Coreutils Experiments

Generated by GNU enscript 1.6.4. · path/to/stp/install

testing-env.sh
test.env
sandbox.tgz
/tmp
klee-cde-package/README
llvm-gcc
llvm-gcc
PATH
llvm-gcc
configure
llvm-gcc
--enable-optimized
-r
svn co
llvm-gcc
make config
--with-uclibc
--enable-posix-runtime options
uclibc
POSIX
LD_LIBRARY_PATH
-    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64 (Fedora)
-    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu (Ubuntu)
-    
obj-gcov
-coreutils-6.11$ mkdir obj-gcov
-coreutils-6.11$ cd obj-gcov
-obj-gcov$ ../configure --disable-nls CFLAGS="-g -fprofile-arcs -ftest-coverage"
-... verify that configure worked ...
-obj-gcov$ make
-obj-gcov$ make -C src arch hostname
-... verify that make worked ... 
--disable-nls
coreutils
objc-gcov/src
-obj-gcov$ cd src
-src$ ls -l ls echo cat
--rwxr-xr-x 1 ddunbar ddunbar 164841 2009-07-25 20:58 cat
--rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo
--rwxr-xr-x 1 ddunbar ddunbar 439712 2009-07-25 20:58 ls
-src$ ./cat --version
-cat (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by Torbjorn Granlund and Richard M. Stallman.
gcov
.gcda
gcov
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ ./echo
-
-src$ ls -l echo.gcda
--rw-r--r-- 1 ddunbar ddunbar 1832 2009-08-04 21:14 echo.gcda
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:0.00% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:18.81% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
gcov
.h
echo.c
coreutils
klee-gcc
llvm-gcc
llvm-ld
-coreutils-6.11$ mkdir obj-llvm
-coreutils-6.11$ cd obj-llvm
-obj-llvm$ ../configure --disable-nls CFLAGS="-g"
-... verify that configure worked ...
-obj-llvm$ make CC=/full/path/to/klee/scripts/klee-gcc
-obj-llvm$ make -C src arch hostname CC=/full/path/to/klee/scripts/klee-gcc
-... verify that make worked ... 
-fprofile-arcs -ftest-coverage
CC
klee-gcc
-obj-llvm$ cd src
-src$ ls -l ls echo cat
--rwxr-xr-x 1 ddunbar ddunbar 65 2009-07-25 23:40 cat
--rwxr-xr-x 1 ddunbar ddunbar 66 2009-07-25 23:43 echo
--rwxr-xr-x 1 ddunbar ddunbar 94 2009-07-25 23:38 ls
-src$ ./cat --version
-cat (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-LLVM ERROR: JIT does not support inline asm! 
llvm-ld
.bc
-src$ cat ls
-#!/bin/sh
-lli=${LLVMINTERP-lli}
-exec $lli \
-    -load=/usr/lib/librt.so \
-    ls.bc ${1+"$@"}
-src$ ls -l ls.bc
--rwxr-xr-x 1 ddunbar ddunbar 643640 2009-07-25 23:38 ls.bc 
glibc
lli
cat
uclibc
POSIX
-src$ klee --libc=uclibc --posix-runtime ./cat.bc --version
-KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
-KLEE: output directory = "klee-out-3"
-KLEE: WARNING: undefined reference to function: __signbitl
-KLEE: WARNING: executable has module level assembly (ignoring)
-KLEE: WARNING: calling external: syscall(54, 0, 21505, 177325672)
-KLEE: WARNING: calling __user_main with extra arguments.
-KLEE: WARNING: calling external: getpagesize()
-KLEE: WARNING: calling external: vprintf(177640072, 183340048)
-cat (GNU coreutils) 6.11
-
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by Torbjorn Granlund and Richard M. Stallman.
-KLEE: WARNING: calling close_stdout with extra arguments.
-Copyright (C) 2008 Free Software Foundation, Inc.
-KLEE: done: total instructions = 259357
-KLEE: done: completed paths = 1
-KLEE: done: generated tests = 1
-  
cat.bc
--version
--libc=uclibc
write()
--posix-runtime
cat
__signbitl
__user_main
main()
cat
main()
getpagesize()
warnings.txt
echo
main()
klee_init_env
--help
-src$ klee --libc=uclibc --posix-runtime ./echo.bc --help
-...
-
-usage: (klee_init_env) [options] [program arguments]
-  -sym-arg               - Replace by a symbolic argument with length N
-  -sym-args    - Replace by at least MIN arguments and at most
-                              MAX arguments, each with maximum length N
-  -sym-files        - Make stdin and up to NUM symbolic files, each
-                              with maximum size N.
-  -sym-stdout               - Make stdout symbolic.
-  -max-fail              - Allow up to  injected failures
-  -fd-fail                  - Shortcut for '-max-fail 1'
-...
-  
echo
-src$ klee --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
-KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
-KLEE: output directory = "klee-out-16"
-KLEE: WARNING: undefined reference to function: __signbitl
-KLEE: WARNING: executable has module level assembly (ignoring)
-KLEE: WARNING: calling external: syscall(54, 0, 21505, 189414856)
-KLEE: WARNING: calling __user_main with extra arguments.
-..
-KLEE: WARNING: calling close_stdout with extra arguments.
-...
-KLEE: WARNING: calling external: printf(183664896, 183580400)
-Usage: ./echo.bc [OPTION]... [STRING]...
-Echo the STRING(s) to standard output.
-
-  -n             do not output the trailing newline
-  -e             enable interpretation of backslash escapes
-  -E             disable interpretation of backslash escapes (default)
-      --help     display this help and exit
-      --version  output version information and exit
-
-If -e is in effect, the following sequences are recognized:
-
-  \0NNN   the character whose ASCII code is NNN (octal)
-  \\     backslash
-  \a     alert (BEL)
-  \b     backspace
-  \c     suppress trailing newline
-  \f     form feed
-  \n     new line
-  \r     carriage return
-  \t     horizontal tab
-  \v     vertical tab
-
-NOTE: your shell may have its own version of echo, which usually supersedes
-the version described here.  Please refer to your shell's documentation
-for details about the options it supports.
-
-Report bugs to .
-KLEE: WARNING: calling external: vprintf(183956664, 190534360)
-echo (GNU coreutils) 6.11
-
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by FIXME unknown.
-...
-...
-...
-
-
-
-
-..
-
-
-.
-
-.
-..
-...
-Copyright (C) 2008 Free Software Foundation, Inc.
-KLEE: done: total instructions = 300193
-KLEE: done: completed paths = 25
-KLEE: done: generated tests = 25-  
echo
--v
--version
--h
--help
klee-stats
klee-last
-src$ klee-stats klee-last
--------------------------------------------------------------------------
-| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
--------------------------------------------------------------------------
-| klee-last | 300673 |    1.47 |   28.18 |   17.37 |  28635 |      5.65 |
--------------------------------------------------------------------------
--optimize
--optimze
-src$ klee --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
-...
-KLEE: done: total instructions = 123251
-KLEE: done: completed paths = 25
-KLEE: done: generated tests = 25
-src$ klee-stats klee-last
--------------------------------------------------------------------------
-| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
--------------------------------------------------------------------------
-| klee-last | 123251 |    0.32 |   38.02 |   25.43 |   9531 |     29.66 |
--------------------------------------------------------------------------
echo
kcachegrind
apt-get
yum
run.istats
run.istats
--optimize
 src$ kcachegrind klee-last/run.istats 
__user_main
echo
if
do_v9
-e
$
-    echo -e \a
-Line 1:      a = 1;
-Line 2:      if (...)
-Line 3:        printf("hello\n");
-Line 4:      b = c; 
run.istats
klee-last
.ktest
-src$ ls klee-last
-assembly.ll	  test000004.ktest  test000012.ktest  test000020.ktest
-info		  test000005.ktest  test000013.ktest  test000021.ktest
-messages.txt	  test000006.ktest  test000014.ktest  test000022.ktest
-run.istats	  test000007.ktest  test000015.ktest  test000023.ktest
-run.stats	  test000008.ktest  test000016.ktest  test000024.ktest
-test000001.ktest  test000009.ktest  test000017.ktest  test000025.ktest
-test000002.ktest  test000010.ktest  test000018.ktest  warnings.txt
-test000003.ktest  test000011.ktest  test000019.ktest 
ktest-tool
-$ ktest-tool klee-last/test000001.ktest
-ktest file : 'klee-last/test000001.ktest'
-args       : ['./echo.bc', '--sym-arg', '3']
-num objects: 2
-object    0: name: 'arg0'
-object    0: size: 4
-object    0: data: '@@@\x00'
-object    1: name: 'model_version'
-object    1: size: 4
-object    1: data: '\x01\x00\x00\x00' 
.ktest
klee-replay
.ktest
-src$ cd ..
-obj-llvm$ cd ..
-coreutils-6.11$ cd obj-gcov
-obj-gcov$ cd src
-src$ ls -l echo
--rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo 
klee-replay
.ktest
