Why IR is needed for symbolic execution?
Question
For example, KLEE works on LLVM bitcode.
Can we build symbolic execution directly on C source code?
1 answers
solution1
1 2022-12-01 06:36:43
Each LLVM IR contains only one simple operation, but one C statement could contains multiple operations. For example, a[i] = b[i]; could be split into:
addr = b + i; // getElementPtr instruction
tmp = *addr; // load instruction
addr1 = a + i; // getElementPtr instruction
*addr1 = tmp; // store instruction
So it's much more simple to process LLVM IR than source code for a symbolic executor.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Is this how to test a stateful API with klee symbolic execution?
How can I tell if the variable involed in a instruction in KLEE is symbolic or concrete
KLEE convert non-symbolic variable to symbolic
Can the return value of a function call be made symbolic so as to bypass executing that function?
Why the function sleep() can not work when the klee execute the Objectfile?
Related Tags