Hi, I'm running KLEE with the CoreUtils experiment, but I found the instruction and branch coverage are pretty low. I'm using KLEE's Docker image with KLEE 1.3.0.0 and LLVM version 3.4. The coverage for some programs is shown below:

CoreUtils-6.11  Instruction coverage %  Branch coverage %  CoreUtils-8.24  Instruction Coverage %  Branch Coverage %
fold            47.50                   34.89              fold            46.56                   34.28
uniq            49.69                   38.27              uniq            49.47                   37.91
cat             43.54                   31.18              cat             36.32                   26.03
od              59.07                   44.43              od              64.60                   48.32
cksum           44.18                   32.08              cksum           54.44                   40.68
nl              39.82                   28.19              nl              43.76                   32.03
base64          50.11                   37.86              base64          48.20                   36.25
head            41.54                   31.30              head            46.43                   34.89

The command I used is the same as http://klee.github.io/docs/coreutils-experiments/:

    klee --simplify-sym-indices --write-cvcs --write-cov --output-module \
        --max-memory=1000 --disable-inlining --optimize --use-forked-solver \
        --use-cex-cache --libc=uclibc --posix-runtime \
        --allow-external-sym-calls --only-output-states-covering-new \
        --environ=test.env --run-in=/tmp/sandbox \
        --max-sym-array-size=4096 --max-instruction-time=30. --max-time=3600. \
        --watchdog --max-memory-inhibit=false --max-static-fork-pct=1 \
        --max-static-solve-pct=1 --max-static-cpfork-pct=1 --switch-type=internal \
        --search=random-path --search=nurs:covnew \
        --use-batching-search --batch-instructions=10000 \
        fold.bc --sym-args 0 1 10 --sym-args 0 2 2 --sym-files 1 8 --sym-stdin 8 --sym-stdout

May I ask what methodology you used to measure the coverage? Any comments about the experiments are also welcome.

Thank you.

Best,
Yu