.ktest
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/test000001.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" "@@@" 
-@@@
-klee-replay: EXIT STATUS: NORMAL (0 seconds) 
klee-replay
.ktest
klee-replay
gcov
klee-stats
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" "@@@" 
-@@@
-klee-replay: EXIT STATUS: NORMAL (0 seconds)
-...
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000022.ktest
-klee-replay: ARGS: "./echo" "--v" 
-echo (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-...
-
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:6.38% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:50.50% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
echo.c
klee-stats
gcov
kcachegrind
gcov
-        -:  193:      }
-        -:  194:
-       23:  195:just_echo:
-        -:  196:
-       23:  197:  if (do_v9)
-        -:  198:    {
-       10:  199:      while (argc > 0)
-        -:  200:	{
-    #####:  201:	  char const *s = argv[0];
-        -:  202:	  unsigned char c;
-        -:  203:
-    #####:  204:	  while ((c = *s++))
-        -:  205:	    {
-    #####:  206:	      if (c == '\\' && *s)
-        -:  207:		{
-    #####:  208:		  switch (c = *s++)
-        -:  209:		    {
-    #####:  210:		    case 'a': c = '\a'; break;
-    #####:  211:		    case 'b': c = '\b'; break;
-    #####:  212:		    case 'c': exit (EXIT_SUCCESS);
-    #####:  213:		    case 'f': c = '\f'; break;
-    #####:  214:		    case 'n': c = '\n'; break; 
kcachegrind
echo.c
--sym-args
obj-llvm/src
-src$ klee --only-output-states-covering-new --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-args 0 2 4
- ... 
-KLEE: done: total instructions = 7437521
-KLEE: done: completed paths = 9963
-KLEE: done: generated tests = 55 
--sym-args
--sym-args 0 2 4
--only-output-states-covering-new
obj-gcov/src
echo.c
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" 
-
- ... 
-
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:6.38% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:97.03% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
zcov
-  int get_sign(int x) {
-    if (x == 0)
-       return 0;
-
-    if (x < 0)
-       return -1;
-    else 
-       return 1;
-  } 
examples/get_sign
klee_make_symbolic()
main()
a
get_sign()
-  int main() {
-      int a;
-      klee_make_symbolic(&a, sizeof(a), "a");
-      return get_sign(a);
-  } 
llvm-gcc
-  --emit-llvm
get_sign.c
get_sign.o
-g
--optimize
-  KLEE: output directory = "klee-out-0"
-
-  KLEE: done: total instructions = 51
-  KLEE: done: completed paths = 3
-  KLEE: done: generated tests = 3 
a
0
0
0
klee-out-0
klee-out-N
klee-out-1
klee-last
-  $ ls klee-last/
-  assembly.ll      run.istats       test000002.ktest
-  info             run.stats        test000003.ktest
-  messages.txt     test000001.ktest warnings.txt 
.ktest
ktest-tool
-  $ ktest-tool --write-ints klee-last/test000001.ktest 
-  ktest file : 'klee-last/test000001.ktest'
-  args       : ['get_sign.o']
-  num objects: 1
-  object    0: name: 'a'
-  object    0: size: 4
-  object    0: data: 1
-  
-  $ ktest-tool --write-ints klee-last/test000002.ktest  
-  ...
-  object    0: data: -2147483648
-
-  $ ktest-tool --write-ints klee-last/test000003.ktest 
-  ...
-  object    0: data: 0 
1
-2147483648
0
0
-2147483648
1
klee_make_symbolic
.ktest
libkleeRuntest
KTEST_FILE
-  $ export LD_LIBRARY_PATH=path-to-klee-root/Release+Asserts/lib/:$LD_LIBRARY_PATH
-  $ gcc -L path-to-klee-root/Release+Asserts/lib/ get_sign.c -lkleeRuntest
-  $ KTEST_FILE=klee-last/test000001.ktest ./a.out 
-  $ echo $?
-  1
-  $ KTEST_FILE=klee-last/test000002.ktest ./a.out 
-  $ echo $?
-  255
-  $ KTEST_FILE=klee-last/test000003.ktest ./a.out
-  $ echo $?
-  0 
examples/regexp
Regexp.c
main
llvm-gcc
examples/regexp
Regexp.o
-I
-c
-g
llvm-nm
-  $ llvm-nm Regexp.o
-         t matchstar
-         t matchhere
-         T match
-         T main
-         U klee_make_symbolic_name
-         d LC
-         d LC1
-
llvm-link
llvm-ld
-$ klee --only-output-states-covering-new Regexp.o
-KLEE: output directory = "klee-out-1"
-KLEE: ERROR: .../klee/examples/regexp/Regexp.c:23: memory error: out of bound pointer
-KLEE: NOTE: now ignoring this error at this location
-KLEE: ERROR: .../klee/examples/regexp/Regexp.c:25: memory error: out of bound pointer
-KLEE: NOTE: now ignoring this error at this location
-KLEE: done: total instructions = 6334861
-KLEE: done: completed paths = 7692
-KLEE: done: generated tests = 22
-
klee-out-1
klee-out-N
klee-last
-output-dir=path
klee
-max-time=seconds
-max-forks=N
-max-memory=N
testN.TYPE.err
free()
abort()
klee
malloc
.err
-Error: memory error: out of bound pointer
-File: .../klee/examples/regexp/Regexp.c
-Line: 23
-Stack: 
-	#0 00000146 in matchhere (re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:23
-	#1 00000074 in matchstar (c, re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#2 00000172 in matchhere (re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#3 00000074 in matchstar (c, re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#4 00000172 in matchhere (re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#5 00000074 in matchstar (c, re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#6 00000172 in matchhere (re=14816465, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#7 00000231 in matchhere (re=14816464, text=14815300) at .../klee/examples/regexp/Regexp.c:30
-	#8 00000280 in match (re=14816464, text=14815296) at .../klee/examples/regexp/Regexp.c:38
-	#9 00000327 in main () at .../klee/examples/regexp/Regexp.c:59
-Info: 
-	address: 14816471
-	next: object at 14816624 of size 4
-	prev: object at 14816464 of size 7
-
assembly.ll
match
'\0'
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic(re, sizeof re, "re");
-  re[SIZE - 1] = '\0';
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
klee
klee_assume
klee_assume
klee_assume
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic(re, sizeof re, "re");
-  klee_assume(re[SIZE - 1] == '\0');
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
klee_assume
'\0'
klee_assume
klee_assume(re[0] != '^')
'^'
klee_assume
klee_assume
klee_assume
--with-llvmsrc=
--with-llvmobj=
--with-llvm=
-j
libkleaverExpr
.h
include/
#include
include/
.cpp
lib/Expr/
kleaverExpr
Makefile
lib/Expr
.cpp
make
path/to/build-dir/docs/doxygen/
make check
test/
test/Feature
dg.exp
test/Expr/dg.exp
.pc
test/Expr
test/Feature/ByteSwap.c
llvm-gcc
%s
%t1.bc
%s
Feature/ByteSwap.c
kleeCore
lib/Core
printf()
lib/Core/Common.h
lib/core/Executor.cpp
-    $ cat info 
-    klee --write-pcs demo.o
-    PID: 12460
-    Started: 2009-05-20 22:31:41
-    BEGIN searcher description
-    DFSSearcher
-    END searcher description
-    Finished: 2009-05-20 22:31:41
-    Elapsed: 00:00:00
-    KLEE: done: explored paths = 3
-    KLEE: done: avg. constructs per query = 6
-    KLEE: done: total queries = 3
-    KLEE: done: valid queries = 0
-    KLEE: done: invalid queriers = 3
-    KLEE: done: query cex = 3
-    KLEE: done: total instructions = 67
-    KLEE: done: completed paths = 3
-    KLEE: done: generated tests = 3 
--use-query-log=all:pc
all-queries.pc
--use-query-log=all:smt2
--use-query-log=solver:pc
solver-queries.pc
--use-query-log=solver:smt2
.ktest
--no-output
--write-cvcs
--write-pcs
.pc
--write-smt2s
.pc
-    $ klee --search=dfs demo.o
-    $ klee --search=random-path demo.o 
-    $ klee --help
-    -search                                 - Specify the search heuristic (default=random-path interleaved with nurs:covnew)
-      =dfs                                  -   use Depth First Search (DFS)
-      =random-state                         -   randomly select a state to explore
-      =random-path                          -   use Random Path Selection (see OSDI'08 paper)
-      =nurs:covnew                          -   use Non Uniform Random Search (NURS) with Coverage-New heuristic
-      =nurs:md2u                            -   use NURS with Min-Dist-to-Uncovered heuristic
-      =nurs:depth                           -   use NURS with 2^depth heuristic
-      =nurs:icnt                            -   use NURS with Instr-Count heuristic
-      =nurs:cpicnt                          -   use NURS with CallPath-Instr-Count heuristic
