call z3 to solve constraints

butterunderflow · butterunderflow · commit b75a627a59c8 · 2025-07-19T13:20:40.000+08:00
diff --git a/headers/wasm/concolic_driver.hpp b/headers/wasm/concolic_driver.hpp
@@ -1,11 +1,13 @@
 #ifndef CONCOLIC_DRIVER_HPP
 #define CONCOLIC_DRIVER_HPP
 
+#include "concrete_rt.hpp"
 #include "smt_solver.hpp"
 #include "symbolic_rt.hpp"
 #include <functional>
 #include <ostream>
 #include <string>
+#include <vector>
 
 class ConcolicDriver {
   friend class ManagedConcolicCleanup;
@@ -45,16 +47,19 @@ inline void ConcolicDriver::run() {
       return;
     }
     auto cond = unexplored->collect_path_conds();
-    auto new_env = solver.solve(cond);
-    if (!new_env.has_value()) {
+    std::vector<Num> new_env;
+    std::set<int> valid_ids;
+    auto result = solver.solve(cond);
+    if (!result.has_value()) {
       // TODO: current implementation is buggy, there could be other reachable
       // unexplored paths
       std::cout << "Found an unreachable path, marking it as unreachable..."
                 << std::endl;
       unexplored->fillUnreachableNode();
-      continue;  
+      continue;
     }
-    SymEnv.update(std::move(new_env.value()));
+    std::tie(new_env, valid_ids) = std::move(result.value());
+    SymEnv.update(std::move(new_env), std::move(valid_ids));
     try {
       entrypoint();
       std::cout << "Execution finished successfully with symbolic environment:"
diff --git a/headers/wasm/smt_solver.hpp b/headers/wasm/smt_solver.hpp
@@ -3,26 +3,124 @@
 
 #include "concrete_rt.hpp"
 #include "symbolic_rt.hpp"
+#include "z3++.h"
 #include <array>
+#include <set>
+#include <string>
+#include <tuple>
 #include <vector>
 
 class Solver {
 public:
-  Solver() : count(0) {
-    envs[0] = {Num(0), Num(0)};
-    envs[1] = {Num(1), Num(2)};
-  }
-  std::optional<std::vector<Num>> solve(const std::vector<SymVal> &conditions) {
-    // here is just a placeholder implementation to simulate solving result
-    if (count >= envs.size()) {
-      return std::nullopt; // No more environments to return
+  Solver() {}
+  std::optional<std::tuple<std::vector<Num>, std::set<int>>>
+  solve(const std::vector<SymVal> &conditions) {
+    // make an conjunction of all conditions
+    z3::expr conjunction = z3_ctx.bool_val(true);
+    for (const auto &cond : conditions) {
+      auto z3_cond = build_z3_expr(cond);
+      conjunction = conjunction && z3_cond != z3_ctx.bv_val(0, 32);
+    }
+#ifdef DEBUG
+    std::cout << "Symbolic conditions size: " << conditions.size() << std::endl;
+    std::cout << "Solving conditions: " << conjunction << std::endl;
+#endif
+    // call z3 to solve the condition
+    z3::solver z3_solver(z3_ctx);
+    z3_solver.add(conjunction);
+    switch (z3_solver.check()) {
+    case z3::unsat:
+      return std::nullopt; // No solution found
+    case z3::sat: {
+      z3::model model = z3_solver.get_model();
+      std::vector<Num> result(max_id + 1, Num(0));
+      // Reference:
+      // https://github.com/Z3Prover/z3/blob/master/examples/c%2B%2B/example.cpp#L59
+
+      std::cout << "Solved Z3 model" << model << std::endl;
+      std::set<int> seen_ids;
+      for (unsigned i = 0; i < model.size(); ++i) {
+        z3::func_decl var = model[i];
+        z3::expr value = model.get_const_interp(var);
+        std::string name = var.name().str();
+        if (name.starts_with("s_")) {
+          int id = std::stoi(name.substr(2));
+          seen_ids.insert(id);
+          result[id] = Num(value.get_numeral_int());
+        } else {
+          std::cout << "Find a variable that is not created by GenSym: " << name
+                    << std::endl;
+        }
+      }
+      return std::make_tuple(result, seen_ids);
     }
-    return envs[count++ % envs.size()];
+    case z3::unknown:
+      throw std::runtime_error("Z3 solver returned unknown status");
+    }
+    return std::nullopt; // Should not reach here
   }
 
 private:
-  std::array<std::vector<Num>, 5> envs;
-  int count;
+  z3::context z3_ctx;
+  z3::expr build_z3_expr(const SymVal &sym_val);
 };
 
