From adarshs2023 at gmail.com Wed Apr 3 20:02:02 2024
From: adarshs2023 at gmail.com (Adarsh Sudheer)
Date: Thu, 4 Apr 2024 00:32:02 +0530
Subject: [klee-dev] Why can't we use ExecutionState object in vector or map templates in cpp
Message-ID:

Hi all,

Recently I tried to map the current ExecutionState to its left and right nodes using the execution tree, and all seemed fine until I encountered various segmentation errors. Firstly, in the ExecutionState class definition, I defined my new attribute like this:

    std::vector<ExecutionState*> NextStates;

I then tried to insert the states like this:

    if (IS_OUR_NODE_VALID(p->left) && IS_OUR_NODE_VALID(p->right)) {
      p->state->NextStates.push_back(p->left.getPointer()->state);
      p->state->NextStates.push_back(p->right.getPointer()->state);
    } else if (IS_OUR_NODE_VALID(p->left)) {
      p->state->NextStates.push_back(p->left.getPointer()->state);
      p = p->left.getPointer();
    } else {
      p->state->NextStates.push_back(p->right.getPointer()->state);
      p = p->right.getPointer();
    }

I was relieved when the build didn't raise any error, but when I tried to get the intermediate results (not included), I repeatedly get a seg-fault.

Here is the error log:

    #0 0x00007f719c63fd01 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3fd01)
    #1 0x00007f719c63da0c llvm::sys::RunSignalHandlers() (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3da0c)
    #2 0x00007f719c640236 (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe40236)
    #3 0x00007f719b042520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
    #4 0x000055757d0c292e std::vector<klee::ExecutionState*, std::allocator<klee::ExecutionState*> >::push_back(klee::ExecutionState* const&) /usr/include/c++/11/bits/stl_vector.h:1189:20
    #5 0x000055757d0c292e klee::RandomPathSearcher::selectState() /home/adarsh2023/research/klee/lib/Core/Searcher.cpp:331:37
    #6 0x000055757d0a0008 klee::KInstIterator::operator klee::KInstruction*() const /home/adarsh2023/research/klee/include/klee/Module/KInstIterator.h:35:45
    #7 0x000055757d0a0008 klee::Executor::run(klee::ExecutionState&) /home/adarsh2023/research/klee/lib/Core/Executor.cpp:3619:30
    #8 0x000055757d0a0dbf std::__uniq_ptr_impl<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::reset(klee::ExecutionTree*) /usr/include/c++/11/bits/unique_ptr.h:179:16
    #9 0x000055757d0a0dbf std::unique_ptr<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::reset(klee::ExecutionTree*) /usr/include/c++/11/bits/unique_ptr.h:456:12
    #10 0x000055757d0a0dbf std::unique_ptr<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::operator=(std::nullptr_t) /usr/include/c++/11/bits/unique_ptr.h:397:7
    #11 0x000055757d0a0dbf klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) /home/adarsh2023/research/klee/lib/Core/Executor.cpp:4700:19
    #12 0x000055757d050b44 main /home/adarsh2023/research/klee/tools/klee/main.cpp:1520:5
    #13 0x00007f719b029d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x00007f719b029e40 call_init ./csu/../csu/libc-start.c:128:20
    #15 0x00007f719b029e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
    #16 0x000055757d060f45 _start (/home/adarsh2023/research/klee/build/bin/klee+0x40f45)
    Segmentation fault

When I went to the vector.h file mentioned in frame #4, I encountered this condition:

    void
    push_back(const value_type& __x)
    {
      if (this->_M_impl._M_finish != this->_M_impl._M_end_of_storage)
        {
          _GLIBCXX_ASAN_ANNOTATE_GROW(1);
          _Alloc_traits::construct(this->_M_impl, this->_M_impl._M_finish, __x);
          ++this->_M_impl._M_finish;
          _GLIBCXX_ASAN_ANNOTATE_GREW(1);
        }
      else
        _M_realloc_insert(end(), __x);
    }

I think this is some memory storage issue. If so, what can I do, and if not, why?
How can I include ExecutionState as a template in maps and vectors?

From adarshs2023 at gmail.com Wed Apr 3 20:06:01 2024
From: adarshs2023 at gmail.com (Adarsh Sudheer)
Date: Thu, 4 Apr 2024 00:36:01 +0530
Subject: [klee-dev] Why can't we use ExecutionState object in vector or map templates in cpp
In-Reply-To:
References:
Message-ID:

Please forgive me for some grammatical errors. I was just in a hurry.

On Thu, Apr 4, 2024 at 12:32 AM Adarsh Sudheer wrote:
> Hi all,
>
> Recently I tried to map the current ExecutionState to its left and
> right nodes using the execution tree, and all seemed fine until I encountered
> various segmentation errors. Firstly, in the ExecutionState class
> definition, I defined my new attribute like this:
>
>     std::vector<ExecutionState*> NextStates;
>
> I then tried to insert the states like this:
>
>     if (IS_OUR_NODE_VALID(p->left) && IS_OUR_NODE_VALID(p->right)) {
>       p->state->NextStates.push_back(p->left.getPointer()->state);
>       p->state->NextStates.push_back(p->right.getPointer()->state);
>     } else if (IS_OUR_NODE_VALID(p->left)) {
>       p->state->NextStates.push_back(p->left.getPointer()->state);
>       p = p->left.getPointer();
>     } else {
>       p->state->NextStates.push_back(p->right.getPointer()->state);
>       p = p->right.getPointer();
>     }
>
> I was relieved when the build didn't raise any error, but when I tried to
> get the intermediate results (not included), I repeatedly get a seg-fault.
>
> Here is the error log:
>
>     #0 0x00007f719c63fd01 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3fd01)
>     #1 0x00007f719c63da0c llvm::sys::RunSignalHandlers() (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3da0c)
>     #2 0x00007f719c640236 (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe40236)
>     #3 0x00007f719b042520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
>     #4 0x000055757d0c292e std::vector<klee::ExecutionState*, std::allocator<klee::ExecutionState*> >::push_back(klee::ExecutionState* const&) /usr/include/c++/11/bits/stl_vector.h:1189:20
>     #5 0x000055757d0c292e klee::RandomPathSearcher::selectState() /home/adarsh2023/research/klee/lib/Core/Searcher.cpp:331:37
>     #6 0x000055757d0a0008 klee::KInstIterator::operator klee::KInstruction*() const /home/adarsh2023/research/klee/include/klee/Module/KInstIterator.h:35:45
>     #7 0x000055757d0a0008 klee::Executor::run(klee::ExecutionState&) /home/adarsh2023/research/klee/lib/Core/Executor.cpp:3619:30
>     #8 0x000055757d0a0dbf std::__uniq_ptr_impl<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::reset(klee::ExecutionTree*) /usr/include/c++/11/bits/unique_ptr.h:179:16
>     #9 0x000055757d0a0dbf std::unique_ptr<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::reset(klee::ExecutionTree*) /usr/include/c++/11/bits/unique_ptr.h:456:12
>     #10 0x000055757d0a0dbf std::unique_ptr<klee::ExecutionTree, std::default_delete<klee::ExecutionTree> >::operator=(std::nullptr_t) /usr/include/c++/11/bits/unique_ptr.h:397:7
>     #11 0x000055757d0a0dbf klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) /home/adarsh2023/research/klee/lib/Core/Executor.cpp:4700:19
>     #12 0x000055757d050b44 main /home/adarsh2023/research/klee/tools/klee/main.cpp:1520:5
>     #13 0x00007f719b029d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
>     #14 0x00007f719b029e40 call_init ./csu/../csu/libc-start.c:128:20
>     #15 0x00007f719b029e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
>     #16 0x000055757d060f45 _start (/home/adarsh2023/research/klee/build/bin/klee+0x40f45)
>     Segmentation fault
>
> When I went to the vector.h file mentioned in frame #4, I encountered
> this condition:
>
>     void
>     push_back(const value_type& __x)
>     {
>       if (this->_M_impl._M_finish != this->_M_impl._M_end_of_storage)
>         {
>           _GLIBCXX_ASAN_ANNOTATE_GROW(1);
>           _Alloc_traits::construct(this->_M_impl, this->_M_impl._M_finish, __x);
>           ++this->_M_impl._M_finish;
>           _GLIBCXX_ASAN_ANNOTATE_GREW(1);
>         }
>       else
>         _M_realloc_insert(end(), __x);
>     }
>
> I think this is some memory storage issue. If so, what can I do, and if not, why?
> How can I include ExecutionState as a template in maps and vectors?

From f.busse17 at imperial.ac.uk Thu Apr 4 10:45:14 2024
From: f.busse17 at imperial.ac.uk (Frank Busse)
Date: Thu, 4 Apr 2024 10:45:14 +0100
Subject: [klee-dev] Why can't we use ExecutionState object in vector or map templates in cpp
In-Reply-To:
References:
Message-ID: <20240404104514.091ae828@gyali>

Hi,

On Thu, 4 Apr 2024 00:32:02 +0530 Adarsh Sudheer wrote:

> Recently I tried to map the current ExecutionState to its left and
> right nodes using the execution tree, and all seemed fine until I encountered
> various segmentation errors. Firstly, in the ExecutionState class
> definition, I defined my new attribute like this:

I'm not sure what you are trying to achieve, but keep in mind that only leaf nodes in the execution tree carry a state.

> I then tried to insert the states like this:
>
>     if (IS_OUR_NODE_VALID(p->left) && IS_OUR_NODE_VALID(p->right)) {
>       p->state->NextStates.push_back(p->left.getPointer()->state);
>       p->state->NextStates.push_back(p->right.getPointer()->state);
>     } else if (IS_OUR_NODE_VALID(p->left)) {
>       p->state->NextStates.push_back(p->left.getPointer()->state);
>       p = p->left.getPointer();
>     } else {
>       p->state->NextStates.push_back(p->right.getPointer()->state);
>       p = p->right.getPointer();
>     }
>
> I was relieved when the build didn't raise any error, but when I tried to
> get the intermediate results (not included), I repeatedly get a seg-fault.

The joys of C++. :)

>     #4 0x000055757d0c292e std::vector<klee::ExecutionState*, std::allocator<klee::ExecutionState*> >::push_back(klee::ExecutionState* const&) /usr/include/c++/11/bits/stl_vector.h:1189:20
>     #5 0x000055757d0c292e klee::RandomPathSearcher::selectState()

It seems that you modified the RandomPathSearcher. Can you show the rest of the select() function?

> How can I include ExecutionState as a template in maps and vectors?

Putting pointers to ExecutionStates in a container is not an issue; we do it all the time. It becomes an issue when states get terminated and you still try to access them via their stale pointers.

Kind regards,
Frank

From wjw5351 at psu.edu Tue Apr 2 06:33:45 2024
From: wjw5351 at psu.edu (Wang, Weixuan)
Date: Tue, 2 Apr 2024 05:33:45 +0000
Subject: [klee-dev] How to solve path explosion caused by loop?
Message-ID:

Hi all,

I have a problem in which a loop causes path explosion.

For example, there are 3 variables: control_block, p_data and event. control_block and p_data are structures and have some fields as symbolic. event is an integer between 0 and 42.

Now I want to run smp_sm_event(control_block, p_data, event) for each event. When I manually set event from 0 to 42 (which means running klee 42 times), klee can get the result quickly, with each case finishing in a controllable number of instructions.
However, when I try to run the following:

    for (int event = 0; event <= 42; event++) {
      smp_sm_event(control_block, p_data, event);
    }

then klee's run seems to never end. When I manually halt klee, it finishes with more than 10 million instructions.

May I get some advice on why this happens, and is there a way to solve this problem so that I don't need to run klee manually many times? Thank you!

--------------------
Best regards,
Weixuan
Master student in Computer Science, Penn State University

From zihanliu at zju.edu.cn Tue Apr 2 07:53:09 2024
From: zihanliu at zju.edu.cn (刘梓涵, Zihan Liu)
Date: Tue, 2 Apr 2024 14:53:09 +0800 (GMT+08:00)
Subject: [klee-dev] A question on using gcov for coverage testing
Message-ID: <3f5e8737.f20e.18e9d954632.Coremail.zihanliu@zju.edu.cn>

Dear KLEE developers,

I have recently been using KLEE for test case generation, and it has proved to be an efficient tool in the field of symbolic execution. But when it comes to coverage, a question arises. Currently the coverage type I want is modified condition/decision coverage, but KLEE only gives icov and bcov when running the klee-stats command; luckily, there are open-source tools that derive MC/DC coverage from gcov's coverage, so I have to figure out a way to use gcov, at least to get line coverage.

The guide for testing coreutils is so old that it cannot actually run, at least on my Linux system, so my sample code originates from another non-official tutorial on automatic testing. It is as follows, and we can discuss based on this.

    # main.c
    #include <klee/klee.h>
    #include "match.h"

    #define SIZE 7

    int main() {
      // The input regular expression.
      char re[SIZE];

      // Make the input symbolic.
      klee_make_symbolic(re, sizeof re, "re");

      // Try to match against a constant string "hello".
      match(re, "hello");

      return 0;
    }

    # match.c
    static int matchhere(char *, char *);

    static int matchstar(int c, char *re, char *text) {
      do {
        if (matchhere(re, text))
          return 1;
      } while (*text != '\0' && (*text++ == c || c == '.'));
      return 0;
    }

    static int matchhere(char *re, char *text) {
      if (re[0] == '\0')
        return 0;
      if (re[1] == '*')
        return matchstar(re[0], re + 2, text);
      if (re[0] == '$' && re[1] == '\0')
        return *text == '\0';
      if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return matchhere(re + 1, text + 1);
      return 0;
    }

    int match(char *re, char *text) {
      if (re[0] == '^')
        return matchhere(re + 1, text);
      do {
        if (matchhere(re, text))
          return 1;
      } while (*text++ != '\0');
      return 0;
    }

    # match.h
    #ifndef _MATCH_H_
    #define _MATCH_H_
    int match(char *re, char *text);
    #endif

And the commands to execute the KLEE SE process are as follows:

    clang -I ../../../include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone *.c
    llvm-link *.bc -o linked.bc
    rm $(ls *.bc | grep -v linked.bc)
    klee linked.bc

Currently I know how to use gcov separately for coverage testing, with just a modification from klee_make_symbolic to accepting C arguments. For example, a modified main.c:

    #include <stdio.h>
    #include <string.h>
    #include "match.h"

    #define SIZE 7

    int main(int argc, char **argv) {
      char re[SIZE];

      // Assuming the input is passed as a command-line argument.
      if (argc > 1) {
        strncpy(re, argv[1], SIZE);
        re[SIZE - 1] = '\0';  // Ensure null-termination.
      } else {
        printf("Usage: %s \n", argv[0]);
        return 1;
      }

      // Try to match against a constant string "hello".
      match(re, "hello");
      return 0;
    }

Then, separately, using gcov:

    gcc -Wall -fprofile-arcs -ftest-coverage *.c
    # This is just a sample; actually we need to:
    # 1. use ktest-tool to get all test cases in plain-text form;
    # 2. loop through the plain text and execute our program on each one
    ./a.out 3
    gcov a-cov.c

However, this intrusive way may break the code itself, and I need a way to integrate KLEE testing and gcov coverage. As the coreutils tutorial mentioned, "At its core, KLEE is just an interpreter for LLVM bitcode." However, I have not actually figured out how to use the .bc code in the execution and gcov process. I even tried

    clang -fprofile-arcs -ftest-coverage -I ../../../include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone *.c

but it does not seem to work. As a newbie to KLEE, I want to ask:

1. How do I combine KLEE test case generation and the gcov coverage process?
2. Potentially, are there other ways KLEE supports generating MC/DC coverage?

Thank you.

Yours sincerely,
Zihan Liu

From sokolsky at cis.upenn.edu Fri Apr 5 13:17:06 2024
From: sokolsky at cis.upenn.edu (Oleg Sokolsky)
Date: Fri, 5 Apr 2024 08:17:06 -0400
Subject: [klee-dev] How to solve path explosion caused by loop?
In-Reply-To:
References:
Message-ID:

The number of paths explored by KLEE is exponential in the number of iterations: a path discovered in the first iteration is extended by every path discovered in the second iteration, and so on.

It seems that you introduce the loop only to explore all possible values of event. If so, just make it symbolic and add a constraint using klee_assume that event is between 0 and 42. KLEE will explore it all in one run.

Oleg

On 4/2/24 01:33, Wang, Weixuan wrote:
> Hi all,
>
> I have a problem in which a loop causes path explosion.
>
> For example, there are 3 variables: control_block, p_data and event.
> control_block and p_data are structures and have some fields as
> symbolic. event is an integer between 0 and 42.
>
> Now I want to run smp_sm_event(control_block, p_data, event) for each
> event. When I manually set event from 0 to 42 (which means running klee
> 42 times), klee can get the result quickly, with each case finishing in
> a controllable number of instructions.
>
> However, when I try to run the following:
>
>     for (int event = 0; event <= 42; event++) {
>       smp_sm_event(control_block, p_data, event);
>     }
>
> then klee's run seems to never end.
> When I manually halt klee, it finishes with more than 10 million instructions.
>
> May I get some advice on why this happens, and is there a way to solve
> this problem so that I don't need to run klee manually many times?
> Thank you!
>
> --------------------
> Best regards,
> Weixuan
> Master student in Computer Science, Penn State University
>
> _______________________________________________
> klee-dev mailing list
> klee-dev at imperial.ac.uk
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From vm at xreate.org Sat Apr 13 09:47:42 2024
From: vm at xreate.org (Volodymyr Melnychenko)
Date: Sat, 13 Apr 2024 10:47:42 +0200
Subject: [klee-dev] C++ Support Status
Message-ID: <8fc220c2-33ad-410f-88dd-1f6863688b5c@xreate.org>

Hello,

Is Klee a good tool for analyzing C++ code? I saw an email from 2018 regarding C++; what's the progress on it? Do you have examples of using Klee in C++ projects with CMake, Qt, Boost, STL, Google Test, etc.?

I just started to go through the examples. I set the compiler and linker flags as follows:

    add_compile_options(-flto -emit-llvm -Xclang -disable-O0-optnone)
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -flto -Wl,-plugin-opt=emit-llvm")

Does this look correct? I want to compile a Google Test project for a start, consisting of only two cpp files and a few tests.

The main function is typical:

    int main(int argc, char **argv) {
      testing::InitGoogleTest(&argc, argv);
      return RUN_ALL_TESTS();
    }

Now gtest runs and executes all tests successfully. Running Klee gives me this:

    KLEE: WARNING: executable has module level assembly (ignoring)
    KLEE: ERROR: Unable to load symbol(_ZTIN7testing4TestE) while initializing globals

Thanks!
--
Regards,
Volodymyr Melnychenko

From d.schemmel at imperial.ac.uk Sun Apr 14 17:07:35 2024
From: d.schemmel at imperial.ac.uk (Daniel Schemmel)
Date: Sun, 14 Apr 2024 17:07:35 +0100
Subject: [klee-dev] C++ Support Status
In-Reply-To: <8fc220c2-33ad-410f-88dd-1f6863688b5c@xreate.org>
References: <8fc220c2-33ad-410f-88dd-1f6863688b5c@xreate.org>
Message-ID: <606b8f00-41ec-4fff-9d93-0e8b944f7d02@imperial.ac.uk>

Hello Volodymyr,

C++ support in KLEE is available, with the major caveat that (as for C code) you need to compile everything to LLVM bitcode. Just like for C code, we have a prepared standard library available, although there are some limitations in that regard (again, just as for C). The biggest issue is that we do not currently perform a lot of tests using C++ code, and the user base that uses KLEE on C code is much bigger.

For your example, this means that you need to provide LLVM bitcode for your code as well as for the gtest library. Both of them should be built against our standard library, or you will have to provide your own standard library as well (which is a pain).

Your code looks to me like it might build your own project as bitcode but try to link against a binary Google Test version, and it does not deal especially with the standard library location (which in theory could be set up in such a way that it is unnecessary, but that is probably not the case).

Best,
Daniel

On 2024-04-13 09:47, Volodymyr Melnychenko wrote:
> Hello,
>
> Is Klee a good tool for analyzing C++ code? I saw an email from 2018
> regarding C++; what's the progress on it? Do you have examples of using
> Klee in C++ projects with CMake, Qt, Boost, STL, Google Test, etc.?
>
> I just started to go through the examples. I set the compiler and linker flags
> as follows:
>
>     add_compile_options(-flto -emit-llvm -Xclang -disable-O0-optnone)
>     set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -flto -Wl,-plugin-opt=emit-llvm")
>
> Does this look correct? I want to compile a Google Test project for a
> start, consisting of only two cpp files and a few tests.
>
> The main function is typical:
>
>     int main(int argc, char **argv) {
>       testing::InitGoogleTest(&argc, argv);
>       return RUN_ALL_TESTS();
>     }
>
> Now gtest runs and executes all tests successfully. Running Klee
> gives me this:
>
>     KLEE: WARNING: executable has module level assembly (ignoring)
>     KLEE: ERROR: Unable to load symbol(_ZTIN7testing4TestE) while initializing globals
>
> Thanks!
>
> --
> Regards,
> Volodymyr Melnychenko
>
> _______________________________________________
> klee-dev mailing list
> klee-dev at imperial.ac.uk
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From jaehyeok.lee at g.skku.edu Fri Apr 26 09:44:05 2024
From: jaehyeok.lee at g.skku.edu (Department of Software / Jaehyeok Lee)
Date: Fri, 26 Apr 2024 17:44:05 +0900
Subject: [klee-dev] [Question about process of seed in KLEE] For mechanism of detailed process when putting seed in KLEE
Message-ID:

To whom it may concern,

Hello, this is Jaehyeok Lee, a master's student in computer science in South Korea. I have some questions about the detailed process of KLEE, especially the seeding process, so I'd like to send this mail. I'm using klee-2.1 under LLVM 6.0.0.

From my understanding, if I put a seed file into KLEE using a command like '--seed-file=***.ktest', then KLEE generates that seed file much more quickly than it generated that seed file before execution.
I found this code line in klee/lib/Core/Executor.cpp:

    bool success = solver->getValue(current, siit->assignment.evaluate(condition), res);

siit means the SeedInfo file indicating the seed I put into KLEE. In this case, here are my questions.

1. If we put a test case into KLEE, KLEE gets a seed ktest file and uses the information related to the generated test case. Then, when KLEE calls a solver as in the aforementioned code, does the solver try to check the path condition of the current state and the state included in the seed? Actually, the point that I couldn't understand is what assignment.evaluate(condition) does in this section.

2. I thought that if I put a test case as a seed into KLEE, KLEE doesn't have to call a solver, because the seed file already has all the information for generating that seed file, like the state or path conditions. Is that right? If it's right, is it okay to understand that seed mode doesn't have to call a solver for the feasibility check, which would be a very big problem in symbolic execution called the 'constraint solving cost problem', or to solve the path condition the seed file includes? If it's wrong, then what are the solver calls doing in seed mode?

Thank you so much.

Sincerely,
Jaehyeok Lee
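The following is an added example, not code from KLEE or from any message in this digest. It goes back to Frank Busse's point in the first thread (the push_back segfault in RandomPathSearcher::selectState): a container of ExecutionState pointers is fine until a state is terminated and freed while some other object, here the NextStates list of its parent, still holds the pointer. KLEE itself owns states through raw pointers; this model swaps in shared_ptr ownership with weak_ptr links so that the stale link becomes observable and checkable instead of a use-after-free. The names State, Executor, runScenario and ScenarioResult are hypothetical stand-ins, and the three-state fork scenario is constructed for the example.

```cpp
// Added example, not KLEE code: models Frank Busse's point about stale
// ExecutionState* links after termination. All names here are hypothetical.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

// Stand-in for klee::ExecutionState, reduced to an id and the successor links
// from the thread's NextStates attribute. The links are weak_ptr: they do not
// keep a state alive, and they can be asked whether they expired instead of
// being dereferenced blindly.
struct State {
  int id;
  std::vector<std::weak_ptr<State>> next;
  explicit State(int i) : id(i) {}
};

// Stand-in for the executor: the single owner of every live state. Searchers
// and tree nodes only ever receive non-owning links.
class Executor {
  std::vector<std::shared_ptr<State>> states_;

 public:
  std::shared_ptr<State> create(int id) {
    states_.push_back(std::make_shared<State>(id));
    return states_.back();
  }

  // Terminate a state by dropping the owning reference. The State object is
  // freed once no other shared_ptr holds it; weak links to it then expire.
  void terminate(const std::shared_ptr<State>& s) {
    states_.erase(std::remove(states_.begin(), states_.end(), s), states_.end());
  }

  std::size_t liveCount() const { return states_.size(); }
};

// Follow only the links that still point at a live state. An expired link is
// skipped; with raw pointers the equivalent loop would touch freed memory,
// which is what the push_back frame in the thread's trace looks like.
std::vector<int> liveSuccessorIds(const State& s) {
  std::vector<int> ids;
  for (const auto& link : s.next)
    if (auto sp = link.lock()) ids.push_back(sp->id);
  return ids;
}

// Number of links in a successor list that now point at terminated states.
std::size_t staleLinkCount(const State& s) {
  return static_cast<std::size_t>(
      std::count_if(s.next.begin(), s.next.end(),
                    [](const std::weak_ptr<State>& w) { return w.expired(); }));
}

struct ScenarioResult {
  std::size_t liveStates;      // states the executor still owns
  std::size_t links;           // entries in parent->next (termination does not touch them)
  std::size_t staleLinks;      // how many of those entries expired
  std::vector<int> reachable;  // successor ids that can still be followed safely
};

// Constructed scenario mirroring the thread: a parent forks into left and
// right, then the left child is terminated. The parent's link list keeps both
// entries; the safe accessors report one of them as stale rather than crash.
ScenarioResult runScenario() {
  Executor ex;
  auto parent = ex.create(1);
  auto left = ex.create(2);
  auto right = ex.create(3);
  parent->next.push_back(left);
  parent->next.push_back(right);

  ex.terminate(left);
  left.reset();  // drop this function's own handle too, as a searcher would

  return {ex.liveCount(), parent->next.size(), staleLinkCount(*parent),
          liveSuccessorIds(*parent)};
}

int main() {
  ScenarioResult r = runScenario();
  std::cout << "live states: " << r.liveStates << ", links: " << r.links
            << ", stale: " << r.staleLinks << ", reachable:";
  for (int id : r.reachable) std::cout << ' ' << id;
  std::cout << '\n';
  return 0;
}
```

With raw pointers, the same discipline has to be enforced by hand: whatever removes a state must also remove it from every container that references it. In KLEE the place a searcher learns about terminated states is its update callback, which receives the lists of added and removed states; a searcher-side NextStates list that is not cleaned there will be read through a dangling pointer the next time selectState walks it.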