Symbolic Software-Implemented Fault Injection
-
Clone the repository recursively with
git clone --recursive, otherwise you need to executegit submodule update --initafter cloning to get our extended version of KLEE in the subfolderklee -
Build the extended version of KLEE following the instructions at http://klee.github.io/build-llvm34
-
Set the environment variable
LLVM_BUILD_DIRto the LLVM build used to build KLEE -
Execute
maketo build the LLVM bitcode of the error lib and the examples (e.g.tcas_with_checks.bc)
In the following, it is assumed that the KLEE executables klee and ktest-tool can be found in your PATH.
They are typically in the subfolder klee/build/bin.
klee -only-replay-seeds=0 -optimize=0 -link-llvm-lib=error_lib_empty.bc -inject-bit-error -output-module -emit-all-errors=1 -output-global-vars=error_counter ${bitcode-file}
Each produced ktest file will include the value of error_counter (= number of injection locations on that path).
Add option -output-dir=<string> to generate ktest files in the given directory (enable reuse with symbolic fault injection).
Without that option, the ktest files and some other KLEE stats can be found in the subfolder klee-last.
klee -only-replay-seeds=0 -optimize=0 -link-llvm-lib=error_lib_1.bc -inject-bit-error -output-module -emit-all-errors=1 -no-output-on-peaceful-exit ${bitcode-file}
klee -seed-out=${ktest-file} -only-replay-seeds=1 -named-seed-matching=strict -allow-seed-extension -allow-seed-patching=0 -optimize=0 -link-llvm-lib=error_lib_1.bc -inject-bit-error -output-module -emit-all-errors=1 -seed-forcing-mode=cex -no-output-on-peaceful-exit ${bitcode-file}
-silent-klee-assume, -check-overshift=0, -silent-out-of-bound-pointer-error to enable KLEE-builtin checks
for t in klee-last/*.ktest; do ktest-tool --write-ints --single-line-object $t; done