[klee-dev] KLEE klee.ctor_stub Function Behavior and Symbolization Inquiry
刘乔森
liuqiaosen666 at 163.com
Mon Jul 21 13:50:50 BST 2025
Hello KLEE Developer Team,
I've recently been using KLEE for symbolic execution of a large program. To precisely control the entry point for symbolic execution, I've wrapped an API function, klee_entry, as my entry point. Inside klee_entry, I symbolize global variables and concretize their pointer members before calling the target function to begin symbolic execution.
However, during actual execution, I've noticed that klee_entry calls the klee.ctor_stub function. This function appears to invoke constructors for some global variables, seemingly for initialization. This seems redundant since I've already manually symbolized these global variables.
I have a couple of questions regarding this behavior:
1. What is the specific purpose of the klee.ctor_stub function? Is it related to the initialization of vtables (i.e., indirect calls)?
2. Within the klee_entry function, is klee.ctor_stub called before or after klee_make_symbolic is used to symbolize variables? In other words, is the execution of klee.ctor_stub also subject to KLEE's symbolic execution?
On a related note, how does KLEE generally handle indirect calls (e.g., through function pointers or virtual functions) during symbolic execution?
Thank you for your assistance!
Sincerely,
lqs66
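The harness pattern described in the post (a klee_entry wrapper that makes a global symbolic, re-points its pointer member at concrete memory, then calls the target), written out as an added example that is not part of the original message or of KLEE itself. The struct config, target(), g_buf and the USE_KLEE build macro are hypothetical; without -DUSE_KLEE the file falls back to constructed native stand-ins for klee_make_symbolic and klee_assume so it builds and runs outside KLEE, and nothing in the harness relies on state set up by global constructors, which the post observes run via klee.ctor_stub before the harness body.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifdef USE_KLEE
#include <klee/klee.h>          /* real intrinsics when built for KLEE */
#else
/* Native stand-ins (assumption: only used when not running under KLEE).
 * klee_make_symbolic becomes a constructed fill of 0x05 per byte, and
 * klee_assume aborts on a false condition, like KLEE's "path infeasible". */
static void klee_make_symbolic(void *addr, size_t nbytes, const char *name) {
    (void)name;
    memset(addr, 0x05, nbytes);
}
static void klee_assume(uintptr_t cond) {
    if (!cond) abort();
}
#endif

/* Hypothetical global state read by the target function. */
struct config {
    uint8_t  len;    /* symbolic: how many bytes of data the target consumes */
    uint8_t *data;   /* pointer member: must be concretized to real memory */
};
static struct config g_cfg;
static uint8_t g_buf[16];   /* concrete backing store for g_cfg.data */

/* Hypothetical target: sums g_cfg.len bytes from g_cfg.data. */
static uint32_t target(void) {
    uint32_t sum = 0;
    for (uint8_t i = 0; i < g_cfg.len; i++)
        sum += g_cfg.data[i];
    return sum;
}

/* Entry point selected with: klee --entry-point=klee_entry */
int klee_entry(void) {
    /* 1. Make the whole global symbolic; the pointer member is now
     *    unconstrained symbolic bytes and must not be dereferenced as-is. */
    klee_make_symbolic(&g_cfg, sizeof g_cfg, "g_cfg");
    /* 2. Concretize the pointer to a harness-owned buffer whose contents
     *    are made symbolic instead. */
    g_cfg.data = g_buf;
    klee_make_symbolic(g_buf, sizeof g_buf, "g_buf");
    /* 3. Keep the harness itself in bounds so KLEE explores the target,
     *    not an out-of-bounds read introduced by the wrapper. */
    klee_assume(g_cfg.len <= sizeof g_buf);
    return (int)target();
}
```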