I hope someone can clarify up a little klee-fundlement on my part regarding how
Klee performs symbolic execution. Consider the following example program:
--------------------------------------------------------
#include <klee/klee.h>
#define MAXSTR 10
int test(char *str, int offset) {
if (str[offset] == '\n') {
return 1;
}
return 0;
}
int main(int argc, char *argv[]) {
char str[MAXSTR];
int offset;
klee_make_symbolic(str, MAXSTR, "str");
offset = klee_int("offset");
klee_assume(offset >= 0);
klee_assume(offset < MAXSTR);
int result = test(str, offset);
return result;
}
--------------------------------------------------------
There are two paths through this program. As expected, Klee finds exactly two
paths and generates two test cases.
However, if I delete to two klee_assume() statements, then Klee finds 186
paths/test cases.
What leads to the path explosion? Without the assumes, the program admits
undefined behavior, but does not introduce any new paths. It still only has two
and execution should fork into two states at the test() if statement. What
condition forks the other 184 states?
Cheers and Thanks!
Rick Rutledge
_______________________________________________
klee-dev mailing list
[email protected]
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
