Generative-Program-Analysis · butterunderflow · Jul 5, 2025 · Jul 7, 2025 · Jul 7, 2025 · Jul 7, 2025
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
@@ -79,3 +79,4 @@ jobs:
         sbt 'testOnly gensym.wasm.TestConcolic'
         sbt 'testOnly gensym.wasm.TestDriver'
         sbt 'testOnly gensym.wasm.TestStagedEval'
+        sbt 'testOnly gensym.wasm.TestStagedConcolicEval'
diff --git a/benchmarks/wasm/Makefile b/benchmarks/wasm/Makefile
@@ -0,0 +1,7 @@
+.PHONY: clean
+
+clean:
+	find . -type f -name '*.cpp' -delete
+	find . -type f -name '*.cpp.exe' -delete
+	find . -type d -name '*.dSYM' -exec rm -rf {} +
+	find . -type f -name '*.dot' -delete
diff --git a/benchmarks/wasm/branch-strip-buggy.wat b/benchmarks/wasm/branch-strip-buggy.wat
@@ -29,6 +29,7 @@
       else
         i32.const 0
         call 2
+        i32.const 1 ;; to satisfy the type checker, this line will never be reached
       end
     end
   )

diff --git a/benchmarks/wasm/btree/2o1u-unlabeled.wat b/benchmarks/wasm/btree/2o1u-unlabeled.wat
@@ -2626,9 +2626,12 @@
     i32.and
     drop)
   (func (;7;) (type 4)
-    i32.const 3
     i32.const 2
+    i32.symbolic
     i32.const 1
+    i32.symbolic
+    i32.const 0
+    i32.symbolic
     call 6)
   (memory (;0;) 2)
   (export "main" (func 7))

diff --git a/benchmarks/wasm/global-sym.wat b/benchmarks/wasm/global-sym.wat
@@ -0,0 +1,21 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (type (;2;) (func (param i32) (result i32)))
+
+  (func (;0;) (type 2) (param i32) (result i32)
+    local.get 0
+    global.set 0
+    global.get 0
+  )
+  (func (;1;) (type 1)
+    i32.const 0
+    i32.symbolic
+    ;; TODO Somehow this value is always 0?
+    call 0
+    )
+  (start 1)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+  (global (;0;) (mut i32) (i32.const 42))
+)
diff --git a/benchmarks/wasm/load-offset.wat b/benchmarks/wasm/load-offset.wat
@@ -0,0 +1,19 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (func (;0;) (type 0) (result i32)
+    i32.const 0
+    i32.const 256
+    i32.store 
+    i32.const 0
+    i32.load offset=1
+  )
+  (func (;1;) (type 1)
+    call 0
+    ;; should be 1
+    ;; drop
+  )
+  (start 1)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+)
diff --git a/benchmarks/wasm/load-overflow1.wat b/benchmarks/wasm/load-overflow1.wat
@@ -0,0 +1,19 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (func (;0;) (type 0) (result i32)
+    i32.const 0
+    i32.const 256
+    i32.store 
+    i32.const 1
+    i32.load
+  )
+  (func (;1;) (type 1)
+    call 0
+    ;; should be 1
+    ;; drop
+  )
+  (start 1)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+)
diff --git a/benchmarks/wasm/load-overflow2.wat b/benchmarks/wasm/load-overflow2.wat
@@ -0,0 +1,19 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (func (;0;) (type 0) (result i32)
+    i32.const 0
+    i32.const 65536
+    i32.store 
+    i32.const 2
+    i32.load
+  )
+  (func (;1;) (type 1)
+    call 0
+    ;; should be 1
+    ;; drop
+  )
+  (start 1)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+)
diff --git a/benchmarks/wasm/load.wat b/benchmarks/wasm/load.wat
@@ -10,7 +10,7 @@
   )
   (func (;1;) (type 1)
     call 0
-    ;; should be 65536
+    ;; should be 1
     ;; drop
     )
   (start 1)

