Hello KLEE Developer Team,
I've recently been using KLEE for symbolic execution of a large program. To
precisely control the entry point for symbolic execution, I've wrapped an API
function, klee_entry, as my entry point. Inside klee_entry, I symbolize global
variables and concretize their pointer members before calling the target
function to begin symbolic execution.
However, during actual execution, I've noticed that klee_entry calls the
klee.ctor_stub function. This function appears to invoke constructors for some
global variables, seemingly for initialization. This seems redundant since I've
already manually symbolized these global variables.
I have a couple of questions regarding this behavior:
1. What is the specific purpose of the klee.ctor_stub function? Is it related to
the initialization of vtables (i.e., indirect calls)?
2. Within the klee_entry function, is klee.ctor_stub called before or after
klee_make_symbolic is used to symbolize variables? In other words, is the
execution of klee.ctor_stub also subject to KLEE's symbolic execution?
3. On a related note, how does KLEE generally handle indirect calls (e.g., through
function pointers or virtual functions) during symbolic execution?
Thank you for your assistance!
Sincerely,
lqs66
_______________________________________________
klee-dev mailing list
[email protected]
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
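The harness pattern the message describes, written out as an added example (not code from the original post or from KLEE itself): a global struct is made symbolic as a whole, its pointer member is then pinned to a buffer KLEE knows about, and only then is the target function called. The struct, the target, and the native fallback stub for klee_make_symbolic (selected when the hypothetical KLEE_BUILD macro is undefined, so the file also compiles and runs outside KLEE) are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Under KLEE, klee/klee.h declares klee_make_symbolic(addr, nbytes, name).
 * Outside KLEE (assumed fallback for native builds, not part of KLEE), a
 * deterministic stand-in fills the object with a fixed byte pattern. */
#ifdef KLEE_BUILD
#include <klee/klee.h>
#else
static void klee_make_symbolic(void *addr, size_t nbytes, const char *name) {
    (void)name;
    memset(addr, 0xA5, nbytes);  /* stands in for "unconstrained" contents */
}
#endif

/* Global state of the program under test (constructed for this example). */
struct config {
    uint32_t mode;
    uint8_t *buf;   /* pointer member: left symbolic it would be unusable */
    size_t   len;
};
struct config g_cfg;
static uint8_t g_backing[16];

/* Target function: dereferences g_cfg.buf, so the pointer must be valid. */
int target(void) {
    if (g_cfg.len > sizeof g_backing) return -1;
    uint32_t sum = 0;
    for (size_t i = 0; i < g_cfg.len; i++) sum += g_cfg.buf[i];
    return (g_cfg.mode & 1) ? (int)(sum & 0xFF) : 0;
}

/* Entry point handed to KLEE with --entry-point=klee_entry. */
int klee_entry(void) {
    /* 1. Make the whole global symbolic, pointer member included. */
    klee_make_symbolic(&g_cfg, sizeof g_cfg, "g_cfg");
    /* 2. Concretize the pointer member to a known object, then make the
     *    pointed-to bytes symbolic so the data (not the address) is explored. */
    g_cfg.buf = g_backing;
    klee_make_symbolic(g_backing, sizeof g_backing, "g_backing");
    /* 3. Scalar fields stay symbolic but are bounded to the backing buffer. */
    if (g_cfg.len > sizeof g_backing) g_cfg.len = sizeof g_backing;
    return target();
}

int main(void) { return klee_entry() < 0; }
```

In the native build every byte is 0xA5, so mode is odd, len is clamped to 16 and the checksum path returns 80; under KLEE the same harness explores mode, len and the buffer contents symbolically.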