Giters

eurecom-s3 / symcc

SymCC: efficient compiler-based symbolic execution

Home Page:http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

The question about std::cin

liushengahn opened this issue · comments

commented

hello,
I build an instrumented C++ standard library to track data. When I use syd::cin in my program, the result appears as shown in the figure.

#include <iostream>
int nested_checking(const char *buff_array)
{
    if(buff_array[0] == 'A'){
        if(buff_array[1] == 'B'){
            if(buff_array[2] == 'M'){
                return 4;
            }
            if(buff_array[2] == 'N'){
                return 5;
            }
        }
        else if(buff_array[1] == 'C'){
            if(buff_array[2] == 'D'){
                if(buff_array[3] == 'E'){
                    return 5;
                }
                if(buff_array[3] == 'F'){
                    return 6;
                }
            }
            else{
                return 1;
            }
        }
    }
    return 3;
}

int main(int argc,char** argv){
    std::string n;
    std::cin>>n;
    return nested_checking(n.c_str());
}

图片1
After symbolic execution, I got a result that starts with A, but there are a lot of redundant results. This would not have happened without std::cin. Also, there are some strategies for string symbolization (Exponential back-off as I saw in Qsym's paper, It only executes blocks whose frequency number is a power of two.)I suspect it may have introduced a loop that produced redundant results.But I'm not sure. I was hoping you could explain why.
Thank you very much. I look forward to your reply.