-      =nurs:qc                              -   use NURS with Query-Cost heuristic   
-    $ klee --search=random-state --search=nurs:md2u demo.o 
klee-stats [options] directories
klee-stats --help
-/* 
- * Simple regular expression matching.
- *
- * From:
- *   The Practice of Programming
- *   Brian W. Kernighan, Rob Pike
- *
- */ 
-
-#include <klee/klee.h>
-
-static int matchhere(char*,char*);
-
-static int matchstar(int c, char *re, char *text) {
-  do {
-    if (matchhere(re, text))
-      return 1;
-  } while (*text != '\0' && (*text++ == c || c== '.'));
-  return 0;
-}
-
-static int matchhere(char *re, char *text) {
-  if (re[0] == '\0')
-     return 0;
-  if (re[1] == '*')
-    return matchstar(re[0], re+2, text);
-  if (re[0] == '$' && re[1]=='\0')
-    return *text == '\0';
-  if (*text!='\0' && (re[0]=='.' || re[0]==*text))
-    return matchhere(re+1, text+1);
-  return 0;
-}
-
-int match(char *re, char *text) {
-  if (re[0] == '^')
-    return matchhere(re+1, text);
-  do {
-    if (matchhere(re, text))
-      return 1;
-  } while (*text++ != '\0');
-  return 0;
-}
-
-/*
- * Harness for testing with KLEE.
- */
-
-// The size of the buffer to test with.
-#define SIZE 7
-
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic_name(re, sizeof re, "re");
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
-/*
- * First KLEE tutorial: testing a small function
- */
-
-
-int get_sign(int x) {
-  if (x == 0)
-     return 0;
-  
-  if (x < 0)
-     return -1;
-  else 
-     return 1;
-} 
-
-int main() {
-  int a;
-  klee_make_symbolic(&a, sizeof(a), "a");
-  return get_sign(a);
-} 
-
-/*
- * First KLEE tutorial: testing a small function
- */
-
-#include <klee/klee.h>
-
-int my_islower(int x) {
-  if (x >= 'a' && x <= 'z')
-    return 1;
-  else return 0;
-}
-
-int main() {
-  char c;
-  klee_make_symbolic(&c, sizeof(c), "input");
-  return my_islower(c);
-}
-
testing-env.sh
test.env
sandbox.tgz
/tmp
klee-cde-package/README
llvm-gcc
llvm-gcc
PATH
llvm-gcc
configure
llvm-gcc
--enable-optimized
-r
svn co
llvm-gcc
make config
--with-uclibc
--enable-posix-runtime options
uclibc
POSIX
LD_LIBRARY_PATH
+    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64 (Fedora)
+    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu (Ubuntu)
+    
obj-gcov
+coreutils-6.11$ mkdir obj-gcov
+coreutils-6.11$ cd obj-gcov
+obj-gcov$ ../configure --disable-nls CFLAGS="-g -fprofile-arcs -ftest-coverage"
+... verify that configure worked ...
+obj-gcov$ make
+obj-gcov$ make -C src arch hostname
+... verify that make worked ... 
--disable-nls
coreutils
objc-gcov/src
+obj-gcov$ cd src
+src$ ls -l ls echo cat
+-rwxr-xr-x 1 ddunbar ddunbar 164841 2009-07-25 20:58 cat
+-rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo
+-rwxr-xr-x 1 ddunbar ddunbar 439712 2009-07-25 20:58 ls
+src$ ./cat --version
+cat (GNU coreutils) 6.11
+Copyright (C) 2008 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later 
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Written by Torbjorn Granlund and Richard M. Stallman.
gcov
.gcda
gcov
+src$ rm -f *.gcda # Get rid of any stale gcov files
+src$ ./echo
+
+src$ ls -l echo.gcda
+-rw-r--r-- 1 ddunbar ddunbar 1832 2009-08-04 21:14 echo.gcda
+src$ gcov echo
+File '../../src/system.h'
+Lines executed:0.00% of 47
+../../src/system.h:creating 'system.h.gcov'
+
+File '../../lib/timespec.h'
+Lines executed:0.00% of 2
+../../lib/timespec.h:creating 'timespec.h.gcov'
+
+File '../../lib/gettext.h'
+Lines executed:0.00% of 32
+../../lib/gettext.h:creating 'gettext.h.gcov'
+
+File '../../lib/openat.h'
+Lines executed:0.00% of 8
+../../lib/openat.h:creating 'openat.h.gcov'
+
+File '../../src/echo.c'
+Lines executed:18.81% of 101
+../../src/echo.c:creating 'echo.c.gcov' 
gcov
.h
echo.c
coreutils
klee-gcc
llvm-gcc
llvm-ld
+coreutils-6.11$ mkdir obj-llvm
+coreutils-6.11$ cd obj-llvm
+obj-llvm$ ../configure --disable-nls CFLAGS="-g"
+... verify that configure worked ...
+obj-llvm$ make CC=/full/path/to/klee/scripts/klee-gcc
+obj-llvm$ make -C src arch hostname CC=/full/path/to/klee/scripts/klee-gcc
+... verify that make worked ... 
-fprofile-arcs -ftest-coverage
CC
klee-gcc
+obj-llvm$ cd src
+src$ ls -l ls echo cat
+-rwxr-xr-x 1 ddunbar ddunbar 65 2009-07-25 23:40 cat
+-rwxr-xr-x 1 ddunbar ddunbar 66 2009-07-25 23:43 echo
+-rwxr-xr-x 1 ddunbar ddunbar 94 2009-07-25 23:38 ls
+src$ ./cat --version
+cat (GNU coreutils) 6.11
+Copyright (C) 2008 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later 
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+LLVM ERROR: JIT does not support inline asm! 
llvm-ld
.bc
+src$ cat ls
+#!/bin/sh
+lli=${LLVMINTERP-lli}
+exec $lli \
+    -load=/usr/lib/librt.so \
+    ls.bc ${1+"$@"}
+src$ ls -l ls.bc
+-rwxr-xr-x 1 ddunbar ddunbar 643640 2009-07-25 23:38 ls.bc 
glibc
lli
cat
uclibc
POSIX
+src$ klee --libc=uclibc --posix-runtime ./cat.bc --version
+KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
+KLEE: output directory = "klee-out-3"
+KLEE: WARNING: undefined reference to function: __signbitl
+KLEE: WARNING: executable has module level assembly (ignoring)
+KLEE: WARNING: calling external: syscall(54, 0, 21505, 177325672)
+KLEE: WARNING: calling __user_main with extra arguments.
+KLEE: WARNING: calling external: getpagesize()
+KLEE: WARNING: calling external: vprintf(177640072, 183340048)
+cat (GNU coreutils) 6.11
+
+License GPLv3+: GNU GPL version 3 or later 
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Written by Torbjorn Granlund and Richard M. Stallman.
+KLEE: WARNING: calling close_stdout with extra arguments.
+Copyright (C) 2008 Free Software Foundation, Inc.
+KLEE: done: total instructions = 259357
+KLEE: done: completed paths = 1
+KLEE: done: generated tests = 1
+  
cat.bc
--version
--libc=uclibc
write()
--posix-runtime
cat
__signbitl
__user_main
main()
cat
main()
getpagesize()
warnings.txt
echo
main()
klee_init_env
--help
+src$ klee --libc=uclibc --posix-runtime ./echo.bc --help
+...
+
+usage: (klee_init_env) [options] [program arguments]
+  -sym-arg               - Replace by a symbolic argument with length N
+  -sym-args    - Replace by at least MIN arguments and at most
+                              MAX arguments, each with maximum length N
+  -sym-files        - Make stdin and up to NUM symbolic files, each
+                              with maximum size N.
+  -sym-stdout               - Make stdout symbolic.
+  -max-fail              - Allow up to  injected failures
+  -fd-fail                  - Shortcut for '-max-fail 1'
+...
+  
echo
+src$ klee --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
+KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
+KLEE: output directory = "klee-out-16"
+KLEE: WARNING: undefined reference to function: __signbitl
+KLEE: WARNING: executable has module level assembly (ignoring)
+KLEE: WARNING: calling external: syscall(54, 0, 21505, 189414856)
+KLEE: WARNING: calling __user_main with extra arguments.
+..
+KLEE: WARNING: calling close_stdout with extra arguments.
+...
+KLEE: WARNING: calling external: printf(183664896, 183580400)
+Usage: ./echo.bc [OPTION]... [STRING]...
+Echo the STRING(s) to standard output.
+
+  -n             do not output the trailing newline
+  -e             enable interpretation of backslash escapes
+  -E             disable interpretation of backslash escapes (default)
+      --help     display this help and exit
+      --version  output version information and exit
+
+If -e is in effect, the following sequences are recognized:
+
+  \0NNN   the character whose ASCII code is NNN (octal)
+  \\     backslash
+  \a     alert (BEL)
+  \b     backspace
+  \c     suppress trailing newline
+  \f     form feed
+  \n     new line
+  \r     carriage return
+  \t     horizontal tab
+  \v     vertical tab
+
+NOTE: your shell may have its own version of echo, which usually supersedes
+the version described here.  Please refer to your shell's documentation
+for details about the options it supports.
+
+Report bugs to .
+KLEE: WARNING: calling external: vprintf(183956664, 190534360)
+echo (GNU coreutils) 6.11
+
+License GPLv3+: GNU GPL version 3 or later 
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Written by FIXME unknown.
+...
+...
+...
+
+
+
+
+..
+
+
+.
+
+.
+..
+...
+Copyright (C) 2008 Free Software Foundation, Inc.
+KLEE: done: total instructions = 300193
