KLEE is a symbolic virtual machine built on LLVM that generates automatic tests with high coverage by using symbolic execution and constraint solving. It is the successor to a similar tool called EXE and uses STP as its constraint solver. KLEE allows testing programs with symbolic inputs to achieve high code coverage and find bugs.

1. KLEE
* a symbolic virtual machine, built on top of the LLVM compiler infrastructure
* used for generating automatic tests with high coverage
* successor of a similar tool, called EXE
* uses STP as a constraint solver
Official website:
https://klee.github.io/
Installation tutorial:
http://blog.opensecurityresearch.com/2014/07/klee-on-ubuntu-1404-lts-64bit.html
Paper:
http://www.doc.ic.ac.uk/~cristic/papers/klee-osdi-08.pdf
Extension:
Klee-multisolver http://srg.doc.ic.ac.uk/projects/klee-multisolver/

2. First example
* testing a simple function with Klee
* compile & run in cmd line
Results are in files test*.ktest
Test1: found a negative number
Test2: found 0 as a positive number
#include <klee/klee.h>
int get_sign(int x) {
if (x < 0)
return -1;
return 1;
}
int main() {
int a;
klee_make_symbolic(&a, sizeof(a), "a");
return get_sign(a);
}
> llvm-gcc -I ../../include --emit-llvm -c -g get_sign.c
> klee get_sign.o
> cd klee-last
> ktest-tool --write-ints test000001.ktest > test1.txt

3. Other examples
* the symbolic variable can be int, char, array of int/char, NO float allowed
* a nice example with Maze:
https://feliam.wordpress.com/2010/10/07/the-symbolic-maze/
* I extended the above example for the Missionaries & cannibals problem,
which runs rather slow and the timing depends a lot on the input data size (in
this case, on the max boat rides allowed to find a solution)
* data initialization:
int shore_left[2], shore_right[2];
shore_left[0] = 3; shore_left[1] = 3;
shore_right[0] = 0; shore_right[1] = 0;
char boat[MAX]; // pairs (m,c) of people transported in one turn
// Make the input symbolic.
klee_make_symbolic(boat, sizeof boat, "boat");
int turns = 0;
while (turns < MAX/2) {
int mboat = turns * 2, cboat = turns * 2 + 1;
klee_assume (boat[mboat] >= 0);
klee_assume (boat[cboat] >= 0);
klee_assume (boat[mboat]+boat[cboat] <= CAPACITY);
// klee_assume (boat[mboat] + boat[cboat] != 0);
turns++;
}
run(shore_left, shore_right, boat); // main function

4. Other examples – cont.
* for both examples, the acceptable input result is represented as bytes (arrays
of char are easier to read in hexa than arrays of int)
* one of the inputs found for the Missionaries problem:
> klee-stats klee-last run.stats
ICov = instruction coverage; BCov = branch coverage

5. Files generated
test*.ktest values found for the symbolic variables
info
explored paths, number of queries,
instructions, generated tests
warnings,
messages
generated by Klee
assembly.ll human readable LLVM bitcode
run.stats use klee-stats tool

6. Useful Klee functions
* klee_make_symbolic (void * addr, unsigned nbytes, const char * name);
* klee_assume ( condition ); // add a constraint and enforce it, avoid &&, ||
* klee_prefer_cex (void * object, unsigned condition ); // gives preference to a
constraint but without forcing it
* klee_assert ( expression ); // klee_assert(0) can be used to signal when a special place in
the code is reached
* klee_abort (); // abort current process
* klee_range ( int begin, int end, const char* name ); // construct a symbolic value in
the interval [begin, end)
* klee_set_forking (unsigned enabled); // 0 to discard other branches in favor of a random one
We can specify the search heuristics:
> klee --search=dfs demo.o
Others accepted are bfs, random-path, random-state, nurs... (non-uniform random search)

7. Useful Klee functions
* klee_make_symbolic (void * addr, unsigned nbytes, const char * name);
* klee_assume ( condition ); // add a constraint and enforce it, avoid &&, ||
* klee_prefer_cex (void * object, unsigned condition ); // gives preference to a
constraint but without forcing it
* klee_assert ( expression ); // klee_assert(0) can be used to signal when a special place in
the code is reached
* klee_abort (); // abort current process
* klee_range ( int begin, int end, const char* name ); // construct a symbolic value in
the interval [begin, end)
* klee_set_forking (unsigned enabled); // 0 to discard other branches in favor of a random one
We can specify the search heuristics:
> klee --search=dfs demo.o
Others accepted are bfs, random-path, random-state, nurs... (non-uniform random search)