davidtr1037 / chopper

KLEE / CSE Project

KLEE crashes on dwarfdump #11

Open andreamattavelli opened 7 years ago

andreamattavelli commented 7 years ago
/home/andrea/work/klee-slicing/klee-build/bin/klee --link-llvm-lib=/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc -skip-functions=dwarf_record_cmdline_options dwarfdump.bc -ka ../../regressiontests/marinescu/hello.original 
KLEE: Linking in library: /home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc.

KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/dwarf-20110612/dwarfdump/klee-out-48"
Using STP solver backend
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
IntToPtr with constant:   <badref> = inttoptr i64 -1 to i8*
  %reverse463 = shufflevector <16 x i8> %reverse, <16 x i8> undef, <16 x i32> <i32 15, i32 14, i32 13, i32 12, i32 11, i32 10, i32 9, i32 8, i32 7, i32 6, i32 5, i32 4, i32 3, i32 2, i32 1, i32 0>
klee: /home/andrea/work/klee-slicing/dg/src/llvm/analysis/PointsTo/PointerSubgraph.cpp:1419: dg::analysis::pta::PSNodesSeq dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(const llvm::Instruction&): Assertion `0 && "Unhandled instruction"' failed.
0  libSlicing.so   0x00002aaaab266752 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1  libSlicing.so   0x00002aaaab265ec4
2  libpthread.so.0 0x00002aaaabaa9390
3  libc.so.6       0x00002aaaac58b428 gsignal + 56
4  libc.so.6       0x00002aaaac58d02a abort + 362
5  libc.so.6       0x00002aaaac583bd7
6  libc.so.6       0x00002aaaac583c82
7  libLLVMpta.so   0x00002aaaad3168f0 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(llvm::Instruction const&) + 678
8  libLLVMpta.so   0x00002aaaad3139e0 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildNode(llvm::Value const*) + 118
9  libLLVMpta.so   0x00002aaaad313c75 dg::analysis::pta::LLVMPointerSubgraphBuilder::getOperand(llvm::Value const*) + 93
10 libLLVMpta.so   0x00002aaaad314eb1 dg::analysis::pta::LLVMPointerSubgraphBuilder::createStore(llvm::Instruction const*) + 59
11 libLLVMpta.so   0x00002aaaad3166d1 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(llvm::Instruction const&) + 135
12 libLLVMpta.so   0x00002aaaad316f77 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildPointerSubgraphBlock(llvm::BasicBlock const&) + 249
13 libLLVMpta.so   0x00002aaaad31713e dg::analysis::pta::LLVMPointerSubgraphBuilder::buildFunction(llvm::Function const&) + 354
14 libLLVMpta.so   0x00002aaaad31419c dg::analysis::pta::LLVMPointerSubgraphBuilder::createCallToFunction(llvm::Function const*) + 236
15 libLLVMpta.so   0x00002aaaad31432e dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 54
16 libLLVMpta.so   0x00002aaaad314c8d dg::analysis::pta::LLVMPointerSubgraphBuilder::createCall(llvm::Instruction const*) + 321
17 libLLVMpta.so   0x00002aaaad3167e5 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(llvm::Instruction const&) + 411
18 libLLVMpta.so   0x00002aaaad316f77 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildPointerSubgraphBlock(llvm::BasicBlock const&) + 249
19 libLLVMpta.so   0x00002aaaad31713e dg::analysis::pta::LLVMPointerSubgraphBuilder::buildFunction(llvm::Function const&) + 354
20 libLLVMpta.so   0x00002aaaad31419c dg::analysis::pta::LLVMPointerSubgraphBuilder::createCallToFunction(llvm::Function const*) + 236
21 libLLVMpta.so   0x00002aaaad31432e dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 54
22 libLLVMpta.so   0x00002aaaad314c8d dg::analysis::pta::LLVMPointerSubgraphBuilder::createCall(llvm::Instruction const*) + 321
23 libLLVMpta.so   0x00002aaaad3167e5 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(llvm::Instruction const&) + 411
24 libLLVMpta.so   0x00002aaaad316f77 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildPointerSubgraphBlock(llvm::BasicBlock const&) + 249
25 libLLVMpta.so   0x00002aaaad31713e dg::analysis::pta::LLVMPointerSubgraphBuilder::buildFunction(llvm::Function const&) + 354
26 libLLVMpta.so   0x00002aaaad31419c dg::analysis::pta::LLVMPointerSubgraphBuilder::createCallToFunction(llvm::Function const*) + 236
27 libLLVMpta.so   0x00002aaaad31432e dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 54
28 libLLVMpta.so   0x00002aaaad314c8d dg::analysis::pta::LLVMPointerSubgraphBuilder::createCall(llvm::Instruction const*) + 321
29 libLLVMpta.so   0x00002aaaad3167e5 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction(llvm::Instruction const&) + 411
30 libLLVMpta.so   0x00002aaaad316f77 dg::analysis::pta::LLVMPointerSubgraphBuilder::buildPointerSubgraphBlock(llvm::BasicBlock const&) + 249
31 libLLVMpta.so   0x00002aaaad31713e dg::analysis::pta::LLVMPointerSubgraphBuilder::buildFunction(llvm::Function const&) + 354
32 libLLVMpta.so   0x00002aaaad31419c dg::analysis::pta::LLVMPointerSubgraphBuilder::createCallToFunction(llvm::Function const*) + 236
33 libLLVMpta.so   0x00002aaaad31432e dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 54
34 libLLVMpta.so   0x00002aaaad3142f5 dg::analysis::pta::LLVMPointerSubgraphBuilder::createFuncptrCall(llvm::CallInst const*, llvm::Function const*) + 51
35 libSlicing.so   0x00002aaaaaefa95d SVFPointerAnalysis::functionPointerCall(dg::analysis::pta::PSNode*, dg::analysis::pta::PSNode*) + 239
36 libSlicing.so   0x00002aaaaaefa848 SVFPointerAnalysis::handleFuncPtr(dg::analysis::pta::PSNode*) + 198
37 libSlicing.so   0x00002aaaaaefa540 SVFPointerAnalysis::handleVirtualCalls() + 314
38 libSlicing.so   0x00002aaaaaefa1cf SVFPointerAnalysis::run() + 39
39 libSlicing.so   0x00002aaaaaf32283 SliceGenerator::generate() + 333
40 klee            0x000000000058a92b klee::KModule::prepare(klee::Interpreter::ModuleOptions const&, std::vector<klee::Interpreter::SkippedFunctionOption, std::allocator<klee::Interpreter::SkippedFunctionOption> > const&, klee::InterpreterHandler*, ReachabilityAnalysis*, Inliner*, AAPass*, ModRefAnalysis*, Cloner*, SliceGenerator*) + 3435
41 klee            0x000000000053414f klee::Executor::setModule(llvm::Module*, klee::Interpreter::ModuleOptions const&) + 1551
42 klee            0x0000000000514a41 main + 4689
43 libc.so.6       0x00002aaaac576830 __libc_start_main + 240
44 klee            0x0000000000526f29 _start + 41
Aborted (core dumped)

Do we support vectors?

andreamattavelli commented 7 years ago

If I link uClibc I succeed with this warning:

/home/andrea/work/klee-slicing/klee-build/bin/klee --libc=uclibc --link-llvm-lib=/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc -skip-functions=dwarf_record_cmdline_options dwarfdump.bc -ka ../../regressiontests/marinescu/hello.original 
KLEE: NOTE: Using klee-uclibc : /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/klee-uclibc.bca
KLEE: Linking in library: /home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc.

KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/dwarf-20110612/dwarfdump/klee-out-49"
Using STP solver backend
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
i8 undef
ERROR: ^^^ global variable initializer not handled
i8 undef
ERROR: ^^^ global variable initializer not handled
...
andreamattavelli commented 7 years ago

dwarfdump now crashes with the following error:

$ /home/andrea/work/klee-slicing/klee-build/bin/klee -blk -posix-runtime -libc=uclibc -link-llvm-lib=/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc -skip-functions=dwarf_whatform dwarfdump.bc -ka -vvv -R -M ../../regressiontests/marinescu/hello.original
KLEE: NOTE: Using klee-uclibc : /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /home/andrea/work/klee-slicing/klee-build/Release+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: Linking in library: /home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/libelf-0.8.13/lib/libelf.a.bc.

KLEE: output directory is "/home/andrea/work/klee-slicing/klee-slicing-experiments/libdwarf/dwarf-20110612/dwarfdump/klee-out-46"
Using STP solver backend
KLEE: Runnining reachability analysis...
KLEE: Runnining pointer analysis...
KLEE: Runnining mod-ref analysis...
KLEE: Computing slices...
i8 undef
ERROR: ^^^ global variable initializer not handled
i8 undef
ERROR: ^^^ global variable initializer not handled
IntToPtr with constant:   <badref> = inttoptr i64 -1 to i8*
klee: /home/andrea/work/klee-slicing/dg/src/llvm/analysis/PointsTo/PointerSubgraph.cpp:1657: void dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentOperands(const llvm::CallInst*, dg::analysis::pta::PSNode*, int): Assertion `idx < (int) CI->getNumArgOperands()' failed.
0  libSlicing.so   0x00002aaaab26b1d2 llvm::sys::PrintStackTrace(_IO_FILE*) + 50
1  libSlicing.so   0x00002aaaab26a944
2  libpthread.so.0 0x00002aaaabaae390
3  libc.so.6       0x00002aaaac590428 gsignal + 56
4  libc.so.6       0x00002aaaac59202a abort + 362
5  libc.so.6       0x00002aaaac588bd7
6  libc.so.6       0x00002aaaac588c82
7  libLLVMpta.so   0x00002aaaad31c2e5 dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentOperands(llvm::CallInst const*, dg::analysis::pta::PSNode*, int) + 71
8  libLLVMpta.so   0x00002aaaad31c537 dg::analysis::pta::LLVMPointerSubgraphBuilder::addArgumentsOperands(llvm::Function const*, llvm::CallInst const*) + 295
9  libLLVMpta.so   0x00002aaaad31c94d dg::analysis::pta::LLVMPointerSubgraphBuilder::addInterproceduralOperands(llvm::Function const*, dg::analysis::pta::LLVMPointerSubgraphBuilder::Subgraph&, llvm::CallInst const*) + 47
10 libLLVMpta.so   0x00002aaaad3193ce dg::analysis::pta::LLVMPointerSubgraphBuilder::createOrGetSubgraph(llvm::CallInst const*, llvm::Function const*) + 214
11 libLLVMpta.so   0x00002aaaad3192f5 dg::analysis::pta::LLVMPointerSubgraphBuilder::createFuncptrCall(llvm::CallInst const*, llvm::Function const*) + 51
12 libSlicing.so   0x00002aaaaaefe6b5 SVFPointerAnalysis::functionPointerCall(dg::analysis::pta::PSNode*, dg::analysis::pta::PSNode*) + 203
13 libSlicing.so   0x00002aaaaaefe5c4 SVFPointerAnalysis::handleFuncPtr(dg::analysis::pta::PSNode*) + 198
14 libSlicing.so   0x00002aaaaaefe282 SVFPointerAnalysis::handleVirtualCalls() + 516
15 libSlicing.so   0x00002aaaaaefde47 SVFPointerAnalysis::run() + 39
16 libSlicing.so   0x00002aaaaaf36b4b SliceGenerator::generate() + 333
17 klee            0x000000000058a97b klee::KModule::prepare(klee::Interpreter::ModuleOptions const&, std::vector<klee::Interpreter::SkippedFunctionOption, std::allocator<klee::Interpreter::SkippedFunctionOption> > const&, klee::InterpreterHandler*, ReachabilityAnalysis*, Inliner*, AAPass*, ModRefAnalysis*, Cloner*, SliceGenerator*) + 3435
18 klee            0x000000000053419f klee::Executor::setModule(llvm::Module*, klee::Interpreter::ModuleOptions const&) + 1551
19 klee            0x0000000000514a91 main + 4689
20 libc.so.6       0x00002aaaac57b830 __libc_start_main + 240
21 klee            0x0000000000526f79 _start + 41
Aborted (core dumped)
andreamattavelli commented 7 years ago

@davidtr1037 I modified DG to actually not crash. In the code of dg::analysis::pta::LLVMPointerSubgraphBuilder::buildInstruction after the assertion the code creates an unknownNode. Removing the assertions and using the unknown might solve the issue.
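The four failures reported in this thread (a `shufflevector` the pointer subgraph builder does not handle, an `inttoptr` constant expression, `undef` global initializers, and a function-pointer call that the analysis resolves to a callee with more parameters than the call site passes, which is how I read the `idx < CI->getNumArgOperands()` assertion) all surface only after KLEE has linked the module and started computing slices. The following is an added example, not code from chopper, dg or KLEE: a textual pre-flight scan over the `.ll` form of a module (the output of `llvm-dis`) that flags those constructs up front. The sample IR is constructed, the finding names are my own, and the arity check is a coarse textual over-approximation (every address-taken function is treated as a possible target of every indirect call) rather than the pointer analysis dg actually performs.

```python
"""Pre-flight scanner for LLVM textual IR (.ll).

Flags the constructs this thread shows dg's LLVMPointerSubgraphBuilder
aborting on: vector instructions, inttoptr constant expressions, undef
global initializers, and indirect calls passing fewer arguments than an
address-taken function declares.  Purely textual heuristic (no pointer
analysis); meant to triage a module before handing it to KLEE.
"""
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, int, str]  # (kind, 1-based line number, detail)

VECTOR_OP = re.compile(r'\b(shufflevector|insertelement|extractelement)\b')
INTTOPTR_CONST = re.compile(r'\binttoptr\s*\(')  # constant-expression form only
GLOBAL_DEF = re.compile(r'^@([\w.$-]+)\s*=\s*(?:[\w\s]*?\s)?(?:global|constant)\s+(.+)$')
FUNC_DEF = re.compile(r'^define\b.*?@([\w.$-]+)\s*\(')
CALL = re.compile(r'\b(?:call|invoke)\b.*?([@%][\w.$-]+)\s*\(')
# "@name" used as a value (not immediately invoked): its address is taken
ADDR_USE = re.compile(r'@([\w.$-]+)(?![\w.$-]|\s*\()')


def _args_after(line: str, open_idx: int) -> str:
    """Return the text inside the bracket pair that opens at open_idx."""
    depth = 0
    for i in range(open_idx, len(line)):
        if line[i] in '([{<':
            depth += 1
        elif line[i] in ')]}>':
            depth -= 1
            if depth == 0:
                return line[open_idx + 1:i]
    return line[open_idx + 1:]


def _split_top(s: str) -> List[str]:
    """Split on commas that are not nested inside (), [], {} or <>."""
    parts, cur, depth = [], [], 0
    for c in s:
        if c in '([{<':
            depth += 1
        elif c in ')]}>':
            depth -= 1
        if c == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def scan_ir(text: str) -> List[Finding]:
    lines = [ln.strip() for ln in text.splitlines()]
    # pass 1: fixed parameter count of every defined function ("..." excluded)
    params: Dict[str, Tuple[int, bool]] = {}
    for ln in lines:
        m = FUNC_DEF.match(ln)
        if m:
            ps = _split_top(_args_after(ln, m.end() - 1))
            params[m.group(1)] = (len([p for p in ps if p != '...']), '...' in ps)
    # pass 2: per-line constructs, address-taken functions, indirect call sites
    findings: List[Finding] = []
    address_taken: Set[str] = set()
    indirect_calls: List[Tuple[int, str, int]] = []
    for no, ln in enumerate(lines, 1):
        if not ln or ln.startswith((';', 'define', 'declare')):
            continue
        g = GLOBAL_DEF.match(ln)
        if g:
            init = re.split(r',\s*(?:align|section|comdat)\b', g.group(2))[0].split()
            if init and init[-1] == 'undef':
                findings.append(('undef-global', no, '@' + g.group(1)))
        v = VECTOR_OP.search(ln)
        if v:
            findings.append(('vector-op', no, v.group(1)))
        p = INTTOPTR_CONST.search(ln)
        if p:
            findings.append(('inttoptr-const', no,
                             'inttoptr (' + _args_after(ln, p.end() - 1) + ')'))
        for name in ADDR_USE.findall(ln):
            if name in params:
                address_taken.add(name)
        c = CALL.search(ln)
        if c and c.group(1).startswith('%'):  # callee is an SSA value, not @func
            nargs = len(_split_top(_args_after(ln, c.end() - 1)))
            indirect_calls.append((no, c.group(1), nargs))
    # coarse arity check: any address-taken function may be the target
    for no, callee, nargs in indirect_calls:
        for fn in sorted(address_taken):
            fixed, variadic = params[fn]
            if not variadic and fixed > nargs:
                findings.append(('arity', no, f'{callee} called with {nargs} arg(s); '
                                 f'address-taken @{fn} declares {fixed}'))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample (not dwarfdump.bc): one line per construct the thread hit.
SAMPLE_IR = """\
; constructed sample module
@ptr = internal global i8 undef, align 1
@hook = global i32 (i32, i32)* @two_args

define i32 @two_args(i32 %a, i32 %b) {
  ret i32 %a
}

define i32 @one_arg(i32 %a) {
  ret i32 %a
}

define void @use(<16 x i8> %v, i8** %out) {
  %r = shufflevector <16 x i8> %v, <16 x i8> undef, <16 x i32> zeroinitializer
  store i8* inttoptr (i64 -1 to i8*), i8** %out
  %fp = load i32 (i32)*, i32 (i32)** bitcast (i32 (i32, i32)** @hook to i32 (i32)**)
  %x = call i32 %fp(i32 7)
  call void @llvm.memset.p0i8.i64(i8* null, i8 0, i64 0, i1 false)
  ret void
}

declare void @llvm.memset.p0i8.i64(i8*, i8, i64, i1)
"""

if __name__ == '__main__':
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IR
    for kind, no, detail in scan_ir(src):
        print(f'{no:5d}  {kind:15s} {detail}')
```

Usage: `llvm-dis dwarfdump.bc -o dwarfdump.ll` and then run the script on the `.ll` file; the line numbers refer to the disassembled module, so each hit can be traced back to the source function with `llvm-dis`'s debug metadata. Anything the scanner reports under `arity` is only a candidate, since it cannot know which functions the pointer analysis actually resolves an indirect call to; the other three kinds are exact matches on the instruction text.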