+KLEE: done: completed paths = 25
+KLEE: done: generated tests = 25+  
echo
--v
--version
--h
--help
klee-stats
klee-last
+src$ klee-stats klee-last
+-------------------------------------------------------------------------
+| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
+-------------------------------------------------------------------------
+| klee-last | 300673 |    1.47 |   28.18 |   17.37 |  28635 |      5.65 |
+-------------------------------------------------------------------------
--optimize
--optimze
+src$ klee --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
+...
+KLEE: done: total instructions = 123251
+KLEE: done: completed paths = 25
+KLEE: done: generated tests = 25
+src$ klee-stats klee-last
+-------------------------------------------------------------------------
+| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
+-------------------------------------------------------------------------
+| klee-last | 123251 |    0.32 |   38.02 |   25.43 |   9531 |     29.66 |
+-------------------------------------------------------------------------
echo
kcachegrind
apt-get
yum
run.istats
run.istats
--optimize
 src$ kcachegrind klee-last/run.istats 
__user_main
echo
if
do_v9
-e
$
+    echo -e \a
+Line 1:      a = 1;
+Line 2:      if (...)
+Line 3:        printf("hello\n");
+Line 4:      b = c; 
run.istats
klee-last
.ktest
+src$ ls klee-last
+assembly.ll	  test000004.ktest  test000012.ktest  test000020.ktest
+info		  test000005.ktest  test000013.ktest  test000021.ktest
+messages.txt	  test000006.ktest  test000014.ktest  test000022.ktest
+run.istats	  test000007.ktest  test000015.ktest  test000023.ktest
+run.stats	  test000008.ktest  test000016.ktest  test000024.ktest
+test000001.ktest  test000009.ktest  test000017.ktest  test000025.ktest
+test000002.ktest  test000010.ktest  test000018.ktest  warnings.txt
+test000003.ktest  test000011.ktest  test000019.ktest 
ktest-tool
+$ ktest-tool klee-last/test000001.ktest
+ktest file : 'klee-last/test000001.ktest'
+args       : ['./echo.bc', '--sym-arg', '3']
+num objects: 2
+object    0: name: 'arg0'
+object    0: size: 4
+object    0: data: '@@@\x00'
+object    1: name: 'model_version'
+object    1: size: 4
+object    1: data: '\x01\x00\x00\x00' 
.ktest
klee-replay
.ktest
+src$ cd ..
+obj-llvm$ cd ..
+coreutils-6.11$ cd obj-gcov
+obj-gcov$ cd src
+src$ ls -l echo
+-rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo 
klee-replay
.ktest
.ktest
+src$ klee-replay ./echo ../../obj-llvm/src/klee-last/test000001.ktest 
+klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
+klee-replay: ARGS: "./echo" "@@@" 
+@@@
+klee-replay: EXIT STATUS: NORMAL (0 seconds) 
klee-replay
.ktest
klee-replay
gcov
klee-stats
+src$ rm -f *.gcda # Get rid of any stale gcov files
+src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
+klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
+klee-replay: ARGS: "./echo" "@@@" 
+@@@
+klee-replay: EXIT STATUS: NORMAL (0 seconds)
+...
+klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000022.ktest
+klee-replay: ARGS: "./echo" "--v" 
+echo (GNU coreutils) 6.11
+Copyright (C) 2008 Free Software Foundation, Inc.
+...
+
+src$ gcov echo
+File '../../src/system.h'
+Lines executed:6.38% of 47
+../../src/system.h:creating 'system.h.gcov'
+
+File '../../lib/timespec.h'
+Lines executed:0.00% of 2
+../../lib/timespec.h:creating 'timespec.h.gcov'
+
+File '../../lib/gettext.h'
+Lines executed:0.00% of 32
+../../lib/gettext.h:creating 'gettext.h.gcov'
+
+File '../../lib/openat.h'
+Lines executed:0.00% of 8
+../../lib/openat.h:creating 'openat.h.gcov'
+
+File '../../src/echo.c'
+Lines executed:50.50% of 101
+../../src/echo.c:creating 'echo.c.gcov' 
echo.c
klee-stats
gcov
kcachegrind
gcov
+        -:  193:      }
+        -:  194:
+       23:  195:just_echo:
+        -:  196:
+       23:  197:  if (do_v9)
+        -:  198:    {
+       10:  199:      while (argc > 0)
+        -:  200:	{
+    #####:  201:	  char const *s = argv[0];
+        -:  202:	  unsigned char c;
+        -:  203:
+    #####:  204:	  while ((c = *s++))
+        -:  205:	    {
+    #####:  206:	      if (c == '\\' && *s)
+        -:  207:		{
+    #####:  208:		  switch (c = *s++)
+        -:  209:		    {
+    #####:  210:		    case 'a': c = '\a'; break;
+    #####:  211:		    case 'b': c = '\b'; break;
+    #####:  212:		    case 'c': exit (EXIT_SUCCESS);
+    #####:  213:		    case 'f': c = '\f'; break;
+    #####:  214:		    case 'n': c = '\n'; break; 
kcachegrind
echo.c
--sym-args
obj-llvm/src
+src$ klee --only-output-states-covering-new --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-args 0 2 4
+ ... 
+KLEE: done: total instructions = 7437521
+KLEE: done: completed paths = 9963
+KLEE: done: generated tests = 55 
--sym-args
--sym-args 0 2 4
--only-output-states-covering-new
obj-gcov/src
echo.c
+src$ rm -f *.gcda # Get rid of any stale gcov files
+src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
+klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
+klee-replay: ARGS: "./echo" 
+
+ ... 
+
+src$ gcov echo
+File '../../src/system.h'
+Lines executed:6.38% of 47
+../../src/system.h:creating 'system.h.gcov'
+
+File '../../lib/timespec.h'
+Lines executed:0.00% of 2
+../../lib/timespec.h:creating 'timespec.h.gcov'
+
+File '../../lib/gettext.h'
+Lines executed:0.00% of 32
+../../lib/gettext.h:creating 'gettext.h.gcov'
+
+File '../../lib/openat.h'
+Lines executed:0.00% of 8
+../../lib/openat.h:creating 'openat.h.gcov'
+
+File '../../src/echo.c'
+Lines executed:97.03% of 101
+../../src/echo.c:creating 'echo.c.gcov' 
zcov
+  int get_sign(int x) {
+    if (x == 0)
+       return 0;
+
+    if (x < 0)
+       return -1;
+    else 
+       return 1;
+  } 
examples/get_sign
klee_make_symbolic()
main()
a
get_sign()
+  int main() {
+      int a;
+      klee_make_symbolic(&a, sizeof(a), "a");
+      return get_sign(a);
+  } 
llvm-gcc
+  --emit-llvm
get_sign.c
get_sign.o
-g
--optimize
+  KLEE: output directory = "klee-out-0"
+
+  KLEE: done: total instructions = 51
+  KLEE: done: completed paths = 3
+  KLEE: done: generated tests = 3 
a
0
0
0
klee-out-0
klee-out-N
klee-out-1
klee-last
+  $ ls klee-last/
+  assembly.ll      run.istats       test000002.ktest
+  info             run.stats        test000003.ktest
+  messages.txt     test000001.ktest warnings.txt 
.ktest
ktest-tool
+  $ ktest-tool --write-ints klee-last/test000001.ktest 
+  ktest file : 'klee-last/test000001.ktest'
+  args       : ['get_sign.o']
+  num objects: 1
+  object    0: name: 'a'
+  object    0: size: 4
+  object    0: data: 1
+  
+  $ ktest-tool --write-ints klee-last/test000002.ktest  
+  ...
+  object    0: data: -2147483648
+
+  $ ktest-tool --write-ints klee-last/test000003.ktest 
+  ...
+  object    0: data: 0 
1
-2147483648
0
0
-2147483648
1
klee_make_symbolic
.ktest
libkleeRuntest
KTEST_FILE
+  $ export LD_LIBRARY_PATH=path-to-klee-root/Release+Asserts/lib/:$LD_LIBRARY_PATH
+  $ gcc -L path-to-klee-root/Release+Asserts/lib/ get_sign.c -lkleeRuntest
+  $ KTEST_FILE=klee-last/test000001.ktest ./a.out 
+  $ echo $?
+  1
+  $ KTEST_FILE=klee-last/test000002.ktest ./a.out 
+  $ echo $?
+  255
+  $ KTEST_FILE=klee-last/test000003.ktest ./a.out
+  $ echo $?
+  0 
examples/regexp
Regexp.c
main
llvm-gcc
examples/regexp
Regexp.o
-I
-c
-g
llvm-nm
+  $ llvm-nm Regexp.o
+         t matchstar
+         t matchhere
+         T match
+         T main
+         U klee_make_symbolic_name
+         d LC
+         d LC1
+
llvm-link
llvm-ld
+$ klee --only-output-states-covering-new Regexp.o
+KLEE: output directory = "klee-out-1"
+KLEE: ERROR: .../klee/examples/regexp/Regexp.c:23: memory error: out of bound pointer
+KLEE: NOTE: now ignoring this error at this location
+KLEE: ERROR: .../klee/examples/regexp/Regexp.c:25: memory error: out of bound pointer
+KLEE: NOTE: now ignoring this error at this location
+KLEE: done: total instructions = 6334861
+KLEE: done: completed paths = 7692
+KLEE: done: generated tests = 22
+
klee-out-1
klee-out-N
klee-last
-output-dir=path
klee
-max-time=seconds
-max-forks=N
-max-memory=N
testN.TYPE.err
free()
abort()
klee
malloc
.err
+Error: memory error: out of bound pointer
+File: .../klee/examples/regexp/Regexp.c
+Line: 23
+Stack: 
+	#0 00000146 in matchhere (re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:23
