On Mon, Nov 2, 2009 at 1:31 AM, Daniel Dunbar <daniel at zuster.org> wrote:
>
> If you want to run klee in gdb and get a backtrace and perhaps the
> result of 'info locals' in the crashing function, that might give a
> clue.
>

OK, the GDB backtrace is much more thorough:

$ gdb klee
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...
(gdb) run --only-output-states-covering-new --libc=uclibc test.o
Starting program: /home/mlcreech/klee/install/bin/klee --only-output-states-covering-new --libc=uclibc test.o
[Thread debugging using libthread_db enabled]
[New Thread 0x7f49282fa710 (LWP 18296)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f49282fa710 (LWP 18296)]
0x00000000009a2198 in llvm::Value::getValueID (this=0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Value.h:242
242	  return SubclassID;
(gdb) bt
#0  0x00000000009a2198 in llvm::Value::getValueID (this=0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Value.h:242
#1  0x0000000000c18c7d in llvm::isa_impl<llvm::Constant, llvm::Value> (Val=@0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Value.h:316
#2  0x0000000000c1a881 in llvm::isa_impl_wrap<llvm::Constant, llvm::Value const, llvm::Value const>::doit (Val=@0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:71
#3  0x0000000000c1a6ea in llvm::isa_impl_cl<llvm::Value>::isa<llvm::Constant> (Val=@0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:83
#4  0x0000000000c8d00d in llvm::isa_impl_cl<llvm::Value const>::isa<llvm::Constant> (Val=@0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:92
#5  0x0000000000c864c4 in llvm::isa_impl_cl<llvm::Value const*>::isa<llvm::Constant> (Val=0x0) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:101
#6  0x0000000000c827a6 in llvm::isa<llvm::Constant, llvm::Value const*> (Val=@0x7fff675e7e48) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:116
#7  0x0000000000c83b24 in llvm::dyn_cast<llvm::Constant, llvm::Value const*> (Val=@0x7fff675e7e48) at /home/mlcreech/klee/llvm-2.6/include/llvm/Support/Casting.h:225
#8  0x0000000000d7fae6 in RemapOperand (In=0x0, ValueMap=@0x7fff675e88a0, Context=@0x194c970) at LinkModules.cpp:361
#9  0x0000000000d8010e in RemapOperand (In=0x19966e0, ValueMap=@0x7fff675e88a0, Context=@0x194c970) at LinkModules.cpp:401
#10 0x0000000000d8010e in RemapOperand (In=0x1996260, ValueMap=@0x7fff675e88a0, Context=@0x194c970) at LinkModules.cpp:401
#11 0x0000000000d8010e in RemapOperand (In=0x1995e30, ValueMap=@0x7fff675e88a0, Context=@0x194c970) at LinkModules.cpp:401
#12 0x0000000000d83a9d in LinkFunctionBody (Dest=0x1977da0, Src=0x197bb40, ValueMap=@0x7fff675e88a0, Err=0x7fff675e8b50) at LinkModules.cpp:1094
#13 0x0000000000d83ca6 in LinkFunctionBodies (Dest=0x194fee0, Src=0x197a8e0, ValueMap=@0x7fff675e88a0, Err=0x7fff675e8b50) at LinkModules.cpp:1121
#14 0x0000000000d84ea5 in llvm::Linker::LinkModules (Dest=0x194fee0, Src=0x197a8e0, ErrorMsg=0x7fff675e8b50) at LinkModules.cpp:1354
#15 0x0000000000d7da3f in llvm::Linker::LinkInModule (this=0x7fff675e8f70, Src=0x197a8e0, ErrorMsg=0x7fff675e8b50) at /home/mlcreech/klee/llvm-2.6/include/llvm/Linker.h:249
#16 0x0000000000d8ec59 in llvm::Linker::LinkInArchive (this=0x7fff675e8f70, Filename=@0x7fff675e8fc0, is_native=@0x7fff675e8fcf) at LinkArchives.cpp:176
#17 0x0000000000d7d5e6 in llvm::Linker::LinkInFile (this=0x7fff675e8f70, File=@0x7fff675e8fc0, is_native=@0x7fff675e8fcf) at LinkItems.cpp:191
#18 0x000000000095aba2 in klee::linkWithLibrary (module=<value optimized out>, libraryName=@0x7fff675e92f0) at ModuleUtil.cpp:40
#19 0x000000000090607a in linkWithUclibc (mainModule=0x194fee0) at main.cpp:991
#20 0x000000000090713b in main (argc=4, argv=0x7fff675e9bf8, envp=<value optimized out>) at main.cpp:1191
(gdb)

At a glance it looks like the instruction list given to LinkFunctionBody() contains a MDNode which contains a NULL entry (at index 9 out of 12), which gets propagated down to dyn_cast<>, which can't handle NULL pointers. But I've got absolutely no context as to what's really supposed to be happening here. :)

Please let me know if you need any additional information. Thanks!

-- 
Matthew L. Creech
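The failure mode the backtrace shows (a null operand inside an MDNode reaching isa/dyn_cast, which read the type tag through the pointer and so fault on null) can be reproduced and guarded in a few dozen lines. The following is an added example, not code from this thread, from KLEE or from LLVM: it uses a constructed miniature of LLVM's custom RTTI (Value::getValueID, classof, isa, dyn_cast) plus a local null-tolerant variant named dyn_cast_or_null (LLVM provides a helper of that name, but the one here is a reimplementation), walks a constructed 12-operand node whose ninth index is null the way a remap pass would, and exposes a pre-link check that reports the offending index instead of crashing.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

// Minimal stand-in for LLVM's custom RTTI (getValueID / isa / dyn_cast).
// Constructed for illustration; this is not LLVM's or KLEE's code.
struct Value {
    enum ValueID { ConstantVal, MDNodeVal };
    explicit Value(ValueID id) : SubclassID(id) {}
    virtual ~Value() {}
    // Frame #0 of the backtrace: reading SubclassID through a null `this`.
    ValueID getValueID() const { return SubclassID; }
private:
    ValueID SubclassID;
};

struct Constant : Value {
    Constant() : Value(ConstantVal) {}
    static bool classof(const Value *V) { return V->getValueID() == ConstantVal; }
};

struct MDNode : Value {
    std::vector<Value *> Operands;   // may contain null entries (the trigger)
    MDNode() : Value(MDNodeVal) {}
    static bool classof(const Value *V) { return V->getValueID() == MDNodeVal; }
};

// isa/dyn_cast as in frames #3-#7: they assume V is non-null and dereference it.
template <class To, class From> bool isa(const From *V) { return To::classof(V); }
template <class To, class From> To *dyn_cast(From *V) {
    return isa<To>(V) ? static_cast<To *>(V) : nullptr;
}
// Null-tolerant variant. LLVM ships a helper of the same name; this one is a
// local reimplementation written for this example.
template <class To, class From> To *dyn_cast_or_null(From *V) {
    return V ? dyn_cast<To>(V) : nullptr;
}

struct RemapStats { std::size_t constants = 0, nodes = 0, nulls = 0; };

// Walks an MDNode's operands the way a remap pass would, but never hands a
// null operand to dyn_cast: nulls are counted instead of dereferenced.
RemapStats remapOperands(const MDNode &N) {
    RemapStats S;
    for (Value *Op : N.Operands) {
        if (dyn_cast_or_null<Constant>(Op)) ++S.constants;
        else if (dyn_cast_or_null<MDNode>(Op)) ++S.nodes;
        else if (!Op) ++S.nulls;
    }
    return S;
}

// Pre-link sanity check: index of the first null operand, or -1 if none.
int firstNullOperand(const MDNode &N) {
    for (std::size_t i = 0; i < N.Operands.size(); ++i)
        if (!N.Operands[i]) return static_cast<int>(i);
    return -1;
}

// Constructed fixture mirroring the report: 12 operands, index 9 is null.
struct ConstructedExample {
    std::vector<Constant> Consts;   // storage for the leaf operands
    MDNode Inner;                   // one nested node at index 11
    MDNode Node;                    // the node under inspection
    ConstructedExample() : Consts(10) {
        for (std::size_t i = 0; i < 12; ++i) {
            if (i == 9) Node.Operands.push_back(nullptr);          // the bad entry
            else if (i == 11) Node.Operands.push_back(&Inner);     // nested MDNode
            else Node.Operands.push_back(&Consts[i < 9 ? i : 9]);  // constants
        }
    }
};

RemapStats remapConstructedExample() { ConstructedExample E; return remapOperands(E.Node); }
int firstNullInConstructedExample() { ConstructedExample E; return firstNullOperand(E.Node); }

int main() {
    RemapStats S = remapConstructedExample();
    std::printf("constants=%zu nodes=%zu nulls=%zu first_null=%d\n",
                S.constants, S.nodes, S.nulls, firstNullInConstructedExample());
    return 0;
}
```

The plain dyn_cast is kept exactly as unsafe as the real one so the comparison is honest: calling it on the null entry would reproduce the getValueID(this=0x0) fault, which is why the walk above routes every operand through the null-checking variant and why firstNullOperand is worth running on metadata before it is handed to a linker that does not expect holes.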
