KLEE crashes on Coreutils / dwarfdump #8

Closed
andreamattavelli opened this issue Aug 1, 2017 · 3 comments

@andreamattavelli
Collaborator

KLEE consistently crashes when run on Coreutils while looking for StoreInst:

andrea@ruchill:~/work/klee-slicing/klee-slicing-experiments/coreutils$ /home/andrea/work/klee-slicing/klee-build/bin/klee --stats-write-interval=1500 --istats-write-interval=1500 --simplify-sym-indices --output-module --max-memory=4095 --allocate-determ=true --allocate-determ-size=4095 --allocate-determ-start-address=0x7ffef66f3000 --max-sym-array-size=4096 --disable-inlining --use-forked-solver --use-cex-cache --libc=uclibc --posix-runtime --allow-external-sym-calls --only-output-states-covering-new --watchdog --max-memory-inhibit=false --max-static-fork-pct=1 --max-static-solve-pct=1 --max-static-cpfork-pct=1 --switch-type=internal --dump-states-on-halt=false --environ=/tmp/test.env --run-in=/tmp/sandbox --max-instruction-time=200. --max-solver-time=200. --max-time=4000. --search=random-state  --exit-on-error-type=Ptr --skip-functions=usage /home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc --sym-args 0 1 10 --sym-args 0 2 2 --sym-files 1 8 --sym-stdin 8 --sym-stdout
KLEE: KLEE: WATCHDOG: watching 17942

KLEE: NOTE: Using klee-uclibc : /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/klee-out-5"
Using STP solver backend
KLEE: Deterministic memory allocation starting from 0x7ffef66f3000
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
KLEE: WARNING: undefined reference to function: __crit_100_0
[...]
KLEE: WARNING: undefined reference to function: __crit_9_1
KLEE: WARNING: undefined reference to function: __ctype_b_loc
KLEE: WARNING: undefined reference to function: freelocale
KLEE: WARNING: undefined reference to function: newlocale
KLEE: WARNING: undefined reference to function: strtold_l
KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 140733032923104)
KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: calling external: newlocale(8127, 140733032908096, 0)
KLEE: WARNING ONCE: calling external: strtold_l(140733032932552, 140733032962168, 46912528022368)
KLEE: WARNING ONCE: calling external: freelocale(46912528022368)
KLEE: WARNING ONCE: calling external: vprintf(140733032911768, 140733032989456)
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: invalid option -- 
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: option requires an argument -- 
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: invalid option -- 
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: option requires an argument -- 
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: invalid option -- 
/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/seq.bc: invalid option -- 
INFO: Points-to analysis took 0 sec 0 ms
Had no PTA node  %229 = load i64 (%struct.__STDIO_FILE_STRUCT.286*, i64, i64, i64)** %fp_outfunc.addr, align 8, !dbg !2868
klee: /home/andrea/work/klee-slicing/dg/src/llvm/analysis/ReachingDefinitions/ReachingDefinitions.cpp:305: dg::analysis::rd::RDNode* dg::analysis::rd::LLVMRDBuilder::createStore(const llvm::Instruction*): Assertion `pts && "Don't have the points-to information for store"' failed.
0  libSlicing.so   0x00002aaaab266302 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1  libSlicing.so   0x00002aaaab265a74
2  libpthread.so.0 0x00002aaaabaa8390
3  libc.so.6       0x00002aaaac58a428 gsignal + 56
4  libc.so.6       0x00002aaaac58c02a abort + 362
5  libc.so.6       0x00002aaaac582bd7
6  libc.so.6       0x00002aaaac582c82
7  libLLVMdg.so    0x00002aaaad03f327 dg::analysis::rd::LLVMRDBuilder::createStore(llvm::Instruction const*) + 187
8  libLLVMdg.so    0x00002aaaad03f9c0 dg::analysis::rd::LLVMRDBuilder::buildBlock(llvm::BasicBlock const&) + 542
9  libLLVMdg.so    0x00002aaaad03ff1b dg::analysis::rd::LLVMRDBuilder::buildFunction(llvm::Function const&) + 351
10 libLLVMdg.so    0x00002aaaad04118b dg::analysis::rd::LLVMRDBuilder::build() + 151
11 libSlicing.so   0x00002aaaaaf05df4 dg::analysis::rd::LLVMReachingDefinitions::run() + 48
12 libSlicing.so   0x00002aaaaaf00486 Slicer::computeEdges() + 202
13 libSlicing.so   0x00002aaaaaf001cf Slicer::mark() + 503
14 libSlicing.so   0x00002aaaaaeffe81 Slicer::run() + 149
15 libSlicing.so   0x00002aaaaaf3229d SliceGenerator::generateSlice(llvm::Function*, unsigned int, ModRefAnalysis::SideEffectType) + 805
16 klee            0x000000000053cf6c klee::Executor::getSlice(llvm::Function*, unsigned int, ModRefAnalysis::SideEffectType) + 108
17 klee            0x0000000000544571 klee::Executor::executeCall(klee::ExecutionState&, klee::KInstruction*, llvm::Function*, std::vector<klee::ref<klee::Expr>, std::allocator<klee::ref<klee::Expr> > >&) + 753
18 klee            0x000000000054961a klee::Executor::executeInstruction(klee::ExecutionState&, klee::KInstruction*) + 14874
19 klee            0x000000000054bbc7 klee::Executor::run(klee::ExecutionState&) + 1927
20 klee            0x000000000054c42d klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) + 1901
21 klee            0x0000000000516ab6 main + 12998
22 libc.so.6       0x00002aaaac575830 __libc_start_main + 240
23 klee            0x0000000000526f29 _start + 41
KLEE: WARNING: KLEE: watchdog exiting (no child)

There's something fundamentally wrong in how we compute the mod/ref set.

@davidtr1037
Owner

I don't think that it is related to the mod-ref, it is probably something in the slicer.
Can you attach the bitcode file?

@andreamattavelli
Collaborator Author

@davidtr1037 you can find the script to build coreutils 6.10 on our repository for experiments

@andreamattavelli
Collaborator Author

@davidtr1037 same issue appears also in dwarfdump

andreamattavelli changed the title from "KLEE crashes on Coreutils" to "KLEE crashes on Coreutils / dwarfdump" on Aug 4, 2017