+	#1 00000074 in matchstar (c, re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:16
+	#2 00000172 in matchhere (re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:26
+	#3 00000074 in matchstar (c, re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:16
+	#4 00000172 in matchhere (re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:26
+	#5 00000074 in matchstar (c, re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:16
+	#6 00000172 in matchhere (re=14816465, text=14815301) at .../klee/examples/regexp/Regexp.c:26
+	#7 00000231 in matchhere (re=14816464, text=14815300) at .../klee/examples/regexp/Regexp.c:30
+	#8 00000280 in match (re=14816464, text=14815296) at .../klee/examples/regexp/Regexp.c:38
+	#9 00000327 in main () at .../klee/examples/regexp/Regexp.c:59
+Info: 
+	address: 14816471
+	next: object at 14816624 of size 4
+	prev: object at 14816464 of size 7
+
assembly.ll
match
'\0'
+int main() {
+  // The input regular expression.
+  char re[SIZE];
+  
+  // Make the input symbolic. 
+  klee_make_symbolic(re, sizeof re, "re");
+  re[SIZE - 1] = '\0';
+
+  // Try to match against a constant string "hello".
+  match(re, "hello");
+
+  return 0;
+}
+
klee
klee_assume
klee_assume
klee_assume
+int main() {
+  // The input regular expression.
+  char re[SIZE];
+  
+  // Make the input symbolic. 
+  klee_make_symbolic(re, sizeof re, "re");
+  klee_assume(re[SIZE - 1] == '\0');
+
+  // Try to match against a constant string "hello".
+  match(re, "hello");
+
+  return 0;
+}
+
klee_assume
'\0'
klee_assume
klee_assume(re[0] != '^')
'^'
klee_assume
klee_assume
klee_assume
--with-llvmsrc=
--with-llvmobj=
--with-llvm=
-j
libkleaverExpr
.h
include/
#include
include/
.cpp
lib/Expr/
kleaverExpr
Makefile
lib/Expr
.cpp
make
path/to/build-dir/docs/doxygen/
make check
test/
test/Feature
dg.exp
test/Expr/dg.exp
.pc
test/Expr
test/Feature/ByteSwap.c
llvm-gcc
%s
%t1.bc
%s
Feature/ByteSwap.c
kleeCore
lib/Core
printf()
lib/Core/Common.h
lib/core/Executor.cpp
+    $ cat info 
+    klee --write-pcs demo.o
+    PID: 12460
+    Started: 2009-05-20 22:31:41
+    BEGIN searcher description
+    DFSSearcher
+    END searcher description
+    Finished: 2009-05-20 22:31:41
+    Elapsed: 00:00:00
+    KLEE: done: explored paths = 3
+    KLEE: done: avg. constructs per query = 6
+    KLEE: done: total queries = 3
+    KLEE: done: valid queries = 0
+    KLEE: done: invalid queriers = 3
+    KLEE: done: query cex = 3
+    KLEE: done: total instructions = 67
+    KLEE: done: completed paths = 3
+    KLEE: done: generated tests = 3 
--use-query-log=all:pc
all-queries.pc
--use-query-log=all:smt2
--use-query-log=solver:pc
solver-queries.pc
--use-query-log=solver:smt2
.ktest
--no-output
--write-cvcs
--write-pcs
.pc
--write-smt2s
.pc
+    $ klee --search=dfs demo.o
+    $ klee --search=random-path demo.o 
+    $ klee --help
+    -search                                 - Specify the search heuristic (default=random-path interleaved with nurs:covnew)
+      =dfs                                  -   use Depth First Search (DFS)
+      =random-state                         -   randomly select a state to explore
+      =random-path                          -   use Random Path Selection (see OSDI'08 paper)
+      =nurs:covnew                          -   use Non Uniform Random Search (NURS) with Coverage-New heuristic
+      =nurs:md2u                            -   use NURS with Min-Dist-to-Uncovered heuristic
+      =nurs:depth                           -   use NURS with 2^depth heuristic
+      =nurs:icnt                            -   use NURS with Instr-Count heuristic
+      =nurs:cpicnt                          -   use NURS with CallPath-Instr-Count heuristic
+      =nurs:qc                              -   use NURS with Query-Cost heuristic   
+    $ klee --search=random-state --search=nurs:md2u demo.o 
klee-stats [options] directories
klee-stats --help
+/* 
+ * Simple regular expression matching.
+ *
+ * From:
+ *   The Practice of Programming
+ *   Brian W. Kernighan, Rob Pike
+ *
+ */ 
+
+#include <klee/klee.h>
+
+static int matchhere(char*,char*);
+
+static int matchstar(int c, char *re, char *text) {
+  do {
+    if (matchhere(re, text))
+      return 1;
+  } while (*text != '\0' && (*text++ == c || c== '.'));
+  return 0;
+}
+
+static int matchhere(char *re, char *text) {
+  if (re[0] == '\0')
+     return 0;
+  if (re[1] == '*')
+    return matchstar(re[0], re+2, text);
+  if (re[0] == '$' && re[1]=='\0')
+    return *text == '\0';
+  if (*text!='\0' && (re[0]=='.' || re[0]==*text))
+    return matchhere(re+1, text+1);
+  return 0;
+}
+
+int match(char *re, char *text) {
+  if (re[0] == '^')
+    return matchhere(re+1, text);
+  do {
+    if (matchhere(re, text))
+      return 1;
+  } while (*text++ != '\0');
+  return 0;
+}
+
+/*
+ * Harness for testing with KLEE.
+ */
+
+// The size of the buffer to test with.
+#define SIZE 7
+
+int main() {
+  // The input regular expression.
+  char re[SIZE];
+  
+  // Make the input symbolic. 
+  klee_make_symbolic_name(re, sizeof re, "re");
+
+  // Try to match against a constant string "hello".
+  match(re, "hello");
+
+  return 0;
+}
+
+/*
+ * First KLEE tutorial: testing a small function
+ */
+
+
+int get_sign(int x) {
+  if (x == 0)
+     return 0;
+  
+  if (x < 0)
+     return -1;
+  else 
+     return 1;
+} 
+
+int main() {
+  int a;
+  klee_make_symbolic(&a, sizeof(a), "a");
+  return get_sign(a);
+} 
+
+/*
+ * First KLEE tutorial: testing a small function
+ */
+
+#include <klee/klee.h>
+
+int my_islower(int x) {
+  if (x >= 'a' && x <= 'z')
+    return 1;
+  else return 0;
+}
+
+int main() {
+  char c;
+  klee_make_symbolic(&c, sizeof(c), "input");
+  return my_islower(c);
+}
+
testing-env.sh
test.env
sandbox.tgz
/tmp
klee-cde-package/README
llvm-gcc
llvm-gcc
PATH
llvm-gcc
configure
llvm-gcc
--enable-optimized
-r
svn co
llvm-gcc
make config
--with-uclibc
--enable-posix-runtime options
uclibc
POSIX
LD_LIBRARY_PATH
-    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64 (Fedora)
-    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu (Ubuntu)
-    
obj-gcov
-coreutils-6.11$ mkdir obj-gcov
-coreutils-6.11$ cd obj-gcov
-obj-gcov$ ../configure --disable-nls CFLAGS="-g -fprofile-arcs -ftest-coverage"
-... verify that configure worked ...
-obj-gcov$ make
-obj-gcov$ make -C src arch hostname
-... verify that make worked ... 
--disable-nls
coreutils
objc-gcov/src
-obj-gcov$ cd src
-src$ ls -l ls echo cat
--rwxr-xr-x 1 ddunbar ddunbar 164841 2009-07-25 20:58 cat
--rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo
--rwxr-xr-x 1 ddunbar ddunbar 439712 2009-07-25 20:58 ls
-src$ ./cat --version
-cat (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by Torbjorn Granlund and Richard M. Stallman.
gcov
.gcda
gcov
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ ./echo
-
-src$ ls -l echo.gcda
--rw-r--r-- 1 ddunbar ddunbar 1832 2009-08-04 21:14 echo.gcda
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:0.00% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:18.81% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
gcov
.h
echo.c
coreutils
klee-gcc
llvm-gcc
llvm-ld
-coreutils-6.11$ mkdir obj-llvm
-coreutils-6.11$ cd obj-llvm
-obj-llvm$ ../configure --disable-nls CFLAGS="-g"
-... verify that configure worked ...
-obj-llvm$ make CC=/full/path/to/klee/scripts/klee-gcc
-obj-llvm$ make -C src arch hostname CC=/full/path/to/klee/scripts/klee-gcc
-... verify that make worked ... 
-fprofile-arcs -ftest-coverage
CC
klee-gcc
-obj-llvm$ cd src
-src$ ls -l ls echo cat
--rwxr-xr-x 1 ddunbar ddunbar 65 2009-07-25 23:40 cat
--rwxr-xr-x 1 ddunbar ddunbar 66 2009-07-25 23:43 echo
--rwxr-xr-x 1 ddunbar ddunbar 94 2009-07-25 23:38 ls
-src$ ./cat --version
-cat (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-LLVM ERROR: JIT does not support inline asm! 
llvm-ld
.bc
-src$ cat ls
-#!/bin/sh
-lli=${LLVMINTERP-lli}
-exec $lli \
-    -load=/usr/lib/librt.so \
-    ls.bc ${1+"$@"}
-src$ ls -l ls.bc
--rwxr-xr-x 1 ddunbar ddunbar 643640 2009-07-25 23:38 ls.bc 
glibc
lli
cat
uclibc
POSIX
-src$ klee --libc=uclibc --posix-runtime ./cat.bc --version
-KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
-KLEE: output directory = "klee-out-3"
-KLEE: WARNING: undefined reference to function: __signbitl
-KLEE: WARNING: executable has module level assembly (ignoring)
-KLEE: WARNING: calling external: syscall(54, 0, 21505, 177325672)
-KLEE: WARNING: calling __user_main with extra arguments.
-KLEE: WARNING: calling external: getpagesize()
-KLEE: WARNING: calling external: vprintf(177640072, 183340048)
-cat (GNU coreutils) 6.11
-
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by Torbjorn Granlund and Richard M. Stallman.
-KLEE: WARNING: calling close_stdout with extra arguments.
-Copyright (C) 2008 Free Software Foundation, Inc.
-KLEE: done: total instructions = 259357
-KLEE: done: completed paths = 1
-KLEE: done: generated tests = 1
-  
cat.bc
--version
--libc=uclibc
write()
--posix-runtime
cat
__signbitl
__user_main
main()
cat
main()
getpagesize()
warnings.txt
echo
main()
klee_init_env
--help
-src$ klee --libc=uclibc --posix-runtime ./echo.bc --help
-...
-
-usage: (klee_init_env) [options] [program arguments]
-  -sym-arg               - Replace by a symbolic argument with length N
-  -sym-args    - Replace by at least MIN arguments and at most
-                              MAX arguments, each with maximum length N
-  -sym-files        - Make stdin and up to NUM symbolic files, each
-                              with maximum size N.
-  -sym-stdout               - Make stdout symbolic.
-  -max-fail              - Allow up to  injected failures
-  -fd-fail                  - Shortcut for '-max-fail 1'
-...
-  
echo
-src$ klee --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
-KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
-KLEE: output directory = "klee-out-16"
-KLEE: WARNING: undefined reference to function: __signbitl
-KLEE: WARNING: executable has module level assembly (ignoring)
-KLEE: WARNING: calling external: syscall(54, 0, 21505, 189414856)
-KLEE: WARNING: calling __user_main with extra arguments.
-..
-KLEE: WARNING: calling close_stdout with extra arguments.
-...
-KLEE: WARNING: calling external: printf(183664896, 183580400)
-Usage: ./echo.bc [OPTION]... [STRING]...
-Echo the STRING(s) to standard output.
-
-  -n             do not output the trailing newline
-  -e             enable interpretation of backslash escapes
-  -E             disable interpretation of backslash escapes (default)
-      --help     display this help and exit
-      --version  output version information and exit
-
-If -e is in effect, the following sequences are recognized:
-
-  \0NNN   the character whose ASCII code is NNN (octal)
-  \\     backslash
-  \a     alert (BEL)
-  \b     backspace
-  \c     suppress trailing newline
-  \f     form feed
-  \n     new line
-  \r     carriage return
-  \t     horizontal tab
-  \v     vertical tab
-
-NOTE: your shell may have its own version of echo, which usually supersedes
-the version described here.  Please refer to your shell's documentation
-for details about the options it supports.
-
-Report bugs to .
-KLEE: WARNING: calling external: vprintf(183956664, 190534360)
-echo (GNU coreutils) 6.11
-
-License GPLv3+: GNU GPL version 3 or later 
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-
-Written by FIXME unknown.
-...
-...
-...
-
-
-
-
-..
-
-
-.
-
-.
-..
-...
-Copyright (C) 2008 Free Software Foundation, Inc.
-KLEE: done: total instructions = 300193
-KLEE: done: completed paths = 25
-KLEE: done: generated tests = 25-  
echo
--v
--version
--h
--help
klee-stats
klee-last
-src$ klee-stats klee-last
--------------------------------------------------------------------------
-| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
--------------------------------------------------------------------------
-| klee-last | 300673 |    1.47 |   28.18 |   17.37 |  28635 |      5.65 |
--------------------------------------------------------------------------
--optimize
--optimze
-src$ klee --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-arg 3
-...
-KLEE: done: total instructions = 123251
-KLEE: done: completed paths = 25
-KLEE: done: generated tests = 25
-src$ klee-stats klee-last
--------------------------------------------------------------------------
-| Path      | Instrs | Time(s) | ICov(%) | BCov(%) | ICount | Solver(%) |
--------------------------------------------------------------------------
-| klee-last | 123251 |    0.32 |   38.02 |   25.43 |   9531 |     29.66 |
--------------------------------------------------------------------------
echo
kcachegrind
apt-get
yum
run.istats
run.istats
--optimize
 src$ kcachegrind klee-last/run.istats 
__user_main
echo
if
do_v9
-e
$
-    echo -e \a
-Line 1:      a = 1;
-Line 2:      if (...)
-Line 3:        printf("hello\n");
-Line 4:      b = c; 
run.istats
klee-last
.ktest
-src$ ls klee-last
-assembly.ll	  test000004.ktest  test000012.ktest  test000020.ktest
-info		  test000005.ktest  test000013.ktest  test000021.ktest
-messages.txt	  test000006.ktest  test000014.ktest  test000022.ktest
-run.istats	  test000007.ktest  test000015.ktest  test000023.ktest
-run.stats	  test000008.ktest  test000016.ktest  test000024.ktest
-test000001.ktest  test000009.ktest  test000017.ktest  test000025.ktest
-test000002.ktest  test000010.ktest  test000018.ktest  warnings.txt
-test000003.ktest  test000011.ktest  test000019.ktest 
ktest-tool
-$ ktest-tool klee-last/test000001.ktest
-ktest file : 'klee-last/test000001.ktest'
-args       : ['./echo.bc', '--sym-arg', '3']
-num objects: 2
-object    0: name: 'arg0'
-object    0: size: 4
-object    0: data: '@@@\x00'
-object    1: name: 'model_version'
-object    1: size: 4
-object    1: data: '\x01\x00\x00\x00' 
.ktest
klee-replay
.ktest
-src$ cd ..
-obj-llvm$ cd ..
-coreutils-6.11$ cd obj-gcov
-obj-gcov$ cd src
-src$ ls -l echo
--rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo 
klee-replay
.ktest
.ktest
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/test000001.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" "@@@" 
-@@@
-klee-replay: EXIT STATUS: NORMAL (0 seconds) 
klee-replay
.ktest
klee-replay
gcov
klee-stats
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" "@@@" 
-@@@
-klee-replay: EXIT STATUS: NORMAL (0 seconds)
-...
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000022.ktest
-klee-replay: ARGS: "./echo" "--v" 
-echo (GNU coreutils) 6.11
-Copyright (C) 2008 Free Software Foundation, Inc.
-...
-
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:6.38% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:50.50% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
echo.c
klee-stats
gcov
kcachegrind
gcov
-        -:  193:      }
-        -:  194:
-       23:  195:just_echo:
-        -:  196:
-       23:  197:  if (do_v9)
-        -:  198:    {
-       10:  199:      while (argc > 0)
-        -:  200:	{
-    #####:  201:	  char const *s = argv[0];
-        -:  202:	  unsigned char c;
-        -:  203:
-    #####:  204:	  while ((c = *s++))
-        -:  205:	    {
-    #####:  206:	      if (c == '\\' && *s)
-        -:  207:		{
-    #####:  208:		  switch (c = *s++)
-        -:  209:		    {
-    #####:  210:		    case 'a': c = '\a'; break;
-    #####:  211:		    case 'b': c = '\b'; break;
-    #####:  212:		    case 'c': exit (EXIT_SUCCESS);
-    #####:  213:		    case 'f': c = '\f'; break;
-    #####:  214:		    case 'n': c = '\n'; break; 
kcachegrind
echo.c
--sym-args
obj-llvm/src
-src$ klee --only-output-states-covering-new --optimize --libc=uclibc --posix-runtime ./echo.bc --sym-args 0 2 4
- ... 
-KLEE: done: total instructions = 7437521
-KLEE: done: completed paths = 9963
-KLEE: done: generated tests = 55 
--sym-args
--sym-args 0 2 4
--only-output-states-covering-new
obj-gcov/src
echo.c
-src$ rm -f *.gcda # Get rid of any stale gcov files
-src$ klee-replay ./echo ../../obj-llvm/src/klee-last/*.ktest 
-klee-replay: TEST CASE: ../../obj-llvm/src/klee-last/test000001.ktest
-klee-replay: ARGS: "./echo" 
-
- ... 
-
-src$ gcov echo
-File '../../src/system.h'
-Lines executed:6.38% of 47
-../../src/system.h:creating 'system.h.gcov'
-
-File '../../lib/timespec.h'
-Lines executed:0.00% of 2
-../../lib/timespec.h:creating 'timespec.h.gcov'
-
-File '../../lib/gettext.h'
-Lines executed:0.00% of 32
-../../lib/gettext.h:creating 'gettext.h.gcov'
-
-File '../../lib/openat.h'
-Lines executed:0.00% of 8
-../../lib/openat.h:creating 'openat.h.gcov'
-
-File '../../src/echo.c'
