chopper
KLEE crashes on Coreutils 6.10 ptx
Invocation:
/home/andrea/work/klee-slicing/klee-build/bin/klee --posix-runtime -libc=uclibc --search=random-state --max-time=360. --skip-functions=usage,quotearg ptx.bc --sym-args 0 1 10 --sym-args 0 2 2 --sym-files 1 8 --sym-stdin 8 --sym-stdout
Output:
...
%2 = load i8* %1, align 1, !dbg !4400
Not able to retrieve address for LoadInst
UNREACHABLE executed at /home/andrea/work/klee-slicing/klee/lib/Core/Executor.cpp:4248!
0 libSlicing.so 0x00002aaaab266302 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1 libSlicing.so 0x00002aaaab265a74
2 libpthread.so.0 0x00002aaaabaa8390
3 libc.so.6 0x00002aaaac58a428 gsignal + 56
4 libc.so.6 0x00002aaaac58c02a abort + 362
5 libSlicing.so 0x00002aaaab236fb0 LLVMInstallFatalErrorHandler + 0
6 klee 0x00000000005398ad klee::Executor::getLoadInfo(klee::ExecutionState&, klee::KInstruction*, unsigned long&, unsigned long&, std::pair<llvm::Value const*, unsigned long>&) + 1101
7 klee 0x00000000005399a4 klee::Executor::getAllRecoveryInfo(klee::ExecutionState&, klee::KInstruction*, std::__cxx11::list<klee::ref<klee::RecoveryInfo>, std::allocator<klee::ref<klee::RecoveryInfo> > >&) + 132
8 klee 0x00000000005452ff klee::Executor::handleMayBlockingLoad(klee::ExecutionState&, klee::KInstruction*) + 47
9 klee 0x0000000000549344 klee::Executor::executeInstruction(klee::ExecutionState&, klee::KInstruction*) + 15716
10 klee 0x000000000054b5a7 klee::Executor::run(klee::ExecutionState&) + 1927
11 klee 0x000000000054be0d klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) + 1901
12 klee 0x0000000000516b96 main + 12998
13 libc.so.6 0x00002aaaac575830 __libc_start_main + 240
14 klee 0x0000000000526fc9 _start + 41
Aborted (core dumped)
The problematic load seems to be located in uClibc: klee-uclibc/libc/string/strlen.c
Another crash:
andrea@ruchill:~/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src$ ~/work/klee-slicing/klee-build/bin/klee -search=random-state -skip-functions=copy_unescaped_string,getenv,getopt_long -posix-runtime -libc=uclibc ./ptx.bc --sym-args 0 1 10 --sym-args 0 2 2 --sym-files 1 8 --sym-stdin 8 --sym-stdout
KLEE: NOTE: Using klee-uclibc : /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/coreutils/coreutils-6.10/obj-llvm/src/./klee-out-12"
Using STP solver backend
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
KLEE: WARNING: undefined reference to function: __crit_100_0
[..]
KLEE: WARNING: undefined reference to function: __ctype_b_loc
KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 211324704)
KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: calling external: vprintf(207663136, 215104176)
Try `./ptx.bc --help' for more information.
KLEE: WARNING ONCE: calling close_stdout with extra arguments.
INFO: Points-to analysis took 0 sec 0 ms
Had no PTA node %229 = load i64 (%struct.__STDIO_FILE_STRUCT.290*, i64, i64, i64)** %fp_outfunc.addr, align 8, !dbg !4716
klee: /home/andrea/work/klee-slicing/dg/src/llvm/analysis/ReachingDefinitions/ReachingDefinitions.cpp:305: dg::analysis::rd::RDNode* dg::analysis::rd::LLVMRDBuilder::createStore(const llvm::Instruction*): Assertion `pts && "Don't have the points-to information for store"' failed.
