From haoxintu.2020 at phdcs.smu.edu.sg Thu Feb 1 00:35:15 2024
From: haoxintu.2020 at phdcs.smu.edu.sg (TU Haoxin)
Date: Thu, 1 Feb 2024 00:35:15 +0000
Subject: [klee-dev] Different behavior of KLEE when testing `dircolors` with "--optimize=true/false" option
In-Reply-To:
References:
Message-ID:

Hi Daniel,

Thanks for your further investigation. Your explanation makes sense to me. I started my project a few years ago so I used a relatively older version of KLEE&LLVM. I believe I will build on my next project on the newest versions of them to avoid similar issues and catch up with KLEE's new features.

Thank you very much again for your help and continuous contributions to making KLEE more and more powerful! Have a great week ahead!

Best regards,
Haoxin

________________________________
From: klee-dev-bounces at imperial.ac.uk on behalf of Daniel Schemmel
Sent: Thursday, February 1, 2024 7:26
To: klee-dev at imperial.ac.uk
Subject: Re: [klee-dev] Different behavior of KLEE when testing `dircolors` with "--optimize=true/false" option

Hi Haoxin,

The described behavior is indeed very odd. Luckily, the `assembly.ll` that is generated by KLEE shows that this is an actual optimization error - the code that is intended to print your messages does not exist anymore. This means that the issue lies either with the LLVM optimization passes, or in our usage of them.

As you were using fairly old LLVM versions (LLVM 9 & 10 support is about to be removed from KLEE), I tried to reproduce the issue in a few different configurations:

- LLVM 9 (KLEE master): REPRODUCED
- LLVM 10 (KLEE master): REPRODUCED
- LLVM 11 (KLEE master): NOT reproduced
- LLVM 12 (KLEE master): NOT reproduced
- LLVM 13 (docker.io/klee/klee): NOT reproduced
- LLVM 14 (KLEE master): NOT reproduced
- LLVM 15 (#1664): NOT reproduced
- LLVM 16 (#1664): requires an additional include in xmalloc.c to compile; NOT reproduced

Since this bug only occurs with the two LLVM versions that are about to be removed in the next few days anyway, and there is a hard break (none of the newer versions exhibit the same behavior), I tend towards assuming that this specific issue probably stems from an old LLVM bug that has since been rectified.

Best,
Daniel

On 2024-01-31 06:58, TU Haoxin wrote:

Hi Nguyen,

Just installed and ran this case using KLEE-3.0 with LLVM-10, and it seems the issue is still reproducible for KLEE 3. Please check more here:
https://gist.github.com/haoxintu/183dda2923965d1e33f64ad59c7f5338#other-trials

Thanks,
Haoxin

________________________________
From: Nguyễn Gia Phong
Sent: Wednesday, January 31, 2024 13:34
To: TU Haoxin; klee-dev at imperial.ac.uk
Subject: Re: [klee-dev] Different behavior of KLEE when testing `dircolors` with "--optimize=true/false" option

On 2024-01-31 at 05:07+00:00, TU Haoxin wrote:
> The behavior is that KLEE fails to fork at a branch
> that should be forked with the option --optimize option enabled
> (i.e., --optimize=true). While the --optimize option is disabled
> (i.e., --optimize=false), the branch can be successfully forked
[...]
>
> ### Reproduce the behavior
> #### Environment
> * KLEE-2.1 (also tested KLEE-2.3, and they behave the same)

Just curious, is the issue reproducible for KLEE 3?

_______________________________________________
klee-dev mailing list
klee-dev at imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From c.cadar at imperial.ac.uk Thu Feb 1 12:07:25 2024
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Thu, 1 Feb 2024 12:07:25 +0000
Subject: [klee-dev] KLEE 2024 -- Keynote speakers announced & early registration deadline coming up
Message-ID: <33ae7da4-cf6f-b708-0443-768c87900796@imperial.ac.uk>

Dear all,

It is my pleasure to announce a fantastic list of keynotes -- Tevfik Bultan, Tomasz Kuchta, and Corina Pasareanu -- for the upcoming KLEE'24 workshop:
https://srg.doc.ic.ac.uk/klee24/keynotes.html

The workshop will be co-located with ICSE'24, and will take place 15-16 April in Lisbon:
https://srg.doc.ic.ac.uk/klee24/

The early registration deadline is coming up, on 12 February:
https://conf.researchr.org/attending/icse-2024/registration

We hope to see many of you at the workshop in Lisbon!

Best wishes,
Cristian, Daniel, Frank, Martin, as KLEE'24 Chairs

From lukedram at andrew.cmu.edu Fri Feb 2 17:02:10 2024
From: lukedram at andrew.cmu.edu (Luke Dramko)
Date: Fri, 2 Feb 2024 12:02:10 -0500
Subject: [klee-dev] Logging the Symbolic Values of Variables
Message-ID:

Hello,

My research group is looking to output the value of each variable's symbolic representation after the execution of each line in the source program. Alternatively, the symbolic values of only the variables whose values are modified on that line would be sufficient as well.

For example, given the following function is being executed symbolically:

1. int fn(int x) {
2.     if (x > 1) {
3.         x++;
4.         x = x * x;
5.     }
6.     return x;
7. }

We would like to know that
- after line 2 (on the true branch) that x is constrained by x > 1.
- after line 3, that x is constrained by x > 2.
- after line 4, that x is constrained by x = y * 2 where y > 2.
etc.

(The above ignores overflow semantics but constraints that capture them would be welcome.)

Is there a way to do this with Klee? If not, what part of the codebase should we modify to add this capability?

Thank you for your help!

Best regards,
Luke

From m.nowack at imperial.ac.uk Mon Feb 5 10:57:04 2024
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Mon, 5 Feb 2024 10:57:04 +0000
Subject: [klee-dev] Logging the Symbolic Values of Variables
In-Reply-To:
References:
Message-ID: <5E8750F3-72F2-4F4B-80BB-BC8B545B1829@imperial.ac.uk>

Hi Luke,

As KLEE builds on LLVM, the value is either part of an SSA register or a heap/global allocation.

In the first case, the register's value can be accessed via `eval()`, i.e. for a Load instruction (https://github.com/klee/klee/blob/3ca81c2dc3881aec0bbf94646c73a148d706c76d/lib/Core/Executor.cpp#L2788) the result will be stored in the SSA register from the load as part of the `executeMemoryOperation` using the `bindLocal` operation. You just need to retrieve the result afterwards, i.e. `getDestCell(state, ki).value`.

For the second case, the memory object needs to be resolved first, before retrieving the associated ObjectState and accessing the values of interest. Have a look at `executeMemoryOperation` for an example how to load/store memory.

Please keep in mind, depending on the actual optimisation used by the compiler, LLVM version and so on, those are not necessarily representing variables from the source code.

Best,
Martin

> On 2. Feb 2024, at 17:02, Luke Dramko wrote:
>
> Hello,
>
> My research group is looking to output the value of each variable's symbolic representation after the execution of each line in the source program. Alternatively, the symbolic values of only the variables whose values are modified on that line would be sufficient as well.
>
> For example, given the following function is being executed symbolically:
>
> 1. int fn(int x) {
> 2.     if (x > 1) {
> 3.         x++;
> 4.         x = x * x;
> 5.     }
> 6.     return x;
> 7. }
>
> We would like to know that
> - after line 2 (on the true branch) that x is constrained by x > 1.
> - after line 3, that x is constrained by x > 2.
> - after line 4, that x is constrained by x = y * 2 where y > 2.
> etc.
>
> (The above ignores overflow semantics but constraints that capture them would be welcome.)
>
> Is there a way to do this with Klee? If not, what part of the codebase should we modify to add this capability?
>
> Thank you for your help!
>
> Best regards,
> Luke

From adarshs2023 at gmail.com Wed Feb 21 02:03:09 2024
From: adarshs2023 at gmail.com (Adarsh Sudheer)
Date: Wed, 21 Feb 2024 07:33:09 +0530
Subject: [klee-dev] Connection between CFG and execution state
Message-ID:

Hi all,

Is there any parameter in the Execution state that links the CFG to the ExecutionState? To be particular, I want to access all ExecutionState nodes generated from a CFG.

With Regards
Adarsh Sudheer

From c.cadar at imperial.ac.uk Thu Feb 29 21:54:42 2024
From: c.cadar at imperial.ac.uk (Cristian Cadar)
Date: Thu, 29 Feb 2024 21:54:42 +0000
Subject: [klee-dev] KLEE 3.1 released
Message-ID: <175227b8-93c2-4ccb-80b5-3e9df9e6a97e@imperial.ac.uk>

Hi all,

It is my pleasure to announce the release of KLEE 3.1! Big thanks to all the contributors to this version.

The full list of changes can be found at https://github.com/klee/klee/releases/tag/v3.1

Best wishes,
Cristian