What’s wrong with this code?_what鈥檚 gone wrong with this code? why are the poin-优快云博客

本文通过一个有趣的KLEE示例，探讨了符号执行工具如何在程序路径探索中工作。KLEE是一个复杂的工具，用于探索LLVM代码的所有可能路径。文章详细分析了一个案例，解释了为何KLEE仅找到一条路径，并展示了当条件更改为可行整数时，KLEE能正确识别两条路径。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

Wednesday, April 7, 2010

What’s wrong with this code?

A user on IRC sent me this interesting KLEE example today, which I thought was cute enough I should post it.

If you aren’t familiar with it, KLEE is a tool for symbolic execution of LLVM code. It is way too complicated to explain here, but for the purposes of this example all you need to know is that it tries to explore all possible paths through a program.

In this case, the user was actually talking to me because he thought there was a bug in KLEE, because it was only finding one path through the code. Here is the example:

$ cat t.c
#include "klee/klee.h"

int f0(int x) {
if (x * x == 1000)
return 1;
else
return 0;
}

int main() {
return f0(klee_int("x"));
}

The idea here is that klee_int("x") creates a new symbolic variable, which can be anything (well, any possible int).

The user was expecting that there would be two possible paths through this program, one returning 1 and one returning 0. But KLEE only finds one:

$ clang -I ~/public/klee/include -flto -c t.c
$ ~/public/klee.obj.64/Debug/bin/klee t.o
KLEE: output directory = "klee-out-5"

KLEE: done: total instructions = 24
KLEE: done: completed paths = 1
KLEE: done: generated tests = 1

Upon showing the example to me, I was also confused for a moment. However, since I happen to trust KLEE, I knew to look for a problem in the test case! And of course, the square root of 1000 isn’t an integer, so there is no way this code can return 1. If we change the 1000 to 100, KLEE finds two paths as we would expect:

$ cat t.c
#include "klee/klee.h"

int f0(int x) {
if (x * x == 100)
return 1;
else
return 0;
}

int main() {
return f0(klee_int("x"));
}
$ clang -I ~/public/klee/include -flto -c t.c
$ ~/public/klee.obj.64/Debug/bin/klee t.o
KLEE: output directory = "klee-out-6"

KLEE: done: total instructions = 31
KLEE: done: completed paths = 2
KLEE: done: generated tests = 2