0 libSlicing.so 0x00002aaaab266302 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1 libSlicing.so 0x00002aaaab265a74
2 libpthread.so.0 0x00002aaaabaa8390
3 libc.so.6 0x00002aaaac58a428 gsignal + 56
4 libc.so.6 0x00002aaaac58c02a abort + 362
5 libc.so.6 0x00002aaaac582bd7
6 libc.so.6 0x00002aaaac582c82
7 libLLVMdg.so 0x00002aaaad03f327 dg::analysis::rd::LLVMRDBuilder::createStore(llvm::Instruction const*) + 187
8 libLLVMdg.so 0x00002aaaad03f9c0 dg::analysis::rd::LLVMRDBuilder::buildBlock(llvm::BasicBlock const&) + 542
9 libLLVMdg.so 0x00002aaaad03ff1b dg::analysis::rd::LLVMRDBuilder::buildFunction(llvm::Function const&) + 351
10 libLLVMdg.so 0x00002aaaad03fcda dg::analysis::rd::LLVMRDBuilder::createCallToFunction(llvm::Function const*) + 220
11 libLLVMdg.so 0x00002aaaad040b3e dg::analysis::rd::LLVMRDBuilder::createCall(llvm::Instruction const*) + 458
12 libLLVMdg.so 0x00002aaaad03fa0b dg::analysis::rd::LLVMRDBuilder::buildBlock(llvm::BasicBlock const&) + 617
13 libLLVMdg.so 0x00002aaaad03ff1b dg::analysis::rd::LLVMRDBuilder::buildFunction(llvm::Function const&) + 351
14 libLLVMdg.so 0x00002aaaad04118b dg::analysis::rd::LLVMRDBuilder::build() + 151
15 libSlicing.so 0x00002aaaaaf05df4 dg::analysis::rd::LLVMReachingDefinitions::run() + 48
16 libSlicing.so 0x00002aaaaaf00486 Slicer::computeEdges() + 202
17 libSlicing.so 0x00002aaaaaf001cf Slicer::mark() + 503
18 libSlicing.so 0x00002aaaaaeffe81 Slicer::run() + 149
19 libSlicing.so 0x00002aaaaaf3229d SliceGenerator::generateSlice(llvm::Function*, unsigned int, ModRefAnalysis::SideEffectType) + 805
20 klee 0x000000000053cf6c klee::Executor::getSlice(llvm::Function*, unsigned int, ModRefAnalysis::SideEffectType) + 108
21 klee 0x0000000000544571 klee::Executor::executeCall(klee::ExecutionState&, klee::KInstruction*, llvm::Function*, std::vector<klee::ref<klee::Expr>, std::allocator<klee::ref<klee::Expr> > >&) + 753
22 klee 0x000000000054961a klee::Executor::executeInstruction(klee::ExecutionState&, klee::KInstruction*) + 14874
23 klee 0x000000000054bbc7 klee::Executor::run(klee::ExecutionState&) + 1927
24 klee 0x000000000054c42d klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) + 1901
25 klee 0x0000000000516ab6 main + 12998
26 libc.so.6 0x00002aaaac575830 __libc_start_main + 240
27 klee 0x0000000000526f29 _start + 41
Aborted (core dumped)
@davidtr1037 what's happening?
After the latest update on se-slicing:
/home/andrea/work/klee-slicing/klee-build/bin/klee --stats-write-interval=1500 --istats-write-interval=1500 --simplify-sym-indices --output-module --max-memory=4095 --allocate-determ=true --allocate-determ-size=4095 --allocate-determ-start-address=0x7ffef66f3000 --max-sym-array-size=4096 --disable-inlining --use-forked-solver --use-cex-cache --libc=uclibc --posix-runtime --allow-external-sym-calls --only-output-states-covering-new --max-memory-inhibit=false --max-static-fork-pct=1 --max-static-solve-pct=1 --max-static-cpfork-pct=1 --switch-type=internal --dump-states-on-halt=false --environ=/tmp/test.env --run-in=/tmp/sandbox --max-instruction-time=200. --max-solver-time=200. --max-time=4000. --search=random-state --exit-on-error-type=Ptr --link-llvm-lib=/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc -skip-functions=elf_version,suppress_check_dwarf,suppress_print_dwarf dwarfdump.bc -ka A --sym-files 1 80 --sym-stdin 8 --sym-stdout
KLEE: NOTE: Using klee-uclibc : /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: Linking in library: /home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc.
KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/dwarf-20110612/dwarfdump/klee-out-10"
Using STP solver backend
KLEE: Deterministic memory allocation starting from 0x7ffef66f3000
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
i8 undef
ERROR: ^^^ global variable initializer not handled
i8 undef
ERROR: ^^^ global variable initializer not handled
IntToPtr with constant: <badref> = inttoptr i64 -1 to i8*
klee: /home/andrea/work/klee-slicing/dg/src/llvm/analysis/PointsTo/PointerSubgraph.cpp:1657: void dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentOperands(const llvm::CallInst*, dg::analysis::pta::PSNode*, int): Assertion `idx < (int) CI->getNumArgOperands()' failed.
0 libSlicing.so 0x00002aaaab26b262 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1 libSlicing.so 0x00002aaaab26a9d4
2 libpthread.so.0 0x00002aaaabaae390
3 libc.so.6 0x00002aaaac590428 gsignal + 56
4 libc.so.6 0x00002aaaac59202a abort + 362
5 libc.so.6 0x00002aaaac588bd7
6 libc.so.6 0x00002aaaac588c82
7 libLLVMpta.so 0x00002aaaad31c2e5 dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentOperands(llvm::CallInst const*, dg::analysis::pta::PSNode*, int) + 71
8 libLLVMpta.so 0x00002aaaad31c537 dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentsOperands(llvm::Function const*, llvm::CallInst const*) + 295
9 libLLVMpta.so 0x00002aaaad31c94d dg::analysis::pta::LLVMPointerSubgraphBuilder::addInterproceduralOperands(llvm::Function const*, dg::analysis::pta::LLVMPointerSubgraphBuilder::Subgraph&, llvm::CallInst const*) + 47
10 libLLVMpta.so 0x00002aaaad3193ce dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 214
11 libLLVMpta.so 0x00002aaaad3192f5 dg::analysis::pta::LLVMPointerSubgraphBuilder::createFuncptrCall(llvm::CallInst const*, llvm::Function const*) + 51
12 libSlicing.so 0x00002aaaaaefe77d SVFPointerAnalysis::functionPointerCall(dg::analysis::pta::PSNode*, dg::analysis::pta::PSNode*) + 203
13 libSlicing.so 0x00002aaaaaefe68c SVFPointerAnalysis::handleFuncPtr(dg::analysis::pta::PSNode*) + 198
14 libSlicing.so 0x00002aaaaaefe34a SVFPointerAnalysis::handleVirtualCalls() + 516
15 libSlicing.so 0x00002aaaaaefdf0f SVFPointerAnalysis::run() + 39
16 libSlicing.so 0x00002aaaaaf36be5 SliceGenerator::generate() + 333
17 klee 0x000000000058a84b klee::KModule::prepare(klee::Interpreter::ModuleOptions const&, std::vector<klee::Interpreter::SkippedFunctionOption, std::allocator<klee::Interpreter::SkippedFunctionOption> > const&, klee::InterpreterHandler*, ReachabilityAnalysis*, Inliner*, AAPass*, ModRefAnalysis*, Cloner*, SliceGenerator*) + 3435
18 klee 0x000000000053415f klee::Executor::setModule(llvm::Module*, klee::Interpreter::ModuleOptions const&) + 1551
19 klee 0x0000000000514a91 main + 4689
20 libc.so.6 0x00002aaaac57b830 __libc_start_main + 240
21 klee 0x0000000000526f39 _start + 41
Aborted (core dumped)