Generate better .path files #473
Conversation
|
Hi @jirislaby , I'm happy to see this feature being tackled -- in fact I have already opened an issue about this a long time ago (see #55) but never managed to do it. I won't have time to review it just now, but I'll take a look as soon as I can, as I'd like to get the details right. |
|
On 09/29/2016, 01:42 PM, Cristian Cadar wrote:
Haha, it just reminds me I opened #273 one year ago :). BTW, in the current state, it breaks all the travis builds. It's P.S. we successfully used the output in the last year SV_COMP (converted js |
@jirislaby It is less straightforward than that. The current test fails because the replay functionality of KLEE does not work anymore with the new encoding of the |
jirislaby
force-pushed
the
better-paths
branch
6 times, most recently
from
8ae9dd8
to
01c4a0a
Compare
|
@jirislaby Thanks for your improved patch! I have only a couple of questions/comments:
|
jirislaby
force-pushed
the
better-paths
branch
from
01c4a0a
to
ef2ef6f
Compare
|
On 10/07/2016, 02:53 PM, Andrea Mattavelli wrote:
Fixed.
Theoretically, it can loop infinitely, of course. If we want to avoid But if there is some problem anywhere (like one which would have caused So whatever you prefer, I will rewrite the change accordingly :). thanks,js |
Right, but I would just check for the correctness of the returned value, and terminate. If something went wrong, there's nothing we can do, right? You might want to consider using |
jirislaby
force-pushed
the
better-paths
branch
from
ef2ef6f
to
731982a
Compare
|
I eliminated tellg completely :). |
@jirislaby Great! LGTM, but I give @ccadar the opportunity to comment. |
| @@ -18,6 +18,19 @@ namespace klee { | |||
| typedef unsigned TreeStreamID; | |||
| class TreeOStream; | |||
|
|
|||
| struct PathLocation { | |||
There was a problem hiding this comment.
@jirislaby This is a good idea but implementation wise you'll have a problem according to memory usage and performance.
Before you had one char per decision to make,
now you have: 1 char, a string potentially quite long, an int.
Normally, you'll generate a lot of entries per state.
Instead, I recommend you to use a reference to KInstruction and during printing the test case access that information.
Beside that, idea is great.
There was a problem hiding this comment.
@MartinNowack It's a good point, and some time ago I implemented this feature using KInstruction. The main issue (but maybe is due to my limited development skills) is the replay feature: do you want to instantiate (reading from the file!) the KInstruction? I don't think it is a good idea, but maybe you already have a better option.
There was a problem hiding this comment.
Right now, we discard everything from the .path file during replay except for the branch decision. So we're paying the price for extra memory consumption, without getting any benefits. As I mentioned before, we should indeed read the location back and use it to double-check that the replay proceeds correctly. However, we could leave this for later and just change PathLocation to have a reference to a KInstruction. @jirislaby , would you be happy with this decision?
|
Thanks again, @jirislaby . I agree with the current decision, argued by @andreamattavelli , of breaking backwards-compatibility with the old .path format, as I don't think it was used much. I agree with @MartinNowack regarding memory consumption. It could be addressed as suggested, although there are advantages to be able to just load a vector of |
|
@jirislaby Your code works just fine (but I guess you already know it). Unfortunately, on large runs the cost of dumping paths is tremendous: 30x-50x. |
|
I appreciate any help to move this forward :). I haven't had enough time to look into it yet. |
|
Looking into this again, I don't quite understand how do you want me to proceed. Compressing suggested by @andreamattavelli can be clearly done, there should be no issue with that. But adding a |
|
Hi @jirislaby, sorry for the late response.
Yes, I suppose it is doable (based on infinite effort :) ).
As I mentioned in my comment before, this is tricky. What I would attempt to do now is to just focus on serializing the |
|
I do want to point out that using only '0' and '1' as branch direction is not enough. I had similar need as the @jirislaby had, track down the execution path (source code line by line) for both correct and erroneous executions. I extended klee with my own function, that processes the bytecode to form a graph, and reads in the path info at the same time .ktest files are generated. Using both path info and the bytecode graph I got what I needed. My question is why do we have to stay with using '0' and '1' to record the branch decisions. |
|
Hi @gladtbx , this is what this PR is trying to accomplish. @jirislaby , I have some free cycles this week, and I could try to amend this along the lines we discussed, but only if it's not already on your todo list for the week :) |
|
Do we have to dump the branch info to files along the execution? And do we have to dump the info as string? I wonder because I would like to use some of the existing path info when picking new executionstate to advance. Dumping and reading from file is kind of painful to me. However I am OK with whatever decision you make. Thanks for your work @jirislaby . |
Another option is only record the branch decisions when doing serialization. Path info can be added at deserialization time. I have my code implemented this way. It avoids the overhead of recording KInstructions mutliple times, at a cost of additional processing time for each test case. |
Definitely not this week :). But I can test whatever you come up with. |
@gladtbx is the code available somewhere? |
|
Sorry, it looks like I overestimated my free time. I might still do this at some point, but cannot promise a due date. But I'm happy to help with a review, I think we have now agreed on how to implement this. |
We need witnesses for the upcoming SV-COMP. For that purpose we need to know the path through the source file. I.e. sequence of code lines how to get to an erroneous location. I implemented it though the generated .path files. Instead of emitting only a number 0/1 (false branch/true branch), I also put there file name and line number. This implements issue klee#55. Signed-off-by: Jiri Slaby <jslaby@suse.cz>
|
Given the age of the PR, I'll close it and move it to the KLEE Extensions project https://github.com/klee/klee/projects/4 |
We need witnesses for the upcoming SV-COMP. For that purpose we need to know the path through the source file. I.e. sequence of code lines how to get to an erroneous location. I implemented it though the generated .path files. Instead of emitting only a number 0/1 (false branch/true branch), I also put there file name and line number.
I guess this won't be merged as-is. Rather I would like to hear some feedback how you prefer to do it?