-Lines executed:97.03% of 101
-../../src/echo.c:creating 'echo.c.gcov' 
zcov
-  int get_sign(int x) {
-    if (x == 0)
-       return 0;
-
-    if (x < 0)
-       return -1;
-    else 
-       return 1;
-  } 
examples/get_sign
klee_make_symbolic()
main()
a
get_sign()
-  int main() {
-      int a;
-      klee_make_symbolic(&a, sizeof(a), "a");
-      return get_sign(a);
-  } 
llvm-gcc
-  --emit-llvm
get_sign.c
get_sign.o
-g
--optimize
-  KLEE: output directory = "klee-out-0"
-
-  KLEE: done: total instructions = 51
-  KLEE: done: completed paths = 3
-  KLEE: done: generated tests = 3 
a
0
0
0
klee-out-0
klee-out-N
klee-out-1
klee-last
-  $ ls klee-last/
-  assembly.ll      run.istats       test000002.ktest
-  info             run.stats        test000003.ktest
-  messages.txt     test000001.ktest warnings.txt 
.ktest
ktest-tool
-  $ ktest-tool --write-ints klee-last/test000001.ktest 
-  ktest file : 'klee-last/test000001.ktest'
-  args       : ['get_sign.o']
-  num objects: 1
-  object    0: name: 'a'
-  object    0: size: 4
-  object    0: data: 1
-  
-  $ ktest-tool --write-ints klee-last/test000002.ktest  
-  ...
-  object    0: data: -2147483648
-
-  $ ktest-tool --write-ints klee-last/test000003.ktest 
-  ...
-  object    0: data: 0 
1
-2147483648
0
0
-2147483648
1
klee_make_symbolic
.ktest
libkleeRuntest
KTEST_FILE
-  $ export LD_LIBRARY_PATH=path-to-klee-root/Release+Asserts/lib/:$LD_LIBRARY_PATH
-  $ gcc -L path-to-klee-root/Release+Asserts/lib/ get_sign.c -lkleeRuntest
-  $ KTEST_FILE=klee-last/test000001.ktest ./a.out 
-  $ echo $?
-  1
-  $ KTEST_FILE=klee-last/test000002.ktest ./a.out 
-  $ echo $?
-  255
-  $ KTEST_FILE=klee-last/test000003.ktest ./a.out
-  $ echo $?
-  0 
examples/regexp
Regexp.c
main
llvm-gcc
examples/regexp
Regexp.o
-I
-c
-g
llvm-nm
-  $ llvm-nm Regexp.o
-         t matchstar
-         t matchhere
-         T match
-         T main
-         U klee_make_symbolic_name
-         d LC
-         d LC1
-
llvm-link
llvm-ld
-$ klee --only-output-states-covering-new Regexp.o
-KLEE: output directory = "klee-out-1"
-KLEE: ERROR: .../klee/examples/regexp/Regexp.c:23: memory error: out of bound pointer
-KLEE: NOTE: now ignoring this error at this location
-KLEE: ERROR: .../klee/examples/regexp/Regexp.c:25: memory error: out of bound pointer
-KLEE: NOTE: now ignoring this error at this location
-KLEE: done: total instructions = 6334861
-KLEE: done: completed paths = 7692
-KLEE: done: generated tests = 22
-
klee-out-1
klee-out-N
klee-last
-output-dir=path
klee
-max-time=seconds
-max-forks=N
-max-memory=N
testN.TYPE.err
free()
abort()
klee
malloc
.err
-Error: memory error: out of bound pointer
-File: .../klee/examples/regexp/Regexp.c
-Line: 23
-Stack: 
-	#0 00000146 in matchhere (re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:23
-	#1 00000074 in matchstar (c, re=14816471, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#2 00000172 in matchhere (re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#3 00000074 in matchstar (c, re=14816469, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#4 00000172 in matchhere (re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#5 00000074 in matchstar (c, re=14816467, text=14815301) at .../klee/examples/regexp/Regexp.c:16
-	#6 00000172 in matchhere (re=14816465, text=14815301) at .../klee/examples/regexp/Regexp.c:26
-	#7 00000231 in matchhere (re=14816464, text=14815300) at .../klee/examples/regexp/Regexp.c:30
-	#8 00000280 in match (re=14816464, text=14815296) at .../klee/examples/regexp/Regexp.c:38
-	#9 00000327 in main () at .../klee/examples/regexp/Regexp.c:59
-Info: 
-	address: 14816471
-	next: object at 14816624 of size 4
-	prev: object at 14816464 of size 7
-
assembly.ll
match
'\0'
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic(re, sizeof re, "re");
-  re[SIZE - 1] = '\0';
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
klee
klee_assume
klee_assume
klee_assume
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic(re, sizeof re, "re");
-  klee_assume(re[SIZE - 1] == '\0');
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
klee_assume
'\0'
klee_assume
klee_assume(re[0] != '^')
'^'
klee_assume
klee_assume
klee_assume
--with-llvmsrc=
--with-llvmobj=
--with-llvm=
-j
libkleaverExpr
.h
include/
#include
include/
.cpp
lib/Expr/
kleaverExpr
Makefile
lib/Expr
.cpp
make
path/to/build-dir/docs/doxygen/
make check
test/
test/Feature
dg.exp
test/Expr/dg.exp
.pc
test/Expr
test/Feature/ByteSwap.c
llvm-gcc
%s
%t1.bc
%s
Feature/ByteSwap.c
kleeCore
lib/Core
printf()
lib/Core/Common.h
lib/core/Executor.cpp
-    $ cat info 
-    klee --write-pcs demo.o
-    PID: 12460
-    Started: 2009-05-20 22:31:41
-    BEGIN searcher description
-    DFSSearcher
-    END searcher description
-    Finished: 2009-05-20 22:31:41
-    Elapsed: 00:00:00
-    KLEE: done: explored paths = 3
-    KLEE: done: avg. constructs per query = 6
-    KLEE: done: total queries = 3
-    KLEE: done: valid queries = 0
-    KLEE: done: invalid queriers = 3
-    KLEE: done: query cex = 3
-    KLEE: done: total instructions = 67
-    KLEE: done: completed paths = 3
-    KLEE: done: generated tests = 3 
--use-query-log=all:pc
all-queries.pc
--use-query-log=all:smt2
--use-query-log=solver:pc
solver-queries.pc
--use-query-log=solver:smt2
.ktest
--no-output
--write-cvcs
--write-pcs
.pc
--write-smt2s
.pc
-    $ klee --search=dfs demo.o
-    $ klee --search=random-path demo.o 
-    $ klee --help
-    -search                                 - Specify the search heuristic (default=random-path interleaved with nurs:covnew)
-      =dfs                                  -   use Depth First Search (DFS)
-      =random-state                         -   randomly select a state to explore
-      =random-path                          -   use Random Path Selection (see OSDI'08 paper)
-      =nurs:covnew                          -   use Non Uniform Random Search (NURS) with Coverage-New heuristic
-      =nurs:md2u                            -   use NURS with Min-Dist-to-Uncovered heuristic
-      =nurs:depth                           -   use NURS with 2^depth heuristic
-      =nurs:icnt                            -   use NURS with Instr-Count heuristic
-      =nurs:cpicnt                          -   use NURS with CallPath-Instr-Count heuristic
-      =nurs:qc                              -   use NURS with Query-Cost heuristic   
-    $ klee --search=random-state --search=nurs:md2u demo.o 
klee-stats [options] directories
klee-stats --help
-/* 
- * Simple regular expression matching.
- *
- * From:
- *   The Practice of Programming
- *   Brian W. Kernighan, Rob Pike
- *
- */ 
-
-#include <klee/klee.h>
-
-static int matchhere(char*,char*);
-
-static int matchstar(int c, char *re, char *text) {
-  do {
-    if (matchhere(re, text))
-      return 1;
-  } while (*text != '\0' && (*text++ == c || c== '.'));
-  return 0;
-}
-
-static int matchhere(char *re, char *text) {
-  if (re[0] == '\0')
-     return 0;
-  if (re[1] == '*')
-    return matchstar(re[0], re+2, text);
-  if (re[0] == '$' && re[1]=='\0')
-    return *text == '\0';
-  if (*text!='\0' && (re[0]=='.' || re[0]==*text))
-    return matchhere(re+1, text+1);
-  return 0;
-}
-
-int match(char *re, char *text) {
-  if (re[0] == '^')
-    return matchhere(re+1, text);
-  do {
-    if (matchhere(re, text))
-      return 1;
-  } while (*text++ != '\0');
-  return 0;
-}
-
-/*
- * Harness for testing with KLEE.
- */
-
-// The size of the buffer to test with.
-#define SIZE 7
-
-int main() {
-  // The input regular expression.
-  char re[SIZE];
-  
-  // Make the input symbolic. 
-  klee_make_symbolic_name(re, sizeof re, "re");
-
-  // Try to match against a constant string "hello".
-  match(re, "hello");
-
-  return 0;
-}
-
-/*
- * First KLEE tutorial: testing a small function
- */
-
-
-int get_sign(int x) {
-  if (x == 0)
-     return 0;
-  
-  if (x < 0)
-     return -1;
-  else 
-     return 1;
-} 
-
-int main() {
-  int a;
-  klee_make_symbolic(&a, sizeof(a), "a");
-  return get_sign(a);
-} 
-
-/*
- * First KLEE tutorial: testing a small function
- */
-
-#include <klee/klee.h>
-
-int my_islower(int x) {
-  if (x >= 'a' && x <= 'z')
-    return 1;
-  else return 0;
-}
-
-int main() {
-  char c;
-  klee_make_symbolic(&c, sizeof(c), "input");
-  return my_islower(c);
-}
-