+inline z3::expr Solver::build_z3_expr(const SymVal &sym_val) {
+  if (auto sym = std::dynamic_pointer_cast<Symbol>(sym_val.symptr)) {
+    return z3_ctx.bv_const(("s_" + std::to_string(sym->get_id())).c_str(), 32);
+  } else if (auto concrete =
+                 std::dynamic_pointer_cast<SymConcrete>(sym_val.symptr)) {
+    return z3_ctx.bv_val(concrete->value.value, 32);
+  } else if (auto binary =
+                 std::dynamic_pointer_cast<SymBinary>(sym_val.symptr)) {
+    auto bit_width = 32;
+    z3::expr zero_bv =
+        z3_ctx.bv_val(0, bit_width); // Represents 0 as a 32-bit bitvector
+    z3::expr one_bv =
+        z3_ctx.bv_val(1, bit_width); // Represents 1 as a 32-bit bitvector
+
+    z3::expr left = build_z3_expr(binary->lhs);
+    z3::expr right = build_z3_expr(binary->rhs);
+    // TODO: make sure the semantics of these operations are aligned with wasm
+    switch (binary->op) {
+    case EQ: {
+      auto temp_bool = left == right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case NEQ: {
+      auto temp_bool = left != right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case LT: {
+      auto temp_bool = left < right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case LEQ: {
+      auto temp_bool = left <= right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case GT: {
+      auto temp_bool = left > right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case GEQ: {
+      auto temp_bool = left >= right;
+      return z3::ite(temp_bool, one_bv, zero_bv);
+    }
+    case ADD: {
+      return left + right;
+    }
+    case SUB: {
+      return left - right;
+    }
+    case MUL: {
+      return left * right;
+    }
+    case DIV: {
+      return left / right;
+    }
+    }
+  }
+  throw std::runtime_error("Unsupported symbolic value type");
+}
 #endif // SMT_SOLVER_HPP
diff --git a/headers/wasm/symbolic_rt.hpp b/headers/wasm/symbolic_rt.hpp
@@ -9,6 +9,7 @@
 #include <memory>
 #include <optional>
 #include <ostream>
+#include <set>
 #include <string>
 #include <variant>
 #include <vector>
@@ -19,9 +20,13 @@ class Symbolic {
   virtual ~Symbolic() = default; // Make Symbolic polymorphic
 };
 
+static int max_id = 0;
+
 class Symbol : public Symbolic {
 public:
-  Symbol(int id) : id(id) {}
+  // TODO: add type information to determine the size of bitvector
+  // for now we just assume that only i32 will be used
+  Symbol(int id) : id(id) { max_id = std::max(max_id, id); }
   int get_id() const { return id; }
 
 private:
@@ -190,7 +195,7 @@ static SymFrames_t SymFrames;
 struct Node;
 
 struct NodeBox {
-  explicit NodeBox();
+  explicit NodeBox(NodeBox *parent);
   std::unique_ptr<Node> node;
   NodeBox *parent;
 
@@ -247,9 +252,9 @@ struct IfElseNode : Node {
   std::unique_ptr<NodeBox> true_branch;
   std::unique_ptr<NodeBox> false_branch;
 
-  IfElseNode(SymVal cond)
-      : cond(cond), true_branch(std::make_unique<NodeBox>()),
-        false_branch(std::make_unique<NodeBox>()) {}
+  IfElseNode(SymVal cond, NodeBox *parent)
+      : cond(cond), true_branch(std::make_unique<NodeBox>(parent)),
+        false_branch(std::make_unique<NodeBox>(parent)) {}
 
   std::string to_string() override {
     std::string result = "IfElseNode {\n";
@@ -357,15 +362,15 @@ struct Unreachable : Node {
   }
 };
 
-inline NodeBox::NodeBox()
+inline NodeBox::NodeBox(NodeBox *parent)
     : node(std::make_unique<UnExploredNode>()),
       /* TODO: avoid allocation of unexplored node */
-      parent(nullptr) {}
+      parent(parent) {}
 
 inline std::monostate NodeBox::fillIfElseNode(SymVal cond) {
   // fill the current NodeBox with an ifelse branch node it's unexplored
   if (dynamic_cast<UnExploredNode *>(node.get())) {
-    node = std::make_unique<IfElseNode>(cond);
+    node = std::make_unique<IfElseNode>(cond, this);
   }
   assert(dynamic_cast<IfElseNode *>(node.get()) != nullptr &&
          "Current node is not an IfElseNode, cannot fill it!");
@@ -425,7 +430,7 @@ inline std::vector<SymVal> NodeBox::collect_path_conds() {
 class ExploreTree_t {
 public:
   explicit ExploreTree_t()
-      : root(std::make_unique<NodeBox>()), cursor(root.get()) {}
+      : root(std::make_unique<NodeBox>(nullptr)), cursor(root.get()) {}
 
   void reset_cursor() {
     // Reset the cursor to the root of the tree
@@ -513,13 +518,22 @@ static ExploreTree_t ExploreTree;
 class SymEnv_t {
 public:
   Num read(SymVal sym) {
-    return Num(0);
     auto symbol = dynamic_cast<Symbol *>(sym.symptr.get());
     assert(symbol);
+    if (symbol->get_id() >= map.size()) {
+      map.resize(symbol->get_id() + 1);
+    }
+#if DEBUG
+    std::cout << "Read symbol: " << symbol->get_id()
+              << " from symbolic environment" << std::endl;
+    std::cout << "Current symbolic environment: " << to_string() << std::endl;
+#endif
     return map[symbol->get_id()];
   }
 
-  void update(std::vector<Num> new_env) { map = std::move(new_env); }
+  void update(std::vector<Num> new_env, std::set<int> valid_ids) {
+    map = std::move(new_env);
+  }
 
   std::string to_string() const {
     std::string result;
@@ -534,7 +548,8 @@ class SymEnv_t {
   }
 
 private:
-  std::vector<Num> map; // The symbolic environment, a vector of Num
+  std::vector<Num> map;    // The symbolic environment, a vector of Num
+  std::set<int> valid_ids; // The set of valid IDs in the symbolic environment
 };
 
 static SymEnv_t SymEnv;
