Warning: this does not work correctly with tests that soft fail, e.g.
via a `CHECK` assertion. This is because the soft failures only update
the child's `DeepState_TestFailed` global variable, but do not exit.
What we will soon do is share memory with the child process, and derive
the "test result" from that shared memeory.
In take-over mode, the "test" is the entire binary being executed as a
child process. So, we want to exit, rather than trying to `longjmp()` to
`DeepState_ReturnToRun`, which was never initialized.
Now we have API parity with the angr executor, and return 1 from
`DeepState_TakeOver()` when it is hooked for symbolic execution under
the Manticore backend.
- Add `--take_over` flag
- Allow running tests from non-function instruction addr
- Hook `DeepState_TakeOver()` with a `SimProcedure` that returns 1
- Make a fake test case that starts after `TakeOver` returns
This matches the command-line API described in the paper, and lets users
invoke the Manticore backend without relying on the fact that it is the
default (which might change).
Clarify the readme:
* incorporated the paper reference into the first paragraph so it gets excerpted together
* removed a lot of extraneous guidance from the building and installing sections
* added a new contributing section that notes the "good first issue" label, bounties, and our Slack
* noted the the best usage guidance is available in the examples and readme for now
We only want to save a `.crash` file if the input would cause a crash
when executing using the native harness. The old impl treated any state
termination as a crash. Now we add a predicate which checks the `reason`
and decides if the termination represents a crash in the program being
analyzed.
For now, we only flag `InvalidMemoryAccess` exceptions as crashes, as
identified by the `message` property on a `TerminateState` exception.
We don't just want to exit here, but `longjmp()` back to the conditional
via a call to `DeepState_Fail()`. In doing so, we end up in the common
`DeepState_CatchFail()` branch, which exits with the same nonzero error
code, but also saves the test case if appropriate.
