KLEE provides four search methods:
01 Depth-First Search (DFS): Traverses states in depth-first order.
02 Random State Search: Randomly selects a state to explore.
03 Random Path Selection: Described in our KLEE OSDI'08 paper.
04 Non Uniform Random Search (NURS): Selects a state randomly according to a given distribution. The distribution can be based on the minimum distance to an uncovered instruction (MD2U), the query cost, etc.
The search method is set with the --search option, for example:
$ klee --search=dfs demo.o
$ klee --search=random-path demo.o
KLEE's help is shown with the following command:
$ klee --help
--search specifies the search strategy; the default is random-path search
=dfs - use Depth First Search (DFS)
=random-state - randomly select a state to explore
=random-path - use Random Path Selection (see OSDI'08 paper)
=nurs:covnew - use Non Uniform Random Search (NURS) with Coverage-New heuristic
=nurs:md2u - use NURS with Min-Dist-to-Uncovered heuristic
=nurs:depth - use NURS with 2^depth heuristic
=nurs:icnt - use NURS with Instr-Count heuristic
=nurs:cpicnt - use NURS with CallPath-Instr-Count heuristic
=nurs:qc - use NURS with Query-Cost heuristic
An alternating search strategy that combines several methods can be set as follows:
$ klee --search=random-state --search=nurs:md2u demo.o
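How the searchers above choose the next state, and how several --search options take turns, can be seen in a small model. This Python sketch is an added example, not KLEE code: the state list, the class names and the inverse-square MD2U weight are assumptions for illustration, and states are neither forked nor removed.

```python
import random

# Toy model (not KLEE source): a state is (name, distance_to_uncovered).
class DFS:
    """--search=dfs: always continue the most recently added state."""
    def select(self, states, rng):
        return states[-1]

class RandomState:
    """--search=random-state: every pending state is equally likely."""
    def select(self, states, rng):
        return rng.choice(states)

class NURS:
    """--search=nurs:*: random choice biased by a per-state weight."""
    def __init__(self, weight):
        self.weight = weight
    def select(self, states, rng):
        return rng.choices(states, weights=[self.weight(s) for s in states])[0]

class Interleaved:
    """Several --search options: the searchers take turns, one pick each."""
    def __init__(self, searchers):
        self.searchers, self.turn = searchers, 0
    def select(self, states, rng):
        searcher = self.searchers[self.turn % len(self.searchers)]
        self.turn += 1
        return searcher.select(states, rng)

def md2u_weight(state):
    # Assumed weighting for illustration: closer to uncovered code => heavier.
    _, dist = state
    return 1.0 / (dist * dist)

def pick_counts(searcher, states, picks, seed=0):
    """Count how often each state is selected over `picks` selections."""
    rng = random.Random(seed)
    counts = {name: 0 for name, _ in states}
    for _ in range(picks):
        counts[searcher.select(states, rng)[0]] += 1
    return counts

# Constructed pending states: name, distance to nearest uncovered instruction.
STATES = [("A", 50), ("B", 1), ("C", 10)]

if __name__ == "__main__":
    mixed = Interleaved([RandomState(), NURS(md2u_weight)])
    print(pick_counts(mixed, STATES, 1000))
```

In the interleaved run, state B dominates because the NURS turns favour it heavily, while the random-state turns still give A and C a steady share of selections.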
Query Logging
To record the queries KLEE makes during symbolic execution, set the following options:
01 --use-query-log=TYPE:FORMAT where TYPE is either all, to log all the queries KLEE made during execution before any optimisation (e.g. caching, constraint independence) is performed, or solver, to log only the queries passed to KLEE's underlying solver. Note that it is possible that some of the unoptimized queries are never executed or are modified before being executed by KLEE's underlying solver.
FORMAT can be pc for the KQuery format, or smt2 for the SMT-LIBv2 format.
02 --min-query-time-to-log=TIME (in ms) sets which queries are recorded in the log. The default is 0, which logs all queries.
Set to <0: only queries that timed out are logged. The timeout is set with --max-solver-time=TIME
Set to >0: only queries that take longer than TIME milliseconds are logged.