KLEE crashes with option --cex-cache-exp

Question

KLEE crashes with option --cex-cache-exp

christina1993 opened this issue a year ago · comments

christina1993 commented a year ago

Hi,
I just found a bug in KLEE 3.0 related to --cex-cache-exp option. If I invoke KLEE without any arguments on the compiled LLVM-Code (using "clang-14 -I ~/klee/include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone") of the short attached file in code.zip I get

KLEE: output directory is "~/klee-out-2"
KLEE: Using Z3 solver backend

KLEE: done: total instructions = 35
KLEE: done: completed paths = 1
KLEE: done: partially completed paths = 0
KLEE: done: generated tests = 1

as expected.
However if I pass option "--cex-cache-exp", KLEE crashes with the following output:

KLEE: output directory is "~/klee-out-3"
KLEE: Using Z3 solver backend
klee: ~/klee/lib/Core/SpecialFunctionHandler.cpp:511: void klee::SpecialFunctionHandler::handleAssume(klee::ExecutionState&, klee::KInstruction*, std::vector<klee::refklee::Expr >&): Assertion `success && "FIXME: Unhandled solver failure"' failed.
#0 0x00007f2195c3fd01 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3fd01)
#1 0x00007f2195c3da0c llvm::sys::RunSignalHandlers() (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe3da0c)
#2 0x00007f2195c40236 (/usr/lib/llvm-14/lib/libLLVM-14.so.1+0xe40236)
#3 0x00007f2194642520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x00007f2194696a7c __pthread_kill_implementation ./nptl/./nptl/pthread_kill.c:44:76
#5 0x00007f2194696a7c __pthread_kill_internal ./nptl/./nptl/pthread_kill.c:78:10
#6 0x00007f2194696a7c pthread_kill ./nptl/./nptl/pthread_kill.c:89:10
#7 0x00007f2194642476 gsignal ./signal/../sysdeps/posix/raise.c:27:6
#8 0x00007f21946287f3 abort ./stdlib/./stdlib/abort.c:81:7
#9 0x00007f219462871b _nl_load_domain ./intl/./intl/loadmsgcat.c:1177:9
#10 0x00007f2194639e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
#11 0x0000557614bed2a5 klee::SpecialFunctionHandler::handleAssume(klee::ExecutionState&, klee::KInstruction*, std::vector<klee::refklee::Expr, std::allocator<klee::refklee::Expr > >&) ~/klee/lib/Core/SpecialFunctionHandler.cpp:522:1
#12 0x0000557614bee4fc klee::SpecialFunctionHandler::handle(klee::ExecutionState&, llvm::Function*, klee::KInstruction*, std::vector<klee::refklee::Expr, std::allocator<klee::refklee::Expr > >&) ~/klee/lib/Core/SpecialFunctionHandler.cpp:231:12
#13 0x0000557614bb3ae0 klee::Executor::callExternalFunction(klee::ExecutionState&, klee::KInstruction*, klee::KCallable*, std::vector<klee::refklee::Expr, std::allocator<klee::refklee::Expr > >&) ~/klee/lib/Core/Executor.cpp:3862:5
#14 0x0000557614bbeded klee::Executor::executeCall(klee::ExecutionState&, klee::KInstruction*, llvm::Function*, std::vector<klee::refklee::Expr, std::allocator<klee::refklee::Expr > >&) ~/klee/lib/Core/Executor.cpp:1690:7
#15 0x0000557614bc69dc klee::Executor::executeInstruction(klee::ExecutionState&, klee::KInstruction*) ~/klee/lib/Core/Executor.cpp:2485:18
#16 0x0000557614bc8a10 klee::Executor::run(klee::ExecutionState&) ~/klee/lib/Core/Executor.cpp:3563:18
#17 0x0000557614bc9715 std::__uniq_ptr_impl<klee::PTree, std::default_deleteklee::PTree >::reset(klee::PTree*) /usr/include/c++/11/bits/unique_ptr.h:179:16
#18 0x0000557614bc9715 std::unique_ptr<klee::PTree, std::default_deleteklee::PTree >::reset(klee::PTree*) /usr/include/c++/11/bits/unique_ptr.h:456:12
#19 0x0000557614bc9715 std::unique_ptr<klee::PTree, std::default_deleteklee::PTree >::operator=(std::nullptr_t) /usr/include/c++/11/bits/unique_ptr.h:397:7
#20 0x0000557614bc9715 klee::Executor::runFunctionAsMain(llvm::Function*, int, char**, char**) ~/klee/lib/Core/Executor.cpp:4597:17
#21 0x0000557614b8e5fd main ~/klee/tools/klee/main.cpp:1520:5
#22 0x00007f2194629d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#23 0x00007f2194629e40 call_init ./csu/../csu/libc-start.c:128:20
#24 0x00007f2194629e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#25 0x0000557614b9d805 _start (/usr/bin/klee+0x3d805)
Aborted

My Setup
klee --version:
KLEE 3.0-pre (https://klee.github.io)
Build mode: RelWithDebInfo (Asserts: ON)
Build revision: edfa29e

Ubuntu LLVM version 14.0.0

Optimized build.
Default target: x86_64-pc-linux-gnu
Host CPU: alderlake
I am working on Ubuntu 22.04.2

Cristian Cadar · Answer 1 · Fri Aug 18 2023 18:39:43 GMT+0800 (China Standard Time)

Thanks, @christina1993 , this is indeed a bug. However, that's an experimental feature, which is not really used (and in fact, it is mostly broken at the moment, from what I can see). Do you have a use case scenario for it, or are you testing KLEE?

This being said, I will push a fix soon, and we can also try to reassess its effectiveness on some benchmarks.

Cristian Cadar · Answer 2 · Fri Aug 18 2023 22:14:27 GMT+0800 (China Standard Time)

Having thought some more about this, I propose to remove this experimental optimisation, see #1655

Cristian Cadar · Answer 3 · Wed Oct 18 2023 16:40:32 GMT+0800 (China Standard Time)

The option was removed in #1655