diff --git a/benchmarks/wasm/mem-sym-extract.wat b/benchmarks/wasm/mem-sym-extract.wat
@@ -0,0 +1,32 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (type (;2;) (func (param i32) (result i32)))
+  (type (;3;) (func (param i32)))
+  (import "console" "assert" (func (type 3)))
+  (func (;1;) (type 2) (param i32) (result i32)
+    i32.const 0
+    local.get 0
+    i32.store
+    i32.const 0
+    i32.load
+    i32.const 1
+    i32.eq
+    if (result i32)  ;; if x == 256
+      i32.const 1 ;; return 1
+    else
+      i32.const 0 
+      call 0 ;; assert false
+      i32.const 1 ;; to satisfy the type checker, this line will never be reached
+    end
+  )
+  (func (;2;) (type 1)
+    i32.const 0
+    i32.symbolic ;; call it x
+    call 1
+  )
+  (start 2)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+  (global (;0;) (mut i32) (i32.const 42))
+)
diff --git a/benchmarks/wasm/mem-sym.wat b/benchmarks/wasm/mem-sym.wat
@@ -0,0 +1,43 @@
+(module
+  (type (;0;) (func (result i32)))
+  (type (;1;) (func))
+  (type (;2;) (func (param i32) (result i32)))
+  (type (;3;) (func (param i32)))
+  (import "console" "assert" (func (type 3)))
+  (func (;1;) (type 2) (param i32) (result i32)
+    i32.const 0
+    local.get 0
+    i32.store
+    i32.const 0
+    i32.load
+    i32.const 25
+    i32.eq
+    if (result i32)  ;; if x == 25
+      i32.const 0 
+      call 0 ;; assert false
+      i32.const 1 ;; to satisfy the type checker, this line will never be reached
+    else
+      i32.const 1
+      i32.load
+      i32.const 1
+      i32.eq
+      if (result i32) ;; if x >> 8 == 1
+        i32.const 0
+        call 0 ;; assert false
+        i32.const 1 ;; to satisfy the type checker, this line will never be reached
+      else
+        i32.const 1
+      end
+      i32.const 1
+    end
+  )
+  (func (;2;) (type 1)
+    i32.const 0
+    i32.symbolic ;; call it x
+    call 1
+  )
+  (start 2)
+  (memory (;0;) 2)
+  (export "main" (func 1))
+  (global (;0;) (mut i32) (i32.const 42))
+)
diff --git a/benchmarks/wasm/staged/brtable_concolic.wat b/benchmarks/wasm/staged/brtable_concolic.wat
@@ -0,0 +1,22 @@
+(module $brtable
+  (global (;0;) (mut i32) (i32.const 1048576))
+  (type (;0;) (func (param i32)))
+  (func (;0;) (type 1) (result i32)
+    i32.const 2
+    (block
+      (block
+        (block
+          i32.const 0
+          i32.symbolic
+          br_table 0 1 2 0 ;; br_table will consume an element from the stack
+        )
+        i32.const 1
+        call 1
+        br 1
+      )
+      i32.const 0
+      call 1
+    )
+  )
+  (import "console" "assert" (func (type 0)))
+  (start 0))
diff --git a/benchmarks/wasm/staged/return_poly.wat b/benchmarks/wasm/staged/return_poly.wat
@@ -0,0 +1,19 @@
+(module
+  (type (;0;) (func))
+  (type (;1;) (func (result i32))) 
+  ;; TODO: It seems that our parser or preprocessor has some problems; the result type of the last line doesn't take effect
+  (func (result i32)
+    block
+      i32.const 21
+      i32.const 35
+      i32.const 42
+      return
+    end
+    i32.const 100
+  )
+  (func (type 0)
+    call 0
+    ;; unreachable
+  )
+  (export "$real_main" (func 1))
+)
diff --git a/benchmarks/wasm/staged/simple_global.wat b/benchmarks/wasm/staged/simple_global.wat
@@ -0,0 +1,22 @@
+(module $simple_global
+  (type (;0;) (func (param i32 i32) (result i32)))
+  (type (;1;) (func (result i32)))
+  (type (;2;) (func (param i32)))
+  (func $real_main (type 1) (result i32)
+    (local i32)
+    i32.const 0
+    i32.symbolic
+    local.tee 0
+    local.get 0
+    global.set 0
+    if
+    else
+      i32.const 0
+      call 1
+    end)
+  (import "console" "assert" (func (type 2)))
+  (memory (;0;) 16)
+  (global $__stack_pointer (mut i32) (i32.const 1048576))
+  (global (;1;) i32 (i32.const 1048576))
+  (global (;2;) i32 (i32.const 1048576))
+  (export "real_main" (func 0)))
diff --git a/headers/wasm.hpp b/headers/wasm.hpp
@@ -2,5 +2,7 @@
 #define WASM_HEADERS
 
 #include "wasm/concrete_rt.hpp"
-
+#include "wasm/symbolic_rt.hpp"
+#include "wasm/concolic_driver.hpp"
+#include "wasm/utils.hpp"
 #endif
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ @@
           else
             i32.const 0
             call 2
+            i32.const 1 ;; to satisfy the type checker, this line will never be reached
           end
         end
       )
@@ Expand Down @@