When KLEE starts, the core process calls the run function in Executor.cpp, and then the program executes the state, forks the state, and selects the state to be executed. In this case, there are two functions that act like a fork strategy:
- void Executor::branch(ExecutionState &state, const std::vector<ref > &conditions, std::vector<ExecutionState*> &result)
- Executor::StatePair Executor::fork(ExecutionState &current, ref condition, bool isInternal)
Actually, we can find those functions in the source code and analyze the internal process. However, I cannot understand what the difference between those functions is. In the branch function, there is a process that pushes the state back into addedStates, but it is not in the fork function. Furthermore, the fork function contains solver execution, which results in a success value and uses this value for generating pathOS and symPathOS. (I think the pathOS and symPathOS values could be used for tracking the solving process on a specific state.)
Then, what is the difference between the branch and fork functions, and why does the difference exist in the KLEE program? Moreover, why does the branch function contain the push-back process for addedStates, but the fork function does not?
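To make the structural distinction the question points at concrete, here is a constructed toy model of the two operations: an N-way `branch` that creates one successor per condition without consulting a solver, and a two-way `fork` that asks a solver whether each side of a condition is feasible and drops the infeasible side. This is an added example, not KLEE's code: `ToyExecutor`, `Constraint`, the single-variable interval "solver" in `mayBeTrue`, and the choice to register every freshly copied state in `addedStates` in both operations are all assumptions of the model, not statements about what KLEE's Executor does.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Constructed toy model of state forking, NOT KLEE's code. One symbolic
// integer x; a constraint is either "x < v" or "x >= v".
struct Constraint { bool lessThan; long v; };
static Constraint negate(const Constraint &c) { return {!c.lessThan, c.v}; }

struct ExecutionState {
  std::vector<Constraint> pathConstraints;  // constraints accumulated on this path
};

// Stand-in for the solver: is `c` satisfiable together with `pc`?
// Interval reasoning is exact for this tiny constraint language.
static bool mayBeTrue(const std::vector<Constraint> &pc, const Constraint &c) {
  long lo = LONG_MIN, hi = LONG_MAX;
  auto apply = [&](const Constraint &k) {
    if (k.lessThan) hi = std::min(hi, k.v - 1); else lo = std::max(lo, k.v);
  };
  for (const Constraint &k : pc) apply(k);
  apply(c);
  return lo <= hi;
}

struct ToyExecutor {
  std::vector<std::unique_ptr<ExecutionState>> owned;  // keeps copies alive
  std::vector<ExecutionState *> addedStates;           // new states awaiting scheduling
  std::vector<ExecutionState *> removedStates;         // states to drop
  int solverQueries = 0;

  ExecutionState *copyOf(const ExecutionState &s) {
    owned.push_back(std::make_unique<ExecutionState>(s));
    return owned.back().get();
  }

  // N-way branch (think of a switch): one successor per condition and no
  // solver query; `state` itself becomes the first successor, copies the rest.
  void branch(ExecutionState &state, const std::vector<Constraint> &conditions,
              std::vector<ExecutionState *> &result) {
    result.clear();
    result.push_back(&state);
    for (size_t i = 1; i < conditions.size(); ++i) {
      ExecutionState *ns = copyOf(state);
      addedStates.push_back(ns);  // model's choice: register copies here
      result.push_back(ns);
    }
    for (size_t i = 0; i < conditions.size(); ++i)
      result[i]->pathConstraints.push_back(conditions[i]);
  }

  // Two-way fork on a branch condition: query feasibility of each side and
  // keep only the feasible ones, so a provably dead edge creates no state.
  std::pair<ExecutionState *, ExecutionState *> fork(ExecutionState &current,
                                                     const Constraint &cond) {
    bool trueOk = mayBeTrue(current.pathConstraints, cond);
    bool falseOk = mayBeTrue(current.pathConstraints, negate(cond));
    solverQueries += 2;
    if (trueOk && !falseOk) { current.pathConstraints.push_back(cond); return {&current, nullptr}; }
    if (!trueOk && falseOk) { current.pathConstraints.push_back(negate(cond)); return {nullptr, &current}; }
    if (!trueOk && !falseOk) { removedStates.push_back(&current); return {nullptr, nullptr}; }
    ExecutionState *falseState = copyOf(current);
    addedStates.push_back(falseState);  // model's choice, same bookkeeping as branch()
    current.pathConstraints.push_back(cond);
    falseState->pathConstraints.push_back(negate(cond));
    return {&current, falseState};
  }
};

// Demo 1: an N-way branch always yields N states, i.e. N-1 additions.
size_t addedAfterBranch(size_t n) {
  ToyExecutor ex; ExecutionState s; std::vector<Constraint> conds;
  for (size_t i = 0; i < n; ++i) conds.push_back({true, (long)i});
  std::vector<ExecutionState *> r;
  ex.branch(s, conds, r);
  return r.size() == n ? ex.addedStates.size() : SIZE_MAX;
}

// Demo 2: fork on x<10, then on x<20 in the true branch; the second fork's
// false side (x>=20 under x<10) is infeasible, so no new state appears.
struct ForkStats { size_t added; int queries; bool secondPruned; };
ForkStats forkDemo() {
  ToyExecutor ex; ExecutionState root;
  auto p = ex.fork(root, {true, 10});
  auto q = ex.fork(*p.first, {true, 20});
  return {ex.addedStates.size(), ex.solverQueries,
          q.second == nullptr && q.first == p.first};
}
```

The two demos isolate the behaviours the question contrasts: `branch` is pure bookkeeping that fans out into exactly as many states as it is given conditions, while `fork` pays two solver queries per call and, when one side is unsatisfiable under the current path constraints, mutates the existing state in place rather than spawning a successor. Which function registers new states in the executor's pending list is a design choice of this model; the answer for KLEE itself has to come from reading Executor.cpp.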