llvm dev - Feb 2021 - Highlight taken LLVM IR branches in a real execution environment

Hey. I realize this question is a bit out-of-place, but I feel someone in
the LLVM community might've ran into a similar topic before.

I'd like to find a way to run LLVM IR and mark all branches taken, given a
specific input.

Take this example:

```
int get_sign(int x) {
if (x == -1234) return -1234;
if (x < 0) return -1;
else return 1;
}
```

It's clear that the `x == -1234` branch is useless if x > 0. Does the
LLVM
project have a way of marking the taken branches, so that one can reason
about them later, possibly in an LLVM pass?

I do realize KLEE exists, but SMT solvers require quite a bit of
"plugging"
of functions to limit the scope. Not to mention the path explosion that a
real binary would entail. What I was looking for was possibly an lldb/lli
mechanism to allow "marking" the taken branches, in a real execution
environment.

Has someone encountered such an issue before?

Many thanks

-- J
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20210226/a0ed1ef8/attachment.html>

Could you elaborate what you mean with "mark" here?

You want to create a flow sensitive static analysis or profile which
branch has been taken at runtime, or both?

FWIW, if you tell LLVM x > 0, e.g., `__builtin_assume(x > 0)` in your 
source,
the branches should be folded away.

~ Johannes


On 2/26/21 9:15 AM, Joseph via llvm-dev wrote:
> Hey. I realize this question is a bit out-of-place, but I feel someone in
> the LLVM community might've ran into a similar topic before.
>
> I'd like to find a way to run LLVM IR and mark all branches taken,
given a
> specific input.
>
> Take this example:
>
> ```
> int get_sign(int x) {
> if (x == -1234) return -1234;
> if (x < 0) return -1;
> else return 1;
> }
> ```
>
> It's clear that the `x == -1234` branch is useless if x > 0. Does
the LLVM
> project have a way of marking the taken branches, so that one can reason
> about them later, possibly in an LLVM pass?
>
> I do realize KLEE exists, but SMT solvers require quite a bit of
"plugging"
> of functions to limit the scope. Not to mention the path explosion that a
> real binary would entail. What I was looking for was possibly an lldb/lli
> mechanism to allow "marking" the taken branches, in a real
execution
> environment.
>
> Has someone encountered such an issue before?
>
> Many thanks
>
> -- J
>
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev