The current implementation for showing the stack trace of a crash for an unsafe function works by creating a modified copy of the Rust source code being analyzed.

In particular, it renames the original main function to _main and creates a new main function that calls the function being analyzed with arguments that cause the program to crash. This renaming of main to _main will probably cause issues if we try to analyze main (since it should now call _main instead of main).

We can consider what happens if _main already exists or we can maybe leave that as an unsupported edge case; it is easy enough for a user to manually rename a _main function to something else before using this tool.

Currently, the get_var_name function and code checking variable types parse magic strings.

We should find a less brittle alternative if possible.

Currently only i32 and i1 (bool) variables have their domain properly constrained.

This sort of constraint should be applied to all types we support in the future.

We make sure that the performance comparisons between KLEE and Wombat SymX are between equivalent actions.

Specifically, we should not include the compilation time of the Rust source code in Wombat SymX performance time if such compilation is not timed in the KLEE workflow.

Currently the panic function is matched to _ZN4core9panicking5panic17he60bb304466ccbafE which is not stable across machines (and possibly Rust/LLVM builds).

We need to find a way to identify such functions reliably to do codegen for LLVM call instructions.

Given a Phi instruction in basic block bb3 assigning x <- 1 when coming from bb1 and x <- 2 when coming from bb2, it is not correct to push the assignments into the bb1 and bb2 nor is it correct to condition the assignment based on the entry conditions from bb1 to bb3 and from bb2 to bb3.

This is because such a solution for converting to dynamic single assignment incorrectly assumes that bb1 and bb2 are never in the same execution path of the control flow graph. An example of this issue is having bb1 -> bb2, bb1 -> bb3, and bb2 -> bb3 as edges in our control flow graph.

To fix this, we can create intermediate dummy nodes for each edge in the original graph that are either empty or contain the assignments for the Phi instructions of its successor. These intermediate blocks always go to their destination unconditionally. This means only one such block can be in a path to a given node (due to the control flow graph being assumed to be acyclic so we must not enter the same destination node twice through the two nodes in a given execution path).

Currently all signed integer types below i128 are supported (ie. i1, i8, i16, i32, i64). Since the Z3 Int types were created using from_i64, this could not be immediately extended to i128.

This can probably be implemented still through using other init functions for Z3 Ints.

Relevant:

Issue: #9

PR #27

The current code on master is wrong for test3 (unsafe).
Patched: 17f9b0a

The i16 bounds have a typo causing them to be bounded as if they were i8s.

An automatic test suite will help catch regressions and should be easy to implement to for this sort of project.

If Phi functions in a basic block are always independent, then their relative order of assignment (within such a basic block) does not matter.

Double check order of parsing Phi statements in basic block.

The documentation of LLVM suggests the operand order of predicate, true_block, false_block. However, inkwell switches the order of true_block and false_block. We should suggest inkwell add this to their documentation.

The project currently assumes variables are either type i32 or i1.

We should find a scalable way to support the full range of LLVM types.

What happens if a signed type is compared to an unsigned type? Is this even possible?