[klee-dev] Instruction and Branch Coverage of CoreUtils experiment

[Yu Hu]

Hi,

I'm running Klee with CoreUtils experiment but I found the instruction and
branch coverage is pretty low. I'm using klee's docker with KLEE 1.3.0.0
and LLVM version 3.4. The coverage for some program is shown below:

CoreUtils-6.11

Instruction coverage %

Branch coverage %

CoreUtils-8.24

Instruction Coverage %

Branch Coverage %

fold

47.50

34.89

fold

46.56

34.28

uniq

49.69

38.27

uniq

49.47

37.91

cat

43.54

31.18

cat

36.32

26.03

od

59.07

44.43

od

64.60

48.32

cksum

44.18

32.08

cksum

54.44

40.68

nl

39.82

28.19

nl

43.76

32.03

base64

50.11

37.86

base64

48.20

36.25

head

41.54

31.30

head

46.43

34.89

The command I used is same as http://klee.github.io/docs/
coreutils-experiments/:

klee --simplify-sym-indices --write-cvcs --write-cov --output-module
--max-memory=1000 --disable-inlining --optimize --use-forked-solver
--use-cex-cache --libc=uclibc --posix-runtime --allow-external-sym-calls
--only-output-states-covering-new --environ=test.env --run-in=/tmp/sandbox
--max-sym-array-size=4096 --max-instruction-time=30. --max-time=3600.
--watchdog --max-memory-inhibit=false --max-static-fork-pct=1
--max-static-solve-pct=1 --max-static-cpfork-pct=1 --switch-type=internal
--search=random-path --search=nurs:covnew --use-batching-search
--batch-instructions=10000 fold.bc --sym-args 0 1 10 --sym-args 0 2 2
--sym-files 1 8 --sym-stdin 8 --sym-stdout

May I ask the methodology you used to measure the coverage? And also any
comments about the experiments are welcome.

Thank you.

Best,
Yu
-------------- next part --------------
HTML attachment scrubbed and removed