Closed rasoolmaghareh closed 1 year ago
We are getting error because the for the instruction %14 = sub i64 %12, %13, !dbg !134
,
getBinaryInst() is getting null expr for both the operands.
Operand 1:
%11 = ptrtoint i8* %9 to i64, !dbg !134
KLEE: WARNING: TxWeakestPreCondition::generateExprFromOperand Unary Operand not implemented...
Operand 2:
%12 = ptrtoint i8* %10 to i64, !dbg !134
KLEE: WARNING: TxWeakestPreCondition::generateExprFromOperand Unary Operand not implemented...
since the [PtrToInt ](llvm::Instruction::PtrToInt:)
type is not supported yet.
The check was missing inside TxWeakestPreCondition::getBinaryInst
to return dummy and fail the subsumption check
when any of the operand is missing.
After adding this check program is working fine. I will add the PR as well in this thread.
ref<Expr> ret;
ref<Expr> arg1 = generateExprFromOperand(bo->getOperand(0));
ref<Expr> arg2 = generateExprFromOperand(bo->getOperand(1));
if (arg1.isNull() || arg2.isNull())
return ret;
Getting the below output now:
************Basic Block Coverage Report Starts****************
KLEE: done: Total number of single time Visited Basic Blocks: 35
KLEE: done: Total number of Basic Blocks: 36
************Basic Block Coverage Report Ends****************
************ICMP/Atomic Condition Coverage Report Starts****************
KLEE: done: Total number of Covered ICMP/Atomic Condition: 15
KLEE: done: Total number of All ICMP/Atomic Condition: 15
************ICMP/Atomic Condition Coverage Report Ends****************
KLEE: Memory cap NOT exceeded!
KLEE: done: Total reduced symbolic execution tree nodes = 279
KLEE: done: Total number of visited basic blocks = 908
KLEE: done: Subsumption statistics
KLEE: done: Time for actual solver calls in subsumption check (ms) = 0
KLEE: done: Number of solver calls for subsumption check (failed) = 0 (0)
KLEE: done: Concrete store expression build time (ms) = 125.117
KLEE: done: Symbolic store expression build time (ms) = 0.001
KLEE: done: Solver access time (ms) = 0.887
KLEE: done: Average table entries per subsumption checkpoint = 9.72
KLEE: done: Number of subsumption checks = 279
KLEE: done: Average solver calls per subsumption check = 0.00
KLEE: done: TxTree method execution times (ms):
KLEE: done: setCurrentINode = 1.157
KLEE: done: remove = 336.585
KLEE: done: subsumptionCheck = 222.043
KLEE: done: markPathCondition = 0.562
KLEE: done: split = 1.568
KLEE: done: executeOnNode = 11.944
KLEE: done: executeMemoryOperation = 4.857
KLEE: done: TxTreeNode method execution times (ms):
KLEE: done: getInterpolant = 0.207
KLEE: done: get WP Interpolant = 260.851
KLEE: done: addConstraintTime = 1.306
KLEE: done: splitTime = 1.331
KLEE: done: execute = 11.779
KLEE: done: bindCallArguments = 0.007
KLEE: done: bindReturnValue = 0.055
KLEE: done: getStoredExpressions = 0.61
KLEE: done: getStoredCoreExpressions = 2.581
KLEE: done: total instructions = 3413
KLEE: done: completed paths = 140, among which
KLEE: done: early-terminating paths (instruction time limit, solver timeout, max-depth reached) = 0
KLEE: done: average branching depth of completed paths = 50.2885
KLEE: done: average branching depth of subsumed paths = 19
KLEE: done: average instructions of completed paths = 402.875
KLEE: done: average instructions of subsumed paths = 295.444
KLEE: done: subsumed paths = 36
KLEE: done: error paths = 2
KLEE: done: program exit paths = 102
KLEE: done: generated tests = 0, among which
KLEE: done: early-terminating tests (instruction time limit, solver timeout, max-depth reached) = 0
KLEE: done: error tests = 0
KLEE: done: program exit tests = 0
KLEE: done: NOTE:
KLEE: done: Subsumed paths / tests counts are nondeterministic for
KLEE: done: programs with dynamically-allocated memory such as those
KLEE: done: using malloc, since KLEE may reuse the address of the
KLEE: done: same malloc calls in different paths. This nondeterminism
KLEE: done: does not cause loss of error reports.
--------------------------------------------------------------------------------------
| Path | Instrs| Time(s)| ICov(%)| BCov(%)| ICount| TSolver(%)|
--------------------------------------------------------------------------------------
|validation-3/klee-out-0| 3413| 0.68| 45.82| 30.21| 491| 9.37|
--------------------------------------------------------------------------------------
Output for the deletion branch as well:
KLEE: NOTE: now ignoring this error at this location
************Basic Block Coverage Report Starts****************
KLEE: done: Total number of single time Visited Basic Blocks: 35
KLEE: done: Total number of Basic Blocks: 36
************Basic Block Coverage Report Ends****************
************ICMP/Atomic Condition Coverage Report Starts****************
KLEE: done: Total number of Covered ICMP/Atomic Condition: 15
KLEE: done: Total number of All ICMP/Atomic Condition: 15
************ICMP/Atomic Condition Coverage Report Ends****************
KLEE: Memory cap NOT exceeded!
KLEE: done: Total reduced symbolic execution tree nodes = 279
KLEE: done: Total number of visited basic blocks = 908
KLEE: done: Subsumption statistics
KLEE: done: Time for actual solver calls in subsumption check (ms) = 0
KLEE: done: Number of solver calls for subsumption check (failed) = 0 (0)
KLEE: done: Concrete store expression build time (ms) = 1.66
KLEE: done: Symbolic store expression build time (ms) = 0.006
KLEE: done: Solver access time (ms) = 0.101
KLEE: done: Average table entries per subsumption checkpoint = 9.72
KLEE: done: Number of subsumption checks = 279
KLEE: done: Average solver calls per subsumption check = 0.00
KLEE: done: TxTree method execution times (ms):
KLEE: done: setCurrentINode = 1.491
KLEE: done: remove = 4.627
KLEE: done: subsumptionCheck = 3.109
KLEE: done: markPathCondition = 0.337
KLEE: done: split = 1.789
KLEE: done: executeOnNode = 1.904
KLEE: done: executeMemoryOperation = 3.529
KLEE: done: TxTreeNode method execution times (ms):
KLEE: done: getInterpolant = 0.18
KLEE: done: addConstraintTime = 1.413
KLEE: done: splitTime = 1.505
KLEE: done: execute = 1.738
KLEE: done: bindCallArguments = 0.009
KLEE: done: bindReturnValue = 0.043
KLEE: done: getStoredExpressions = 0.607
KLEE: done: getStoredCoreExpressions = 2.36
KLEE: done: total instructions = 3413
KLEE: done: completed paths = 140, among which
KLEE: done: early-terminating paths (instruction time limit, solver timeout, max-depth reached) = 0
KLEE: done: average branching depth of completed paths = 50.2885
KLEE: done: average branching depth of subsumed paths = 19
KLEE: done: average instructions of completed paths = 402.875
KLEE: done: average instructions of subsumed paths = 295.444
KLEE: done: subsumed paths = 36
KLEE: done: error paths = 2
KLEE: done: program exit paths = 102
KLEE: done: generated tests = 0, among which
KLEE: done: early-terminating tests (instruction time limit, solver timeout, max-depth reached) = 0
KLEE: done: error tests = 0
KLEE: done: program exit tests = 0
KLEE: done: NOTE:
KLEE: done: Subsumed paths / tests counts are nondeterministic for
KLEE: done: programs with dynamically-allocated memory such as those
KLEE: done: using malloc, since KLEE may reuse the address of the
KLEE: done: same malloc calls in different paths. This nondeterminism
KLEE: done: does not cause loss of error reports.
--------------------------------------------------------------------------------------
| Path | Instrs| Time(s)| ICov(%)| BCov(%)| ICount| TSolver(%)|
--------------------------------------------------------------------------------------
|validation-2/klee-out-0| 3413| 0.13| 45.82| 30.21| 491| 55.14|
--------------------------------------------------------------------------------------
Commit 60c20f9 fixes the issue.
Thanks
This is the output that I am seeing: