klee / klee

KLEE Symbolic Execution Engine

Home Page:https://klee-se.org/

Segmentation fault in klee::AddressSpace::~AddressSpace()

YikeZhou opened this issue

Description

KLEE exited unexpectedly when executing the following code.
Surprisingly, after slightly changing the string "100barfoo foobar10" (e.g., to "barfoo"), the segfault is gone.

Steps to reproduce

C++ file main.cpp:

#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

#include <klee/klee.h>

// Fixed-size payload compared element by element.
struct value {
  uint32_t data[5] = {};

  bool operator==(const value &other) const {
    for (size_t n = 0; n < 5; n++)
      if (data[n] != other.data[n])
        return false;
    return true;
  }

  bool operator!=(const value &other) const { return !(*this == other); }
};

struct tuple {
  value curr;
  value next;
};

// Non-owning pointers into a tuple; `next` stays null unless requested.
struct ref {
  uint32_t *curr;
  uint32_t *next;

  ref(tuple &t, bool set_next) {
    curr = t.curr.data;
    next = set_next ? t.next.data : nullptr;
  }
};

// Name -> list of refs. std::map and std::string are what pull in the
// standard-library symbols reported as undefined in the KLEE output below.
struct ref_map {
  std::map<std::string, std::vector<ref>> table;

  void add(const std::string &name, ref &&r) {
    std::vector<ref> &parts = table[name];
    parts.push_back(r);
  }

  const ref &at(const std::string &name) const {
    const std::vector<ref> &parts = table.at(name);
    return parts.at(0);
  }
};

int main() {
  tuple t;
  ref_map m;
  m.add("100barfoo foobar10", ref(t, false));
  m.add("foobar", ref(t, true));

  // One symbolic byte, written through the second entry's `next` pointer.
  uint8_t temp;
  klee_make_symbolic(&temp, sizeof(temp), "foobar");

  m.at("foobar").next[0] = temp;
  if (t.curr != t.next)
    t.curr = t.next;
}

Compile and run:

clang++ -emit-llvm -c main.cpp
klee --libc=uclibc --posix-runtime --libcxx main.bc

Output of KLEE

KLEE: NOTE: Using POSIX model: /tmp/klee_build130stp_z3/runtime/lib/libkleeRuntimePOSIX64_Debug+Asserts.bca
KLEE: NOTE: Using libc++ : /tmp/klee_build130stp_z3/runtime/lib/libc++.bca
KLEE: NOTE: Enabled runtime support for C++ exceptions
KLEE: NOTE: Using klee-uclibc : /tmp/klee_build130stp_z3/runtime/lib/klee-uclibc.bca
KLEE: output directory is "/home/klee/klee-out-0"
KLEE: Using STP solver backend
KLEE: SAT solver: MiniSat
warning: Linking two modules of different target triples: 'fd64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'fd_3264_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'klee_init_env64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'main.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'fd_init64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'stubs64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'klee_range64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'fd_6464_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'illegal64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.new.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_handlers.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.stdlib_new_delete.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_exception.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_personality.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_default_handlers.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_exception_storage.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.stdlib_exception.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.abort_message.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.fallback_malloc.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'klee_eh_cxx64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_demangle.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.private_typeinfo.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.cxa_virtual.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: '.stdlib_typeinfo.cpp.o.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

KLEE: WARNING ONCE: unsupported intrinsic llvm.load.relative.i64
warning: Linking two modules of different target triples: 'klee_div_zero_check64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

warning: Linking two modules of different target triples: 'klee_overshift_check64_Debug+Asserts.bc' is 'x86_64-unknown-linux-gnu' whereas '__uClibc_main.os' is 'x86_64-pc-linux-gnu'

KLEE: WARNING: undefined reference to function: _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareERKS4_
KLEE: WARNING: undefined reference to function: _ZNSaIcEC1Ev
KLEE: WARNING: undefined reference to function: _ZNSaIcED1Ev
KLEE: WARNING: undefined reference to function: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_
KLEE: WARNING: undefined reference to function: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_
KLEE: WARNING: undefined reference to function: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev
KLEE: WARNING: undefined reference to function: _ZSt18_Rb_tree_decrementPSt18_Rb_tree_node_base
KLEE: WARNING: undefined reference to function: _ZSt18_Rb_tree_incrementPSt18_Rb_tree_node_base
KLEE: WARNING: undefined reference to function: _ZSt20__throw_length_errorPKc
KLEE: WARNING: undefined reference to function: _ZSt20__throw_out_of_rangePKc
KLEE: WARNING: undefined reference to function: _ZSt24__throw_out_of_range_fmtPKcz
KLEE: WARNING: undefined reference to function: _ZSt28__throw_bad_array_new_lengthv
KLEE: WARNING: undefined reference to function: _ZSt29_Rb_tree_insert_and_rebalancebPSt18_Rb_tree_node_baseS0_RS_
KLEE: WARNING ONCE: Using zero size array fix for landingpad instruction filter
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 94910054578848) at klee_src/runtime/POSIX/fd.c:997 10
KLEE: WARNING ONCE: Alignment of memory from call "malloc" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling __klee_posix_wrapped_main with extra arguments.
KLEE: WARNING ONCE: calling external: _ZNSaIcEC1Ev(94910053961880) at [no debug info]
KLEE: WARNING ONCE: calling external: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_(94910055400000, 94910053851104, 94910053961880) at [no debug info]
KLEE: WARNING ONCE: Alignment of memory from call "_Znwm" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling external: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_(94910055568192, 94910055400000) at [no debug info]
KLEE: WARNING ONCE: calling external: _ZSt29_Rb_tree_insert_and_rebalancebPSt18_Rb_tree_node_baseS0_RS_(true, 94910055568160, 94910054759656, 94910054759656) at [no debug info]
KLEE: WARNING ONCE: calling external: _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev(94910055400000) at [no debug info]
KLEE: WARNING ONCE: calling external: _ZNSaIcED1Ev(94910053961880) at [no debug info]
KLEE: WARNING ONCE: calling external: _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareERKS4_(94910055568192, 94910054642272) at [no debug info]
Segmentation fault (core dumped)

Platform

I built the Docker image locally with the latest code on the master branch.

The version of KLEE:

KLEE 3.1-pre (https://klee.github.io)
  Build mode: RelWithDebInfo (Asserts: TRUE)
  Build revision: ca0d0951c1e43cb5a18e668371f22a12416a98df

LLVM (http://llvm.org/):
  LLVM version 13.0.1
  Optimized build with assertions.
  Default target: x86_64-unknown-linux-gnu
  Host CPU: znver1

OS version: Ubuntu 22.04.2 LTS x86_64

After some digging, I assumed the problem was caused by the <string> header file.

Therefore, I tried to compile with the C++ header files found in /tmp/llvm-130-install_O_D_A/include/c++/v1 (overriding the default search path /usr/include/c++/11/). Then the problem just disappeared.

Sounds like a mismatch between libc++ headers and library.

If it's still an issue with matching lib/header combination please reopen.
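The undefined references in the output above are the tell-tale sign of the mismatch: `_ZNSt7__cxx11...basic_string...` and `_ZSt18_Rb_tree_increment...` are libstdc++ names (its `std::__cxx11` inline namespace and its red-black-tree helpers, picked up from the headers under /usr/include/c++/11), whereas the libc++.bca that `--libcxx` links exports names in libc++'s `std::__1` namespace, so those calls fall through to "calling external" on host addresses and the run crashes. The script below is an added example, not code from the KLEE project or from either participant in this thread: it classifies the undefined symbols of a bitcode file by standard-library ABI so the mismatch is caught before klee is run. Real use assumes `llvm-nm` from the same LLVM build as klee is on PATH; the sample listings embedded in the script are constructed (the first from the mangled names KLEE reported in this issue, the second from illustrative libc++ names), and the include path in the compile comment is the one reported above, to be replaced with your own install's.

```shell
#!/bin/sh
# Added example, not code from the KLEE project or from this thread.
# Classifies the undefined symbols of a bitcode file by C++ standard-library
# ABI so a header/library mismatch is caught before klee is run.
#
# Real use (assumes llvm-nm from the same LLVM build as klee is on PATH):
#   llvm-nm --undefined-only main.bc | classify_stdlib
#
# libstdc++ (headers under /usr/include/c++/<ver>) places std::string in the
# inline namespace std::__cxx11, mangled "St7__cxx11", and its red-black-tree
# helpers are "_ZSt*_Rb_tree_*". libc++ (what klee --libcxx links from
# libc++.bca) uses the inline namespace std::__1, mangled "St3__1".
classify_stdlib() {
  libstdcxx=0
  libcxx=0
  while IFS= read -r line; do
    sym=${line##* }   # last field of an "         U <symbol>" nm line
    case "$sym" in
      *St7__cxx11*|*_Rb_tree_*) libstdcxx=$((libstdcxx + 1)) ;;
      *St3__1*)                 libcxx=$((libcxx + 1)) ;;
    esac
  done
  if [ "$libstdcxx" -gt 0 ]; then
    echo "MISMATCH: $libstdcxx libstdc++ ABI symbol(s); rebuild against libc++ headers"
    return 1
  fi
  echo "OK: $libcxx libc++ ABI symbol(s), none from libstdc++"
  return 0
}

# Constructed sample: mangled names KLEE reported as undefined in this issue,
# laid out the way llvm-nm --undefined-only prints them.
nm_sample_mismatch() {
  cat <<'EOF'
                 U _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareERKS4_
                 U _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_
                 U _ZSt18_Rb_tree_incrementPSt18_Rb_tree_node_base
                 U _ZSt29_Rb_tree_insert_and_rebalancebPSt18_Rb_tree_node_baseS0_RS_
                 U klee_make_symbolic
EOF
}

# Constructed sample of a build against libc++ headers (std::__1 namespace);
# these names are illustrative, not captured from a run.
nm_sample_libcxx() {
  cat <<'EOF'
                 U _ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareERKS5_
                 U _ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_
                 U klee_make_symbolic
EOF
}

# Compile line that uses the libc++ headers matching klee's libc++.bca. The
# include path is the one reported in this issue; substitute your own install.
#   clang++ -nostdinc++ -isystem /tmp/llvm-130-install_O_D_A/include/c++/v1 \
#       -emit-llvm -c -g main.cpp

# Demo on the two constructed listings (exit status is non-zero on mismatch).
if nm_sample_mismatch | classify_stdlib; then :; fi
if nm_sample_libcxx | classify_stdlib; then :; fi
```

A non-zero return from `classify_stdlib` is the signal to fix the compile line rather than the program: pass `-nostdinc++` plus the libc++ `include/c++/v1` directory that ships with the KLEE build (or `-stdlib=libc++` when clang's default libc++ matches the one KLEE was built against), then re-check before running klee.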