RJ J
Reputation: 25
Why IR is needed for symbolic execution?
For example, KLEE works on LLVM bitcode.
Can we build symbolic execution directly on C source code?
Upvotes: 1
Views: 104
Answers (1)
prophe
Reputation: 56
Each LLVM IR contains only one simple operation, but one C statement could contains multiple operations. For example, a[i] = b[i]; could be split into:
addr = b + i; // getElementPtr instruction
tmp = *addr; // load instruction
addr1 = a + i; // getElementPtr instruction
*addr1 = tmp; // store instruction
So it's much more simple to process LLVM IR than source code for a symbolic executor.
Upvotes: 2
Related Questions
- Analyzing LLVM IR instruction
- In concolic testing, what does "concrete execution" mean?
- What are the gaps between symbolic execution and taint analysis?
- Static analysis vs. symbolic execution in implementation
- application of symbolic execution
- Modern symbolic execution techniques
- Working of the IRQs and the iret instruction semantics on a 32 bit kernel (protected mode)
- Why is ROL instruction used?
- Which situations cause "Use of instruction is not an instruction" in LLVM IR?
- how does irb require work?