Hacker News new | comments | show | ask | jobs | submit login

I use it - I am writing a subset-of-yaml parser, and I've littered the code with a bunch of abort()/assert() statements for things I don't think should be possible. Running klee over my code spits out ~100K test cases (I let it use any 10 byte YAML input), and so while I don't inspect the output of any of the cases - I do make sure that none of them crash.

Similarly, if I make a change which I don't expect to change the output of the parser, then I can use this test suite to be quite sure that my change hasn't changed behaviour.

One thing I am unclear about is what it means for klee to be "done" on my binary. When it has generated all the test cases, if none of them crash my binary, then does that mean it is impossible to crash my binary in 10 bytes of input?

Have you checked out DeepState (https://github.com/trailofbits/deepstate), it's a symbolic unit testing framework that has an interface similar to google test.

I haven't - thanks.

Writing test harnesses specific to the different tools (so far, just AFL and KLEE) has not been particularly difficult - all of them fit easily on one screen. So I'm not sure that deepstate really brings much to the table for what I'm doing.

if your program calls system call or random function which KLEE couldn't handle, some parts of code may not be tested. KLEE uses its special libc (uclibc) to deal with that cases in glibc. To solve this problem perfectly, we usually uses S2E instead of KLEE in large and complex softwares (http://s2e.systems/)

Right - but being a parser, I don't have those problems. My problem domain is quite well specified and there isn't any place for random numbers of system calls.

Can you share more details about this? Is the work already public?

The work won't be public. What details are you interested in?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact