[klee-dev] KLEE for stateful C API
Niklaus Leuenberger
niklaus.leuenb at gmail.com
Mon May 2 08:50:23 BST 2022
Hello klee-dev members,
I'm currently testing out a few approaches on how to test and fuzz a
stateful C API. In the process thereof I found KLEE and am fascinated
by it. I managed to get it to work and am now asking if my approach is
ok or if it has some major drawbacks or problems.
Let's suppose we have following simple but buggy stateful API:
---
#include <assert.h>
static int g_state;
void setState(int state) {
g_state = state;
}
void run(void) {
if (g_state == 123) {
assert(0);
}
}
---
If the state is set to 123 and then run() is invoked the placed assertion fails.
For this I have written following KLEE harness:
---
#include "klee/klee.h"
#include "buggy_api.h"
int main(void) {
for (int i = 0; i < 2; ++i) { // sequentially call 2 APIs
int f_select = klee_choose(2); // what API to call
if (f_select == 0) {
int state = 0;
klee_make_symbolic(&state, sizeof(state), "state");
setState(state);
} else if (f_select == 1) {
run();
}
}
return 0;
}
---
When running with KLEE, the sequence of calls necessary to trigger the
assertion is found almost immediately. But when extending it with more
functions, each doubles the runtime. So it scales rather poorly on
larger APIs.
Is this how I can use KLEE for checking an API? Or does someone have
pointers to a better approach?
Best Regards,
Niklaus Leuenberger
More information about the klee-dev
mailing list