Coverage

flag tritondse.coverage.BranchSolvingStrategy(value)[source]

Bases: IntFlag

Branch strategy enumerate. It defines the manner with which branches are checked with SMT on a single trace, namely a CoverageSingleRun. For a given branch that has not been covered strategies are:

  • ALL_NOT_COVERED: check by SMT all occurrences

  • FIRST_LAST_NOT_COVERED: check only the first and last occurrence in the trace

Member Type:

int

Valid values are as follows:

ALL_NOT_COVERED = <BranchSolvingStrategy.ALL_NOT_COVERED: 1>

check by SMT all occurrences of a given branch (true by default)

FIRST_LAST_NOT_COVERED = <BranchSolvingStrategy.FIRST_LAST_NOT_COVERED: 2>

check by SMT the first and last occurrence of a given branch

UNSAT_ONCE = <BranchSolvingStrategy.UNSAT_ONCE: 4>

if a branch is UNSAT do not try solving it again

TIMEOUT_ONCE = <BranchSolvingStrategy.TIMEOUT_ONCE: 8>

if a branch is TIMEOUT do not try solving it again

TIMEOUT_ALWAYS = <BranchSolvingStrategy.TIMEOUT_ALWAYS: 16>

always try solving again a TIMEOUT branch (incompatible with TIMEOUT_ONCE)

COVER_SYM_DYNJUMP = <BranchSolvingStrategy.COVER_SYM_DYNJUMP: 32>

try covering dynamic jumps on a symbolic register or memory value

COVER_SYM_READ = <BranchSolvingStrategy.COVER_SYM_READ: 64>

try enumerating values for symbolic reads

COVER_SYM_WRITE = <BranchSolvingStrategy.COVER_SYM_WRITE: 128>

try enumerating values for symbolic writes

SOUND_MEM_ACCESS = <BranchSolvingStrategy.SOUND_MEM_ACCESS: 256>

enables adding a constraint when using a symbolic read/write or jump

MANUAL = <BranchSolvingStrategy.MANUAL: 512>

disable automatic branch solving after an execution (has to be done manually in callbacks)

The Flag and its members also have the following methods:

conjugate()

Returns self, the complex conjugate of any int.

bit_length()

Number of bits necessary to represent self in binary.

>>> bin(37)
'0b100101'
>>> (37).bit_length()
6
bit_count()

Number of ones in the binary representation of the absolute value of self.

Also known as the population count.

>>> bin(13)
'0b1101'
>>> (13).bit_count()
3
to_bytes(length=1, byteorder='big', *, signed=False)

Return an array of bytes representing an integer.

length

Length of bytes object to use. An OverflowError is raised if the integer is not representable with the given number of bytes. Default is length 1.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Determines whether two’s complement is used to represent the integer. If signed is False and a negative integer is given, an OverflowError is raised.

from_bytes(byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use `sys.byteorder’ as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.

as_integer_ratio()

Return integer ratio.

Return a pair of integers, whose ratio is exactly equal to the original int and with a positive denominator.

>>> (10).as_integer_ratio()
(10, 1)
>>> (-10).as_integer_ratio()
(-10, 1)
>>> (0).as_integer_ratio()
(0, 1)
real

the real part of a complex number

imag

the imaginary part of a complex number

numerator

the numerator of a rational number in lowest terms

denominator

the denominator of a rational number in lowest terms

tritondse.coverage.CovItem

Variant type representing a coverage item. It can be:

alias of int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]

class tritondse.coverage.CoverageSingleRun(strategy: CoverageStrategy)[source]

Bases: object

Coverage produced by a Single Execution Depending on the strategy given to the constructor it stores different data.

Parameters:

strategy (CoverageStrategy) – Strategy to employ

add_covered_address(address: tritondse.types.Addr) None[source]

Add an instruction address covered. (Called by :py:obj:`SymbolicExecutor` for each instruction executed)

Parameters:

address (tritondse.types.Addr) – The address of the instruction

add_covered_branch(program_counter: tritondse.types.Addr, taken_addr: tritondse.types.Addr, not_taken_addr: tritondse.types.Addr) None[source]

Add a branch to our covered branches list. Each branch is encoded according to the coverage strategy. For code coverage, the branch encoding is the address of the instruction. For edge coverage, the branch encoding is the tupe (src address, dst address). For path coverage, the branch encoding is the MD5 of the conjunction of all taken branch addresses.

Parameters:
  • program_counter (tritondse.types.Addr) – The address taken in by the branch

  • taken_addr (Addr) – Target address of branch taken

  • not_taken_addr (Addr) – Target address of branch not taken

add_covered_dynamic_branch(source: tritondse.types.Addr, target: tritondse.types.Addr) None[source]

Add a dynamic branch covered. The branch will be encoded according to the coverage strategy.

Parameters:
  • source – Address of the dynamic jump

  • target – Target address on which the jump is performed

Returns:

covered_instructions: Dict[int, int]

Instruction coverage. Counter for code coverage)

covered_items: Dict[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]], int]

Stores covered items whatever they are

difference(other: CoverageSingleRun) Set[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]][source]
is_covered(item: int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]) bool[source]

Return whether the item has been covered or not. The item should match the strategy

Parameters:

item (CovItem) – An address, an edge or a path

Returns:

bool

post_execution() None[source]

Function is called after each execution for post-processing or clean-up. (Not doing anything at the moment)

pp_item(covitem: int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]) str[source]

Pretty print a CovItem according the coverage strategy

Parameters:

covitem – An address, an edge or a path

Returns:

str

strategy: CoverageStrategy

Coverage strategy

property total_instruction_executed: int
Returns:

The number of total instruction executed

property unique_covitem_covered: int
Returns:

The number of unique edges covered

property unique_instruction_covered: int
Returns:

The number of unique instructions covered

enum tritondse.coverage.CoverageStrategy(value)[source]

Bases: str, Enum

Coverage strategy (metric) enum. This enum will change whether a given branch have to be solved or not.

Member Type:

str

Valid values are as follows:

BLOCK = <CoverageStrategy.BLOCK: 'block'>

block coverage, only tracks new basic blocks covered

EDGE = <CoverageStrategy.EDGE: 'edge'>

edge coverage, tracks CFGs edges covered

PATH = <CoverageStrategy.PATH: 'path'>

tracks any new path covered

PREFIXED_EDGE = <CoverageStrategy.PREFIXED_EDGE: 'PREFIXED_EDGE'>

edge coverage but also taking in account path prefix

The Enum and its members also have the following methods:

encode(encoding='utf-8', errors='strict')

Encode the string using the codec registered for encoding.

encoding

The encoding in which to encode the string.

errors

The error handling scheme to use for encoding errors. The default is ‘strict’ meaning that encoding errors raise a UnicodeEncodeError. Other possible values are ‘ignore’, ‘replace’ and ‘xmlcharrefreplace’ as well as any other name registered with codecs.register_error that can handle UnicodeEncodeErrors.

replace(old, new, count=-1, /)

Return a copy with all occurrences of substring old replaced by new.

count

Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.

If the optional argument count is given, only the first count occurrences are replaced.

split(sep=None, maxsplit=-1)

Return a list of the substrings in the string, using sep as the separator string.

sep

The separator used to split the string.

When set to None (the default value), will split on any whitespace character (including n r t f and spaces) and will discard empty strings from the result.

maxsplit

Maximum number of splits. -1 (the default value) means no limit.

Splitting starts at the front of the string and works to the end.

Note, str.split() is mainly useful for data that has been intentionally delimited. With natural text that includes punctuation, consider using the regular expression module.

rsplit(sep=None, maxsplit=-1)

Return a list of the substrings in the string, using sep as the separator string.

sep

The separator used to split the string.

When set to None (the default value), will split on any whitespace character (including n r t f and spaces) and will discard empty strings from the result.

maxsplit

Maximum number of splits. -1 (the default value) means no limit.

Splitting starts at the end of the string and works to the front.

join(iterable, /)

Concatenate any number of strings.

The string whose method is called is inserted in between each given string. The result is returned as a new string.

Example: ‘.’.join([‘ab’, ‘pq’, ‘rs’]) -> ‘ab.pq.rs’

capitalize()

Return a capitalized version of the string.

More specifically, make the first character have upper case and the rest lower case.

casefold()

Return a version of the string suitable for caseless comparisons.

title()

Return a version of the string where each word is titlecased.

More specifically, words start with uppercased characters and all remaining cased characters have lower case.

center(width, fillchar=' ', /)

Return a centered string of length width.

Padding is done using the specified fill character (default is a space).

count(sub[, start[, end]]) int

Return the number of non-overlapping occurrences of substring sub in string S[start:end]. Optional arguments start and end are interpreted as in slice notation.

expandtabs(tabsize=8)

Return a copy where all tab characters are expanded using spaces.

If tabsize is not given, a tab size of 8 characters is assumed.

find(sub[, start[, end]]) int

Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

partition(sep, /)

Partition the string into three parts using the given separator.

This will search for the separator in the string. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing the original string and two empty strings.

index(sub[, start[, end]]) int

Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raises ValueError when the substring is not found.

ljust(width, fillchar=' ', /)

Return a left-justified string of length width.

Padding is done using the specified fill character (default is a space).

lower()

Return a copy of the string converted to lowercase.

lstrip(chars=None, /)

Return a copy of the string with leading whitespace removed.

If chars is given and not None, remove characters in chars instead.

rfind(sub[, start[, end]]) int

Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Return -1 on failure.

rindex(sub[, start[, end]]) int

Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.

Raises ValueError when the substring is not found.

rjust(width, fillchar=' ', /)

Return a right-justified string of length width.

Padding is done using the specified fill character (default is a space).

rstrip(chars=None, /)

Return a copy of the string with trailing whitespace removed.

If chars is given and not None, remove characters in chars instead.

rpartition(sep, /)

Partition the string into three parts using the given separator.

This will search for the separator in the string, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.

If the separator is not found, returns a 3-tuple containing two empty strings and the original string.

splitlines(keepends=False)

Return a list of the lines in the string, breaking at line boundaries.

Line breaks are not included in the resulting list unless keepends is given and true.

strip(chars=None, /)

Return a copy of the string with leading and trailing whitespace removed.

If chars is given and not None, remove characters in chars instead.

swapcase()

Convert uppercase characters to lowercase and lowercase characters to uppercase.

translate(table, /)

Replace each character in the string using the given translation table.

table

Translation table, which must be a mapping of Unicode ordinals to Unicode ordinals, strings, or None.

The table must implement lookup/indexing via __getitem__, for instance a dictionary or list. If this operation raises LookupError, the character is left untouched. Characters mapped to None are deleted.

upper()

Return a copy of the string converted to uppercase.

startswith(prefix[, start[, end]]) bool

Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.

endswith(suffix[, start[, end]]) bool

Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.

removeprefix(prefix, /)

Return a str with the given prefix string removed if present.

If the string starts with the prefix string, return string[len(prefix):]. Otherwise, return a copy of the original string.

removesuffix(suffix, /)

Return a str with the given suffix string removed if present.

If the string ends with the suffix string and that suffix is not empty, return string[:-len(suffix)]. Otherwise, return a copy of the original string.

isascii()

Return True if all characters in the string are ASCII, False otherwise.

ASCII characters have code points in the range U+0000-U+007F. Empty string is ASCII too.

islower()

Return True if the string is a lowercase string, False otherwise.

A string is lowercase if all cased characters in the string are lowercase and there is at least one cased character in the string.

isupper()

Return True if the string is an uppercase string, False otherwise.

A string is uppercase if all cased characters in the string are uppercase and there is at least one cased character in the string.

istitle()

Return True if the string is a title-cased string, False otherwise.

In a title-cased string, upper- and title-case characters may only follow uncased characters and lowercase characters only cased ones.

isspace()

Return True if the string is a whitespace string, False otherwise.

A string is whitespace if all characters in the string are whitespace and there is at least one character in the string.

isdecimal()

Return True if the string is a decimal string, False otherwise.

A string is a decimal string if all characters in the string are decimal and there is at least one character in the string.

isdigit()

Return True if the string is a digit string, False otherwise.

A string is a digit string if all characters in the string are digits and there is at least one character in the string.

isnumeric()

Return True if the string is a numeric string, False otherwise.

A string is numeric if all characters in the string are numeric and there is at least one character in the string.

isalpha()

Return True if the string is an alphabetic string, False otherwise.

A string is alphabetic if all characters in the string are alphabetic and there is at least one character in the string.

isalnum()

Return True if the string is an alpha-numeric string, False otherwise.

A string is alpha-numeric if all characters in the string are alpha-numeric and there is at least one character in the string.

isidentifier()

Return True if the string is a valid Python identifier, False otherwise.

Call keyword.iskeyword(s) to test whether string s is a reserved identifier, such as “def” or “class”.

isprintable()

Return True if the string is printable, False otherwise.

A string is printable if all of its characters are considered printable in repr() or if it is empty.

zfill(width, /)

Pad a numeric string with zeros on the left, to fill a field of the given width.

The string is never truncated.

format(*args, **kwargs) str

Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces (‘{’ and ‘}’).

format_map(mapping) str

Return a formatted version of S, using substitutions from mapping. The substitutions are identified by braces (‘{’ and ‘}’).

static maketrans()

Return a translation table usable for str.translate().

If there is only one argument, it must be a dictionary mapping Unicode ordinals (integers) or characters to Unicode ordinals, strings or None. Character keys will be then converted to ordinals. If there are two arguments, they must be strings of equal length, and in the resulting dictionary, each character in x will be mapped to the character at the same position in y. If there is a third argument, it must be a string, whose characters will be mapped to None in the result.

class tritondse.coverage.GlobalCoverage(strategy: CoverageStrategy, branch_strategy: BranchSolvingStrategy)[source]

Bases: CoverageSingleRun

Global Coverage. Represent the overall coverage of the exploration. It is filled by iteratively call merge with the CoverageSingleRun objects created during exploration.

Parameters:
COVERAGE_FILE = 'coverage.json'
add_covered_address(address: tritondse.types.Addr) None

Add an instruction address covered. (Called by :py:obj:`SymbolicExecutor` for each instruction executed)

Parameters:

address (tritondse.types.Addr) – The address of the instruction

add_covered_branch(program_counter: tritondse.types.Addr, taken_addr: tritondse.types.Addr, not_taken_addr: tritondse.types.Addr) None

Add a branch to our covered branches list. Each branch is encoded according to the coverage strategy. For code coverage, the branch encoding is the address of the instruction. For edge coverage, the branch encoding is the tupe (src address, dst address). For path coverage, the branch encoding is the MD5 of the conjunction of all taken branch addresses.

Parameters:
  • program_counter (tritondse.types.Addr) – The address taken in by the branch

  • taken_addr (Addr) – Target address of branch taken

  • not_taken_addr (Addr) – Target address of branch not taken

add_covered_dynamic_branch(source: tritondse.types.Addr, target: tritondse.types.Addr) None

Add a dynamic branch covered. The branch will be encoded according to the coverage strategy.

Parameters:
  • source – Address of the dynamic jump

  • target – Target address on which the jump is performed

Returns:

can_cover_symbolic_pointers(execution: SymbolicExecutor) bool[source]

Determines if this execution has symbolic memory accesses to enumerate. If so we may want to enumerate them even though

can_improve_coverage(other: CoverageSingleRun) bool[source]

Check if some of the non-covered are not already in the global coverage Used to know if an input is relevant to keep or not

Parameters:

other – The CoverageSingleRun to check against our global coverage state

Returns:

bool

clone() GlobalCoverage[source]
covered_instructions: Dict[int, int]

Instruction coverage. Counter for code coverage)

covered_items: Dict[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]], int]

Stores covered items whatever they are

covered_symbolic_pointers: Set[int]

Set of addresses for which pointers have been enumerated

difference(other: CoverageSingleRun) Set[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]]
static from_file(file: str | Path) GlobalCoverage[source]
improve_coverage(other: CoverageSingleRun) bool[source]

Checks if the given object do cover new covitem than the current coverage. More concretely it performs the difference between the two covered dicts. If other contains new items return True.

Parameters:

other – coverage on which to check coverage

Returns:

Whether the coverage covers new items

is_covered(item: int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]) bool

Return whether the item has been covered or not. The item should match the strategy

Parameters:

item (CovItem) – An address, an edge or a path

Returns:

bool

iter_new_paths(path_constraints: List[PathConstraint]) Generator[Tuple[SymExType, List[PathConstraint], PathBranch, int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]], int], SolverStatus | None, None][source]

The function iterate the given path predicate and yield PatchConstraint to consider as-is and PathBranch representing the new branch to take. It acts as a black-box so that the SeedManager does not have to know what strategy is being used under the hood. From an implementation perspective the goal of the function is to manipulate the path WITHOUT doing any SMT related things.

Parameters:

path_constraints – list of path constraint to iterate

Returns:

generator of path constraint and branches to solve. The first tuple item is a list of PathConstraint to add in the path predicate and the second is the branch to solve (but not to keep in path predicate)

merge(other: CoverageSingleRun) None[source]

Merge a CoverageSingeRun instance into this instance

Parameters:

other (CoverageSingleRun) – The CoverageSingleRun to merge into self

new_items_to_cover(other: CoverageSingleRun) Set[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]][source]

Return all coverage items (addresses, edges, paths) that the given CoverageSingleRun can cover if it is possible to negate their branches

Parameters:

other – The CoverageSingleRun to check with our global coverage state

Returns:

A set of CovItem

not_covered_items: Set[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]]
pending_coverage: Set[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]]

Set of pending coverage items. These are items for which a branch as already been solved and

post_execution() None

Function is called after each execution for post-processing or clean-up. (Not doing anything at the moment)

post_exploration(workspace: Workspace) None[source]

Function called at the very end of the exploration. It saves the coverage in the workspace.

Parameters:

workspace (Workspace) – Workspace in which to save coverage

pp_item(covitem: int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]]) str

Pretty print a CovItem according the coverage strategy

Parameters:

covitem – An address, an edge or a path

Returns:

str

strategy: CoverageStrategy

Coverage strategy

to_file(file: str | Path) None[source]
property total_instruction_executed: int
Returns:

The number of total instruction executed

uncoverable_items: Dict[int | Tuple[int, int] | str | Tuple[str, Tuple[int, int]], SolverStatus]

CovItems that are determined not to be coverable.

property unique_covitem_covered: int
Returns:

The number of unique edges covered

property unique_instruction_covered: int
Returns:

The number of unique instructions covered

enum tritondse.CoverageStrategy(value)[source]

Coverage strategy (metric) enum. This enum will change whether a given branch have to be solved or not.

Member Type:

str

Valid values are as follows:

BLOCK = <CoverageStrategy.BLOCK: 'block'>

block coverage, only tracks new basic blocks covered

EDGE = <CoverageStrategy.EDGE: 'edge'>

edge coverage, tracks CFGs edges covered

PATH = <CoverageStrategy.PATH: 'path'>

tracks any new path covered

PREFIXED_EDGE = <CoverageStrategy.PREFIXED_EDGE: 'PREFIXED_EDGE'>

edge coverage but also taking in account path prefix