Highlight taken LLVM IR branches in a real execution environment

Hey. I realize this question is a bit out-of-place, but I feel someone in the LLVM community might’ve run into a similar topic before.

I’d like to find a way to run LLVM IR and mark all branches taken, given a specific input.

Take this example:

int get_sign(int x) {
    if (x == -1234) return -1234;
    if (x < 0) return -1;
    else return 1;
}

It’s clear that the x == -1234 branch is useless if x > 0. Does the LLVM project have a way of marking the taken branches, so that one can reason about them later, possibly in an LLVM pass?

I do realize KLEE exists, but SMT solvers require quite a bit of “plugging” of functions to limit the scope. Not to mention the path explosion that a real binary would entail. What I was looking for was possibly an lldb/lli mechanism to allow “marking” the taken branches, in a real execution environment.

Has someone encountered such an issue before?

Many thanks

– J

Could you elaborate on what you mean by "mark" here?

Do you want to create a flow-sensitive static analysis, or profile which branch has been taken at runtime, or both?

FWIW, if you tell LLVM x > 0, e.g., `__builtin_assume(x > 0)` in your source, the branches should be folded away.

~ Johannes

It sounds a bit like you’re looking for code-coverage (and in particular branch-coverage)? i.e. https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#branch-regions Or other fuzzer frameworks, such as using concolic testing?
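To make concrete what "marking the taken branches" in the question amounts to, and what the branch-region counters from the coverage reply above actually record, here is an added example (not code from the thread or from LLVM): the posted `get_sign()` with a true/false counter hand-wired around each condition, which is the same bookkeeping that `clang -fprofile-instr-generate -fcoverage-mapping` inserts automatically. The branch IDs and the helper names (`mark`, `profile_inputs`, `branch_true_count`, `branch_false_count`) are this example's own choice.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original thread): hand-written branch-outcome
 * counters around the posted get_sign(). This mimics, in plain C, the kind of
 * per-branch counters that clang's -fprofile-instr-generate -fcoverage-mapping
 * instrumentation inserts; the branch IDs and counter layout here are this
 * example's own choice, not LLVM's. */

enum { BR_EQ_MINUS_1234 = 0, BR_LT_ZERO = 1, NUM_BRANCHES = 2 };

static const char *branch_names[NUM_BRANCHES] = { "x == -1234", "x < 0" };

/* One true-edge and one false-edge counter per conditional. */
static unsigned long br_true[NUM_BRANCHES];
static unsigned long br_false[NUM_BRANCHES];

/* Record which way branch `id` went and pass the condition through unchanged. */
static int mark(int id, int cond)
{
    if (cond)
        br_true[id]++;
    else
        br_false[id]++;
    return cond;
}

/* The function from the question, with each condition wrapped in mark(). */
int get_sign(int x)
{
    if (mark(BR_EQ_MINUS_1234, x == -1234))
        return -1234;
    if (mark(BR_LT_ZERO, x < 0))
        return -1;
    else
        return 1;
}

void reset_counters(void)
{
    memset(br_true, 0, sizeof br_true);
    memset(br_false, 0, sizeof br_false);
}

unsigned long branch_true_count(int id)  { return br_true[id]; }
unsigned long branch_false_count(int id) { return br_false[id]; }

/* Run get_sign() over a set of inputs and return how many branch edges
 * (true or false outcome of any conditional) were never exercised. */
int profile_inputs(const int *inputs, int n)
{
    int untaken = 0;
    for (int i = 0; i < n; i++)
        (void)get_sign(inputs[i]);
    for (int id = 0; id < NUM_BRANCHES; id++) {
        if (br_true[id] == 0)
            untaken++;
        if (br_false[id] == 0)
            untaken++;
    }
    return untaken;
}

static void report(void)
{
    for (int id = 0; id < NUM_BRANCHES; id++)
        printf("%-12s true: %lu  false: %lu%s\n", branch_names[id],
               br_true[id], br_false[id],
               br_true[id] == 0 ? "  <- never taken" : "");
}

int main(void)
{
    /* Constructed inputs: only positive values, the x > 0 case from the question. */
    static const int positive_only[] = { 5, 42, 1000 };
    reset_counters();
    int untaken = profile_inputs(positive_only, 3);
    printf("positive-only inputs: %d branch edge(s) never taken\n", untaken);
    report();

    /* Constructed inputs that exercise all four edges. */
    static const int mixed[] = { -1234, -3, 7 };
    reset_counters();
    untaken = profile_inputs(mixed, 3);
    printf("mixed inputs: %d branch edge(s) never taken\n", untaken);
    report();
    return 0;
}
```

With positive-only inputs both `x == -1234` and `x < 0` are reported as never taken on their true edge, which is the observation from the question made visible at runtime. To get the same information for unmodified LLVM IR rather than hand-instrumented source, the route the last reply points at is to build with `clang -fprofile-instr-generate -fcoverage-mapping`, run the binary on the input of interest, merge the resulting `.profraw` with `llvm-profdata merge`, and view per-branch counts with `llvm-cov show --show-branches=count`.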