not work on "ternary operator"

Question

not work on "ternary operator"

tenablezy opened this issue 10 months ago · comments

I use this simple case, but only one path found by KLEE.
However, there are two paths that are a == 0 and a !=0.
not sure if it is the issue on the optimization of compiler ?

/usr/lib/llvm-10/bin/clang -I ../klee/include/klee/ -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone get_sign.c

int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return a?1:3; }
KLEE: done: total instructions = 1268
KLEE: done: completed paths = 1
KLEE: done: partially completed paths = 0
KLEE: done: generated tests = 1

But if I expand it to following, two paths was got.

int main() {
  int a;

  klee_make_symbolic(&a, sizeof(a), "a");

  //return a?1:3;

  if (a) return 1;
  else return 3;
}

KLEE: done: total instructions = 1275
KLEE: done: completed paths = 2
KLEE: done: partially completed paths = 0
KLEE: done: generated tests = 2

Frank Busse · Answer 1 · Sat Aug 19 2023 22:38:36 GMT+0800 (China Standard Time)

not sure if it is the issue on the optimization of compiler ?

Have a look at the bitcode of the version with the ternary operator. It probably passes the result of a select operation to a ret statement. -- There is simply no branch in that code. The version with the if statement should contain the usual br instructions to different basic blocks and hence create branches.

tenablezy · Answer 2 · Mon Aug 21 2023 20:45:00 GMT+0800 (China Standard Time)

thanks for your response,
please guide me what the next step I can try to do?
do you get the same problem as mine ?
is there any option need to be turn on ?

tenablezy · Answer 3 · Mon Aug 21 2023 20:48:17 GMT+0800 (China Standard Time)

sorry to the incorrect operation.
I reopen it since the issue is under discussion.

tenablezy · Answer 4 · Mon Aug 21 2023 20:48:54 GMT+0800 (China Standard Time)

not sure if it is the issue on the optimization of compiler ?

Have a look at the bitcode of the version with the ternary operator. It probably passes the result of a select operation to a ret statement. -- There is simply no branch in that code. The version with the if statement should contain the usual br instructions to different basic blocks and hence create branches.

thanks for your response,
please guide me what the next step I can try to do?
do you get the same problem as mine ?
is there any option need to be turn on ?

tenablezy · Answer 5 · Tue Aug 22 2023 20:33:31 GMT+0800 (China Standard Time)

I have another trial for "ternary operator" on klee.
how to make case 2 successful ?

case 1 : Successful  
int main() {
  int a;
  int b=1,c=0;
  klee_make_symbolic(&a, sizeof(a), "a");
  return a?b:c;


case 2: Failure

int main() {
  int a;
  int b,c;

  klee_make_symbolic(&a, sizeof(a), "a");

   return a?1:0;

Cristian Cadar · Answer 6 · Tue Aug 22 2023 23:58:53 GMT+0800 (China Standard Time)

As @251 mentioned, KLEE runs LLVM bitcode rather than C and does not branch on select instructions. This is by design so if you need a different behaviour, you need to implement it yourself. Changing the C code is quite fragile, but might work to some extent.