < < < < < <  __wrap__asn1_get_octet_string
[baf203] KLEE: ■ ■ ■ ■ ■ ■  __wrap__asn1_get_octet_string (recovery) 
[dc58bf] KLEE: > > > > > >  __wrap__asn1_get_octet_string
[dc58bf] KLEE: R R R R R R  __wrap__asn1_get_octet_string
[dc58bf] KLEE: R R R R R R R  _asn1_get_octet_string
[dc58bf] KLEE: < < < < < <  __wrap__asn1_get_octet_string
[dc58bf] KLEE: < < < < < <  __wrap__asn1_get_octet_string
[1]    10772 abort (core dumped) 
jordr commented 4 years ago

Debug: onRecoveryStateExit called twice for a single recovery state

jordr commented 4 years ago

Seemingly, when the solver does not answer True or False, a fork is triggered:

https://github.com/jordr/chopper/blob/1a3a0cc824378a2cd0d4ce43e21f0220731efa8c/lib/Core/Executor.cpp#L1007-L1037

This explains the duplication of recovery states. This is fine, but it means we need a more elaborate way of handling timers that takes this into account, so I'm leaving the issue up.
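A toy model of the mechanism described in this thread, added here as an illustration and not code from chopper or KLEE: a fork on a Solver::Unknown result clones the recovery state, so a per-state exit hook runs once per clone, and a timer released on the first exit is already gone on the second. All names in the model (`forkState`, `runRecovery`, `Outcome`) are assumptions; the counted variant shows one way to release the timer only when the last clone of a recovery state exits.

```cpp
// Added illustration, not code from chopper or KLEE: a toy model of how a
// fork on a Solver::Unknown result clones a recovery state, so the exit hook
// then runs once per clone. All names below are assumptions for the model.
#include <map>
#include <vector>

enum class SolverResult { True, False, Unknown };

// A recovery state; clones produced by a fork keep the parent's id.
struct RecoveryState { int id; };

struct Outcome { int exitCalls; int timerReleases; bool doubleRelease; };

// Models the fork decision: True/False keep one state, Unknown keeps both paths.
static std::vector<RecoveryState> forkState(const RecoveryState &s, SolverResult r) {
    std::vector<RecoveryState> out{s};
    if (r == SolverResult::Unknown) out.push_back(s);  // same recovery id twice
    return out;
}

// Runs one recovery state through a fork and then through the exit hook.
// counted=false: every exiting clone releases the timer (second release is the bug).
// counted=true:  release only when the last live clone with that id exits.
static Outcome runRecovery(SolverResult r, bool counted) {
    Outcome o{0, 0, false};
    std::map<int, int> liveClones;   // recovery id -> clones still executing
    std::map<int, bool> timerArmed;  // recovery id -> timer still registered

    RecoveryState rs{1};             // constructed sample recovery state
    timerArmed[rs.id] = true;
    std::vector<RecoveryState> active = forkState(rs, r);
    liveClones[rs.id] = static_cast<int>(active.size());

    for (const RecoveryState &s : active) {        // each clone eventually exits
        ++o.exitCalls;
        if (counted && --liveClones[s.id] > 0) continue;  // siblings still running
        if (!timerArmed[s.id]) { o.doubleRelease = true; continue; }
        timerArmed[s.id] = false;
        ++o.timerReleases;
    }
    return o;
}
```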