Coreutils Experiments

KLEE Documentation

Getting Involved with the KLEE Project

Mailing Lists

Working with the Code

Getting Started: Building and Running KLEE

-1. Trying out KLEE without installing any dependencies -2. Building KLEE -

Trying out KLEE without installing any dependencies

Building KLEE

KQuery Language Reference Manual

Table Of Contents

Add, - Sub, - Mul, - UDiv, SDiv, URem, SRem

And, - Or, - Xor, - Shl, - LShr, - AShr

Eq, - Ne, - Ult, - Ule, - Ugt, - Uge, - Slt, - Sle, - Sgt, - Sge

ReadLSB, - ReadMSB

KLEE Open Projects

KLEE-related Publications and Systems

Coreutils Case Study

Step 1: Build coreutils with gcov

Step 2: Build coreutils with LLVM

Step 3: Using KLEE as an interpreter

Step 4: Introducing symbolic data to an application

Step 5: Visualizing KLEE's progress with kcachegrind

Step 6: Replaying KLEE generated test cases

Step 7: Using zcov to analyze coverage

Tutorial One: Testing a Small Function

The demo code

Marking input as symbolic

Compiling to LLVM bitcode

Running KLEE

KLEE-generated test cases

Replaying a test case

Tutorial Two: Testing a Simple Regular Expression Library

Building the example

Executing the code with KLEE

KLEE error reports

Changing the test harness

KLEE Tutorials

KLEE Bug Reports

KLEE Developer's Guide

- 1. KLEE's Build System - 2. KLEE's Test Framework - 3. Miscellaneous -

KLEE's Build System

Setting up a debug build of KLEE

Adding a class

Building code documentation

KLEE's Test Framework

Miscellaneous

Writing messages to standard error

Adding a command line option to a tool

The KLEE Symbolic Virtual Machine

klee-dev mailing list

Files generated by KLEE

Standard Global Files

Other Global Files

Per-path files

KLEE Options

- 1. Search Heuristics - 2. Query Logging -

Search Heuristics

Main search heuristics

Interleaving search heuristics

Default search heuristics

Query Logging

KLEE Tools

- 1. ktest-tool - 2. klee-stats -

ktest-tool

klee-stats

Regexp.c

get_sign.c

islower.c

Coreutils Experiments

KLEE Documentation

Getting Involved with the KLEE Project

Mailing Lists

Working with the Code

Getting Started: Building and Running KLEE

+1. Trying out KLEE without installing any dependencies +2. Building KLEE +

Trying out KLEE without installing any dependencies

Building KLEE

KQuery Language Reference Manual

Table Of Contents

-1. Trying out KLEE without installing any dependencies
-2. Building KLEE
-

Step 2: Build `coreutils` with LLVM

Step 5: Visualizing KLEE's progress with `kcachegrind`

Step 7: Using `zcov` to analyze coverage

- 1. KLEE's Build System
- 2. KLEE's Test Framework
- 3. Miscellaneous
-

- 1. Search Heuristics
- 2. Query Logging
-

- 1. ktest-tool
- 2. klee-stats
-

+1. Trying out KLEE without installing any dependencies
+2. Building KLEE
+